Chapter 12. OpenID Connect integration


3scale integrates with third-party Identity Providers (IdP) for authenticating the API requests using the OpenID Connect specification, with these features:

  • OpenID Connect is built on top of OAuth 2.0 that complements the OAuth 2.0 Authorization framework with an authentication mechanism.
  • With the OpenID Connect authentication option, the API requests are authenticated using the access tokens in the JSON Web Token (JWT) format (RFC 7519).

The integration consists of the following two parts:

Red Hat 3scale API Management fully supports both integration points with Red Hat Single Sign-On (RH-SSO) acting as the OpenID provider. See the supported version of RH-SSO on the Supported Configurations page. APIcast integration is also tested with ForgeRock.

In both cases, you can configure the integration by specifying the OpenID Connect Issuer field in the APIcast Configuration on the Integration page of the service using OpenID Connect authentication option. For instructions, see Integration of 3scale with Red Hat Single Sign-On.

12.1. JWT verification and parsing by APIcast

The API requests to the service using the OpenID Connect authentication mode should provide the access token in the JWT format, issued by the OpenID Provider, in the Authorization header using Bearer schema. The header should look like the following example:

Authorization: Bearer <JWK>

Example:

Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2lkcC5leGFtcGxlLmNvbSIsInN1YiI6ImFiYzEyMyIsIm5iZiI6MTUzNzg5MjQ5NCwiZXhwIjoxNTM3ODk2MDk0LCJpYXQiOjE1Mzc4OTI0OTQsImp0aSI6ImlkMTIzNDU2IiwidHlwIjoiQmVhcmVyIn0.LM2PSmQ0k8mR7eDS_Z8iRdGta-Ea-pJRrf4C6bAiKz-Nzhxpm7fF7oV3BOipFmimwkQ_-mw3kN--oOc3vU1RE4FTCQGbzO1SAWHOZqG5ZUx5ugaASY-hUHIohy6PC7dQl0e2NlAeqqg4MuZtEwrpESJW-VnGdljrAS0HsXzd6nENM0Z_ofo4ZdTKvIKsk2KrdyVBOcjgVjYongtppR0cw30FwnpqfeCkuATeINN5OKHXOibRA24pQyIF1s81nnmxLnjnVbu24SFE34aMGRXYzs4icMI8sK65eKxbvwV3PIG3mM0C4ilZPO26doP0YrLfVwFcqEirmENUAcHXz7NuvA

The JWT token contains a signature that the token’s receiver can verify and ensure that the token was signed by a known issuer and that its content has not been changed. 3scale supports RSA signature based on the public/private key pair. Here, the issuer signs the JWT token using a private key. APIcast verifies this token using a public key.

APIcast uses OpenID Connect Discovery for getting the JSON Web Keys (JWK) that can be used for verifying the JWT signature.

On each request, APIcast does the following:

  1. Verifies the JWT token using the public key.
  2. Validates the claims nbf and exp.
  3. Verifies that the issuer specified in the claim iss (Issuer) is the same as the one configured in the OpenID Connect Issuer field.
  4. Extracts the value of the azp or aud claim and uses it as the Client ID that identifies the application in 3scale to authorize the call through the Service Management API.

If any of the JWT validation or the authorization checks fail, APIcast returns an Authenication failed error. Otherwise, APIcast proxies the request to the API backend. The Authorization header remains in the request, so the API backend can also use the JWT token to check the user and client identity.

12.2. Client credentials synchronization by zync-que

3scale synchronizes the client (application) credentials between 3scale and the RH-SSO server when you are using the zync-que component. Configure this through the OpenID Connect Issuer setting.

When you create, update, or delete a service configured to use OpenID Connect, zync-que receives the corresponding event and communicate the change to the RH-SSO instance using RH-SSO API.

The Integration of 3scale with Red Hat Single Sign-On section provides the steps required to ensure that zync-que has the correct credentials to use the RH-SSO API.

