oauth-secure.md

Secure Your API With OpenID Connect OAuth 2.0 Standard

Securing APIs with Red Hat Single Sign-on and OAuth

Describing OIDC Authentication Workflow in Red Hat 3scale API Management

You can configure 3scale API Management to require OpenID Connect (OIDC) as an authentication mechanism for your APIs. This means that 3scale API Management verifies the following:

• Each request contains a JSON Web Token (JWT).

• The JWT token is cryptographically signed by the configured OIDC provider.

• The JWT token is valid, for example not expired.

• The JWT token contains the necessary claims, such as the authorized party (azp) or audience (aud).

When you configure OIDC integration, APIcast reads the configuration of the OIDC provider by using the https://OIDC_PROVIDER_HOST/.well-known/openid-configuration discovery endpoint. APIcast caches information required for validating JWT tokens, such as public keys and signing algorithms.

Requests to the protected API then require a valid JWT token. The following diagram provides an example of an authentication request flow:

Integrating 3scale API Management with Red Hat Single Sign On (RHSSO)

When you configure OIDC integration in your product, 3scale API Management requires that the authorized party (azp) claim in the JWT token corresponds to the API credentials that you associate with an application in your product. However, RHSSO issues JWT tokens. Consequently, 3scale API Management must synchronize application credentials with RHSSO.

The Zync component is responsible for the credential synchronization with RHSSO. When you create a new application, the Sidekiq component schedules Zync to synchronize the data with RHSSO. Zync asynchronously communicates with RHSSO and creates the API credentials.

Steps

• 1. Configure SSO
• 2. Setting Authentication mode for API Product
• 3. Recreate Application
• 4. Testing

1. Configure SSO

You have to setup Zync client in SSO (Keycloak) so 3scale can integrate with SSO and call SSO APIs.

1. Login to Red Hat SSO web console using the URL and credential from step 4 above.

2. Click Clients menu from left panel.

   

3. Click Create button.

   

4. Click Select file button. Browse to zync-client.json file.

   

5. Click Save button.

   

6. Go to Service Account Roles tab. In the Client Roles section, select Realm Management. Click manage clients, then click Add selected button.

   

7. Go to Credentials tab. Look for Secret value, you will need this when setting up OAuth authentication in 3scale so keep this page open in web browser.

   

2. Setting Authentication mode for API Product

1. From main dashboard, click Human Resource Services link to open Product dashboard page.

   

2. Enter following details:

   • AUTHENTICATION section

     • Select OpenID Connect Use OpenID Connect for any OAuth 2.0 flow. option.

   • OPENID CONNECT (OIDC) BASICS section

     • OpenID Connect Issuer Type: Red Hat Single Sign-On

     • OpenID Connect Issuer: Enter a URL in this format: https://zync-client:<SECRET>@keycloak-sso.apps.<CLUSTER DOMAIN>/auth/realms/example

       • SECRET: Zync-client client secret get from Step 7 in Configure SSO step above.
       • CLUSTER DOMAIN: OpenShift cluster domain. (You can also run oc whoami --show-console|awk -F'apps.' '{print $2}' command in terminal to get cluster domain value)

       For example, https://zync-client:2IaLsOOTEZzTOBeTp5U8OfIeQiKYmNtI@keycloak-sso.apps.cluster-hrpdc.hrpdc.sandbox140.opentlc.com/auth/realms/example #gitleaks:allow

   • OIDC AUTHORIZATION FLOW section

     • Check Authorization Code Flow and Service Accounts Flow options.

   

3. Scroll down to bottom of the page then click Update Product button.

   

3. Recreate Application

Due to the authentication mode for API product has been changed to OpenID Connect OAuth 2.0 flow, so the existing applications (Test Corp HR Mobile app, in this case) can't call APIs using API Key or API Key-Pair anymore. So, we need to recreate the application which 3scale will generate a new client ID in SSO for the application to be used for authentication in OAuth flow.

1. Select Applications -> Listing menu from left panel. Then click Test Corp HR Mobile link to open application page.

   

2. Click Edit link.

   

3. Click Delete then OK button to confirm deletion.

   

4. You'll be directed to the Application dashboard. Click Create application button.

5. 

6. Enter following details then click Create application button.

   • Account: Test Corp
   • Product: Human Resource Services
   • Application plan: Free
   • Name: Test Corp HR Mobile
   • Description: Test Corp HR Mobile Application

   

7. A new application should be created with assigned Application Plan as well as an auto genereated Client ID and Client Secret. This will be used for authentication when calling APIs.

   

8. Go to SSO web console, Select Clients menu from left panel. You'll see a new client with the same Client ID in 3scale gets created automatically. This is done by Zync client component. Click on the client ID, you'll see the details.

   

   

9. Promote Configuration changes to Staging and Production.

   

4. Testing

1. Update client-id and client-secret variable in Postman Environments with Client ID and Client Secret generated when you recreate the application (see step 7 in Recreate Application) and click Save button.

   

2. Test the API secured with OAuth using 3Scale API Testing (OAuth) collection.

---