Create an API in OpenShift API Management to be configured using OpenID Connect

In this part of the learning resource, you will configure an API on Red Hat OpenShift API Management and secure it with OpenID Connect. The backend for this new API is the Quarkus application that you used in previous labs.

  1. Log in to OpenShift API Management as discussed in the previous parts.
  2. Navigate to the dashboard, select the Products tab, and click Create Product (Figure 21).
Figure 21: Create a new product.

 

  1. On the New Product page (Figure 22):
    • Select Define manually.
    • Enter a Name of RHOAM API OIDC.
    • Enter a System Name of rhoam_api_oidc.
Figure 22: Choose to add the new product manually.

 

  1. Select Create Product to complete creation of the product. You will be taken to the product details page (Figure 23).
Figure 23: The overview page of the newly created product lists its details.

 

  1. Choose Create Application Plan to create a plan for the new API, enter the following details, and click Create Application Plan (Figure 23):
    • Name: RHOAM OIDC Basic Plan
    • System Name: rhoam_oidc/basic
Figure 24: The “Create new Application Plan” wizard lets you fill out fields to specify parameters.

 

  1. Publish the application plan (Figure 25).
Figure 25: Publish the new application plan.

 

  1. Add a backend to the API by clicking the Integration→Backends link in the menu. On the backend page, click Add Backend (Figure 26). 
Figure 26: Add a backend on the Backend page of the product.

 

  1. Select the rhoam-quarkus-openapi Backend backend and set the path to /. Click Add to Product (Figure 27) to add the backend to the API (Figure 28).
Figure 27: Choose the backend and add it to the product.

 

Figure 28: The new backend has been successfully added.

 

  1. The default mapping rules allow all GET operations, which is sufficient for this learning resource. Navigate to the Settings page under Integration and make the following selections (Figure 29):
    • Select APIcast 3scale managed.
    • Leave Staging Public Base URL and Production Public Base URL at their default values.
Figure 29: Ensure that the deployment is APIcast 3scale managed.

 

  1. In the Authentication section, select OpenID Connect (Figure 30).
Figure 30: Ensure that the authentication is OpenID Connect.

 

  1. Scroll down and fill in the details for the authentication settings:
    • Set the OpenID Connect Issuer Type to Red Hat Single Sign-On.
    • Set the value of OpenID Connect Issuer to the URL of your realm’s SSO server, to which you add the information needed for authentication. The structure of the URL is:
      https://<ZYNC_SSO_CLIENT_ID>:<ZYNC_SSO_CLIENT_SECRET>@<RHSSO_HOSTNAME>/auth/realms/<SSO_REALM>

The values you fill in to this URL are:

  • <ZYNC_SSO_CLIENT_ID>: Client ID of the SSO client you created in the previous part of this learning resource.
  • <ZYNC_SSO_CLIENT_SECRET>: Client secret of the SSO client you created in the previous part of this learning resource.
  • <RHSSO_HOSTNAME>: Host name of the SSO server. This name looks something like: keycloak-redhat-rhoam-user-sso.apps.<OPENSHIFT_BASE_URL>
  • <SSO_REALM>: Name of the realm you created in Part 3.

 

An example of a valid URL is:

https://zync-sso:49ddbd02-680f-4e26-97dc-deeb441cbb4b@keycloak-redhat-rhoam-user-sso.apps.rhoam-sb-eu1.aut6.p1.openshiftapps.com/auth/realms/rhoam-demo

This URL serves the following purposes:

  • It provides Zync with the URL to add or update SSO clients in Red Hat’s SSO.
  • It provides APIcast with the URL to Red Hat’s SSO to retrieve the public key of the SSO realm in order to verify the JSON Web Token (JWT) used during authentication.

 

  • In the OIDC AUTHORIZATION FLOW section, ensure that the Authorization Code Flow checkbox is checked (Figure 31).
Figure 31: Enable the Authorization Code Flow.

 

  • Scroll down and change the Credentials Location to As HTTP Headers (Figure 32).
Figure 32: Credentials are located in the HTTP headers.


Click Update Product at the bottom of the page to update the settings.
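
The OpenID Connect Issuer URL from the authentication settings above embeds the client secret, so it helps to assemble it with percent-encoding and to keep a credential-free form for logs and tickets. The following Python sketch is an added example, not part of the original tutorial or of OpenShift API Management. The function names and sample values are assumptions, and the discovery path is the standard OpenID Connect Discovery location.

```python
from urllib.parse import quote, unquote, urlsplit, urlunsplit

REALM_PREFIX = "/auth/realms/"  # path layout shown in the tutorial's URL


def build_issuer_url(client_id, client_secret, sso_host, realm):
    """Assemble https://<id>:<secret>@<host>/auth/realms/<realm>."""
    if not all((client_id, client_secret, sso_host, realm)):
        raise ValueError("client id, secret, host and realm are all required")
    if any(c in sso_host for c in "/@ "):
        raise ValueError("sso_host must be a bare host name")
    # Percent-encode so ':', '@' or '/' inside a secret cannot shift the
    # boundary between credentials and host.
    userinfo = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return f"https://{userinfo}@{sso_host}{REALM_PREFIX}{quote(realm, safe='')}"


def inspect_issuer_url(url):
    """Validate an issuer URL and return credential-free views of it."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("issuer must use https: it carries a client secret")
    if not parts.username or not parts.password:
        raise ValueError("issuer must embed <client_id>:<client_secret>")
    path = parts.path.rstrip("/")
    if not path.startswith(REALM_PREFIX) or "/" in path[len(REALM_PREFIX):]:
        raise ValueError("path must be /auth/realms/<realm>")
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    public = urlunsplit(("https", host, path, "", ""))
    return {
        "client_id": unquote(parts.username),
        "public_issuer": public,  # safe to log or paste into a ticket
        "discovery_url": public + "/.well-known/openid-configuration",
        "redacted": f"https://{parts.username}:***@{host}{path}",
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from a real cluster.
    url = build_issuer_url("zync-sso", "s3cr/t:p@ss", "sso.example.test", "demo")
    for key, value in inspect_issuer_url(url).items():
        print(f"{key}: {value}")
```
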