Securing APIs using OIDC in Red Hat 3scale API Management with Red Hat Single Sign-On
This article covers:
- Setting up Red Hat Single Sign-On.
- Configuring APIs as products.
- Creating an application.
- Testing the APIs.
Setting up Red Hat Single Sign-On
- Make sure the Red Hat Single Sign-On Operator is deployed.
- Create the Keycloak instance.
apiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
  labels:
    app: sso
  name: sso-keycloak
spec:
  externalAccess:
    enabled: true
  instances: 1
- Get the route and log in to it. The admin credentials are in the credential secret the operator creates:
bash-3.2$ oc get route keycloak -n sso-3scale -o jsonpath={.spec.host}
keycloak-sso-3scale.itzroks-XXXX.eu-gb.containers.appd
oc get secret credential-sso-keycloak -n sso-3scale -o json | jq -r .data.ADMIN_USERNAME | base64 -d
admin
oc get secret credential-sso-keycloak -n sso-3scale -o json | jq -r .data.ADMIN_PASSWORD | base64 -d
5oWM5R81c3a2mA==
- Log in and configure the security realm as described in the documentation.
- Add a user (testuser) as described in the documentation.
Configuring APIs as products
- Create a backend.
apiVersion: capabilities.3scale.net/v1beta1
kind: Backend
metadata:
  name: backend-echo
spec:
  name: "backend api for echo"
  systemName: backend-echo
  privateBaseURL: "https://echo-api.3scale.net/"
- Create a product.
apiVersion: capabilities.3scale.net/v1beta1
kind: Product
metadata:
  name: product-echo
spec:
  name: "product-echo"
  systemName: "product-echo"
  applicationPlans:
    plan01:
      name: "My Plan 01"
      setupFee: "14.56"
      appsRequireApproval: false
      published: true
    plan02:
      name: "My Plan 02"
      trialPeriod: 3
      costMonth: "3"
      appsRequireApproval: false
      published: true
  mappingRules:
    - httpMethod: GET
      pattern: "/"
      increment: 1
      metricMethodRef: hits
  backendUsages:
    backend-echo:
      path: /
  deployment:
    apicastHosted:
      authentication:
        oidc:
          issuerType: "keycloak"
          issuerEndpoint: "https://zync-client:ZN7e7xGgAWsCGlKBNtWgrAmvLkbxEgcO@keycloak-sso-3scale.itzroks-XXXX.eu-gb.containers.appdomain.cloud/auth/realms/tenant-realm"
          authenticationFlow:
            standardFlowEnabled: true
            implicitFlowEnabled: false
            serviceAccountsEnabled: false
            directAccessGrantsEnabled: false
          jwtClaimWithClientID: "azp"
          jwtClaimWithClientIDType: "plain"
          credentials: "headers"
- Create the developer account and the other prerequisites described in my other blog post.
- Promote the APIs.
apiVersion: capabilities.3scale.net/v1beta1
kind: ProxyConfigPromote
metadata:
  name: product-echo-promote-staging
spec:
  productCRName: product-echo
Creating Application
- Create an application.
- Creating the application also creates a client in Keycloak with the client ID shown below.
- Open the Keycloak admin console and change the client's Valid Redirect URIs to “*” (this is for the test below; in production restrict it to the exact callback URL).
- Note the secret of this client.
Testing APIs
- Configure Postman to retrieve a token. Specify the client ID and secret noted above.
Callback URL: https://www.getpostman.com/oauth2/callback
Auth URL: https://keycloak-sso-3scale.itzroks-XXXX.eu-gb.containers.appdomain.cloud/auth/realms/tenant-realm/protocol/openid-connect/auth
Access Token URL: https://keycloak-sso-3scale.itzroks-XXXX.eu-gb.containers.appdomain.cloud/auth/realms/tenant-realm/protocol/openid-connect/token
- Click on Get New Access Token. Specify the username and password configured in Keycloak for this realm.
- Click on Use Token.
- Get the URL to access the API.
- Specify that URL in Postman and hit Send.
- Analyze the final result.
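The OIDC settings in the Product CR above (issuerEndpoint, jwtClaimWithClientID: "azp" with type "plain", credentials: "headers") determine what APIcast checks on every request before it matches the token to a 3scale application. The following added example, written for this article and not code from 3scale or Keycloak, reproduces those checks on constructed tokens: the token is taken from the Authorization: Bearer header, its signature is verified, iss must equal the realm URL (the issuerEndpoint without the zync client credentials), exp must be in the future, and the azp claim must equal the application's client ID. The realm URL is the one from the CR; the client ID, the signing key and the tokens are constructed values, and HS256 with a shared secret stands in for Keycloak's RS256 signing so the script runs without an RSA library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values. The issuer is the realm URL from the Product CR's issuerEndpoint
# with the zync client credentials removed, which is what Keycloak puts in the token's
# "iss" claim. CLIENT_ID stands in for the client that 3scale registers for the application.
ISSUER = "https://keycloak-sso-3scale.itzroks-XXXX.eu-gb.containers.appdomain.cloud/auth/realms/tenant-realm"
CLIENT_ID = "demo-client-id"
# Keycloak signs tokens with RS256 and publishes the public key on the realm's JWKS endpoint;
# this demo uses an HS256 shared secret (constructed value) so it runs without an RSA library.
DEMO_KEY = b"constructed-shared-secret-for-this-demo-only"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWT (header.payload.signature) the way a test issuer would."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class TokenRejected(Exception):
    """Raised with the reason a token fails one of the gateway's checks."""


def validate_token(token, expected_issuer, expected_client_id, key=DEMO_KEY,
                   client_id_claim="azp", now=None):
    """Apply the checks the gateway performs before matching a token to an application."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenRejected("token segments are not valid base64url JSON")
    # Pin the algorithm: the token's own header must never select "none" or a weaker scheme.
    if header.get("alg") != "HS256":
        raise TokenRejected(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        raise TokenRejected("signature does not verify")
    if claims.get("iss") != expected_issuer:
        raise TokenRejected(f"issuer {claims.get('iss')!r} is not the configured realm")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("token is expired or has no exp claim")
    # jwtClaimWithClientID: "azp" with type "plain": the claim must equal the application's client ID.
    if claims.get(client_id_claim) != expected_client_id:
        raise TokenRejected(f"{client_id_claim} claim does not match a known application")
    return claims


def authorize_request(headers, expected_issuer=ISSUER, expected_client_id=CLIENT_ID, **kwargs):
    """credentials: "headers" means the token arrives as 'Authorization: Bearer <jwt>'.
    Returns (True, claims) when the request may reach the backend, else (False, reason)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False, "missing bearer token"
    try:
        return True, validate_token(token, expected_issuer, expected_client_id, **kwargs)
    except TokenRejected as err:
        return False, str(err)


if __name__ == "__main__":
    soon = int(time.time()) + 300
    good = mint_token({"iss": ISSUER, "azp": CLIENT_ID, "sub": "testuser", "exp": soon})
    print(authorize_request({"Authorization": f"Bearer {good}"}))
    other = mint_token({"iss": ISSUER, "azp": "some-other-client", "sub": "testuser", "exp": soon})
    print(authorize_request({"Authorization": f"Bearer {other}"}))
```

Running the script prints an accepted result for a token whose azp is the application's client ID and a rejection for a token minted by the same realm for a different client. That second case is what the azp check exists for: a valid Keycloak token from the realm is not enough on its own, it must belong to an application that 3scale knows about, otherwise it cannot be matched to a plan or counted against the mapping rules.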