Redhat 3Scale integration with ForgeRock using OpenID Connect

In the last blog, I wrote about how API and Identity Management works together and how Redhat 3scale API Management helps to deliver the solution.

ForgeRock is one of the popular growing Identity Management company and helps organizations interact securely with customers, employees, devices, and things.

For this tutorial, below installers are used:

Below are the components

Figure 1: Architecture Diagram


  1. Client App sends requests to APIcast API gateway with desired request parameters
  2. APIcast verifies the credentials with API Manager, and stores in cache if valid
  3. APIcast sends the request to Forgerock where it authenticates the user, obtain end user consent/authorization
  4. ForgeRock sends the End-User back to the Client with an id_tokenand, if requested, an access_token.
  5. For every API call, the JWT token is sent via APIcast to API backend where it verifies the incoming JWT with ForgeRock public key. If valid, then proxy the call to API backend
  6. The backend API extracts the JWT, verify the scope for the user and sends back API response to client application

Sequence Diagram

To complete the integration end-to-end integration we should setup all pieces one by one. Below are the components and the instructions

Setting up API backend

For this demo, I will be using the echo API service hosted by 3scale. You can always write a service that will extract the JWT, parse the JSON payload, extract the user profile and send back the product subscription status for that user.

Setting up API Manager

  1. Login to 3scale admin portal
  2. Select the service you want to enable OpenId Connect integration with Forgerock. Click on the APIs tab, select the Service and click on the Integration link. We are using the default Echo API.

3. Click on edit integration settings

4. Select OpenID Connect and click on Update Service

5. Go back to the integration page, and click on edit APIcast configuration

6. Enter the Staging and Production base URL. We will deploy the APIcast gateway locally on docker, so name it as http://localhost:8080

7. Finally, click on Update Staging Environment. You can also promote it to Production (optional)

8. Create anapplication and get the client_id and client_secret .

8.1 Go to the Developers tab and click on Developers

8.2 Click on Application

8.3 Click on Create Application link

8.4 Select the Application Plan for the service and then click on Create Application

8.5 Note down the client_id and client_secret . Enter the redirect_uri of your app. For this example, I am using postman redirect_uri as ``

That’s all!! Let’s move towards Forgerock setup.

Setting up Forgerock

Installation of ForgeRock is outside the scope of this tutorial. Please refer ForgeRock documentation for installation. After installing ForgeRock, make sure you are able to access the URL on

  1. Create Realm

2. Click on Configure Oauth ProviderConfigure OpenID Connect

3. Click on Create

4. Creating (or syncing) the 3scale client_id with Forgerock.

Our lead developer, Michal Cichra, wrote a tool Zync to synchronize all 3scale client_ids to IDP. So every time when an application is created i.e client_id and client_secret , the same is automatically created on the IDP side. For this exercise, I have manually created the client_ids using the below registration. If you prefer to create the ids runtime, edit the tool with the client registration endpoint of Forger. PRs are welcome.

4.1 Click on AgentsOauth2.0/OpenID Connect ClientNew

4.2 Copy the 3scale client_id and client_secret from admin portal that you created earlier. Enter Name as client_id and Password as client_secret. Click Create.

4.3 Enter Redirection URIs and Scope → openid. Click Save.

5. Creating an End user that will Authenticate against the IDP.

5.1 Goto RealmsSubjects. Click on New.

5.2 Enter `ID: apiUser` and `password: 12345678`

All set for Forgerock!!

Setting up APIcast API gateway

Make sure to install docker and docker-compose before executing next commands. We will be running APIcast API gateway locally and it will accept all incoming requests from the client.

1. git clone
2. Edit the .env file per your setup
3. docker-compose up

Send Request to APIcast

  1. Send Authorize request to APIcast
GET http://localhost:8080/authorize?client_id=21657b2d&scope=openid&response_type=token id_token&nonce=1234&redirect_uri=
client_id = 3scale client id
scope = openid
response_type = token id_token
nonce = 1234
redirect_uri =
realm = internal

2. A login page is shown from Forgerock. Enter the credentials that we created earlier for End User.

Enter credentials as: apiUser / 12345678

Click on Allow

An access_token and id_tokenis redirected back to the application. The id_token is the JWT token generated by the IDP.

