Lab 05 - API Security

Return to Workshop

Lab 5

API Security

Securing APIs with OpenID Connect and Red Hat Single Sign On




Overview

Once you have APIs in your organization and applications being written against them, in many cases you also want to be sure that the various types of API users are correctly authenticated. In this lab you will discover how to set up the widely used OpenID Connect pattern for authentication.

Why Red Hat?

The Red Hat SSO product provides important functionality for managing identities at scale. In this lab you will see how it fits together with 3scale and OpenShift.

Lab Instructions

Step 1: Get Red Hat Single Sign On Service Account Credentials

  1. Open a browser window and navigate to your SSO Console. Please check with your instructor for the link. It should be similar to the following, with userX replaced by your assigned user and OCP_URL by your cluster URL.

    http://sso-sso.apps.[OCP_URL]/auth/admin/[userX]/console/
    

    Remember to replace the X with your user number.

  2. Log into Red Hat Single Sign On using your designated user and password. Click on Sign In.




  3. Select Clients from the left menu.




    A 3scale-admin client and service account was already created for you.

  4. Click on the 3scale-admin link to view the details.




  5. Click the Credentials tab.




  6. Take notice of the service account Secret. Copy and save it or write it down as you will use it to configure 3scale.




Step 2: Add User to Realm

  1. Click on the Users menu on the left side of the screen.




  2. Click the Add user button.




  3. Type apiuser as the Username.




  4. Click on the Save button.

  5. Click on the Credentials tab to reset the password. Type apipassword as the New Password and Password Confirmation. Turn OFF the Temporary switch so the user is not forced to reset the password at the next login.




  6. Click on Reset Password.

  7. Click on the Change password button in the pop-up dialog.




    Now you have a user to test your integration.

Step 3: Configure 3scale Integration

  1. Open a browser window and navigate to:

    https://userX-admin.apps.ocp-ai.redhatgov.io/p/login
    

    Remember to replace the X with your user number.

  2. Accept the self-signed certificate if you haven't.

  3. Log into 3scale using your designated user and password. Click on Sign In.




  4. The first page you land on is the API Management Dashboard. Click on the API menu link.




  5. This is the API Overview page. Here you can see an overview of all your services. Click on the Integration link.




  6. Click on edit integration settings to edit the API settings for the gateway.




  7. Scroll down the page and, under the Authentication deployment options, select OpenID Connect.




  8. Click on the Update Service button.

  9. Dismiss the warning about changing the Authentication mode by clicking OK.




  10. Back in the service integration page, click on the edit APIcast configuration.




  11. Scroll down the page and expand the authentication options by clicking the Authentication Settings link.




  12. In the OpenID Connect Issuer field, type in your previously noted client credentials together with the URL of your Red Hat Single Sign On instance:

    http://3scale-admin:CLIENT_SECRET@sso-sso.apps.ocp-ai.redhatgov.io/auth/realms/userX
    

    Remember to replace the X with your user number.




  13. Scroll down the page and click on the Update Staging Environment button.




  14. After the reload, scroll down again and click the Back to Integration & Configuration link.




  15. Promote to Production by clicking the Promote to Production button.




Step 4: Create a Test App

  1. Go to the Developers tab and click on Developers.



  2. Click on the Applications link.




  3. Click on the Create Application link.




  4. Select Basic plan from the combo box. Type the following information:

    • Name: Secure App
    • Description: OpenID Connect Secured Application




  5. Finally, scroll down the page and click on the Create Application button.




  6. Update the redirect URL to your application's location.

    • Replace userX and OCP_URL: http://www-[userX].apps.[OCP_URL]/
    • Note the API Credentials. Write them down, as you will need the Client ID and the Client Secret to test your integration.


Congratulations! You now have an application to test your OpenID Connect integration.
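The lab stops at noting the Client ID and Client Secret; the example below, which is added here and is not part of the original lab, shows what "testing the integration" looks like from the command line. It obtains an access token from Red Hat Single Sign On for apiuser with the Resource Owner Password grant, inspects the token's claims, runs the same checks the gateway applies (issuer, the client the token was issued to, expiry; this is my reading of APIcast's validation, not a statement from the lab), and calls the API with the token as a Bearer header. The SSO hostname, the API endpoint URL and the Client ID/Secret are placeholders you fill in from the lab; it is also assumed that Direct Access Grants is enabled on the client that 3scale registered in SSO. Note that the issuer URL the lab types into 3scale carries the client secret as URL userinfo over plain http; `token_endpoint()` strips that part, and a production deployment would use https for both the issuer and the gateway.

```python
"""Exercise the 3scale + Red Hat SSO OpenID Connect integration (added example)."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Placeholders (assumptions, not values from the lab): fill in what you noted.
SSO_BASE = "http://sso-sso.apps.[OCP_URL]"
REALM = "userX"
ISSUER = f"{SSO_BASE}/auth/realms/{REALM}"
CLIENT_ID = "<Client ID from the 3scale application>"
CLIENT_SECRET = "<Client Secret from the 3scale application>"
USERNAME, PASSWORD = "apiuser", "apipassword"          # the test user created in Step 2
API_URL = "http://<your-3scale-api-endpoint>/"          # placeholder: the gateway URL


def token_endpoint(issuer):
    """Derive the RH-SSO/Keycloak token endpoint from a realm issuer URL.

    The issuer typed into 3scale carries `client:secret@` userinfo; the token
    endpoint must not, so rebuild the URL from scheme, host and path only.
    """
    u = urllib.parse.urlsplit(issuer)
    host = u.hostname + (f":{u.port}" if u.port else "")
    base = urllib.parse.urlunsplit((u.scheme, host, u.path.rstrip("/"), "", ""))
    return base + "/protocol/openid-connect/token"


def request_token(issuer, client_id, client_secret, username, password):
    """Resource Owner Password grant (Keycloak 'Direct Access Grants').

    Returns the parsed token response; needs network access to the SSO host.
    """
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }).encode()
    req = urllib.request.Request(
        token_endpoint(issuer), data=form,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def decode_claims(jwt):
    """Decode the payload of a JWT for inspection only; no signature check here."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)               # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims, expected_issuer, expected_client, now=None):
    """Return the names of claims that would make the gateway reject the token.

    Assumed to mirror what APIcast checks after verifying the signature:
    issuer, the client the token was issued to (azp), and expiry.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("iss")
    if claims.get("azp") != expected_client:
        problems.append("azp")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("exp")
    return problems


def call_api(url, access_token):
    """Call the 3scale-fronted API with the bearer token; returns (status, body)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:                # e.g. 403 when the gateway rejects it
        return e.code, e.read().decode()


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed, unsigned sample token shaped like an RH-SSO access token (not a real one).
SAMPLE_ISSUER = "http://sso-sso.apps.ocp-ai.redhatgov.io/auth/realms/userX"
SAMPLE_JWT = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": SAMPLE_ISSUER, "azp": "secure-app-client-id",
             "preferred_username": "apiuser", "iat": 1_700_000_000, "exp": 1_700_000_300}),
    "signature-omitted",
])


if __name__ == "__main__":
    tokens = request_token(ISSUER, CLIENT_ID, CLIENT_SECRET, USERNAME, PASSWORD)
    claims = decode_claims(tokens["access_token"])
    print("claims:", {k: claims.get(k) for k in ("iss", "azp", "preferred_username", "exp")})
    print("gateway would reject on:", check_claims(claims, ISSUER, CLIENT_ID) or "nothing")
    print(call_api(API_URL, tokens["access_token"]))
```

A 403 from the gateway with a token that passes `check_claims()` usually means the token was issued for a client that is not a 3scale application (compare `azp` with the Client ID noted in Step 4), which is exactly the mismatch the Steps Beyond section lets you inspect in the SSO Clients list.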

Steps Beyond

So, you want more? Log in to the Red Hat Single Sign On admin console for your realm if you are not there already. Click on the Clients menu. Now you can check that the 3scale zync component has created a new Client in SSO. This new Client has the same ID and Secret as the Client ID and Client Secret shown in the 3scale admin portal.

Summary

Now that you can secure your API using three-legged authentication with Red Hat Single Sign-On, you can leverage the current assets of your organization, such as existing LDAP identities, or even federate the authentication using other IdP services.

For more information about Single Sign-On, you can check its page.

Notes and Further Reading
