walkthrough.adoc

Integrator Lab 4 - API Security

In this lab you will discover how to set up the widely used OpenID connect pattern for Authentication.

Audience: API Owners, Product Managers, Developers, Architects

Overview

Once you have APIs in your organization and have applications being written, you also want to be sure in many cases that the various types of users of the APIs are correctly authenticated. In this lab you will discover how to set up the widely used OpenID connect pattern for Authentication.

Why Red Hat?

The Red Hat SSO product provides important functionality for managing identities at scale. In this lab you will see how it fits together with 3scale and OpenShift.

Credentials:

Your username is: {user-username}
Your password is: openshift

SSO Console

• Console

3scale Admin Console

• Console

Sign-in to Red Hat SSO

1. Launch a new tab on your web browser.

2. Navigate to the Solution Explorer on that tab.

3. Click on the Red Hat Single Sign-On link.

4. Log in to SSO Admin web console using {user-username} and password: openshift. Click on Log in.

   

5. Select Clients from the left menu.

   

   A 3scale-admin client and service account was already created for you.

6. Click on the 3scale-admin link to view the details.

   

7. Click the Credentials tab.

   

8. Take note of the client Secret. Copy and save it or write it down as you will use it to configure 3scale.

   

   The secret is set to clientsecret for this lab.

9. Click on Service Account Roles tab of the 3scale-Admin client:

   

   Note	If you do not see the Service Account Roles tab, make sure Service Accounts Enabled is ON, Standard Flow Enabled is OFF and click on Save.

10. In Client Roles, enter realm-management. Select all the available roles and click on Add Selected to move to the Assigned Roles text box. Ignore if the roles are already under the Assigned Roles text box.

    

Were you able configure the Red Hat SSO correctly?

Try to redo this section, if any problem persists have your instructor check the Kubernetes pod that contains the RH-SSO application.

Add User to Realm

1. Click on the Users menu on the left side of the screen.

   

2. Click the Add user button.

   

3. Type apiuser as the Username.

   

4. Click on the Save button.

5. Click on the Credentials tab to reset the password. Type apipassword as the New Password and Password Confirmation. Turn OFF the Temporary to avoid the password reset at the next login.

   

6. Click on Set Password.

7. Click on the Set password button in the pop-up dialog.

   

Were you able to add a user?

Try to redo this section, if any problem persists have your instructor check the Kubernetes pod that contains the RH-SSO application.

Now you have a user to test your SSO integration.

Configure 3scale Integration

1. Log in to 3scale Admin web console using {user-username} and password: openshift.

   

2. The first page you will land is the API Management Dashboard. Click on the kebab menu of the LOCATION API and select Integration

   

3. Click on the Settings to edit the API settings for the gateway.

   

4. Scroll down the page, under the AUTHENTICATION deployment options, select OpenID Connect.

   

5. Set the following values for Authentication Settings:

   • OpenID Connect Issuer Type: Red Hat Single Sign-On

   • OpenID Connect Issuer: https://3scale-admin:clientsecret@keycloak-sso.{openshift-app-host}/auth/realms/{user-username}-realm

     

6. Scroll down to the CREDENTIALS LOCATION and select As HTTP Headers.

   

7. Scroll down to the bottom and click on Update Product.

8. Notice that the Configuration has a warning indicating the API configuration changes are updated. Click on Configuration link.

   

9. Click on the Promote v.2 to Staging APIcast button.

   

10. Promote to Production by clicking the Promote v.2 to Production APIcast button.

    

Were you able to reconfigure APIcast?

Try to redo this section, if any problem persists have your instructor check the Kubernetes pod that contains the 3scale API Management application.

Create a Test App

1. Go to the Audience dropdown and click on Developers.

   

2. Click on the Applications link.

   

3. Click on dev_location_app link.

   

4. Check the API Credentials section. Click on Add Random Key for Client Secret.

   

   NOTE: If the Client ID & Secret are not seen, navigate to the Application page again and you should see the secret generated.

5. Edit the Redirect URL and enter the value http://www-{user-username}.{openshift-app-host}/

6. Note the Client ID and the Client Secret, which is required later to test your integration.

   

7. Navigate back to the SSO portal and click on Clients list. You should see the new client with same client id as in 3scale created in SSO.

   

Were you able to update an application?

Try to redo this section, if any problem persists have your instructor check the Kubernetes pod that contains the 3scale API Management application.

Congratulations! You have now created an application to test your OpenID Connect Integration.

Summary

Now that you can secure your API using three-leg authentication with Red Hat Single Sign-On, you can leverage the current assets of your organization like current LDAP identities or even federate the authentication using other IdP services.

For more information about Single Sign-On, you can check its page.

You can now proceed to Lab 5

Notes and Further Reading

• Red Hat 3scale API Management

• Red Hat Single Sign On

• Setup OIDC with 3scale