Roadmap
A capability demo for the WSO2 stack — APIM, Identity Server, Micro Integrator — sequenced into 9 phases. Phase 1 (Bootstrap) is complete; the rest run autonomously.
Phase status
| # | Milestone | Status | Issues |
|---|---|---|---|
| 1 | Bootstrap | ✅ Closed | view |
| 2 | Backend MVP | ⏳ In progress | view |
| 3 | IS integration | ⬜ Queued | view |
| 4 | APIM publish | ⬜ Queued | view |
| 5 | SPA + CLI | ⬜ Queued | view |
| 6 | Advanced security | ⬜ Queued | view |
| 7 | Async + webhooks (MI) | ⬜ Queued | view |
| 8 | Analytics | ⬜ Queued | view |
| 9 | Polish | ⬜ Queued | view |
Sequencing
Phase 1 ─► Phase 2 ─► Phase 3 ─► Phase 4 ─► Phase 5
│ │
▼ ▼
Phase 8 ◄── Phase 7 ◄── Phase 6
│
▼
Phase 9
- Phases 2–5 are the backbone: code → identity → API gateway → user surfaces. Each phase needs the previous to be functionally complete.
- Phase 6 layers MFA / federated / adaptive auth on top of the working OIDC flow from Phase 3.
- Phase 7 adds MI integrations that depend on tickets-api existing and on APIM being able to onboard Async APIs.
- Phase 8 turns on analytics — works as soon as APIM is publishing real traffic, so it can run in parallel with Phase 7.
- Phase 9 is documentation/runbook polish and runs last.
What "done" looks like
- A user can sign up at the SPA, log in (with optional Google federation), and see role-appropriate UI
- Admin actions trigger MFA via adaptive auth
- All API calls go through APIM with token validation, scope enforcement, throttling, and analytics
- Webhooks via MI deliver ticket events with retry + DLQ
- A scheduled MI flow pulls GitLab issues into the tickets table
- All of the above is observable in Kibana with WSO2 dashboards
- A presenter can walk the demo in 20 minutes from the runbook
Decision log
Locked decisions captured during planning:
| Decision | Choice | Why |
|---|---|---|
| Backend stack | Spring Boot 3.x / Java 21 / Maven | Most WSO2 reference docs use Spring Boot — fewer surprises wiring OAuth2 resource-server to IS |
| Frontend | React + Vite + TypeScript | Standard SPA shape, plays well with oidc-client-ts |
| Repo | Single GitHub monorepo zeshaq/wso2-demo-app | One CI lane, easy cross-cutting refactors |
| Persistence | Postgres on spoke-dc | Application data co-located with the application; rke2 DBs reserved for platform |
| Analytics | Self-hosted ELK on rke2 | Out-of-the-box WSO2 dashboards; no SaaS dependency |
| Docs | VitePress on Cloudflare Pages | Lightweight wiki-style fit; matches the existing CF account's direct-upload pattern |