Systems and methods for API routing and security

US 10,834,054 B2
Filed: 05/25/2016
Issued: 11/10/2020
Est. Priority Date: 05/27/2015
Status: Active Grant

First Claim

Patent Images

1. A proxy configured for routing messages to a plurality of Application Programming Interfaces (APIs), the proxy comprising:

a memory configured to store a plurality of API characteristics data definitions, each API characteristics data definition from the plurality of API characteristics data definitions being a data file that is uniquely associated with an API from the plurality of APIs; and

a processor operatively coupled to the memory, the processor configured to;

extract, from a message received from a client device, parameter information including a name of a target API from the plurality of APIs;

select, from among the plurality of API characteristics data definitions, an API characteristics data definition that includes the name of the target API;

compare the parameter information extracted from the message and information contained within the API characteristics data definition to determine whether the parameter information matches the information contained within the API characteristics data definition;

identify, in response to the parameter information matching the information contained within the API characteristics data definition, a plurality of API servers each hosting a different instance of the target API;

select an instance of the target API hosted on an API server from the plurality of API servers by;

in response to determining that the message is a non-session based message based on session data stored in the memory, selecting the instance of the target API hosted on the API server having a number of session users lower than a number of session users for each remaining API server from the plurality of API servers, andin response to determining that the message is a session based message based on the session data;

in response to determining that the client device has been assigned to the API server, selecting the instance of the target API hosted on the API server; and

in response to determining that the client device has not been assigned to the API server, selecting the instance of the target API hosted on the API server having the number of session users lower than a number of session users for each remaining API server from the plurality of API servers; and

transmit the message to the instance of the target API.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides methods, computer program products, proxies and proxy clusters configured for forwarding, routing and/or load balancing of client requests or messages between multiple different APIs and/or multiple instances of an API. The invention further provides for efficient session information based routing of client requests for a target API, wherein multiple instances of the target API are simultaneously implemented across one or more API servers. The invention additionally enables separation of a control plane (i.e. control logic) and run time execution logic within a data plane within proxies in a proxy cluster, and also enables implementation of a plurality of data planes within each proxy—thereby ensuring security, high availability and scalability. An invention embodiment additionally implements two-stage rate limiting protection for API servers combining rate limiting between client and each proxy, and rate limiting between a proxy cluster and a server backend.

95 Citations

View as Search Results

22 Claims

1. A proxy configured for routing messages to a plurality of Application Programming Interfaces (APIs), the proxy comprising:
- a memory configured to store a plurality of API characteristics data definitions, each API characteristics data definition from the plurality of API characteristics data definitions being a data file that is uniquely associated with an API from the plurality of APIs; and
  
  a processor operatively coupled to the memory, the processor configured to;
  
  extract, from a message received from a client device, parameter information including a name of a target API from the plurality of APIs;
  
  select, from among the plurality of API characteristics data definitions, an API characteristics data definition that includes the name of the target API;
  
  compare the parameter information extracted from the message and information contained within the API characteristics data definition to determine whether the parameter information matches the information contained within the API characteristics data definition;
  
  identify, in response to the parameter information matching the information contained within the API characteristics data definition, a plurality of API servers each hosting a different instance of the target API;
  
  select an instance of the target API hosted on an API server from the plurality of API servers by;
  
  in response to determining that the message is a non-session based message based on session data stored in the memory, selecting the instance of the target API hosted on the API server having a number of session users lower than a number of session users for each remaining API server from the plurality of API servers, andin response to determining that the message is a session based message based on the session data;
  
  in response to determining that the client device has been assigned to the API server, selecting the instance of the target API hosted on the API server; and
  
  in response to determining that the client device has not been assigned to the API server, selecting the instance of the target API hosted on the API server having the number of session users lower than a number of session users for each remaining API server from the plurality of API servers; and
  
