Chapter 2. 3scale integration with Red Hat Single Sign-On using OpenID Connect

3scale can synchronize client credentials between 3scale (Application credentials) and a Red Hat Single Sign-On server using OpenID Connect (OIDC). 3scale utilizes a service called Zync to synchronize calls to the Red Hat Single Sign-On server.

2.1. Prerequisites:

In order to connect 3scale and Red Hat Single Sign-On, perform the following configurations in your Red Hat Single Sign-On server and 3scale:

2.2. Configure Red Hat Single Sign-On

  1. Create a realm
  2. Create a client:

    1. Specify a client ID
    2. Select the openid-connect client protocol
  3. Configure client permissions, setting the following:

    1. Access Type to confidential
    2. Standard Flow Enabled to OFF
    3. Direct Access Grants Enabled to OFF
    4. Service Accounts Enabled to ON
  4. Set service account roles for your client

    1. Navigate to the service account roles tab of your client
    2. In the client roles dropdown, select realm management
    3. In the available roles pane, select the manage-clients list item and assign the role by clicking Add Roles
  5. Note client credentials

    1. Take note of the client ID
    2. Navigate to the Credentials tab of your client and take note of the secret

2.3. Configure 3scale

Once you have created and configured a server and client in Red Hat Single Sign-On, you must configure 3scale to work with Red Hat Single Sign-On:

  1. Enable OIDC

    1. Select the service on which you want to enable Red Hat Single Sign-On, navigate to the APIs → <your_service_name> → integration page
    2. On that page, select edit integration settings
    3. Under the Authentication deployment options, select OpenID Connect
    4. Update the service
  2. Edit Your APIcast Configuration

    1. navigate to the APIs → <your_service_name> → integration page
    2. On that page, select edit APIcast configuration
    3. Under the Authentication Settings expandable heading, in the OpenID Connect Issuer field, enter your previously noted client credentials with the URL of your Red Hat Single Sign-On server:

      https://<CLIENT_ID>:<CLIENT_SECRET>@<HOST>:<PORT>/auth/realms/<REALM_NAME>
    4. Save your configuration

2.4. Test Integration

Peform the following procedures in 3scale and verify the results in Red Hat Single Sign-On to test your integration:

3scale ProcedureRed Hat Single Sign-On Result

Create an application for the service where you configured the OpenID Connect Issuer. Note the Client ID and client secret generated for the application

The new client appears in the Red Hat Single Sign-On realm you are using

Change the Redirect URL on the application in 3Scale

The Redirect URL was updated

Delete the application

The client is deleted from the realm