api_contracts_and_keys
Only public APIs can be accessed by any consumer. The only way for a client to consume a private API is through an API contract. An API contract links a client to an API via a plan that the API offers. Contracts can only be created between clients and published APIs that are offered through at least one plan; a contract cannot be created between a client and a public API.

When a client version is created, the system generates a unique API Key. The key is unique per client version and shared by all contracts of that version. Every request the client sends to the API through the gateway must include this API Key; the gateway uses it to identify the calling client version.
However, the API Key is not a security feature. API Keys are neither encrypted nor hidden: anyone who can read a request can read the key it carries.

API Keys therefore need to be handled securely. Otherwise an attacker who obtains a key can present it to the gateway and gain access to your system.
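As an added illustration of what "handling the key securely" means on the client side (this is example code, not part of Scheer PAS), the snippet below loads the key from the environment instead of source, and scrubs API Keys and bearer tokens from log output before any handler writes them. The header name `X-API-Key`, the query parameter names and the environment variable `PAS_API_KEY` are assumptions made for the example.

```python
"""Added example (not Scheer PAS code): keep a client version's API Key out of
source code and out of log files. The header name, query parameter names and
environment variable below are assumptions for this illustration."""
import logging
import os
import re

# ASSUMPTION: the header the gateway reads the client version's key from.
API_KEY_HEADER = "X-API-Key"

# Places where a key or token typically leaks into log text: the key header,
# the Authorization header, and a query parameter carrying the key.
_SECRET_PATTERNS = [
    re.compile(r"(?i)(" + re.escape(API_KEY_HEADER) + r"\s*[:=]\s*)(\S+)"),
    re.compile(r"(?i)(authorization\s*[:=]\s*bearer\s+)(\S+)"),
    re.compile(r"(?i)([?&](?:apikey|api_key)=)([^&\s]+)"),
]


def redact(text: str) -> str:
    """Replace the secret part of each match and keep the surrounding context."""
    for pattern in _SECRET_PATTERNS:
        text = pattern.sub(lambda m: m.group(1) + "<redacted>", text)
    return text


class RedactingFilter(logging.Filter):
    """Scrubs the message and its string arguments before a record reaches a handler.
    Attach it to handlers, not only to a logger: logger filters apply only to
    records created on that logger, handler filters to everything they emit."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, str):
            record.msg = redact(record.msg)
        if isinstance(record.args, tuple):
            record.args = tuple(redact(a) if isinstance(a, str) else a for a in record.args)
        elif isinstance(record.args, dict):
            record.args = {k: (redact(v) if isinstance(v, str) else v) for k, v in record.args.items()}
        return True


def redacted_message(msg: str, *args) -> str:
    """Run one record through the filter and return the text a handler would see."""
    record = logging.LogRecord("gateway-client", logging.INFO, "", 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


def load_api_key(env_var: str = "PAS_API_KEY") -> str:
    """ASSUMPTION: the key is injected through this environment variable (or a
    secret store) at deployment time and is never committed with the client."""
    key = os.environ.get(env_var, "").strip()
    if not key:
        raise RuntimeError(f"{env_var} is not set; refusing to call the gateway without the API Key")
    return key


def request_headers(api_key: str) -> dict:
    """Headers for a call through the gateway. The key only identifies the
    client version; it is not a credential, so pair it with real authentication."""
    return {API_KEY_HEADER: api_key, "Accept": "application/json"}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for handler in logging.getLogger().handlers:
        handler.addFilter(RedactingFilter())
    # Constructed sample values; nothing here is a real key.
    logging.info("sending %s with %s", "GET /acme-test/gateway/test/hello/1.0",
                 f"{API_KEY_HEADER}: 4f2a9c1e-example")
```

Use `redacted_message` to check the filter against your own log format before relying on it; anything that formats headers differently (JSON access logs, for example) needs its own pattern.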
DEPRECATED: unable_to_render_definition
Delete when API Guide 24.1 is published.
keycloak_tokens_get_secret
...
Working with Keycloak Tokens
With PAS 23.1.1, the Scheer PAS installation comes with the default Keycloak client api-management-oauth. Keycloak clients are entities that can ask Keycloak to authenticate a user. In most cases they are applications and services that use Keycloak to secure themselves and to provide single sign-on. A client can also be an entity that only requests identity information or an access token so that it can securely invoke other services on the network.
If you use the Keycloak OAuth policy, we recommend checking against the default client api-management-oauth.
How to Get the Secret
To retrieve a Keycloak token, you need the secret of the client you use. Treat it like any other credential: store it in a secret store or environment variable, not in client code or in the API call history.
...
keycloak_tokens_retrieve_token
...
Keycloak's token exchange is a very loose implementation of the IETF OAuth Token Exchange specification. It is a simple grant call on the OpenID Connect token endpoint of a realm and accepts form parameters. The client_secret parameter is required for clients that authenticate with form parameters and use a client secret as their credential. A list of all form parameters can be found in the official Keycloak documentation under Form parameters. The token URL is composed as follows:
Send your request to the token URL. Example:
...
A successful response from an exchange call returns the HTTP 200 response code with a content type that depends on the
How to Use the Token for a Request
You have to send the received token with each request as authorization header. If you use the PAS internal request UI (Swagger UI), the token is set automatically.
Example:
curl --location 'https://scheer-acme.com/acme-test/gateway/test/hello-oauth/1.0' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
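The following added example (not Scheer PAS or Keycloak project code) ties the two steps above together in code: it builds the form-parameter POST to a realm's OpenID Connect token endpoint with client_id and client_secret, sends the resulting access token as the Authorization: Bearer header exactly as the curl call does, and decodes the token's claims so the client can tell whether a cached token is still worth reusing. The host, realm, endpoint layout and the X-API-Key header for private APIs are assumptions; the token decoded at the end is the demo token shown in the curl example.

```python
"""Added example (not Scheer PAS or Keycloak project code): request a Keycloak
access token with form parameters, send it as a Bearer header, and inspect its
claims before reuse. Host, realm, endpoint layout and header names are assumptions."""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Optional


def token_url(base_url: str, realm: str) -> str:
    """ASSUMPTION: standard Keycloak layout. If the server is mounted under a
    prefix such as /auth, include that prefix in base_url."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def token_request(base_url: str, realm: str, client_id: str, client_secret: str,
                  username: Optional[str] = None,
                  password: Optional[str] = None) -> urllib.request.Request:
    """POST with form parameters. client_secret is required because the client
    authenticates with form parameters and a secret. Without a username the
    client_credentials grant is used (the client acts as itself); with one,
    the password grant (the client obtains a token for that user)."""
    form = {"client_id": client_id, "client_secret": client_secret}
    if username is None:
        form["grant_type"] = "client_credentials"
    else:
        form.update(grant_type="password", username=username, password=password or "")
    return urllib.request.Request(
        token_url(base_url, realm),
        data=urllib.parse.urlencode(form).encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def fetch_access_token(req: urllib.request.Request) -> str:
    """A 200 response carries a JSON body; access_token is the value to send on."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def api_request(api_url: str, access_token: str,
                api_key: Optional[str] = None) -> urllib.request.Request:
    """The same call as the curl example: Authorization: Bearer <token>.
    ASSUMPTION: for a private API the client version's API Key travels in X-API-Key."""
    headers = {"Authorization": f"Bearer {access_token}"}
    if api_key:
        headers["X-API-Key"] = api_key
    return urllib.request.Request(api_url, headers=headers, method="GET")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWS. This does NOT verify the signature;
    only the gateway, which holds the realm's public keys, can do that. The
    client reads claims solely to decide whether to reuse or refresh a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def claims_usable(claims: dict, now: Optional[float] = None, skew: int = 30) -> bool:
    """Reuse a token only if exp is present and still at least `skew` seconds
    away. Keycloak access tokens always carry exp, so a missing claim means the
    value is not an access token issued by the realm."""
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return False
    current = time.time() if now is None else now
    return exp - skew > current


def token_usable(token: str, now: Optional[float] = None) -> bool:
    return claims_usable(jwt_claims(token), now)


# The token shown in the curl example above (the public jwt.io demo token).
SAMPLE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
                "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
                "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")

if __name__ == "__main__":
    # Constructed values; host, realm and secret are placeholders.
    req = token_request("https://scheer-acme.com/keycloak", "acme",
                        "api-management-oauth", "<client secret>")
    print(req.get_method(), req.full_url)
    print(jwt_claims(SAMPLE_TOKEN))
    print("reusable:", token_usable(SAMPLE_TOKEN))  # False: the demo token has no exp claim
    # access_token = fetch_access_token(req)  # requires a reachable Keycloak
```

Note that the demo token on this page is rejected by `token_usable` because it has no exp claim; a token issued by the realm always has one, and checking it locally avoids sending a request that the gateway would answer with 401 anyway.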
policy_overview