  transmit the message to the instance of the target API.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The proxy as claimed in claim 1, wherein the parameter information includes one or more of cookie information, token information, communication protocol information, protocol method information, and content type.
  - 3. The proxy as claimed in claim 1, wherein:
    - the processor is configured to identify the plurality of API servers based on a plurality of IP addresses and a plurality of TCP ports included within the API characteristics data definition,the processor is configured to select the instance of the target API by selecting an IP address from the plurality of IP addresses and a TCP port from the plurality of TCP ports.
  - 4. The proxy as claimed in claim 3, wherein the processor is configured to transmit the message to the instance of the target API based at least on the IP address and the TCP port.
  - 5. The proxy as claimed in claim 1, wherein the processor is configured to implement (i) a control plane including a processor implemented control process associated with configuring and synchronizing the plurality of API characteristics data definitions, and (ii) one or more data planes, each data plane from the one or more data planes including a discrete processor implemented balancer process associated with routing the messages.
  - 6. The proxy as claimed in claim 5, wherein the processor implementing the control plane is configured for one or more of:
    - (i) receiving a new API characteristics data definition,(ii) validating the new API characteristics data definition based on at least one of a prescribed API characteristics data definition schema or one or more validation rules,(iii) persisting the plurality of API characteristics data definitions, the plurality of API characteristics data definitions including one or more API characteristics data definitions that have been validated,(iv) synchronizing the plurality of API characteristics data definitions with pluralities of API characteristics data definitions of a plurality of proxies so that each proxy from the plurality of proxies has access to the plurality of API characteristics data definitions,(v) monitoring and synchronizing session data including cookies, or(vi) monitoring the one or more data planes for a failure event.
  - 7. The proxy as claimed in claim 5, wherein the processor implementing the one or more data planes is configured for one or more of:
    - (i) the selecting the API characteristics data definition including (a) comparing data parsed from the message with data in the plurality of API characteristics data definitions, and (b) identifying the API characteristics data definition uniquely associated with the target API,(ii) implementing one or more routing or load balancing decisions based on the information identified from within the API characteristics data definition, the implementing including the identifying of the information from within the API characteristics data definition and the transmitting the message,(iii) implementing authentication steps for authenticating the message,(iv) implementing rate limiting based security for one or more API servers, or(v) implementing one or more load balancing decisions based on cookies or session data.
  - 8. The proxy as claimed in claim 5, wherein the processor is configured to implement asynchronous message based inter process communication (IPC) between the control plane and each data plane from the one or more data planes.
  - 9. The proxy as claimed in claim 5, wherein at least one data plane from the one or more data planes is an asynchronous data plane.
  - 10. The proxy as claimed in claim 5, wherein the one or more data planes includes a discrete data plane uniquely associated with each protocol supported by the proxy or each TCP port supported by the proxy.
  - 11. The proxy as claimed in claim 5, wherein at least one data plane from the one or more data planes is associated with a plurality of sub-processes, the processor configured to initialize the plurality of sub-processes to simultaneously handle routing of the messages.
  - 12. The proxy as claimed in claim 1, wherein the processor is further configured to authenticate the message based on security data stored in the memory, the security data including one or more of a cipher suite, a digital certificate, a session key, and an asymmetric or symmetric cipher,the processor configured to transmit the message after authenticating the message.

13. A proxy configured for routing messages to a plurality of APIs, the proxy configured to be included in a proxy cluster including a plurality of proxies, the proxy including:
- a memory configured to store a plurality of API characteristics data definitions, each API characteristics data definition from the plurality of API characteristics data definitions being a data file that is uniquely associated with an API from the plurality of APIs; and
  
  a processor operatively coupled to the memory, the processor configured to;
  
  extract, from a message received from a client device, parameter information including a name of a target API from the plurality of APIs and a hostname associated with the target API;
  
  select, from among the plurality of API characteristics data definitions, an API characteristics data definition based on the name of the target API and the hostname, the API characteristics data definition uniquely associated with the target API and including a plurality of IP addresses, each IP address from the plurality of IP addresses being associated with a different API server from a plurality of API servers, each API server from the plurality of API servers hosting a different instance of the target API;
  
