Red Hat 3Scale API Management — Check the role of an authenticated user via Red Hat SSO

Li Khia
May 19, 2021

This blog shows how to use Red Hat 3Scale API Management and Red Hat SSO to check the role(s) of the logged-in user after the user has authenticated successfully, before allowing access to the API.

The steps required to install Red Hat 3Scale API Management and Red Hat SSO on OpenShift will not be covered.

Please refer to

[1] — Install Red Hat 3Scale API Management Operator

[2] — Install Red Hat SSO Operator

Please refer to sections 12.3.2 and 12.3.3 in [3] for the configuration needed to use Red Hat SSO with Red Hat 3Scale API Management for OpenID Connect authentication.

After following the steps in 12.3.2, follow these steps to add a new role and assign it to the user.

Click on [Add Role]

Set the role name to invoker and click on [Save].

Edit the user created earlier in [3] section 12.3.2: click on [Edit].

Click on the Role Mappings tab. Select Invoker and click on [Add selected].

After configuring Red Hat 3Scale to use Red Hat SSO as described in [3] section 12.3.3, do the following:

Click on Application -> Listing. Click on the Developer’s App.

Click on Edit, set its value to https://openidconnect.net/callback, and click on [Update].

Go back to the Red Hat SSO console. Click on Clients. Check that there is a new client with the same client ID as above.

Next, test the API. Before that, we need to get a JWT token with Postman. Set the URL to https://<sso url>/auth/realms/<your realm>/protocol/openid-connect/token.

Set the Body to x-www-form-urlencoded and fill in the keys and values below according to your environment. You can get the client_id and client_secret from the client (client_id 30b8c1d2) in the Red Hat SSO console. The username and password are those of the user created earlier. Click on [Send] and copy the access_token; this is the token to pass to the API in Red Hat 3scale.

In Postman, open another tab with the URL of the API in Red Hat 3scale and paste in the token from the earlier step. The call will succeed.

Let’s decode this access token via https://jwt.io/. You can see Invoker as one of the roles.

Go back to Red Hat 3Scale Console. Click on Add Policy.

Click on RH-SSO/Keycloak Role Check.

Click on RH-SSO/Keycloak Role Check again and click on + below scopes.

Set the resource to the path of the API, click on +, set both How to evaluate ‘resource’ and How to evaluate ‘name’ to value, and set Name to Invoker (the name of the role you set earlier).

Click on [Update Policy] and [Update Policy Chain].

Try again with the same user, who has the Invoker role. The call will succeed.

Use another user without the Invoker role. The call will fail with an authentication failure.
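As an added example (not code from this post or from 3scale), the check the RH-SSO/Keycloak Role Check policy performs can be modelled in Python: the token's signature and expiry are verified before any claim is trusted, realm roles are read from the realm_access.roles claim that jwt.io displayed above, and the request passes only when its path matches a configured scope and the token carries one of that scope's roles. The HS256 demo key, the prefix path match and the scope layout are assumptions made so the example runs offline; Keycloak signs access tokens with RS256, and the gateway verifies them against the realm's public key.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key. Keycloak signs access tokens with RS256; a gateway verifies them
# against the realm's public key. HS256 is used here only so the example is self-contained.
DEMO_SECRET = b"constructed-demo-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a signed HS256 JWT carrying the given claims (demo only)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_and_decode(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Verify signature and expiry before trusting any claim; return the payload."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims

def role_check(token: str, request_path: str, scopes: list) -> bool:
    """Whitelist-style check (assumed model of the policy): pass only if a scope's resource
    matches the request path and the token's realm_access.roles contains one of its roles."""
    try:
        roles = set(verify_and_decode(token).get("realm_access", {}).get("roles", []))
    except ValueError:
        return False
    return any(request_path.startswith(s["resource"]) and roles & set(s["realm_roles"])
               for s in scopes)

# Constructed sample tokens: alice has the invoker realm role, bob does not.
SCOPES = [{"resource": "/api/orders", "realm_roles": ["invoker"]}]
ALICE = make_token({"preferred_username": "alice", "exp": time.time() + 300,
                    "realm_access": {"roles": ["invoker", "offline_access"]}})
BOB = make_token({"preferred_username": "bob", "exp": time.time() + 300,
                  "realm_access": {"roles": ["offline_access"]}})

if __name__ == "__main__":
    print(role_check(ALICE, "/api/orders/42", SCOPES))  # True
    print(role_check(BOB, "/api/orders/42", SCOPES))    # False
```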

[1]: https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.10/html/installing_3scale/install-threescale-on-openshift-guide#deploying-threescale-using-the-operator

[2]: https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.4/html/server_installation_and_configuration_guide/operator

[3]: https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.10/html/administering_the_api_gateway/openid-connect
