- Duration: 20 mins
- Audience: API Owners, Product Managers, Developers, Architects
Once you have APIs in your organization and applications being written against them, you will in many cases also want to be sure that the various types of users of the APIs are correctly authenticated. In this lab you will discover how to set up the widely used OpenID Connect pattern for authentication.
The Red Hat SSO product provides important functionality for managing identities at scale. In this lab you can see how it fits together with 3scale and OpenShift.
We know that sometimes there isn't enough time to go through the labs step by step. So here is a short video where you can see how to configure OpenID Connect for your service using Red Hat Single Sign On.
If you are planning to continue to the next lab, there is an already running OpenID Connect secured API proxy for the Location API Service at this endpoint:
https://location-service-sso.amp.apps.GUID.openshiftworkshop.com
URLs:
Check with your instructor the GUID number of your current workshop environment. Replace GUID with that number in all the URLs where you find it.
Example in case of GUID = 1234:
https://master.GUID.openshiftworkshop.com
becomes =>
https://master.1234.openshiftworkshop.com
Credentials:
Your username is your assigned user number. For example, if you are assigned user number 1, your username is:
user1
The password to login is always the same:
openshift
- Open a browser window and navigate to:
  http://sso-rh-sso.apps.GUID.openshiftworkshop.com/auth/admin/userX/console/
  Remember to replace the GUID with your environment value and your user number.
- Log into Red Hat Single Sign On using your designated user and password. Click on Sign In.
- Select Clients from the left menu.
  A 3scale-admin client and service account was already created for you.
- Click on the 3scale-admin link to view the details.
- Click the Credentials tab.
- Take note of the service account Secret. Copy and save it or write it down, as you will use it to configure 3scale.
- Click on the Users menu on the left side of the screen.
- Click the Add user button.
- Type apiuser as the Username.
- Click on the Save button.
- Click on the Credentials tab to reset the password. Type apipassword as the New Password and Password Confirmation. Turn the Temporary option OFF to avoid a password reset at the next login.
- Click on Reset Password.
- Click on the Change password button in the pop-up dialog.
Now you have a user to test your integration.
- Open a browser window and navigate to:
  https://userX-admin.apps.GUID.openshiftworkshop.com/
  Remember to replace the GUID with your environment value and your user number.
- Accept the self-signed certificate if you haven't.
- Log into 3scale using your designated user and password. Click on Sign In.
- The first page you land on is the API Management Dashboard. Click on the API menu link.
- This is the API Overview page. Here you can see an overview of all your services. Click on the Integration link.
- Click on the edit integration settings to edit the API settings for the gateway.
- Scroll down the page and, under the Authentication deployment options, select OpenID Connect.
- Click on the Update Service button.
- Dismiss the warning about changing the Authentication mode by clicking OK.
- Back in the service integration page, click on the edit APIcast configuration.
- Scroll down the page and expand the authentication options by clicking the Authentication Settings link.
- In the OpenID Connect Issuer field, type in your previously noted client credentials with the URL of your Red Hat Single Sign On instance:
  http://3scale-admin:CLIENT_SECRET@sso-rh-sso.apps.GUID.openshiftworkshop.com/auth/realms/userX
  Remember to replace the GUID with your environment value, your user number and the CLIENT_SECRET you got in Step 1.
- Scroll down the page and click on the Update Staging Environment button.
- After the reload, scroll down again and click the Back to Integration & Configuration link.
- Promote to Production by clicking the Promote to Production button.
- Go to the Developers tab and click on Developer.
- Click on the Applications link.
- Click on the Create Application link.
- Select Basic plan from the combo box. Type the following information:
  - Name: Secure App
  - Description: OpenID Connect Secured Application
- Finally, scroll down the page and click on the Create Application button.
- Note the API Credentials. Write them down, as you will need the Client ID and the Client Secret to test your integration.
Congratulations! You now have an application to test your OpenID Connect integration.
So, you want more? Log in to the Red Hat Single Sign On admin console for your realm if you are not there already. Click on the Clients menu. Now you can check that the 3scale Zync component has created a new Client in SSO. This new Client has the same ID and Secret as the Client ID and Secret from the 3scale admin portal.
You can try to use Postman or the OpenID Connect playground to test your integration. Remember to update the Redirect URL.
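When testing the integration, it helps to check what the OpenID Connect Issuer field actually contains and whether an access token's claims line up with it. The Python below is an added example, not part of the original lab: it splits the issuer value into the credential-free issuer and the client credentials, derives the discovery URL, and inspects a token's claims without verifying its signature. The host follows the lab's SSO console URL, the GUID, secret, Client ID and token are constructed samples, and matching the application through the `azp` claim is an assumption about the gateway.

```python
import base64
import json
import time
from urllib.parse import urlsplit, urlunsplit

def split_issuer_field(value):
    """Separate the client credentials from the issuer URL typed into 3scale."""
    parts = urlsplit(value)
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    issuer = urlunsplit((parts.scheme, host, parts.path.rstrip("/"), "", ""))
    return {
        "issuer": issuer,                      # value expected in the token's iss claim
        "client_id": parts.username,
        "client_secret": parts.password,
        "discovery": issuer + "/.well-known/openid-configuration",
        "cleartext": parts.scheme != "https",  # True: secret and tokens travel unencrypted
    }

def decode_claims(jwt):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)       # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims, issuer, client_id, now=None):
    """Return a list of problems; an empty list means the claims look right."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the realm issuer")
    if claims.get("azp") != client_id:         # assumption: gateway maps azp to the app
        problems.append("azp does not match the application's Client ID")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems

def b64url(obj):  # helper used only to build the constructed sample token
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample values: GUID 1234, user1, placeholder secret and Client ID.
FIELD = ("http://3scale-admin:CLIENT_SECRET@sso-rh-sso.apps.1234"
         ".openshiftworkshop.com/auth/realms/user1")
SAMPLE_TOKEN = ".".join([b64url({"alg": "RS256"}), b64url({
    "iss": split_issuer_field(FIELD)["issuer"],
    "azp": "SAMPLE_CLIENT_ID", "exp": 2000}), "unsigned"])

if __name__ == "__main__":
    cfg = split_issuer_field(FIELD)
    print(cfg["discovery"], "cleartext:", cfg["cleartext"])
    print(check_claims(decode_claims(SAMPLE_TOKEN), cfg["issuer"], "SAMPLE_CLIENT_ID", now=1000))
```

To use it with a real token, pass the access token obtained in Postman to `decode_claims` and the Client ID noted from the 3scale application to `check_claims`.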
Now that you can secure your API using three-leg authentication with Red Hat Single Sign-On, you can leverage the current assets of your organization like current LDAP identities or even federate the authentication using other IdP services.
For more information about Single Sign-On, you can check its page.
You can now proceed to Lab 5