In this lab you will discover how to set up the widely used OpenID Connect pattern for authentication.
Audience: API Owners, Product Managers, Developers, Architects
Overview
Once you have APIs in your organization and applications being written against them, in many cases you will also want to be sure that the various types of users of the APIs are correctly authenticated. In this lab you will discover how to set up the widely used OpenID Connect pattern for authentication.
Why Red Hat?
The Red Hat SSO product provides important functionality for managing identities at scale. In this lab you will see how it fits together with 3scale and OpenShift.
Credentials:
Your username is: {user-username}
Your password is: openshift
- Launch a new tab on your web browser.
- Navigate to the Solution Explorer on that tab.
- Click on the Red Hat Single Sign-On link.
- Log in to the SSO Admin web console using {user-username} and password: openshift. Click on Log in.
- Select Clients from the left menu.
  A 3scale-admin client and service account have already been created for you.
- Click on the 3scale-admin link to view the details.
- Click the Credentials tab.
- Take note of the client Secret. Copy and save it or write it down, as you will use it to configure 3scale.
  The secret is set to clientsecret for this lab.
- Click on the Service Account Roles tab of the 3scale-admin client.
  Note: If you do not see the Service Account Roles tab, make sure Service Accounts Enabled is ON and Standard Flow Enabled is OFF, then click on Save.
- In Client Roles, enter realm-management. Select all the available roles and click on Add Selected to move them to the Assigned Roles text box. Ignore this step if the roles are already under the Assigned Roles text box.
Were you able to configure Red Hat SSO correctly?
Try to redo this section. If any problem persists, have your instructor check the Kubernetes pod that contains the RH-SSO application.
- Click on the Users menu on the left side of the screen.
- Click the Add user button.
- Type apiuser as the Username.
- Click on the Save button.
- Click on the Credentials tab to reset the password. Type apipassword as the New Password and Password Confirmation. Turn Temporary OFF to avoid a password reset at the next login.
- Click on Set Password.
- Click on the Set password button in the pop-up dialog.
Were you able to add a user?
Try to redo this section. If any problem persists, have your instructor check the Kubernetes pod that contains the RH-SSO application.
Now you have a user to test your SSO integration.
- Log in to the 3scale Admin web console using {user-username} and password: openshift.
- The first page you land on is the API Management Dashboard. Click on the kebab menu of the LOCATION API and select Integration.
- Click on Settings to edit the API settings for the gateway.
- Scroll down the page and, under the AUTHENTICATION deployment options, select OpenID Connect.
- Set the following values for Authentication Settings:
  - OpenID Connect Issuer Type: Red Hat Single Sign-On
  - OpenID Connect Issuer: https://3scale-admin:clientsecret@keycloak-sso.{openshift-app-host}/auth/realms/{user-username}-realm
- Scroll down to CREDENTIALS LOCATION and select As HTTP Headers.
- Scroll down to the bottom and click on Update Product.
- Notice that Configuration shows a warning indicating that the API configuration has been updated. Click on the Configuration link.
- Click on the Promote v.2 to Staging APIcast button.
- Promote to Production by clicking the Promote v.2 to Production APIcast button.
Were you able to reconfigure APIcast?
Try to redo this section. If any problem persists, have your instructor check the Kubernetes pod that contains the 3scale API Management application.
- Go to the Audience dropdown and click on Developers.
- Click on the Applications link.
- Click on the dev_location_app link.
- Check the API Credentials section. Click on Add Random Key for Client Secret.
  NOTE: If the Client ID and Secret are not shown, navigate to the Application page again and you should see the generated secret.
- Edit the Redirect URL and enter the value http://www-{user-username}.{openshift-app-host}/
- Note the Client ID and the Client Secret, which are required later to test your integration.
- Navigate back to the SSO portal and click on the Clients list. You should see that a new client, with the same client ID as in 3scale, has been created in SSO.
Were you able to update an application?
Try to redo this section. If any problem persists, have your instructor check the Kubernetes pod that contains the 3scale API Management application.
Congratulations! You have now created an application to test your OpenID Connect Integration.
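An added example (not part of the original lab, and not 3scale or RH-SSO code) for troubleshooting the configuration above: it separates the client credentials embedded in the OpenID Connect Issiuer value from the public realm URL, builds a log-safe form of it, and compares a token's claims against the lab settings. The host apps.example.com, the user user1 and the Client ID a1b2c3d4 are constructed values; it assumes the token's iss claim is the realm URL without credentials and its azp claim holds the application's Client ID.

```python
import base64, json, time
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the lab's issuer with user1 and apps.example.com filled in.
ISSUER = "https://3scale-admin:clientsecret@keycloak-sso.apps.example.com/auth/realms/user1-realm"

def split_issuer(configured):
    """Separate the client credentials from the public realm URL."""
    u = urlsplit(configured)
    host = u.hostname + (f":{u.port}" if u.port else "")
    cred = f"{u.username}:***@" if u.username else ""
    issuer = urlunsplit((u.scheme, host, u.path.rstrip("/"), "", ""))
    return {
        "client_id": u.username,
        "has_secret": bool(u.password),
        "issuer": issuer,
        "discovery": issuer + "/.well-known/openid-configuration",
        "log_safe": urlunsplit((u.scheme, cred + host, u.path, "", "")),
    }

def decode_claims(token):
    """Decode the JWT payload only; the signature is NOT verified here."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_token(token, configured, app_client_id, now=None):
    """List mismatches between a token's claims and the lab configuration."""
    info, claims = split_issuer(configured), decode_claims(token)
    problems = []
    if not info["issuer"].startswith("https://"):
        problems.append("issuer is not https")
    if not (info["client_id"] and info["has_secret"]):
        problems.append("issuer URL carries no client credentials")
    if claims.get("iss") != info["issuer"]:  # assumption: iss is the realm URL
        problems.append("iss does not match the configured realm")
    if claims.get("azp") != app_client_id:   # assumption: azp holds the Client ID
        problems.append("azp does not match the application Client ID")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token expired")
    return problems

def make_sample(iss, azp, exp):
    """Build a constructed, unsigned token for the demonstration."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc({"iss": iss, "azp": azp, "exp": exp}), "sig"])

if __name__ == "__main__":
    tok = make_sample(split_issuer(ISSUER)["issuer"], "a1b2c3d4", time.time() + 300)
    print(split_issuer(ISSUER)["log_safe"], check_token(tok, ISSUER, "a1b2c3d4"))
```

The claim comparison is a diagnostic only: it does not verify the token signature, so its result must not be used to grant access.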
Now that you can secure your API using three-leg authentication with Red Hat Single Sign-On, you can leverage the current assets of your organization, like current LDAP identities, or even federate the authentication using other IdP services.
For more information about Single Sign-On, you can check its page.
You can now proceed to Lab 5