After completing this section, you should be able to secure APIs by using API keys and API key-pair authentication.
Every call you make to an API managed by 3scale API Management requires authentication. Authenticating API calls provides a number of advantages, such as:
Monitoring API usage for each application.
Enforcing application plans and rate limits for each application.
Providing a security layer for your APIs without the need to change or redeploy your application.
3scale API Management implements the following authentication patterns:
API key
App_ID and App_Key Pair (key-ID pair)
Open ID Connect (OIDC) integration
For more information about OIDC, see the section called “Securing APIs with Red Hat Single Sign-on and OAuth”.
When you use the API key authentication pattern, each call to the API requires you to provide a key, such as:
API_KEY = a6548169babc4d7847268ba63db15b65
An API key is a string that uniquely identifies each application that communicates with APIs managed by the 3scale Application Manager. The API key serves both as the ID and a secret token that is necessary to authenticate an API call. This is the simplest form of authentication, suitable for testing and environments with low security requirements.
The application key-ID pair decouples the API key from the application ID. Each call to the API that uses the key-ID authentication pattern requires the following information:
APP_ID = 76b49d63
APP_KEY = d2fe3c9494f34a306b91c8e78f11a5f6
Consequently, each API call is identified by a unique ID and a unique secret token. Because the ID and secret token are decoupled from each other, you can create multiple application keys for a single application ID.
This is useful when regenerating your token. You can provision a new secret token, update your application, and then decommission the original secret token, so regenerating a secret token does not disrupt your service.
You can configure an authentication pattern implementation for each product in your 3scale API Management.
In the Admin Portal, select the product you want to configure. Then, click → and see the section.
Products use the API key authentication pattern by default. Select the option to require authentication by using a key-ID pair.
You can also configure:
The name of your authentication parameters
The way you pass authentication to your application
By default, each API call expects the user_key query parameter with the value of your API key, for example:
[user@host ~]$ curl "https://example-product-3scale-apicast-staging.apps.ocp4.example.com:443/?user_key=a6548169babc4d7847268ba63db15b65"
If you enforce authentication by using the key-ID authentication pattern, with the credentials passed in headers named app_id and app_key, then the API call looks as follows:
[user@host ~]$ curl "https://example-product-3scale-apicast-staging.apps.ocp4.example.com:443/" \
    --header 'app_id: 76b49d63' \
    --header 'app_key: 0a5eb0c64bd6748b6e37a7084a273e07'
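The two curl calls above differ only in which credential fields they send and where they put them (query string or headers), and the Admin Portal lets you rename those fields. The following is an added example, not part of the course material or of 3scale itself: it assembles the request for either authentication pattern so you can see exactly what reaches the gateway. The function names, the `location` argument, the `names` override dictionary and the sample values are assumptions made for the example; nothing is sent over the network.

```python
"""Assemble an authenticated request for an API managed by 3scale API Management.

Added example (not 3scale code). The pattern identifiers, `location` values
and the `names` override mechanism are assumptions made for illustration.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample credentials with the same shape as the ones in the text.
API_KEY = "a6548169babc4d7847268ba63db15b65"
APP_ID = "76b49d63"
APP_KEY = "0a5eb0c64bd6748b6e37a7084a273e07"

# 3scale's default parameter names; each can be renamed in the Admin Portal.
DEFAULT_NAMES = {"user_key": "user_key", "app_id": "app_id", "app_key": "app_key"}


def auth_fields(pattern, credentials, names=None):
    """Return the name -> value pairs the gateway expects for `pattern`.

    pattern: "api_key" (single user_key) or "app_id_and_app_key" (key-ID pair).
    names:   optional overrides for the configured parameter names.
    """
    effective = {**DEFAULT_NAMES, **(names or {})}
    if pattern == "api_key":
        return {effective["user_key"]: credentials["user_key"]}
    if pattern == "app_id_and_app_key":
        return {
            effective["app_id"]: credentials["app_id"],
            effective["app_key"]: credentials["app_key"],
        }
    raise ValueError(f"unknown authentication pattern: {pattern}")


def build_request(base_url, pattern, credentials, location="query", names=None):
    """Return (url, headers) with the credentials placed as configured.

    location="query"   puts the fields in the query string (the 3scale default).
    location="headers" sends them as HTTP headers, as in the second curl call.
    """
    fields = auth_fields(pattern, credentials, names)
    if location == "query":
        parts = urlsplit(base_url)
        query = dict(parse_qsl(parts.query))  # keep any query already present
        query.update(fields)
        return urlunsplit(parts._replace(query=urlencode(query))), {}
    if location == "headers":
        return base_url, dict(fields)
    raise ValueError(f"unknown credential location: {location}")


if __name__ == "__main__":
    base = "https://example-product-3scale-apicast-staging.apps.ocp4.example.com:443/"
    print(build_request(base, "api_key", {"user_key": API_KEY}))
    print(build_request(base, "app_id_and_app_key",
                        {"app_id": APP_ID, "app_key": APP_KEY}, location="headers"))
```

Sending the credentials as headers rather than in the query string is the option to prefer where you can choose: query strings are routinely written to proxy, gateway and web server access logs, and to browser history, so a key passed as `?user_key=...` is far more likely to be exposed than one passed in a header.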
Credentials in 3scale API Management are represented by the application objects. The application object maps to an application that communicates with your APIs. Each application object is mapped to a 3scale API Management account. Each application object is also associated with an application plan.
To create a new application object that is associated with your product, select your product in the Admin Portal. Then, click → and click .
After you create the application object, see the section to view the API key or the key-ID pair generated for your application.
If your product uses the key-ID authentication pattern, then you can click the or to associate multiple keys with your application ID. You can associate at most five keys with each application object.
For more information, refer to the API authentication chapter in the Administering the API Gateway guide at https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.11/html-single/administering_the_api_gateway/index#authentication-patterns
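The rotation procedure described earlier (provision a new secret, update the application, decommission the old secret) depends on the application object accepting several keys for one application ID, with the limit of five keys stated above. The following is an added example that is not 3scale code: a small model of an application object and a gateway that walks through a rotation and checks at each step that the consuming application is still authenticated. The `Application`, `Gateway` and `rotate_without_downtime` names, the rule that an application keeps at least one key, and the generated key values are assumptions made for the example.

```python
"""Model key rotation for an application that uses the key-ID pair pattern.

Added example (not 3scale code). The classes, the "keep at least one key" rule
and the generated key values are assumptions; the five-key limit comes from
the text. Keys are compared with hmac.compare_digest so the time taken to
reject a wrong key does not depend on how many leading bytes matched.
"""
import hmac
import secrets

MAX_KEYS_PER_APPLICATION = 5  # limit stated in the course text


def generate_key():
    """Return a fresh secret with the same shape as the sample keys (32 hex chars)."""
    return secrets.token_hex(16)


class Application:
    """One application object: a single app_id with up to five app_keys."""

    def __init__(self, app_id, app_key):
        self.app_id = app_id
        self.keys = [app_key]

    def add_key(self, app_key):
        if len(self.keys) >= MAX_KEYS_PER_APPLICATION:
            raise RuntimeError("an application object holds at most five keys")
        self.keys.append(app_key)
        return app_key

    def remove_key(self, app_key):
        if len(self.keys) == 1:
            raise RuntimeError("model rule: keep at least one key")  # assumption
        self.keys.remove(app_key)

    def accepts(self, app_key):
        presented = app_key.encode()
        return any(hmac.compare_digest(k.encode(), presented) for k in self.keys)


class Gateway:
    """Looks up the app_id, then checks the presented app_key against every active key."""

    def __init__(self):
        self.apps = {}

    def register(self, app):
        self.apps[app.app_id] = app

    def authenticate(self, headers):
        app = self.apps.get(headers.get("app_id", ""))
        return app is not None and app.accepts(headers.get("app_key", ""))


def rotate_without_downtime(gateway, app_id, client):
    """Rotate the secret of `app_id` while `client` (a dict holding the
    credentials the consuming application sends) keeps working.

    Returns (old_key, new_key, trace) where trace records whether the client
    authenticated after each of the three steps.
    """
    app = gateway.apps[app_id]
    old_key = client["app_key"]
    trace = []
    # 1. Provision a new secret; the old one is still valid.
    new_key = app.add_key(generate_key())
    trace.append(gateway.authenticate(client))
    # 2. Update the consuming application to send the new secret.
    client["app_key"] = new_key
    trace.append(gateway.authenticate(client))
    # 3. Decommission the original secret; only the new one remains.
    app.remove_key(old_key)
    trace.append(gateway.authenticate(client))
    return old_key, new_key, trace


if __name__ == "__main__":
    gw = Gateway()
    gw.register(Application("76b49d63", "d2fe3c9494f34a306b91c8e78f11a5f6"))
    client = {"app_id": "76b49d63", "app_key": "d2fe3c9494f34a306b91c8e78f11a5f6"}
    print(rotate_without_downtime(gw, "76b49d63", client))
```

Because the three steps never leave the application without a valid key, the order matters: decommissioning the old key before the consuming application has been updated is the only way this procedure produces failed calls, which is also what to look for in the gateway's authentication failures if a rotation goes wrong.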