3scale API Management makes it easy to manage your APIs. Share, secure, distribute, control, and monetize your APIs on an infrastructure platform built for performance. In this article I will cover how to secure a 3scale API with Keycloak SSO and route the calls to a microservice.
Prerequisite: Install 3scale in OpenShift using this article: https://developers.redhat.com/blog/2017/05/22/how-to-setup-a-3scale-amp-on-premise-all-in-one-install/
Once installed, log in to 3scale. A default ECHO-TEST API will already be configured.
In this article we will create a new API:
Go to Configuration and select APIcast as the gateway:
Select OpenID as the authentication:
Specify the mapping here. This should map to the context path of the application. For example, all our Spring Boot projects share the common context path /geeks18/, so APIcast will route any request whose path starts with /geeks18 after the domain name.
The private base URL is insignificant here, as we will be routing requests based on the URI context.
Make a note of the staging public base URL, as this route needs to be open in the OpenShift cluster.
Enter the Keycloak client details here. We created service-client in one of the previous articles:
Then add these 3 policies to the policy chain:
We have to enter the regular expression for our recipe-service URI. It is /geeks18/recipe for all requests to recipe-service. APIcast routes a request based on the matching regex. Also note the URL: this is the URL of the recipe service deployed in OpenShift.
We will write this policy only for user-service and recipe-service.
We do not need it for the recipe-cost service because it is an internal service and will not be exposed to any 3rd-party app. The recipe-cost microservice can be called directly by its service name “recipe-cost” from recipe-service. By default, OpenShift handles service discovery for all microservices with the help of the underlying Kubernetes services.
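Because the routing rule is a regular expression, how tightly it is written decides which request paths reach a backend. The following added example (not from the original article or the 3scale project) models first-match regex routing in Python, assuming the gateway searches each rule's regex anywhere in the request path; the upstream URLs and the /geeks18/user pattern are made up for illustration. It compares the bare /geeks18/recipe pattern with an anchored variant on constructed sample paths, including the internal recipe-cost path.

```python
import re

# Constructed rules mirroring the article's setup; the upstream URLs and the
# /geeks18/user pattern are assumptions, not values from the article.
LOOSE_RULES = [
    ("/geeks18/recipe", "http://recipe-service:8080"),
    ("/geeks18/user", "http://user-service:8080"),
]

# Same routes, anchored at the start and closed at a path-segment boundary.
STRICT_RULES = [
    (r"^/geeks18/recipe(/|$)", "http://recipe-service:8080"),
    (r"^/geeks18/user(/|$)", "http://user-service:8080"),
]


def route(path, rules):
    """Return the upstream of the first rule whose regex is found in path.

    Assumption: unanchored search, first match wins. Returns None when no
    rule matches.
    """
    for pattern, upstream in rules:
        if re.search(pattern, path):
            return upstream
    return None


def audit(rules, paths):
    """Map each sample path to the upstream it would be routed to."""
    return {p: route(p, rules) for p in paths}


# Constructed sample request paths.
SAMPLE_PATHS = [
    "/geeks18/recipe/42",        # intended public route
    "/geeks18/user/profile",     # intended public route
    "/geeks18/recipe-cost/42",   # internal-only service path
    "/other/geeks18/recipe/42",  # different prefix, should not be routed
]

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE_RULES), ("strict", STRICT_RULES)):
        print(name)
        for path, upstream in audit(rules, SAMPLE_PATHS).items():
            print(f"  {path} -> {upstream}")
```

With the loose rules, the recipe-cost path and the foreign-prefix path are both sent to the recipe-service upstream; with the anchored rules they match nothing.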
We need to enable cross-origin request handling, as the client applications will invoke the API from a different origin. We need to let 3scale know which methods, headers and origins the requests will use.
I wanted to enable it for any origin with ‘*’, but it did not work for me. However, when I left it blank, I saw that it worked. Not sure if it is a bug or not.
Our API configuration is done. Now we will create an Application Plan, name it “recipe-app” and publish it.
You can set up metrics with the application plan if you wish.
Select the developer account for which the applications will be created:
Create an application:
Name the application “recipe” and select the application plan created earlier, “recipe-app”.
Now your API gateway is ready, with the proper application plan and metrics to monitor. Make a note of the client ID and client secret. We will use them from Postman.
Verify in Keycloak that the client ID got created:
From the Angular app, we will specify this client ID (c5912b69) and secret, which will be authenticated in Keycloak.
Let's validate the 3scale API from Postman:
Enter the client ID as c5912b69.
The client secret is present in the Credentials tab:
This is how all our microservices are now secured with Keycloak and gated by the 3scale APIcast gateway.
In the next article we will complete the end-to-end design by invoking 3scale from the Angular app.