Liferay as a Headless Platform
Introducing a New Breed of Secure Hypermedia APIs
Jorge Ferrer, VP Engineering
Michael Han, VP Operations
@jorgeferrer #LSNA17
"Headless software is software capable of working without a graphical user interface."
Wikipedia
Why support Headless?
ONE USER, MANY DEVICES AND APPLICATIONS
(diagram: one user reaching the platform through many devices and applications, one of them an SPA)
APIs ARE ENABLERS
(diagram: the same devices and applications, the SPA included, served through APIs)
"The API economy is an enabler for turning a business or organization into a platform. Platforms multiply value creation."
Gartner
Who must have access to the API?
API TARGET AUDIENCE (rings around the platform, from closest to most open)
• Private API: internal teams
• Partner API: trusted companies
• Public API: 3rd party developers
Increased challenges on:
• Security and usage control
• Change management
What does Liferay offer today?
Autogenerated · Comprehensive · Featureful · Efficient · RPC · Coupled
Standard · Flexible · RESTful
How can we improve?
Security & Control
Headless Service Security Requirements: Authentication, Authorization, Service Access Quotas
Authentication
SSO solutions are already supported by Portal: LDAP, SAML, CAS, NTLM, OpenID, Facebook, Google, OpenAM/SSO, Siteminder
Liferay to be an OAuth 2.0 provider
Giving end-users the ability to delegate permissions to apps
• An authorization protocol for web APIs
• Protocol widely adopted on the web
• Multiple authorization granting flows available
Authorization
OAuth 2.0 roles:
Resource Owner – the User
Client – a client application (e.g. mobile application)
Authorization Server – issues access tokens for clients approved by the owner
Resource Server – API server providing API resources
Authorization Flows
• Client Credential Grant
• Resource Owner Grant
• Authorization Code Grant
• Implicit Grant
Client Credential grant flow
For applications to authenticate on behalf of themselves
Useful when getting non-user specific information from the portal
Easy migration from legacy API authentication schemes (Basic, Digest etc.)
Diagram: 1. Client ID & Client Secret (client to authorization server) → 2. Access token (back to the client)
Resource Owner Credentials grant flow
Simple authentication by providing username & password
Exchanged for access token, no password storage. Suitable for trusted first party clients.
Diagram: 1. Resource Owner Password Credentials (user to client) → 2. Resource Owner Password Credentials (client to authorization server) → 3. Access token
Stian Sigvartsen | @stiansigvartsen
What happened to my users?
User trust issues with providing password: the credentials cross the user's trust boundary into the app
Only suitable for 1st party web and mobile applications
Diagram: the same three steps (1. Resource Owner Password Credentials, 2. Resource Owner Password Credentials, 3. Access token) with the user's trust boundary drawn between the user and the client application
Authorization Code grant flow
Best option for webserver and user agent apps
No username & password given to app
Can be used for mobile apps, but requires popping a web browser
Diagram (the user's trust boundary separates the user from the app):
1. Client ID & Redirect URI
2. User authenticates & authorizes
3. Authorization code
4. Authorization Code & Redirect URI
5. Access token
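To make the two flows diagrammed above concrete, here is an added example (not Liferay's OAuth 2.0 provider code) of a minimal in-memory authorization server that issues codes for the Authorization Code grant and tokens for both that grant and the Client Credentials grant, enforcing the checks that keep the flows safe: client secret verification, a registered redirect URI, and single-use, short-lived codes. Client ids, secrets and redirect URIs in the test are constructed values.

```python
import secrets
import time

# Added example, not Liferay's implementation: an in-memory OAuth 2.0
# authorization server for the Client Credentials and Authorization Code
# grants, with the checks that make them safe to expose: client secret
# verification, registered redirect URI, single-use short-lived codes.
class AuthorizationServer:
    def __init__(self, code_ttl=60):
        self.code_ttl = code_ttl
        self.clients = {}  # client_id -> {"secret": str, "redirect_uris": set}
        self.codes = {}    # code -> {"client_id", "redirect_uri", "user", "expires"}
        self.tokens = {}   # access_token -> {"client_id", "user"}
    def register_client(self, client_id, secret, redirect_uris=()):
        self.clients[client_id] = {"secret": secret, "redirect_uris": set(redirect_uris)}
    def authorize(self, client_id, redirect_uri, user):
        """Steps 1-3: the user authenticated and approved; issue a bound code."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise PermissionError("invalid_request")  # never redirect to unknown URIs
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "expires": time.time() + self.code_ttl}
        return code
    def token(self, grant_type, client_id, client_secret, code=None, redirect_uri=None):
        """Steps 4-5 (or the single Client Credentials round trip): issue a token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        if grant_type == "client_credentials":
            user = None  # the app acts on behalf of itself, not of a user
        elif grant_type == "authorization_code":
            entry = self.codes.pop(code, None)  # pop: a code is redeemable once only
            if (entry is None or entry["client_id"] != client_id
                    or entry["redirect_uri"] != redirect_uri
                    or entry["expires"] < time.time()):
                raise PermissionError("invalid_grant")
            user = entry["user"]
        else:
            raise PermissionError("unsupported_grant_type")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": client_id, "user": user}
        return access_token
    def introspect(self, access_token):
        """Resource server side: which client and user does this bearer token act for?"""
        return self.tokens.get(access_token)
```

A Client Credentials token carries no user, which is what makes it fit the "non-user specific information" case on the previous slide; the Authorization Code token carries the user without the app ever seeing the password.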
Pre-Authorized tokens for devices
Building a unified experience across multiple devices
• Maintaining a fully native experience for each device
• Generate pre-authorized tokens via a web portal
• Mobile app receives the token via an onscreen QR code scanned with the camera
One protocol to unify them all!
OAuth 2.0 provider allows API authentication via all new and existing web SSO solutions available to Liferay Portal
• Authorization Code grant flow
• Pre-Authorized tokens
Your server resources are valuable, protect them
Service Access Quotas
Service Access Quotas
• Important for building large scale systems with untrusted clients
• Protect against service abuse
• Extracts characteristics of API requests and matches them against configured quotas
• For example:
  • allow 100 requests
  • to a service method
  • within 5 minutes
  • for each client IP address and User ID combination
Best of Breed APIs
PLATFORM with PRIVATE API, PARTNER API and PUBLIC API
FOR ALL MODERN API NEEDS
1. Very easy to use for any developer
HOW?
• Reduce the need for documentation
• Embrace REST Best Practices
• Adopt Standards
• Abstract Liferay Internals
• Promote Reusability
2. Designed to evolve
How?
• REST Best Practices
• Hypermedia Controls
• Standard Models
Decoupling Consumer and API Provider
Hypermedia Controls
Single Endpoint: consumers only know the home URL and are able to interpret the listed resources
Standardized Link Types: consumers can follow links whose type is known; IANA standardizes many of them, and we can add more on top
A Single Home Endpoint: http://api.domain.io/o/api (JSON Home Internet Draft)
{
  "resources": {
    "people": {
      "href": "http://api.domain.io/o/api/p/people"
    },
    "organizations": {
      "href": "http://api.domain.io/o/api/p/organizations"
    },
    [..]
    "sites": {
      "href": "http://api.domain.io/o/api/p/sites",
      "hints": {
        "media-type": "application/ld+json"
      }
    }
  }
}
Consumers become immune to changes in URLs
Hypermedia pagination (IANA Link Relations Standard)
{
  "_embedded": {...},
  "total": 43,
  "count": 30,
  "_links": {
    "first": {
      "href": "http://localhost:8080/o/api/p/groups?page=1&per_page=30"
    },
    "next": {
      "href": "http://localhost:8080/o/api/p/groups?page=2&per_page=30"
    },
    "last": {
      "href": "http://localhost:8080/o/api/p/groups?page=2&per_page=30"
    }
  }
}
Consumers become simpler, leaving logic to the server
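The two slides above describe a consumer that knows only the home URL and then follows standard link relations. As an added example (not code from the Vulcan Consumer or from Liferay), here is such a consumer run against a constructed in-memory stand-in for the API: it resolves the collection from the JSON Home document, follows "next" until it is absent, and refuses to follow a link that leaves the API's origin, so a tampered document cannot send the bearer token elsewhere. Host name, resource contents and page size are constructed.

```python
from urllib.parse import urlsplit

# Constructed stand-in for HTTP GET: URL -> document, in the shapes shown on the
# slides (a JSON Home document and HAL-style paginated collections).
HOME_URL = "http://api.example.test/o/api"
GROUPS = HOME_URL + "/p/groups"
FAKE_SERVER = {
    HOME_URL: {"resources": {"groups": {"href": GROUPS}}},
    GROUPS: {
        "_embedded": {"groups": [{"name": "Guest"}, {"name": "Marketing"}]},
        "total": 3, "count": 2,
        "_links": {"first": {"href": GROUPS + "?page=1&per_page=2"},
                   "next": {"href": GROUPS + "?page=2&per_page=2"},
                   "last": {"href": GROUPS + "?page=2&per_page=2"}},
    },
    GROUPS + "?page=2&per_page=2": {
        "_embedded": {"groups": [{"name": "Engineering"}]},
        "total": 3, "count": 1,
        "_links": {"first": {"href": GROUPS + "?page=1&per_page=2"},
                   "last": {"href": GROUPS + "?page=2&per_page=2"}},
    },
}

def fetch(url):
    """Stand-in for an HTTP GET of a hypermedia document (constructed data)."""
    return FAKE_SERVER[url]

def same_origin(a, b):
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.netloc) == (pb.scheme, pb.netloc)

def collect_all(resource, home_url=HOME_URL, fetch=fetch, max_pages=1000):
    """Return every embedded item of `resource`, discovered from the home URL only."""
    home = fetch(home_url)
    url = home["resources"][resource]["href"]  # no URL pattern is hardcoded
    items, pages = [], 0
    while url:
        # Only follow links back to the API's own origin: a tampered document
        # must not be able to redirect the consumer (and its token) elsewhere.
        if not same_origin(home_url, url):
            raise ValueError("refusing to follow off-origin link: " + url)
        page = fetch(url)
        items.extend(page["_embedded"].get(resource, []))
        url = page.get("_links", {}).get("next", {}).get("href")  # IANA "next"
        pages += 1
        if pages >= max_pages:  # guard against a "next" chain that never ends
            raise RuntimeError("pagination did not terminate")
    return items
```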
Forms in APIs (Siren)
{
  ..
  "actions": [
    {
      "name": "add-blog-posting",
      "title": "Add Blog Posting",
      "method": "POST",
      "href": "http://localhost:8080/o/p/blogs",
      "type": "application/json",
      "fields": [
        { "name": "headline", "type": "text" },
        { "name": "author", "type": "Person" }
      ]
    }
  ],
  …
}
Consumers don't hardcode the fields or types
Standard Models (aka Shared Vocabularies)
• schema.org and others: schema.org has 597 types and 867 properties; also ActivityStreams, microformats, …
• Well defined custom Models: don't just expose your internal models; think terms through
Mapping internal terms to standards
Internal (User + Contact)  ->  schema.org (Person)
  birthday                 ->  birthDate
  middleName               ->  additionalName
  screenName               ->  alternateName
  emailAddress             ->  email
  lastName                 ->  familyName
  firstName                ->  givenName
  fullName                 ->  name
Internal (BlogsEntry)      ->  schema.org (BlogPosting)
  title                    ->  headline
  subtitle                 ->  alternativeHeadline
  description              ->  description
  user                     ->  creator
  user                     ->  author
  content                  ->  articleBody
  ratings                  ->  aggregateRating
Consumer devs don't need to know Liferay internals, which are now free to evolve
Mapping internal terms to standards
Internal                   ->  schema.org + custom
  Group (site=1)           ->  WebSite
  name                     ->  name
  groupKey                 ->  alternateName
  user                     ->  creator
  Ratings Service          ->  aggregateRatings
  friendlyURL              ->  (_self) / (@id)
  BlogsEntry Service       ->  blogs
  manualMembership         ->  (open question)
3. Ready for real world needs
Ready for real world needs
Consumers control the response:
1. Multi-language (Accept-Language header)
2. Embed multiple resources to avoid chattiness
3. Decide which fields to return
Very efficient: HTTP caching, binary response formats
APIs that achieve the Glory of REST
Source: martinfowler.com/articles/richardsonMaturityModel.html
Let's see it in action
Build your Custom APIs
1. Customize out-of-the-box API
• Turn resources on and off as desired
• Develop custom response formats
2. Implement your custom APIs
• Leverage JAX-RS
• Use Vulcan Architect to simplify:
  • Mapping to standard models
  • Creation of links to other resources
Build any type of consumer
Optimal for all types of consumers: Bots, Mobile Apps, Microservices, Web Applications, SPA, Kiosks, Smart Watches
Amazing results with our first Mobile App
• 80%+ of the code is reusable
• Vulcan Consumer / Thing Screenlet
• Much easier to provide offline support
Sharing what we have learned and built
Project codename Vulcan
01 Guidelines: well documented guidance to build APIs designed to evolve
02 Architect: making it a breeze to build modular Hypermedia APIs
03 Consumer: does all the repetitive work for consuming a Hypermedia API
PLAN FORWARD
THE PLAN
01 New API Infrastructure
02 New Breed of APIs
03 OAuth 2
Timeline: Now → 7.1 (2018)
Decoupled · Evolvable · Efficient · Easy · Customizable · Strong Security · Strong Control
You choose: Liferay with its UI, Headless Liferay, or both
Jorge Ferrer (@jorgeferrer) and Michael Han
Did you like it? Vote for it in the Events App!
Image Credits
This presentation has photos from Pana Vasquez, Oumaima Ben Chebtit, Patrick Tomasso, jesse orrico, Toa Heftiba, Jeremy Thomas, John Mark Arnold, Linda Xu, 35mm, Todd Quackenbush, Sawyer Bengtson, Jorge Gonzalez, Justin Main, Vadim Sherbakov, Kimon Maritz and Matt Jones on Unsplash.
Thanks so much for your amazing photos.
