HOW-TO setup 3scale OpenID Connect (OIDC) Integration with RH SSO

November 21, 2017
Hugo Guerrero
Related topics:
Developer Tools
Related products:
Red Hat 3scale API Management, Red Hat Enterprise Linux


    This step-by-step guide is a follow-up to the Red Hat 3scale API Management 2.1 announcement. As many of you will know, this new version simplifies the integration between the APIcast gateway and Red Hat Single Sign-On through OpenID Connect (OIDC) for API authentication. As a result, you can now select OpenID Connect as your authentication mechanism in addition to API Key, App Key pair, and OAuth. The on-premise version also adds a new component (Zync) that synchronizes client creation into the Red Hat Single Sign-On realm.

    Introduction

    Like most guides of this type, this one is intended ONLY for local development or for demoing the new features. It is by no means intended for a production environment, as the shortcuts it takes (such as disabling Require SSL on the realm below) bypass security and high-availability recommendations.

    First, you need a running 3scale on-premise instance. I would recommend using the OpenShift CDK to set up a local environment that runs on your laptop or in a VM. If you don't have a running environment, follow my HOW-TO setup 3scale on-premise guide to set one up from scratch. Remember to increase the resources if you are deploying Red Hat Single Sign-On (RH-SSO) in the same minishift instance. The first section below sets up an RH-SSO instance from scratch; if you already have a running instance, skip to the second section, Configure RH-SSO for OpenID Connect.

    Setting up Red Hat Single Sign-On

    If you don't have a running instance of Red Hat Single Sign-On, or just want to set up an additional instance for this integration, follow the next steps.

    1. Log in to the running instance as the system:admin user:
      $ oc login -u system:admin --insecure-skip-tls-verify=true <your-master-url>
    2. If you haven't already, add the JBoss image streams:
      $ oc create -f https://raw.githubusercontent.com/jboss-openshift/application-templates/master/jboss-image-streams.json -n openshift
    3. Add the RH-SSO templates:
      $ for i in {https,mysql,mysql-persistent,postgresql,postgresql-persistent}; do oc create -f https://raw.githubusercontent.com/jboss-openshift/application-templates/master/sso/sso71-$i.json -n openshift; done
    4. Create a new project called rh-sso:
      $ oc new-project rh-sso
    5. Create the service account and the secrets for the TLS-secured route:
      $ oc create -f https://raw.githubusercontent.com/jboss-openshift/application-templates/ose-v1.4.7/secrets/sso-app-secret.json -n rh-sso
    6. Add the view role to the sso-service-account service account:
      $ oc policy add-role-to-user view system:serviceaccount:rh-sso:sso-service-account
    7. Create a new app in the project from the persistent MySQL template:
      $ oc new-app sso71-mysql-persistent -p HTTPS_NAME=jboss -p HTTPS_PASSWORD=mykeystorepass -p SSO_ADMIN_USERNAME=keyadmin -p SSO_ADMIN_PASSWORD=keypassword
    8. Most of the time this version deploys without problems, but if you notice in the web console that your SSO deployment does not start, edit the deployment configuration and change the image stream to the version available in the Red Hat Container Catalog.
    9. Open the secured route in your browser: https://secure-sso-rh-sso.<YOUR-CDK-IP>.nip.io/auth/admin/
    10. Accept the self-signed certificate.
    11. Log in to the console using username: ssoUser and password: ssoPassword (the admin credentials are whatever you passed as SSO_ADMIN_USERNAME and SSO_ADMIN_PASSWORD to the template in step 7).
    12. Done! You now have a running instance of Red Hat Single Sign-On.

    Configure RH-SSO for OpenID Connect

    Now that you have a running RH-SSO instance, a few configuration steps are needed to allow 3scale to synchronize clients into it.

    1. Create a new realm named 3scale-sso.
    2. Under the Login tab, disable Require SSL for the realm (this saves Zync from having to trust the RH-SSO self-signed certificate).
    3. Sign out.
    4. Log in to the unsecured RH-SSO web console at http://sso-rh-sso.nip.io/auth/admin/ to validate that it now works without SSL.
    5. Click on the Clients menu on the left side and click the Create button.
    6. Type 3scale-admin as the Client ID, select openid-connect as the Client Protocol and click on the Save button.
    7. This client is the service account 3scale uses to synchronize clients, so in the client settings select confidential as the Access Type, turn OFF Standard Flow Enabled and Direct Access Grants Enabled, and turn ON Service Accounts Enabled. Finally, click the Save button.
    8. If the page did not refresh automatically, refresh it. This enables the Service Account Roles tab for the client. Click on it.
    9. Select realm-management from the Client Roles.
    10. Assign the manage-clients role to the service account; this is all Zync needs to create and update clients in the realm.
    11. Finally, click on the Credentials tab and take note of the Secret. Write it down, as you will use it to configure 3scale.
    12. Add a user to the realm.
      1. Click on the Users menu on the left side of the screen and click the Add user button.
      2. Type apiUser as the Username. Click on the Save button.
      3. Click on the Credentials tab to reset the password. Type apiPassword as the New Password and Password Confirmation. Turn OFF the Temporary switch so the user is not forced to reset the password at the next login.
      4. Click on the Change password button in the pop-up dialog.
      5. Done! Now you have a user to test your integration.

    Configure 3scale Integration

    1. Log in to your 3scale admin portal.
    2. Select the service for which you want to enable OpenID Connect integration with RH-SSO: click on the APIs tab, select the Service and click on the Integration link. We are using the default API.
    3. On that page, click on edit integration settings.
    4. Under the Authentication deployment options, select OpenID Connect. Click on the Update Service button.
    5. Back in the service integration, click on edit APIcast configuration.
    6. Expand the authentication options by clicking Authentication Settings.
    7. In the OpenID Connect Issuer field, enter the client credentials you noted earlier together with the URL of your RH-SSO realm:
      http://3scale-admin:<CLIENT-SECRET>@sso-rh-sso.<YOUR-CDK-IP>.nip.io/auth/realms/3scale-sso
      Note that this value embeds the 3scale-admin client secret, so treat the issuer setting as a credential.
    8. Finally, click on the Update Staging Environment button.
    9. (OPTIONAL) Promote to Production by clicking the Promote to Production button.
    10. Create a new application so 3scale can synchronize it with RH-SSO:
      1. Go to the Developers tab and click on Developer.
      2. Click on the Applications link.
      3. Click on the Create Application link.
      4. Select an application plan from the service you are securing; in our case it is the Echo API. Type Secure App in the Name field. Type OpenID Connect Secured Application in the Description box. Finally, click on the Create Application button.
      5. Note the API Credentials. Write them down, as you will need the Client ID and the Client Secret to test your integration. Click on the Change link next to Redirect URL.
      6. We will use Postman to test our integration, so we will fill in the callback information with a fixed link. Type https://openidconnect.net/callback in the Redirect URL field. Click on the Update button.
      7. Congratulations! You now have an application to test your OpenID Connect integration.
    11. Log in to the RH-SSO console if you are not there already and click on the Clients menu. You can now check that the 3scale Zync component has created a new Client in RH-SSO. This new Client has the same ID as the Client ID shown in the 3scale admin portal.

    Test the integration

    After checking that our application client has been created in RH-SSO, we can go ahead and test the integration using Postman.

    1. Open Postman and click on create a new Request.
    2. Type Secure API in the Request Name field. Click on the + Create Collection button.
    3. Type Secure API Collection in the editable field. Click on the checkmark.
    4. Click on the Save to Secure API Collection button.
    5. Select OAuth 2.0 from the Authorization TYPE combobox.
    6. Click on the Get New Access Token button.
    7. Fill in the settings with the following information:
      • Callback URL: https://openidconnect.net/callback
      • Auth URL: http://sso-rh-sso.<YOUR-OPENSHIFT-IP>.nip.io/auth/realms/3scale-sso/protocol/openid-connect/auth
      • Access Token URL: http://sso-rh-sso.<YOUR-OPENSHIFT-IP>.nip.io/auth/realms/3scale-sso/protocol/openid-connect/token
      • Client ID: <YOUR-CLIENT-ID>
      • Client Secret: <YOUR-CLIENT-SECRET>
    8. Click on the Request Token button. You will be redirected to the RH-SSO login page. Log in with the user credentials created in the previous steps: apiUser/apiPassword.
    9. Click on the Login button.
    10. If successful, you will see a page with the generated token. Scroll to the bottom of the page and click on the Use Token button.
    11. Enter the staging endpoint URL of your secured API in the GET field.
    12. Click on the blue Send button to execute the request using the selected token. You will see the response from the Echo API.
    13. If your token has expired or is incorrect, you will get an Authorization error.
    14. Congratulations, your API is now secured using the 3scale API Management OpenID Connect integration.
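    The issuer URL from step 7 of the 3scale configuration and the token acceptance that steps 12 and 13 above exercise, as an added Python example (not 3scale, APIcast or Zync code): it splits the credential-embedding issuer into the bare realm issuer plus the auth and token endpoints Postman asks for, and applies the claim checks (issuer, expiry, requesting client) that a gateway performs on an RH-SSO access token after verifying its RS256 signature. Signature verification against the realm's JWKS is assumed to happen before these checks and is not shown; the tokens produced by make_sample_token are constructed test input, not real RH-SSO tokens.

```python
import base64
import json
from urllib.parse import unquote, urlsplit, urlunsplit


def parse_issuer(issuer_with_creds):
    """Split '<scheme>://<id>:<secret>@<host>/auth/realms/<realm>' (the issuer form
    3scale expects) into the bare issuer, the Zync credentials and the realm endpoints."""
    parts = urlsplit(issuer_with_creds)
    if not parts.username or not parts.password:
        raise ValueError("issuer URL must embed the client id and secret")
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    issuer = urlunsplit((parts.scheme, host, parts.path.rstrip("/"), "", ""))
    oidc = issuer + "/protocol/openid-connect"
    return {
        "issuer": issuer,                    # what a token's 'iss' claim must equal
        "client_id": unquote(parts.username),
        "client_secret": unquote(parts.password),
        "auth_url": oidc + "/auth",          # Postman "Auth URL"
        "token_url": oidc + "/token",        # Postman "Access Token URL"
    }


def make_sample_token(claims):
    """Constructed input for offline use only: a JWT-shaped string with a dummy
    signature. Real RH-SSO access tokens are RS256-signed by the realm key."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".sig"


def check_access_token(token, issuer, known_client_ids, now):
    """Claim checks a gateway applies after verifying the RS256 signature against
    the realm JWKS (assumed done before this). Raises ValueError on rejection."""
    try:
        _header, payload, _sig = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except ValueError as exc:
        raise ValueError("malformed JWT") from exc
    if not isinstance(claims, dict):
        raise ValueError("malformed JWT")
    if claims.get("iss") != issuer:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # 'azp' names the requesting client; a token minted for a client that Zync
    # never synchronized into 3scale must not reach the backend API.
    if claims.get("azp") not in known_client_ids:
        raise ValueError(f"client {claims.get('azp')!r} is unknown to 3scale")
    return claims
```

    Pass the Client IDs listed in the 3scale admin portal as known_client_ids; a token from any other client in the realm is refused, which is the Authorization error described in step 13.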

    Next Steps

    Now that you can secure your API using three-legged authentication with Red Hat Single Sign-On, you can leverage your organization's existing assets, such as current LDAP identities, or even federate authentication to other IdP services.

    For more information about Single Sign-On, see its product page.

    For more insight into 3scale API Management, review the following link.



    Last updated: November 2, 2023
