Create an API in OpenShift API Management to be configured using OpenID Connect
In this part of the learning resource, you will configure an API on Red Hat OpenShift API Management and secure it with OpenID Connect. The backend for this new API is the Quarkus application that you used in previous labs.
- Log in to OpenShift API Management as discussed in the previous parts.
- Navigate to the dashboard, select the Products tab, and click Create Product (Figure 21).
- On the New Product page (Figure 22):
- Select Define manually.
- Enter a Name of RHOAM API OIDC.
- Enter a System Name of rhoam_api_oidc.
- Select Create Product to complete creation of the product. You will be taken to the product details page (Figure 23).
- Choose Create Application Plan to create a plan for the new API, enter the following details, and click Create Application Plan (Figure 23):
- Name: RHOAM OIDC Basic Plan
- System Name: rhoam_oidc/basic
- Publish the application plan (Figure 25).
- Add a backend to the API by clicking the Integration→Backends link in the menu. On the backend page, click Add Backend (Figure 26).
- Select the rhoam-quarkus-openapi Backend backend and set the path to /. Click Add to Product (Figure 27) to add the backend to the API (Figure 28).
- The default mapping rules allow all GET operations, which is sufficient for this learning resource. Navigate to the Settings page under Integration and make the following selections (Figure 29):
- Select APIcast 3scale managed.
- Leave Staging Public Base URL and Production Public Base URL at their default values.
- In the Authentication section, select OpenID Connect (Figure 30).
- Scroll down and fill in the details for the authentication settings:
- Set the OpenID Connect Issuer Type to Red Hat Single Sign-On.
- Set the value of OpenID Connect Issuer to the URL of your realm’s SSO server, to which you add the information needed for authentication. The structure of the URL is:
The values you fill into this URL are:
- <ZYNC_SSO_CLIENT_ID>: Client ID of the SSO client you created in the previous part of this learning resource.
- <ZYNC_SSO_CLIENT_SECRET>: Client secret of the SSO client you created in the previous part of this learning resource.
- <RHSSO_HOSTNAME>: Host name of the SSO server. This name looks something like: SSO_REALMkeycloak-redhat-rhoam-user-sso.apps.<OPENSHIFT_BASE_URL>
- <SSO_REALM>: Name of the realm you created in Part 3.
An example of a valid URL is:
This URL serves the following purposes:
- It provides Zync with the URL to add or update SSO clients in Red Hat’s SSO.
- It provides APIcast with the URL to Red Hat’s SSO to retrieve the public key of the SSO realm in order to verify the JSON Web Token (JWT) used during authentication.
- In the OIDC AUTHORIZATION FLOW section, ensure that the Authorization Code Flow checkbox is checked (Figure 31).
- Scroll down and change the Credentials Location to As HTTP Headers (Figure 32).
Click Update Product at the bottom of the page to update the settings.
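The OpenID Connect Issuer value entered above carries the client secret inside the URL, so it is worth validating it before saving and redacting it before it lands in a log or ticket. The following is an added example, not code from this learning resource or from Red Hat: `split_issuer`, the sample URL, and the `https://<ZYNC_SSO_CLIENT_ID>:<ZYNC_SSO_CLIENT_SECRET>@<RHSSO_HOSTNAME>/auth/realms/<SSO_REALM>` layout it checks are assumptions, since the page's own URL template is not shown.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

# Assumption: RH-SSO 7.x realm path; the page's own URL template is not shown.
REALM_PREFIX = "/auth/realms/"

# Constructed sample value, not a real client or cluster.
SAMPLE = ("https://zync-client:s3cr3t%2Fvalue@"
          "keycloak-redhat-rhoam-user-sso.apps.example.com/auth/realms/rhoam-realm")


def split_issuer(url):
    """Validate an issuer URL with embedded client credentials and split it."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("issuer must use https")
    if not parts.username or not parts.password:
        raise ValueError("client ID and client secret are both required")
    if not parts.hostname:
        raise ValueError("missing SSO host name")
    if parts.query or parts.fragment:
        raise ValueError("issuer must not carry a query or fragment")
    path = parts.path.rstrip("/")
    realm = path[len(REALM_PREFIX):] if path.startswith(REALM_PREFIX) else ""
    if not realm or "/" in realm:
        raise ValueError("path must be " + REALM_PREFIX + "<SSO_REALM>")
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    issuer = urlunsplit(("https", host, path, "", ""))
    return {
        # Credentials half: what Zync needs to add or update SSO clients.
        "client_id": unquote(parts.username),
        "client_secret": unquote(parts.password),
        "realm": realm,
        # Issuer half: where the realm publishes its metadata and keys.
        "issuer": issuer,
        # Standard OIDC discovery document location for that issuer.
        "discovery_url": issuer + "/.well-known/openid-configuration",
        # Safe to log or paste into a ticket.
        "redacted": urlunsplit(("https", f"{parts.username}:***@{host}", path, "", "")),
    }


if __name__ == "__main__":
    info = split_issuer(SAMPLE)
    print(info["redacted"])
    print(info["discovery_url"])
```

A secret containing reserved characters such as `/` or `@` has to be percent-encoded in the URL, which is why the sample uses `%2F` and the function decodes it.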