  compare the parameter information extracted from the message and information contained within the API characteristics data definition to determine whether the parameter information matches the information contained within the API characteristics data definition;
  
  identify, in response to the parameter information matching the information contained within the API characteristics data definition, the plurality of API servers based on the plurality of IP addresses;
  
  select an instance of the target API hosted on an API server from the plurality of API servers by;
  
  in response to determining that the message is a non-session based message based on session data stored in the memory, selecting the instance of the target API hosted on the API server having a number of session users lower than a number of session users for each remaining API server from the plurality of API servers, andin response to determining that the message is a session based message based on the session data;
  
  in response to determining that the client device has been assigned to the API server, selecting the instance of the target API hosted on the API server; and
  
  in response to determining that the client device has not been assigned to the API server, selecting the instance of the target API hosted on the API server having the number of session users lower than a number of session users for each remaining API server from the plurality of API servers; and
  
  transmit the message to the instance of the target API.
- View Dependent Claims (14)
- - 14. The proxy as claimed in claim 13, wherein the processor is further configured to synchronize a data state of the plurality of API characteristics data definitions accessible at the proxy with data states of pluralities of API characteristics data definitions accessible at remaining proxies from the plurality of proxies within the proxy cluster.

15. A method for routing client messages received at a proxy to a target API among a plurality of APIs implemented on a plurality of API servers, the method comprising:
- extracting, from a message received from a client device at the proxy, parameter information including a name of the target API;
  
  selecting, from among a plurality of API characteristics data definitions stored at the proxy, an API characteristics data definition that includes the name of the target API, each API characteristics data definition from the plurality of API characteristics data definitions being a data file that is uniquely associated with an API from the plurality of APIs;
  
  comparing the parameter information extracted from the message and information contained within the API characteristics data definition to determine whether the parameter information matches the information contained within the API characteristics data definition;
  
  identifying, in response to the parameter information matching the information contained within the API characteristics data definition, a plurality of API servers each hosting a different instance of the target API;
  
  selecting an instance of the target API hosted on an API server from the plurality of API servers by;
  
  in response to determining that the message is a non-session based message based on session data stored at the proxy, selecting the instance of the target API hosted on the API server having a number of session users lower than a number of session users for each remaining API server from the plurality of API servers, andin response to determining that the message is a session based message based on the session data;
  
  in response to determining that the client device has been assigned to the API server, selecting the instance of the target API hosted on the API server; and
  
  in response to determining that the client device has not been assigned to the API server, selecting the instance of the target API hosted on the API server having the number of session users lower than a number of session users for each remaining API server from the plurality of API servers; and
  
  transmitting the message to the instance of the target API.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method as claimed in claim 15, wherein the parameter information includes one or more of cookie information, communication protocol information, protocol method information, and content type.
  - 17. The method as claimed in claim 15, wherein:
    - the identifying the plurality of API servers is based on a plurality of IP addresses and a plurality of TCP ports included within the API characteristics data definition, andthe selecting the instance of the target API includes selecting an IP address from the plurality of IP addresses and a TCP port from the plurality of TCP ports.
  - 18. The method as claimed in claim 17, wherein the transmitting the message to the instance of the target API is based at least on the IP address and the TCP port.
  - 19. The method as claimed in claim 15, whereinthe identifying the plurality of target API servers is based on a combination of transport protocol data and application protocol data.
  - 20. The method as claimed in claim 15, whereinthe identifying the plurality of target API servers is based on TCP data extracted from the message.

21. A method for routing client messages received at a proxy to an instance of a target API among a plurality of instances of the target API, the method comprising:
- extracting, from a message received from a client device at the proxy, parameter information including a name of the target API and a hostname associated with the target API;
  
  selecting, from among a plurality of API characteristics data definitions stored at the proxy, an API characteristics data definition based on the name of the target API and the hostname, the API characteristics data definition uniquely associated with the target API and including a plurality of IP addresses, each IP address from the plurality of IP addresses being associated with a different API server from a plurality of API servers;
  
  comparing the parameter information extracted from the message and information contained within the API characteristics data definition to determine whether the parameter information matches the information contained within the API characteristics data definition;
  
