Guided Exercise: Securing APIs with Red Hat Single Sign-on and OAuth

In this exercise, you will secure an API by using Red Hat Single Sign On (RHSSO).

Outcomes

You should be able to:

  • Configure 3scale API Management to synchronize with RHSSO.

  • Configure 3scale API Management to require a valid JSON Web Token (JWT) to authenticate an API call.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command:

  • Deploys and configures an RHSSO instance.

  • Deploys the application you will use in this exercise, which consists of:

    • Front end React-based application.

    • Back end API application.

  • Configures the product and backend in 3scale API Management.

[student@workstation ~]$ lab start secure-oauth

Procedure 4.3. Instructions

  1. Verify that the books_api_v2 backend does not require Open ID Connect for authentication.

    1. Get the application ID for the current application plan:

      [student@workstation ~]$ 3scale application list 3scale-tenant \
        --service=secure_oauth
      ID	NAME	STATE	ENABLED	ACCOUNT_ID	SERVICE_ID	PLAN_ID
      7	secure_oauth_app	live	true	3	3	10
    2. Get the user key for the application, for example for an application with the ID 7:

      [student@workstation ~]$ 3scale application show 3scale-tenant 7 \
       -o json | jq -r '.user_key'
      acaa2950a6124cd27a45194c023d2a3d
    3. Use the key to call the books-api service:

      [student@workstation ~]$ curl \
        "https://secure-oauth-3scale-apicast-staging.apps.ocp4.example.com/books?user_key=acaa2950a6124cd27a45194c023d2a3d" \
        | jq
      ...output omitted...

      The API call succeeds without a JWT; the user key alone authenticates it.

  2. Add the RHSSO certificate chain to the 3scale API Management certificate chain.

    Note

    This step is necessary because the 3scale API Management Zync pod does not trust the self-signed certificates of RHSSO.

    1. Examine the /home/student/DO240/labs/secure-oauth/inject_rhsso_ca.sh script.

    2. Execute the script:

      [student@workstation ~]$ sh \
        /home/student/DO240/labs/secure-oauth/inject_rhsso_ca.sh
      ...output omitted...
      configmap/zync-new-ca-bundle created
      deploymentconfig.apps.openshift.io/zync-que volume updated
      deploymentconfig.apps.openshift.io/zync-que updated
    3. Verify that the zync pod in the 3scale project is in the Running state:

      [student@workstation ~]$ oc -n 3scale get pods \
        -l threescale_component_element=zync-que
      NAME               READY   STATUS    RESTARTS   AGE
      zync-que-3-jmsst   1/1     Running   0          8s
  3. Create the zync-client RHSSO client.

    Use the pre-created zync-client.json file. The zync-client.json file creates a client configured as a service account in RHSSO.

    1. Execute the following command to get the RHSSO password:

      [student@workstation ~]$ oc -n rhsso get secret \
        credential-keycloak --template={{.data.ADMIN_PASSWORD}} \
        | base64 -d ; echo
      7jpffNJgZTG8yA==
    2. In a web browser, navigate to the following URL:

      https://keycloak-rhsso.apps.ocp4.example.com/auth/admin/master/console/#/realms/do240

      Log in as admin with the password from the previous step.

    3. Click Clients, then click Create.

    4. Click Select file and select the /home/student/DO240/labs/secure-oauth/zync-client.json file.

      Then, click Save.

    5. Click the Service Account Roles tab. In the Client Roles section, select Realm Management.

      Click manage clients, then click Add selected.

    6. Click the Credentials tab. You will require the Secret value later.

      Keep the browser tab open.

  4. Integrate the secure_oauth product with RHSSO.

    1. In a new browser tab, log in to the 3scale API Management Administration Portal as the admin user.

      Execute the following command to see the ADMIN_PASSWORD:

      [student@workstation ~]$ oc get secret system-seed -n 3scale \
        -o json | jq -r .data.ADMIN_PASSWORD | base64 -d; echo
      ...output omitted...
    2. In the Products section, click the secure_oauth product.

    3. Click Integration → Settings.

    4. In the Authentication section, select OpenID Connect (Use OpenID Connect for any OAuth 2.0 flow).

    5. In the OpenID Connect (OIDC) Basics section, construct the OpenID Connect Issuer URL in the following format:

      https://CLIENT-ID:CLIENT-SECRET@RHSSO-URL

      Use the following parameters:

      • Client-id: zync-client

      • Client-secret: Copy the Secret value from the RHSSO web console.

      • RHSSO URL: keycloak-rhsso.apps.ocp4.example.com/auth/realms/do240

      For example:

      https://zync-client:f6f0..7dd4@keycloak-rhsso.apps.ocp4.example.com/auth/realms/do240

    6. Click Update Product. Then, click Configuration and click Promote v. 2 to Staging APIcast.

  5. Create a new Application.

    1. Click Applications → Listing. Then, click Create Application.

    2. Select the Developer account, secure_oauth product, and the secure_oauth_basic application plan.

    3. Enter the following:

      • Name: sso_app

      • Description: sso_app

      Then, click Create Application.

      Note the Client ID number of your application, for example 7308b6b9.
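      The following is an added example and not part of the DO240 exercise. It shows, in Python, the two things steps 4 and 5 set up: how the OpenID Connect Issuer value is assembled (the zync-client secret travels inside that URL, so it is percent-encoded and must be handled as a credential), and the checks an OIDC-enabled gateway makes on a bearer token before the call reaches books_api_v2: signature, issuer (the do240 realm URL from the exercise), expiry, and an azp claim that names a client 3scale knows about (the sso_app client ID 7308b6b9 from step 5). RHSSO signs tokens with RS256 and APIcast verifies them against the realm's published keys; this example signs with HS256 and a shared key only so that it runs offline. The signing key, token contents and the hypothetical validate_token and make_hs256_token helpers are constructed for the example.

```python
# Added example (not from the DO240 exercise): OIDC issuer URL construction and
# the claim checks a gateway applies to an RHSSO-issued JWT.
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import quote

# Realm issuer and synced client ID taken from the exercise.
REALM_ISSUER = "https://keycloak-rhsso.apps.ocp4.example.com/auth/realms/do240"
SYNCED_CLIENT_IDS = {"7308b6b9"}  # applications that zync has pushed to RHSSO


def oidc_issuer_url(client_id: str, client_secret: str, rhsso_url: str) -> str:
    """Build the OpenID Connect Issuer value from step 4.5.

    The secret is embedded in the URL, so it is percent-encoded (a secret
    containing '/' or '@' would otherwise break the URL) and the resulting
    string must be treated as a credential and never logged.
    """
    return f"https://{quote(client_id, safe='')}:{quote(client_secret, safe='')}@{rhsso_url}"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Mint a test token (hypothetical helper). RHSSO uses RS256; HS256 with a
    shared key is used here only so the example is self-contained."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_token(token: str, key: bytes, expected_issuer: str = REALM_ISSUER,
                   known_clients=SYNCED_CLIENT_IDS, now=None):
    """Return (accepted, reason). Signature first, then issuer, expiry, client."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "malformed token"
    if header.get("alg") != "HS256":  # never accept "none" or an unexpected algorithm
        return False, "unsupported alg"
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if claims.get("iss") != expected_issuer:
        return False, "wrong issuer"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    if claims.get("azp") not in known_clients:
        return False, "unknown client"  # a client that 3scale has not synced
    return True, "ok"


if __name__ == "__main__":
    key = b"test-signing-key"  # constructed for the example
    good = make_hs256_token({"iss": REALM_ISSUER, "azp": "7308b6b9", "exp": time.time() + 300}, key)
    print(validate_token(good, key))
    stranger = make_hs256_token({"iss": REALM_ISSUER, "azp": "notsynced", "exp": time.time() + 300}, key)
    print(validate_token(stranger, key))
    print(oidc_issuer_url("zync-client", "s3cr/et", "keycloak-rhsso.apps.ocp4.example.com/auth/realms/do240"))
```

      The "unknown client" outcome is the one the zync integration prevents: an application created in 3scale is pushed to RHSSO as a client, and a token issued to any other client is rejected even though its signature and issuer are valid.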

  6. Change the sso_app RHSSO client visibility.

    Use the following configuration:

    • Access Type: public

      Public access type is for client-side clients that perform a browser login. This means the application requires only the client ID to authenticate the request.

    • Valid Redirect URIs: *

      RHSSO can redirect a request that is authenticated by this client to any URL.

    • Web Origins: *

      RHSSO configures the Access-Control-Allow-Origin header for responses that are authenticated by this client. This is important for browser Cross-Origin Resource Sharing (CORS) configuration.

    The RHSSO client configuration is simplified for testing purposes.

    1. In the RHSSO Administration Console browser tab, click Clients.

    2. Click the newly created client, for example 7308b6b9. Verify that the name of the client is sso_app.

    3. Change the following properties:

      • Access Type: public

      • Valid Redirect URIs: *

      • Web Origins: *

      Then, click Save.

  7. Modify the front end application to use the sso_app client.

    1. Edit the book-config configuration map in the secure-oauth project, and change the REACT_APP_CLIENT_ID property to the client ID of the sso_app client.

      [student@workstation ~]$ oc edit cm book-config -n secure-oauth
      apiVersion: v1
      data:
        REACT_APP_CLIENT_ID: 7308b6b9
      ...output omitted...
    2. Delete the front end pod.

      The new pod receives the updated REACT_APP_CLIENT_ID value.

      [student@workstation ~]$ oc -n secure-oauth delete pod \
        -l app=books-frontend
      pod "books-frontend-v2-f5658556-57vqh" deleted
  8. Enable CORS for the secure_oauth product.

    1. In the 3scale API Management Administration Portal, open the secure_oauth product.

    2. Click Integration → Policies. Then, click Add policy and select the CORS Request Handling policy.

    3. Move the CORS Request Handling policy to the start of the policy chain.

      Warning

      Failure to put the CORS policy as the first policy in the policy chain might result in the front end application not working.

    4. Click the CORS Request Handling policy. Enter the following configuration:

      • allow_origin: *

      Then, click Update Policy, and Update Policy Chain.

    5. Promote the configuration to the staging APIcast.
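    The following is an added example, not part of the DO240 exercise or of the 3scale CORS policy code. It models in Python the decision a gateway makes for the CORS Request Handling policy of step 8 and the Web Origins setting of step 6: the lab's allow_origin: * setting next to an explicit allow list, the Vary: Origin header that an echoed origin needs, and a preflight check on the Authorization header the React front end sends with each API call. The front end origin is taken from the exercise; the cors_headers function and its defaults are hypothetical.

```python
# Added example (not from the DO240 exercise): CORS response headers under the
# lab's wildcard setting and under an explicit allow list.
FRONTEND_ORIGIN = "http://books-frontend-secure-oauth.apps.ocp4.example.com"  # from the exercise
DEFAULT_ALLOW_HEADERS = {"authorization", "content-type"}  # constructed policy setting


def cors_headers(origin, allow_origin="*", allow_headers=DEFAULT_ALLOW_HEADERS,
                 allow_credentials=False, requested_headers=None):
    """Return the CORS headers for a request from `origin`, or {} when the
    browser must block it.

    allow_origin is "*" (the exercise's allow_origin value) or a set of exact
    origins. requested_headers is the Access-Control-Request-Headers value of a
    preflight request (a bearer Authorization header always triggers one).
    """
    if origin is None:
        return {}  # same-origin or non-browser call: no CORS headers involved
    if allow_origin == "*":
        if allow_credentials:
            # "*" is invalid together with credentials, so a gateway has to echo
            # the caller's origin, which lets every site make credentialed calls.
            # This is why a wildcard is acceptable for the lab only.
            headers = {"Access-Control-Allow-Origin": origin,
                       "Access-Control-Allow-Credentials": "true",
                       "Vary": "Origin"}
        else:
            headers = {"Access-Control-Allow-Origin": "*"}
    elif origin in allow_origin:
        # Echo only a listed origin; Vary tells caches the answer depends on Origin.
        headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
        if allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    else:
        return {}
    if requested_headers:
        wanted = [h.strip() for h in requested_headers.split(",") if h.strip()]
        if any(h.lower() not in allow_headers for h in wanted):
            return {}  # preflight fails: a requested header is not allowed
        headers["Access-Control-Allow-Headers"] = ", ".join(wanted)
    return headers


if __name__ == "__main__":
    print(cors_headers(FRONTEND_ORIGIN))                               # lab setting
    print(cors_headers(FRONTEND_ORIGIN, allow_origin={FRONTEND_ORIGIN},
                       requested_headers="Authorization"))             # restricted
    print(cors_headers("https://other.example", allow_origin={FRONTEND_ORIGIN}))
```

    With the allow list in place, only the books-frontend origin receives an Access-Control-Allow-Origin header, which is the setting to use once the exercise's test configuration is no longer needed.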

  9. In a web browser, visit the following URL:

    http://books-frontend-secure-oauth.apps.ocp4.example.com

    Log in with the user student and password redhat.

    You can examine the RHSSO student user by viewing the /home/student/DO240/labs/secure-oauth/04_user.yml file.

    Figure 4.12: A working front end

Finish

On the workstation machine, use the lab command to complete this exercise. This is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish secure-oauth

This concludes the guided exercise.

Revision: do240-2.11-40390f6