Paste the token on website to decrypt the contents (optional)

The above token is sent to the APIcast gateway for every call. The gateway will verify the signature of JWT using the public key. If valid, the call is proxied to the API backend along with the JWT. It’s then the backend responsibility to base64 decode the JWT, extract the user profile from JSON payload, and then depending on the profile send back the API response. [Refer How microservices verify a JWT for in-depth details]

Request and Response from APIcast

curl -H "Authorization: Bearer eyAidHlwIjogIkpXVCIsICJraWQiOiAiU3lsTEM2Tmp0MUtHUWt0RDlNdCswemNlUVNVPSIsICJhbGciOiAiUlMyNTYiIH0.eyAiYXRfaGFzaCI6ICJUcUd5c2dRZURsWDhIOFNHR1FjcEF3IiwgInN1YiI6ICJhcGlVc2VyIiwgImlzcyI6ICJodHRwOi8vdmJoYWxlcmEub3NlY2xvdWQuY29tOjgwODAvb3BlbmFtL29hdXRoMi9pbnRlcm5hbCIsICJ0b2tlbk5hbWUiOiAiaWRfdG9rZW4iLCAibm9uY2UiOiAiMTIzNCIsICJhdWQiOiBbICIyMTY1N2IyZCIgXSwgIm9yZy5mb3JnZXJvY2sub3BlbmlkY29ubmVjdC5vcHMiOiAiNjk2YmRlNTYtZmNiZi00ZTFkLWIzOGItYmMzNzQ4OGVhODRiIiwgImF6cCI6ICIyMTY1N2IyZCIsICJhdXRoX3RpbWUiOiAxNTE2OTE3NTQwLCAicmVhbG0iOiAiL2ludGVybmFsIiwgImV4cCI6IDE1MTY5MjEyMzUsICJ0b2tlblR5cGUiOiAiSldUVG9rZW4iLCAiaWF0IjogMTUxNjkxNzYzNSB9.SuYI1tP5uJ94y8XRc6QQClXlmuLzMFEcE1LlW_31GafXv91jg3QwbRI-1RV1XOISfWnLW7l-1eGyKZtK_P8nroLjXYs2c-HrIgTwK16FBTcM9-Gt_jzbntwN4hiLD4PbhVb562fTkdqQCA4ZlNR9QOmQUE0ZKlMSwB3b0bNSmys" http://localhost:8080/subscriptions -v
* Trying ::1...
* Connected to localhost (::1) port 8080 (#0)
> GET /subscriptions HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.43.0
> Accept: */*
> Authorization: Bearer eyAidHlwIjogIkpXVCIsICJraWQiOiAiU3lsTEM2Tmp0MUtHUWt0RDlNdCswemNlUVNVPSIsICJhbGciOiAiUlMyNTYiIH0.eyAiYXRfaGFzaCI6ICJUcUd5c2dRZURsWDhIOFNHR1FjcEF3IiwgInN1YiI6ICJhcGlVc2VyIiwgImlzcyI6ICJodHRwOi8vdmJoYWxlcmEub3NlY2xvdWQuY29tOjgwODAvb3BlbmFtL29hdXRoMi9pbnRlcm5hbCIsICJ0b2tlbk5hbWUiOiAiaWRfdG9rZW4iLCAibm9uY2UiOiAiMTIzNCIsICJhdWQiOiBbICIyMTY1N2IyZCIgXSwgIm9yZy5mb3JnZXJvY2sub3BlbmlkY29ubmVjdC5vcHMiOiAiNjk2YmRlNTYtZmNiZi00ZTFkLWIzOGItYmMzNzQ4OGVhODRiIiwgImF6cCI6ICIyMTY1N2IyZCIsICJhdXRoX3RpbWUiOiAxNTE2OTE3NTQwLCAicmVhbG0iOiAiL2ludGVybmFsIiwgImV4cCI6IDE1MTY5MjEyMzUsICJ0b2tlblR5cGUiOiAiSldUVG9rZW4iLCAiaWF0IjogMTUxNjkxNzYzNSB9.SuYI1tP5uJ94y8XRc6QQClXlmuLzMFEcE1LlW_31GafXv91jg3QwbRI-1RV1XOISfWnLW7l-1eGyKZtK_P8nroLjXYs2c-HrIgTwK16FBTcM9-Gt_jzbntwN4hiLD4PbhVb562fTkdqQCA4ZlNR9QOmQUE0ZKlMSwB3b0bNSmys
< HTTP/1.1 200 OK
< Server: openresty/
< Date: Thu, 25 Jan 2018 22:03:31 GMT
< Content-Type: application/json
< Content-Length: 1480
< Connection: keep-alive
< Cache-control: private
< Set-Cookie: d8c1dd0e39ac4456ed39ce5889b9a5a5=e3380f4380dfce29d71b1a31cd3dd973; path=/; HttpOnly
< Vary: Origin
< X-Content-Type-Options: nosniff
"method": "GET",
"path": "/subscriptions",
"args": "",
"body": "",
"headers": {
"HTTP_HOST": "",
"HTTP_ACCEPT": "*/*",
"HTTP_AUTHORIZATION": "Bearer eyAidHlwIjogIkpXVCIsICJraWQiOiAiU3lsTEM2Tmp0MUtHUWt0RDlNdCswemNlUVNVPSIsICJhbGciOiAiUlMyNTYiIH0.eyAiYXRfaGFzaCI6ICJUcUd5c2dRZURsWDhIOFNHR1FjcEF3IiwgInN1YiI6ICJhcGlVc2VyIiwgImlzcyI6ICJodHRwOi8vdmJoYWxlcmEub3NlY2xvdWQuY29tOjgwODAvb3BlbmFtL29hdXRoMi9pbnRlcm5hbCIsICJ0b2tlbk5hbWUiOiAiaWRfdG9rZW4iLCAibm9uY2UiOiAiMTIzNCIsICJhdWQiOiBbICIyMTY1N2IyZCIgXSwgIm9yZy5mb3JnZXJvY2sub3BlbmlkY29ubmVjdC5vcHMiOiAiNjk2YmRlNTYtZmNiZi00ZTFkLWIzOGItYmMzNzQ4OGVhODRiIiwgImF6cCI6ICIyMTY1N2IyZCIsICJhdXRoX3RpbWUiOiAxNTE2OTE3NTQwLCAicmVhbG0iOiAiL2ludGVybmFsIiwgImV4cCI6IDE1MTY5MjEyMzUsICJ0b2tlblR5cGUiOiAiSldUVG9rZW4iLCAiaWF0IjogMTUxNjkxNzYzNSB9.SuYI1tP5uJ94y8XRc6QQClXlmuLzMFEcE1LlW_31GafXv91jg3QwbRI-1RV1XOISfWnLW7l-1eGyKZtK_P8nroLjXYs2c-HrIgTwK16FBTcM9-Gt_jzbntwN4hiLD4PbhVb562fTkdqQCA4ZlNR9QOmQUE0ZKlMSwB3b0bNSmys",
"HTTP_USER_AGENT": "curl/7.43.0",
"HTTP_X_3SCALE_PROXY_SECRET_TOKEN": "secret_token_vinay_demo",
"HTTP_FORWARDED": "for=;;proto=https"
"uuid": "4b100977-4b31-4dc7-9b45-bf5dadb50d97"
* Connection #0 to host localhost left intact

Thanks for taking time and reading the tutorial. In next blog post, I will cover how to integrate 3scale with PingFederate using OpenID Connect.