  identifying, responsive to the parameter information matching the information contained within the API characteristics data definition, the plurality of API servers, each API server within the plurality of API servers hosting a different instance of the target API from the plurality of instances of the target API; and
  
  responsive to determining that the message is a non-session based message, selecting the instance of the target API from the plurality of instances of the target API and hosted on an API server from the plurality of API servers and having a number of session users lower than a number of session users for each remaining API server from the plurality of API servers; and
  
  responsive to determining that the message is a session based message;
  
  responsive to determining that the client device has been assigned to an API server from the plurality of API servers, selecting the instance of the target API hosted on that API server; and
  
  responsive to determining that the client device has not been assigned to an API server from the plurality of API servers, selecting the instance of the target API hosted on the API server having the number of session users lower than a number of session users for each remaining API server from the plurality of API servers; and
  
  transmitting the message to the instance of the target API that is selected.

22. A computer program product for routing messages received at a proxy to a target API among a plurality of APIs implemented on one or more API servers, the computer program product comprising a non-transitory computer usable medium having a computer readable program code embodied therein, the computer readable program code comprising instructions for:
- extracting, from message received from a client device at a client device, parameter information including a name of the target API;
  
  selecting, from among a plurality of API characteristics data definitions stored at the proxy, an API characteristics data definition that includes the name of the target API, each API characteristics data definition from the plurality of API characteristics data definitions being a data file that is uniquely associated with an API from the plurality of APIs;
  
  comparing the parameter information extracted from the message and information contained within the API characteristics data definition to determine whether the parameter information matches the information contained within the API characteristics data definition;
  
  identifying, in response to the parameter information matching the information contained within the API characteristics data definition, a plurality of API servers each hosting a different instance of the target API;
  
  selecting an instance of the target API hosted on an API server from the plurality of API servers by;
  
  in response to determining that the message is a non-session based message based on session data stored at the proxy, selecting the instance of the target API hosted on the API server having a number of session users lower than a number of session users for each remaining API server from the plurality of API servers, andin response to determining that the message is a session based message based on the session data;
  
  in response to determining that the client device has been assigned to the API server, selecting the instance of the target API hosted on the API server; and
  
  in response to determining that the client device has not been assigned to the API server, selecting the instance of the target API hosted on the API server having the number of session users lower than a number of session users for each remaining API server from the plurality of API servers; and
  
  transmitting the message to the instance of the target API.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ping Identity Corporation
Original Assignee
Ping Identity Corporation
Inventors
Subbarayan, Udayakumar, Harguindeguy, Bernard, Gopalakrishnan, Anoop Krishnan, Poonthiruthi, Abdu Raheem
Primary Examiner(s)
Lee, Gil H.

Application Number

US15/164,555
Publication Number

US 20160352867A1
Time in Patent Office

1,630 Days
Field of Search
US Class Current
CPC Class Codes

G06F 9/546   Message passing systems or ...

H04L 41/0813   characterised by the condit...

H04L 41/0893   Assignment of logical group...

H04L 41/12   Discovery or management of ...

H04L 41/28   Restricting access to netwo...

H04L 41/50   Network service management,...

H04L 45/46   Cluster building

H04L 45/56   Routing software

H04L 45/58   Association of routers

H04L 45/74   Address processing for routing

H04L 47/125   by balancing the load, e.g....

H04L 47/20   Traffic policing

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/166   at the transport layer

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

H04L 67/1014   based on the content of a r...

H04L 67/1068   Discovery involving direct ...

H04L 67/1095 : Replication or mirroring of...

H04L 67/12 : specially adapted for propr...

H04L 67/145 : avoiding end of session, e....

H04L 67/56 : Provisioning of proxy servi...

H04L 67/60 : Scheduling or organising th...

H04L 69/16 : Implementation or adaptatio...

H04L 69/329 : in the application layer [O...

H04L 69/40 : for recovering from a failu...

View All

Systems and methods for API routing and security

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

95 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for API routing and security

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links