authentication OpenID Connect OAuth Apache APISIX

Authenticate with OpenID Connect and Apache APISIX

Lots of companies are eager to provide their identity provider: Twitter, Facebook, Google, etc. For smaller businesses, not having to manage identities is a benefit. However, we want to avoid being locked into one provider. In this post, I want to demo how to use OpenID Connect using Google underneath and then switch to Azure. OpenID Connect The idea of an authorization open standard started with OAuth around 2006. Because of a security issue, OAuth 2.0 superseded the initial version. OAuth 2

Spring Security Open Policy Agent Architecture Solution Architecture

Make your security policy auditable

Last week, I wrote about putting the right feature at the right place. I used rate limiting as an example, moving it from a library inside the application to the API Gateway. Today, I’ll use another example: authentication and authorization. Securing a Spring Boot application I’ll keep using Spring Boot in the following because I’m familiar with it. The Spring Boot application offers a REST endpoint to check employees' salaries. The specific use case is taken from the Open

Architecture Software Architecture System Architecture Solution Architecture

The right feature at the right place

Before moving to Developer Relations, I transitioned from Software Architect to Solution Architect long ago. It’s a reasonably common career move. The problem in this situation is two-fold: you know software libraries perfectly well; you don’t know infrastructure components well. It seems logical that people in this situation try to solve problems with the solutions they are most familiar with. However, it doesn’t mean it’s the best approach. It’s a bad one in most ca

Java Kotlin

Null safety: Kotlin vs. Java

Last week, I was at the FOSDEM conference. FOSDEM is specific in that it has multiple rooms, each dedicated to a different theme and organized by a team. I had two talks: Practical Introduction to OpenTelemetry Tracing, in the Monitoring and Observability devroom; and What I miss in Java, the perspective of a Kotlin developer, in the Friends of OpenJDK devroom. The second talk is from an earlier post. Martin Bonnin tweeted a single slide, and it created quite a stir, even attracting Brian Goe

Apache APISIX security

Securing Admin access to Apache APISIX

API Gateways are critical components in one’s infrastructure. If an attacker could change the configuration of routes, they could direct traffic to their infrastructure. Consequences could range from data theft to financial losses. Worse, data theft could only be noticed after a long time by mirroring the load. Hence, protecting your API Gateway is of utmost importance. In this short blog post, I’ll list a couple of ways to secure your Apache APISIX admin access. Change admin toke

Rust HTTP API

Learning by doing: An HTTP API with Rust

When I started working on this post, I had another idea in mind: I wanted to compare the developer experience and performance of Spring Boot and GraalVM with Rust on a demo HTTP API application. Unfortunately, the M1 processor of my MacBook Pro had other ideas. I'm trying to compile a *very* simple #SpringBoot #Kotlin webapp with #GraalVM native image. I'm using Liberica NIK via Docker on an M1 Mac. Compilation seems to be stuck. Anybody has a clue about what happens/how to pinpoint the i

REST Web APIs HATEOAS HAL

The quest for REST

Since I started working for Apache APISIX, I have tried to deepen my understanding of REST via various means. Did you read my review of API Design Patterns book? In the current literature, REST is generally promoted as the best thing since sliced bread. Yet, it comes with lots of challenges. In 2010(!), Martin Fowler wrote a post on the glory of REST. He lists three steps for an API to become truly REST: In each of these steps, issues lurk. This blog post focuses on listing some of them an

API design pattern

API Design Patterns

I already mentioned how I’m trying to get up to speed in the API world: reading books, viewing relevant YouTube videos and reading relevant IETF RFCs. Facts: 30 chapters, $35.00; the author is a Principal Software Engineer at Google; he’s also the author behind https://google.aip.dev/. Chapters: Introduction; Design principles; Naming; Resource scope and hierarchy; Data types and defaults; Fundamentals; Resource identification: How to identify resources in an API; Standard methods: The set of standard

blog

2022 in retrospective

2022 is over, and not a moment too soon. I’ll never forget it: some of my friends had to flee their own country; others are fighting for their freedom as I write this post. I hope they will be safe and that their wishes will come true in 2023. On the personal and technical side, here’s a summary of the past year from my perspective. Job change First and foremost, I changed jobs. I worked for Hazelcast for 3½ years. However, I started to become dissatisfied with the company

mastodon twitter

An immutable Mastodon handle

Whether Twitter crumbles remains to be seen, though some signs are telling. Whatever happens, I’m continuing to invest a bit in Mastodon. Last week, I showed how to sync one’s content between Twitter and Mastodon. This week, I’ve set up a Mastodon handle on my domain that redirects to my profile page: I want to explain how I achieved it and the problems I’m still having. Mastodon 101 Mastodon is different from Twitter in that it’s not centralized: it’s a fe