Securing 3scale API Gateway


3scale API Management makes it easy to manage your APIs: share, secure, distribute, control, and monetize them on an infrastructure platform built for performance. In this article I will cover how to secure a 3scale API with Keycloak SSO and route the calls to the microservices.

Prerequisite: install 3scale on OpenShift by following this article: https://developers.redhat.com/blog/2017/05/22/how-to-setup-a-3scale-amp-on-premise-all-in-one-install/

Once installed, log in to 3scale. A default ECHO-TEST API will already be configured.

In this article we will create a new API:

Go to Configuration and select APIcast as the gateway:

Select OpenID as the authentication method:

Define the mapping rule here. It should match the context path of the application. For example, all our Spring Boot projects share the context path /geeks18/, so APIcast will forward any request whose path starts with /geeks18 after the domain name.

The private base URL does not matter here, as we will route requests based on the URI context.

Make a note of the staging public base URL, as this route needs to be exposed in the OpenShift cluster.

Enter the Keycloak client details here. We created service-client in one of the previous articles:

Then add these three policies to the policy chain:

Upstream Policy

Here we enter the regular expression for the recipe-service URI. It is /geeks18/recipe for all requests to recipe-service; APIcast routes a request to the upstream whose regex matches it. Also note the URL: this is the URL of recipe-service as deployed in OpenShift.

We will write this policy only for user-service and recipe-service.

We do not need it for the recipe-cost service because it is an internal service and will not be exposed to any third-party app. The recipe-cost microservice can be called directly by its service name, “recipe-cost”, from recipe-service; OpenShift performs service discovery for all microservices by default through the underlying Kubernetes Services.

CORS Policy

We need to enable cross-origin request handling, as the client applications will invoke the API from a different origin. We need to tell 3scale which methods, headers and origins requests are going to carry.

I wanted to enable it for any origin with ‘*’, but it did not work for me. However, if I keep it blank, I saw it working. Not sure if it is a bug or not.
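The upstream and CORS policies described above, assembled into the JSON policy chain shape that APIcast keeps in the product configuration, with a small first-match router so the regexes can be checked before they are deployed. This is an added example, not the article's configuration: the in-cluster service hostnames, the Angular app's origin and the anchored form of the regexes are assumptions, and the behaviour modelled for a blank allow_origin (the gateway reflecting the request's own Origin header, which is why a blank field accepts every origin) is assumed here from the policy's default rather than taken from the article.

```python
import json
import re

# Constructed values: the in-cluster service hostnames and the Angular app's
# origin are assumptions, not values taken from the article.
RECIPE_UPSTREAM = "http://recipe-service:8080"
USER_UPSTREAM = "http://user-service:8080"
APP_ORIGIN = "https://app.geeks18.example"

# Policy chain in the shape APIcast keeps it in the product configuration.
# Upstream rules are tried in order and the first matching regex wins, so the
# regexes are anchored with "(/|$)": a bare "^/geeks18/recipe" would also
# match a path such as "/geeks18/recipe-cost" (assuming recipe-cost also sits
# under /geeks18/), and that service is meant to stay internal.
POLICY_CHAIN = [
    {
        "name": "upstream",
        "version": "builtin",
        "configuration": {
            "rules": [
                {"regex": "^/geeks18/recipe(/|$)", "url": RECIPE_UPSTREAM},
                {"regex": "^/geeks18/user(/|$)", "url": USER_UPSTREAM},
            ]
        },
    },
    {
        "name": "cors",
        "version": "builtin",
        "configuration": {
            "allow_methods": ["GET", "POST", "OPTIONS"],
            "allow_headers": ["Authorization", "Content-Type"],
            "allow_origin": APP_ORIGIN,
            "allow_credentials": False,
        },
    },
]


def policy_config(name, chain=POLICY_CHAIN):
    """Return the configuration block of the named policy in the chain."""
    return next(p["configuration"] for p in chain if p["name"] == name)


def route(path, chain=POLICY_CHAIN):
    """Upstream URL chosen for a request path, or None when no rule matches.
    An unmatched path is not rejected by the upstream policy: APIcast sends
    it to the API's private base URL instead, so every path the mapping
    rule lets through should be covered by a rule here."""
    for rule in policy_config("upstream", chain)["rules"]:
        if re.search(rule["regex"], path):
            return rule["url"]
    return None


def cors_header(request_origin, cors_config):
    """Access-Control-Allow-Origin value the gateway would send.
    Assumption: when allow_origin is left blank the policy reflects the
    request's own Origin header, which is why a blank field behaves like
    "*" from the browser's point of view."""
    return cors_config.get("allow_origin") or request_origin


def browser_permits(header_value, request_origin):
    """The browser's side of CORS: the response is readable only when the
    header names this origin exactly or is the wildcard."""
    return header_value == "*" or header_value == request_origin


if __name__ == "__main__":
    print(json.dumps(POLICY_CHAIN, indent=2))
    for p in ("/geeks18/recipe/42", "/geeks18/user/login", "/geeks18/recipe-cost/42"):
        print(f"{p:28} -> {route(p)}")
    blank = {}  # a CORS policy with allow_origin left empty
    for origin in (APP_ORIGIN, "https://other.example"):
        strict = browser_permits(cors_header(origin, policy_config("cors")), origin)
        open_ = browser_permits(cors_header(origin, blank), origin)
        print(f"{origin}: configured origin -> {strict}, blank origin -> {open_}")
```

Running the script prints the chain JSON and shows that only the two public services get an upstream, that a recipe-cost path falls through to the private base URL rather than to the internal service, and that a blank allow_origin lets every origin read the response while a configured origin restricts it to the Angular app.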

Our API configuration is done. Now we will create an Application Plan named “recipe-app” and publish it.

You can set up metrics with the application plan if you wish.

Select the developer account for which the applications will be created:

Create an Application

Name the application “recipe” and select the application plan created earlier, “recipe-app”.

Now your API gateway is ready with the proper application plan and metrics to monitor. Make a note of the client ID and client secret; we will use them from Postman.

Verify in Keycloak that the client ID was created:

From the Angular app, we will reference this client ID (c5912b69) and secret, which will be authenticated in Keycloak.

Let's validate the 3scale API from Postman:

Enter the client ID as c5912b69.

The client secret is available in the Credentials tab:
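The Postman check above, as an added script that is not the article's code: it obtains a token from Keycloak with the application's client credentials, inspects the claims APIcast looks at before forwarding a request, and calls the staging route with a Bearer token. The Keycloak host, realm name and staging hostname are assumptions; the client ID c5912b69 is the one from the article, and the secret is a placeholder for the value on the Credentials tab. That APIcast links a token to the 3scale application through the azp claim (aud when azp is absent) is assumed here, not stated by the article.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Constructed values: the Keycloak host, realm and staging hostname are
# assumptions. The client id is the one shown in the article; the secret is
# a placeholder for the value on the application's Credentials tab.
KEYCLOAK_BASE = "https://sso.example.com/auth"  # Keycloak releases of that era serve under /auth
REALM = "geeks18"
CLIENT_ID = "c5912b69"
CLIENT_SECRET = "<client secret from the Credentials tab>"
STAGING_BASE = "https://recipe-api-3scale-apicast-staging.example.com"


def token_endpoint(base=KEYCLOAK_BASE, realm=REALM):
    """Keycloak's OpenID Connect token endpoint for the realm."""
    return f"{base}/realms/{realm}/protocol/openid-connect/token"


def expected_issuer(base=KEYCLOAK_BASE, realm=REALM):
    """Issuer URL that was entered as the OpenID Connect issuer in 3scale."""
    return f"{base}/realms/{realm}"


def fetch_access_token():
    """Client-credentials grant: the same request Postman's OAuth 2.0 helper sends."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }).encode()
    req = urllib.request.Request(token_endpoint(), data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sample_token(claims):
    """Unsigned JWT carrying the given claims, for offline inspection only.
    APIcast would reject it: it verifies the signature with Keycloak's keys."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(jwt):
    """Payload of a JWT, decoded without verification (inspection only)."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_unb64url(payload))


def token_problems(claims, expected_client=CLIENT_ID, now=None):
    """Reasons APIcast would answer 403 before the request reaches the service.
    Assumption: APIcast matches the azp claim (aud when azp is absent) to the
    client id of a 3scale application, checks the issuer and rejects expired tokens."""
    now = time.time() if now is None else now
    problems = []
    party = claims.get("azp", claims.get("aud"))
    if party != expected_client:
        problems.append(f"azp/aud is {party!r}, not the application's client id")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    if claims.get("iss") != expected_issuer():
        problems.append("issuer does not match the realm configured in 3scale")
    return problems


def call_api(token, path="/geeks18/recipe"):
    """Call the staging route the way Postman does: Bearer token in Authorization."""
    req = urllib.request.Request(STAGING_BASE + path)
    req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Offline demonstration with a constructed token; replace it with
    # fetch_access_token() once the placeholders point at real hosts, then
    # pass the token to call_api().
    token = sample_token({"azp": CLIENT_ID, "iss": expected_issuer(), "exp": int(time.time()) + 300})
    claims = decode_claims(token)
    print("claims:", claims)
    print("problems:", token_problems(claims) or "none")
```

When the gateway answers 403 for a token that Keycloak happily issued, running the token through token_problems usually points at the cause: a token minted for a different Keycloak client than the one 3scale created for the application, a realm that differs from the issuer entered in 3scale, or a short-lived token that expired between Postman's token request and the API call.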

This is how all our microservices are now secured with Keycloak and gated by the 3scale APIcast gateway.

In the next article we will complete the end-to-end design by invoking 3scale from the Angular app.

Copyright © 2020 Geeks 18