12.3. Integration of 3scale with Red Hat Single Sign-On

As an API provider, integrating 3scale with Red Hat Single Sign-On (RH-SSO) as the identity provider (IdP) is an option for authenticating API requests. Integration consists of configuring the following elements:

12.3.1. Configuring Zync to use custom CA certificates

You must establish an SSL connection between Zync and Red Hat Single Sign-On (RH-SSO), because Zync operates with RH-SSO to exchange tokens. If you do not configure the SSL connection between Zync and RH-SSO, the tokens would be open for anyone listening.

3scale 2.2 and above supports custom CA certificates for RH-SSO with the SSL_CERT_FILE environment variable. This variable points to the local path of the certificates bundle.

Prerequisites

  • You must be able to serve RH-SSO over https and make sure it is reachable by zync-que. To test this type the following:

    curl https://rhsso-fqdn
Note
  • Some versions of OpenSSL accept -showcerts instead of --showcerts. Modify the following command accordingly to the version you are using.
  • The command in step 1 of the below procedure mentions <rhsso_fqdn>. The Fully Qualified Domain Name (FQDN) is the human-readable domain name, for example, host.example.com.

Procedure

  1. Run the following command to get a proper certificate chain:

    echo -n | openssl s_client -connect <rhsso_fqdn>:<rhsso_port> -servername <rhsso_fqdn> --showcerts | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > customCA.pem
  2. Validate the new certificate with the following cURL command. The expected response is a JSON configuration of the realm. If validation fails it is an indicator that your certificate may not be correct.

    curl -v https://<secure-sso-host>/auth/realms/master --cacert customCA.pem
  3. Add the certificate bundle to the Zync pod:

    1. Gather the existing content of the /etc/pki/tls/cert.pem file on the Zync pod. Run:

      oc exec <zync-que-pod-id> cat /etc/pki/tls/cert.pem > zync.pem
    2. Append the contents of the custom CA certificate file to zync.pem:

      cat customCA.pem >> zync.pem
    3. Attach the new file to the Zync pod as ConfigMap:

      oc create configmap zync-ca-bundle --from-file=./zync.pem
      oc set volume dc/zync-que --add --name=zync-ca-bundle --mount-path /etc/pki/tls/zync/zync.pem --sub-path zync.pem --source='{"configMap":{"name":"zync-ca-bundle","items":[{"key":"zync.pem","path":"zync.pem"}]}}'
  4. After deployment, verify that the certificate is attached and the content is correct:

    oc exec <zync-pod-id> cat /etc/pki/tls/zync/zync.pem
  5. Configure the SSL_CERT_FILE environment variable on Zync to point to the new CA certificate bundle:

    oc set env dc/zync-que SSL_CERT_FILE=/etc/pki/tls/zync/zync.pem

12.3.2. Configuring Red Hat Single Sign-On

After you have created and configured Zync to use custom CA certificates, you must configure the client in Red Hat Single Sign-On (RH-SSO).

Procedure

  1. Create a realm (<realm_name>).
  2. Create a client:

    1. Specify a client ID.
    2. In the Client Protocol field, select openid-connect.
  3. To configure the client permissions, set the following values:

    1. Access Type to confidential.
    2. Standard Flow Enabled to OFF.
    3. Direct Access Grants Enabled to OFF.
    4. Service Accounts Enabled to ON.
  4. Set the service account roles for the client:

    1. Navigate to the Service Account Roles tab of the client.
    2. In the Client Roles dropdown list, click realm-management.
    3. In the Available Roles pane, select the manage-clients list item and assign the role by clicking Add selected >>.
  5. Note the client credentials:

    1. Make a note of the client ID (<client_id>).
    2. Navigate to the Credentials tab of the client and make a note of the Secret field (<client_secret>).
  6. Add a user to the realm:

    1. Click the Users menu on the left side of the window.
    2. Click Add user.
    3. Type the username, set the Email Verified switch to ON, and click Save.
    4. On the Credentials tab, set the password. Enter the password in both the fields, set the Temporary switch to OFF to avoid the password reset at the next login, and click Reset Password.
    5. When the pop-up window displays, click Change password.

12.3.3. Configuring 3scale with Red Hat Single Sign-On

After you have created and configured the client in Red Hat Single Sign-On (RH-SSO), you must configure 3scale to work with RH-SSO.

