@valerymo valerymo commented Jul 2, 2023

WHAT

Jira: https://issues.redhat.com/browse/THREESCALE-9884
Add support for OAuth2/OIDC in the OpenAPI CRD
Design issue: #842

Changes in CRDs:

openapi_types.go
config/crd/bases/capabilities.3scale.net_openapis.yaml

In the Validation section we describe how to integrate the 3scale operator with RHSSO and check the current development.

Validation

Prepare cluster (could be OSD)

Install RHSSO

  1. Create project rhsso-test
  2. Install RHSSO from OperatorHub into project rhsso-test
  3. Create Instance of RHSSO
  4. Open RHSSO portal
  5. Create a realm for the petstore product
    In RH User SSO web console:
  • Click Add realm. The Add realm page opens.
  • Set the name to petstore.
  • Click Create. The Petstore realm page opens. No changes required.
  6. Create a client for 3scale
  • In RH User SSO web console:

    • Choose Petstore realm (in top-left corner)
    • Select Configure -> Client
    • Click Create
    • Set Client ID: 3scale-zync
    • Click Save. Clients->3scale-zync page will be opened
  • Client Settings:

The 3scale-zync client settings are as in the table below:

| Parameter | Value |
|-----------|-------|
| Name | 3scale-zync |
| Client Protocol | openid-connect |
| Access Type | confidential |
| Standard Flow Enabled | Off |
| Direct Access Grants Enabled | Off |
| Service Accounts Enabled | On |
  • Click Save
  • Provide Realm-Management - manage-clients:
    • Enter Service Account Roles tab -> Client Roles
      • Choose realm-management -> manage-clients
      • Click Add selected

Install 3scale

  1. Install and run 3scale operator
cd 3scale-operator
make install
oc new-project 3scale-test
make download
make run
  2. Apply s3 secret
  • Secret example (s3-creds-secret.yaml):
kind: Secret
apiVersion: v1
metadata: 
  name: s3-credentials
  namespace: 3scale-test
data: 
  AWS_ACCESS_KEY_ID: QU12345
  AWS_SECRET_ACCESS_KEY: aU12345=
  AWS_BUCKET: dm12345=
  AWS_REGION: ZX1234==
type: Opaque
oc apply -f s3-creds-secret.yaml
  3. Apply Apimanager CR
  • Apimanager CR example (apimanagerCR.yaml);
    replace wildcardDomain with your own
apiVersion: apps.3scale.net/v1alpha1
kind: APIManager
metadata:
    name: example-apimanager
    namespace: 3scale-test
spec:
    wildcardDomain: apps.vmogilev01.cnbz.s1.devshift.org
oc apply -f apimanagerCR.yaml
  4. Apply oidc issuer client secret
    This is the secret that contains URL for issuerEndpoint.
    The secret is referenced in OpenApi CR - field issuerEndpointRef.
kind: Secret
apiVersion: v1
metadata:
  name: oidc-issuer-client-secret
  namespace: 3scale-test
# stringData takes the plain value; under data it would have to be base64-encoded
stringData:
  issuerEndpoint: https://3scale-zync:some-secret@keycloak-rhsso-test.apps.xxxxx.xxxx.s1.devshift.org/auth/realms/petstore
type: Opaque
oc apply -f oidc-issuer-client-secret.yaml
  5. Apply Openapi CR
    Openapi CR example ():
apiVersion: capabilities.3scale.net/v1beta1
kind: OpenAPI
metadata:
  generation: 1
  name: openapi-example
spec:
  openapiRef:
    url: https://raw.githubusercontent.com/valerymo/OpenAPI-Specification/test/examples/v3.0/petstore.yaml
  oidc:
    issuerType: keycloak
    issuerEndpointRef:
      name: oidc-issuer-client-secret
    jwtClaimWithClientID: azp
    jwtClaimWithClientIDType: plain
    authenticationFlow:
      standardFlowEnabled: true
      implicitFlowEnabled: true
      serviceAccountsEnabled: true
      directAccessGrantsEnabled: true
oc apply -f openapiCR.yaml

Notes

Validate 3scale Portal

Look at 3scale Portal, to see how it was configured from OpenapiCR.

  6. Product Swagger Petstore created
    • check that the new Product Swagger Petstore was created
    • check Product Integration:
      • Setting page is set according to definitions in CR, like in image below:

[Screenshot: Product Integration Settings page, 2023-07-12 18-41-16]

    • Product Integration Mapping Rules - created
    • Product Integration Backend is like `Swagger Petstore Backend:  http://petstore.swagger.io:80`
    • Configuration Page:
      Staging APIcast URL is similar to `https://swagger-petstore-3scale-apicast-staging.apps.vmogilev01.giq5.s1.devshift.org:443`

Optional validation steps (8-13):

  8. Create Application Plan and Application
    petstorePlan, petstoreApp
  9. Check Application API Credentials (Audience / Applications / Listing / petsApp)
    9.1. Note Client ID and Client Secret
    for example: Client ID abcd1234
  10. Check RHSSO - a client with the same name as the application will be created in RHSSO (if not, there is a configuration issue)
  11. Save Product and Promote to staging/production
    Product/Integration/Configuration
  12. Create Token for test.
    Example:
export SSO_CLIENT_ID=3scale-zync
export SSO_CLIENT_SECRET=vgDhfCZGAUKb7ixdI1w1f1LWcEbAVNQW
export SSO_URL=keycloak-rhsso-test.apps.vmogilev01.giq5.s1.devshift.org
export REALM_NAME=petstore
export TKN=$(curl -k -X POST \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -d "grant_type=client_credentials&client_id=${SSO_CLIENT_ID}&client_secret=${SSO_CLIENT_SECRET}" \
 https://$SSO_URL/auth/realms/${REALM_NAME}/protocol/openid-connect/token \
| sed 's/.*access_token":"//g' | sed 's/".*//g')
  13. Run a request similar to the following
    curl -v -H "Accept: application/json" -H "Authorization: Bearer $TKN" https://swagger-petstore-3scale-apicast-staging.apps.vmogilev01.giq5.s1.devshift.org

Priority of issuerEndpoint usage (issuerEndpoint vs issuerEndpointRef/Secret)

  • An unencrypted issuerEndpoint can be used for validation or other purposes.
  • If issuerEndpoint is defined, then the secret referenced by issuerEndpointRef is ignored.
  • Edit OpenAPI CR - add issuerEndpoint: https://3scale-zync:test123@keycloak-rhsso-test.apps.vmogilev01.mjhc.s1.devshift.org/auth/realms/petstore, as in example below:
apiVersion: capabilities.3scale.net/v1beta1
kind: OpenAPI
metadata:
  generation: 1
  name: openapi-example
spec:
  openapiRef:
    url: https://raw.githubusercontent.com/valerymo/OpenAPI-Specification/test/examples/v3.0/petstore.yaml
  oidc:
    issuerType: keycloak
    issuerEndpoint: https://3scale-zync:test123@keycloak-rhsso-test.apps.vmogilev01.mjhc.s1.devshift.org/auth/realms/petstore
    issuerEndpointRef:
      name: oidc-issuer-client-secret
    jwtClaimWithClientID: azp
    jwtClaimWithClientIDType: plain
    authenticationFlow:
      standardFlowEnabled: true
      implicitFlowEnabled: true
      serviceAccountsEnabled: false
      directAccessGrantsEnabled: true
oc apply -f openapiCR.yaml

OAUTH2 security scheme Validation

  1. Use following OpenAPI CR for oauth2 security scheme validation:
apiVersion: capabilities.3scale.net/v1beta1
kind: OpenAPI
metadata:
  generation: 1
  name: openapi-example
spec:
  openapiRef:
    url: https://raw.githubusercontent.com/valerymo/OpenAPI-Specification/test/examples/v3.0/petstore_oauth2.yaml
  oidc:
    issuerType: keycloak
    issuerEndpointRef:
      name: oidc-issuer-client-secret
    jwtClaimWithClientID: azp
    jwtClaimWithClientIDType: plain

Notes

  • The Swagger URL differs from the OIDC one: petstore_oauth2.yaml (see link in CR)
  • Authentication flows are defined in the Swagger file, not in the CR as they are for OIDC. A fragment from the swagger file is below:
components:
  securitySchemes:
    openId:
      type: oauth2
      flows:
        implicit:
          authorizationUrl: "https://example.com/api/oauth/dialog"
          scopes:
            write:pets: "modify pets in your account"
            read:pets: "read your pets"

For current example - implicit flow is defined in swagger file.

  • Relations between oauth2 flows and authentication flows in the 3scale portal:

    | oauth2 flow name (in swagger) | 3scale / OIDC flow name |
    |-------------------------------|-------------------------|
    | Implicit | Implicit |
    | AuthorizationCode | StandardFlowEnabled |
    | Password | DirectAccessGrantsEnabled |
    | ClientCredentials | ServiceAccountsEnabled |

    See the OpenAPI Specification for the oauth2 flows reference.
oc apply -f openapiCR_oauth2.yaml
  2. Check 3scale Portal
    Expected:
  • OpenID Connect Issuer - issuerEndpoint set as defined in the oidc-issuer-client-secret secret
  • Implicit Flow - selected, as defined in the swagger file petstore_oauth2.yaml

References

References/ help for testing
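The flow-mapping table and the issuerEndpoint precedence rule in the description above, worked through as an added Go example. This is not the 3scale operator's code: the struct and function names are assumptions, and the petstore_oauth2.yaml fragment is rendered as constructed JSON so the standard library can parse it without a YAML dependency. It also shows redacting the client secret that the issuerEndpoint URL carries in its userinfo before the value is logged or written to a status condition.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// AuthenticationFlow mirrors the authenticationFlow block of the OpenAPI CR
// from the PR description (the Go struct name is an assumption of this example).
type AuthenticationFlow struct {
	StandardFlowEnabled       bool
	ImplicitFlowEnabled       bool
	ServiceAccountsEnabled    bool
	DirectAccessGrantsEnabled bool
}

// Minimal view of an OpenAPI 3 document: components.securitySchemes with the
// oauth2 "flows" object. Only the presence of a flow key matters, so each flow
// is a raw pointer that stays nil when the key is absent.
type oauth2Flows struct {
	Implicit          *json.RawMessage `json:"implicit"`
	AuthorizationCode *json.RawMessage `json:"authorizationCode"`
	Password          *json.RawMessage `json:"password"`
	ClientCredentials *json.RawMessage `json:"clientCredentials"`
}

type securityScheme struct {
	Type  string       `json:"type"`
	Flows *oauth2Flows `json:"flows"`
}

type openAPIDoc struct {
	Components struct {
		SecuritySchemes map[string]securityScheme `json:"securitySchemes"`
	} `json:"components"`
}

// SampleImplicitDoc is the petstore_oauth2.yaml fragment from the PR, as JSON (constructed).
const SampleImplicitDoc = `{"components":{"securitySchemes":{"openId":{"type":"oauth2","flows":{"implicit":{
"authorizationUrl":"https://example.com/api/oauth/dialog",
"scopes":{"write:pets":"modify pets in your account","read:pets":"read your pets"}}}}}}}`

// SampleMultiFlowDoc is a constructed document with two oauth2 flows plus a
// non-oauth2 scheme, to show the mapping is per flow key and other schemes are ignored.
const SampleMultiFlowDoc = `{"components":{"securitySchemes":{
"apiKey":{"type":"apiKey","in":"header","name":"X-Key"},
"sso":{"type":"oauth2","flows":{
"authorizationCode":{"authorizationUrl":"https://sso.example.invalid/auth","tokenUrl":"https://sso.example.invalid/token","scopes":{}},
"clientCredentials":{"tokenUrl":"https://sso.example.invalid/token","scopes":{}}}}}}}`

// FlowsFromOAuth2 applies the table from the PR description:
// implicit -> ImplicitFlowEnabled, authorizationCode -> StandardFlowEnabled,
// password -> DirectAccessGrantsEnabled, clientCredentials -> ServiceAccountsEnabled.
// Flags are OR-ed across all oauth2 schemes; a document with none is an error.
func FlowsFromOAuth2(doc []byte) (AuthenticationFlow, error) {
	var d openAPIDoc
	if err := json.Unmarshal(doc, &d); err != nil {
		return AuthenticationFlow{}, err
	}
	var out AuthenticationFlow
	found := false
	for _, s := range d.Components.SecuritySchemes {
		if s.Type != "oauth2" || s.Flows == nil {
			continue
		}
		found = true
		out.ImplicitFlowEnabled = out.ImplicitFlowEnabled || s.Flows.Implicit != nil
		out.StandardFlowEnabled = out.StandardFlowEnabled || s.Flows.AuthorizationCode != nil
		out.DirectAccessGrantsEnabled = out.DirectAccessGrantsEnabled || s.Flows.Password != nil
		out.ServiceAccountsEnabled = out.ServiceAccountsEnabled || s.Flows.ClientCredentials != nil
	}
	if !found {
		return out, errors.New("no oauth2 security scheme with flows found")
	}
	return out, nil
}

// ResolveIssuerEndpoint implements the precedence stated in the PR: a plain
// spec.oidc.issuerEndpoint wins; otherwise the "issuerEndpoint" key of the
// secret referenced by issuerEndpointRef is used; neither present is an error.
func ResolveIssuerEndpoint(issuerEndpoint string, secretData map[string]string) (string, error) {
	if issuerEndpoint != "" {
		return issuerEndpoint, nil
	}
	if v := secretData["issuerEndpoint"]; v != "" {
		return v, nil
	}
	return "", errors.New("issuerEndpoint not set and referenced secret has no issuerEndpoint key")
}

// RedactIssuerEndpoint masks the client secret carried in the URL userinfo;
// this is the form to use in logs and status conditions.
func RedactIssuerEndpoint(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	return u.Redacted(), nil
}

func main() {
	af, err := FlowsFromOAuth2([]byte(SampleImplicitDoc))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("flows from swagger: %+v\n", af)
	// Constructed secret value in the shape of the oidc-issuer-client-secret above.
	secret := map[string]string{"issuerEndpoint": "https://3scale-zync:test123@keycloak.example.invalid/auth/realms/petstore"}
	ep, _ := ResolveIssuerEndpoint("", secret)
	safe, _ := RedactIssuerEndpoint(ep)
	fmt.Println("issuer endpoint (redacted):", safe)
}
```

Run with `go run` to see the implicit-only mapping from the petstore_oauth2.yaml fragment and the redacted issuer URL; the second sample document exercises the two remaining flow keys.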

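The CR sets `jwtClaimWithClientID: azp` with type `plain`, and validation steps 9 and 10 note the application's Client ID and check that RHSSO created a client of the same name. The added Go example below (not the operator's or APIcast's code; type and function names are assumptions) reads the claim named by the CR from a token's payload and compares it with the application's Client ID. The token is constructed in the example with a placeholder signature; the example only inspects the payload and does not verify signatures, which APIcast does against the issuer's keys.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ClientIDClaim mirrors spec.oidc.jwtClaimWithClientID and
// jwtClaimWithClientIDType from the OpenAPI CR (struct name is an assumption).
type ClientIDClaim struct {
	Name string // claim carrying the client id; "azp" in the PR's CR
	Type string // "plain": the claim value is used verbatim
}

// BuildSampleToken assembles a constructed JWT from the given payload with a
// placeholder signature. It is only input for the checks below.
func BuildSampleToken(payload map[string]any) string {
	enc := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := map[string]string{"alg": "RS256", "typ": "JWT"}
	return enc(header) + "." + enc(payload) + ".placeholder-signature"
}

// ClaimedClientID decodes the JWT payload and returns the value of the claim
// named by the CR, for claim type "plain". Other types are not handled here.
func ClaimedClientID(token string, claim ClientIDClaim) (string, error) {
	if claim.Type != "plain" {
		return "", fmt.Errorf("claim type %q not handled by this example", claim.Type)
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("token is not a three-part JWT")
	}
	// JWT segments are unpadded base64url; tolerate stray padding anyway.
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return "", fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(raw, &claims); err != nil {
		return "", fmt.Errorf("payload is not a JSON object: %w", err)
	}
	v, ok := claims[claim.Name]
	if !ok {
		return "", fmt.Errorf("claim %q missing from token", claim.Name)
	}
	s, ok := v.(string)
	if !ok {
		return "", fmt.Errorf("claim %q is not a string", claim.Name)
	}
	return s, nil
}

// MatchesApplication reports whether the token's client id equals the Client ID
// noted on the application's API Credentials page (validation steps 9-10).
func MatchesApplication(token string, claim ClientIDClaim, appClientID string) (bool, error) {
	got, err := ClaimedClientID(token, claim)
	if err != nil {
		return false, err
	}
	return got == appClientID, nil
}

func main() {
	claim := ClientIDClaim{Name: "azp", Type: "plain"}
	// Constructed payload in the shape RHSSO issues for a client_credentials grant;
	// abcd1234 is the example Client ID from the validation steps.
	tok := BuildSampleToken(map[string]any{
		"iss": "https://keycloak.example.invalid/auth/realms/petstore",
		"azp": "abcd1234",
		"aud": "account",
	})
	ok, err := MatchesApplication(tok, claim, "abcd1234")
	fmt.Println("azp matches application client id:", ok, err)
}
```

To run the same check against a real token from step 12, pass `$TKN` in place of the constructed token; a mismatch or a missing `azp` claim points at the client mapping, not at APIcast.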
@valerymo valerymo requested a review from a team as a code owner July 2, 2023 14:58
@valerymo valerymo force-pushed the THREESCALE-9884 branch 8 times, most recently from c9ba986 to b2d701b Compare July 10, 2023 04:36
@valerymo valerymo force-pushed the THREESCALE-9884 branch 3 times, most recently from dba8789 to 626c9dd Compare July 12, 2023 11:19
@valerymo valerymo changed the title [WIP] THREESCALE-9884 - Add support for OAuth2/OIDC in the OpenAPI CRD THREESCALE-9884 - Add support for OAuth2/OIDC in the OpenAPI CRD Jul 13, 2023
@valerymo valerymo changed the title THREESCALE-9884 - Add support for OAuth2/OIDC in the OpenAPI CRD [WIP]THREESCALE-9884 - Add support for OAuth2/OIDC in the OpenAPI CRD Jul 13, 2023
Member

@eguzki eguzki left a comment


IMHO the OpenAPI CRD design needs further refinement

@valerymo valerymo force-pushed the THREESCALE-9884 branch 9 times, most recently from 3734289 to a557e56 Compare July 19, 2023 09:03
Member

@eguzki eguzki left a comment


more changes requested from the documentation

@valerymo valerymo force-pushed the THREESCALE-9884 branch 2 times, most recently from 53530f8 to 88ec1bb Compare September 13, 2023 10:00
@valerymo
Contributor Author

> more changes requested from the documentation

Updated. Thank you for comments.

@valerymo
Contributor Author

Hi @eguzki , could you please review/approve. Thank you!

@valerymo
Contributor Author

@eguzki , thank you very much for comments! Updated. cc @austincunningham

@qlty-cloud-legacy

Code Climate has analyzed commit 71ff540 and detected 0 issues on this pull request.