Prerequisites

Procedure

  1. Enable OpenID Connect:

    1. Select the service on which you want to enable the OpenID Connect authentication, navigate to [your_product_name] > Integration > Settings.
    2. Under the Authentication options, select OpenID Connect Use OpenID Connect for any OAuth 2.0 flow.
  2. Edit the APIcast Configuration. Once you select the option for OpenID Connect, you will see a new section OpenID Connect (OIDC) Basics:

    1. Choose the OpenID Connect Issuer Type.
    2. Specify the OpenID Connect Issuer field, enter the previously noted client credentials with the URL of your RH-SSO server, located at host <rhsso_host> and port <rhsso_port>, as indicated in the following URL template:

        https://<client_id>:<client_secret>@<rhsso_host>:<rhsso_port>/auth/realms/<realm_name>
    3. To save the configuration, click Update Product.

12.4. Configure HTTP integration with third-party Identity Providers

You can configure HTTP integration of OpenID Connect (OIDC) to facilitate syncing credentials with third-party identity providers (IdPs). This means that it is possible to integrate different IdPs other than Red Hat Single Sign-On (RH-SSO), by implementing the OpenAPI specifications we provide.

12.4.1. Prerequisites

12.4.2. Procedure

To configure HTTP integration of OIDC with third-party identity providers, follow these steps in the Admin Portal:

  1. Navigate to [Your_product_name] > Integration > Settings.
  2. Under AUTHENTICATION, select OpenID Connect Use OpenID Connect for any OAuth 2.0 flow.
  3. Under AUTHENTICATION SETTINGS indicate the OpenID Connect (OIDC) Basics

    1. In OpenID Connect Issuer Type, specify the type of your OpenID Provider.
    2. In OpenID Connect Issuer, indicate the location of your OpenID Provider.
  4. To save your changes, click Update Product.

12.4.3. Zync REST API example

This example project implements Zync REST API protocol to synchronize OAuth2.0 clients. When a 3scale application is created, updated or deleted Zync tries to replicate that change to http://example.com/api.

12.4.3.1. Prerequisites

3scale must be configured to use:

12.4.3.2. Creating, updating and deleting clients

Zync makes the following requests to create, update or delete clients:

  • Create and update PUT /clients/:client_id
  • Delete DELETE /clients/:client_id

All endpoints must reply with a 2xx status code. Otherwise, the request will be retried.

12.4.3.3. Payload

The request payload in case of create and update is application/json:

{
  "client_id": "ee305610",
  "client_secret": "ac0e42db426b4377096c6590e2b06aed",
  "client_name": "oidc-app",
  "redirect_uris": ["http://example.com"],
  "grant_types": ["client_credentials", "password"]
}

The request to delete a client has no payload.

12.4.3.4. Using OAuth2 authentication

Zync sends GET requests to the /.well-known/openid-configuration endpoint and expects an application/json response. The response payload should contain the following:

{
  "token_endpoint": "http://idp.example.com/auth/realm/token"
}

With the OAuth2 protocol, Zync uses token_endpoint to exchange the client_id and client_secret provided in the OpenID Connect Issuer address, in order to request an access token. If the API responds with an unsuccessful response, Zync will fallback to HTTP Basic/Digest authentication using the provided credentials.

12.5. OAuth 2.0 supported flows

The API clients must get access tokens from the OpenID Connect (OIDC) issuer configured in 3scale, using any OAuth 2.0 flow that is supported by this OpenID provider. In case of Red Hat Single Sign-On (RH-SSO), the following flows are supported (the terms used in RH-SSO clients are specified in parenthesis):

  • Authorization Code (Standard Flow)
  • Resource Owner Password Credentials (Direct Access Grants Flow)
  • Implicit (Implicit Flow)
  • Client Credentials (Service Accounts Flow)

In 3scale, if you create a client for which OIDC authentication is enabled, the corresponding clients created by Zync in RH-SSO have only the Authorization Code flow enabled. This flow is recommended as the most secure and suitable for most cases. However, it is possible to enable other flows.

12.5.1. How OAuth 2.0 supported flows work

The client gets the access token using the authorization request, or the token request, or both. The URLs that receive these requests can be discovered using the .well-known/openid-configuration endpoint of the OpenID provider, in the "authorization_endpoint" and "token_endpoint", accordingly. Example: https://<RHSSO_HOST>:<RHSSO_PORT>/auth/realms/<REALM_NAME>/.well-known/openid-configuration.

12.5.2. Configuring OAuth 2.0 supported flows

You can configure allowed OAuth 2.0 flows for the 3scale API in the Admin Portal. When you create a new application, the basic integration is finished, including the OpenId Connect (OIDC) configuration.

To configure OAuth 2.0 supported flows, perform these steps:

  1. Navigate to the Authentication Settings section: [Your_product_name] > Integration > Settings
  2. Under AUTHENTICATION, choose OpenID Connect Use OpenID Connect for any OAuth 2.0 flow. The corresponding flows are enabled:

    • standardFlowEnabled (Authorization Code flow) [selected by default]
    • implicitFlowEnabled (Implicit flow)
    • serviceAccountsEnabled (Service Accounts Flow)
    • directAccessGrantsEnabled (Direct Access Grant Flow)
  3. Choose one or multiple flows.
  4. To save your changes, click Update Product.

12.6. Test the integration

To test the integration, you must perform the steps listed in the following sections.

12.6.1. Test the client synchronization

To test the client synchronization, take the following steps:

  1. Create an application for the service where you configured the OpenID Connect integration.
  2. Note the client ID and the client Secret of the generated application.
  3. Verify that the client with the same client ID and client secret is now present in the configured Red Hat Single Sign-On realm.
  4. Update the Redirect URL of the application in the 3scale admin portal. Redirect URLs should be as specific as possible.
  5. Verify that the Valid Redirect URIs field of the client in Red Hat Single Sign-On has been updated accordingly.

12.6.2. Test the API authorization flow

To test the API authorization flow, take the following steps:

  1. Get the access token from the Red Hat Single Sign-On server using an OAuth 2.0 flow that is enabled on the corresponding RH-SSO client.
  2. Use the value of the access_token retrieved from RH-SSO in the Authorization header as follows: Authorization: Bearer <access_token>

If the token is correct and the corresponding application in 3scale is authorized, APIcast gateway returns a response from the API backend.

12.7. Example of the integration

The service "API" in 3scale is configured to use the OpenID Connect authentication. The Public Base URL on the service "API" is configured to be https://api.example.com and the Private Base URL is configured to be https://internal-api.example.com.

The OpenID Connect Issuer field is set to https://zync:41dbb98b-e4e9-4a89-84a3-91d1d19c4207@idp.example.com/auth/realms/myrealm in the API integration and the client zync in the realm myrealm has the correct Service Account roles.

In 3scale, there is an application having the myclientid client ID, myclientsecret client secret, and a https://myapp.example.com Redirect URL. In Red Hat Single Sign-On, in the myrealm realm, there also exists a client having a myclientid client ID, myclientsecret secret, and https://myapp.example.com Valid Redirect URIs. Standard Flow is enabled on this client. There is a user configured in the myrealm realm having the myuser username and mypassword password.

The flow is as follows:

  1. Using the endpoint https://idp.example.com/auth/realms/myrealm/protocol/openid-connect/auth, the application sends an Authorization request to RH-SSO. Within the request, the application provides these parameters: myclientid client ID, and https://myapp.example.com Redirect URL.
  2. RH-SSO shows the login window, where the user must provide the user’s credentials: Username myuser and password mypassword.
  3. Depending on the configuration, and if it is the first time that the user is authenticating in this specific application, the consent window displays.
  4. After the user is authenticated, the applciation sends a Token request to RH-SSO using the endpoint https://idp.example.com/auth/realms/myrealm/protocol/openid-connect/token and providing the client ID myclientid, client secret myclientsecret and Redirect URL https://myapp.example.com.
  5. RH-SSO returns a JSON with an "access_token" field eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lk…​xBArNhqF-A.
  6. The application sends an API request to https://api.example.com with the header Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lk…​xBArNhqF-A.
  7. The application should receive a successful response from https://internal-api.example.com.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.