Important Note
This space contains files and text snippets that are used throughout the Scheer PAS documentation.
This content is not meant to be read independently from the rest of the documentation.
- Created by Annegret Bernhardt, last modified on Nov 16, 2023
Chapter | Name | Excerpt | Usage
---|---|---|---
APIs | api_contracts_and_keys | see excerpt text below |
Policies | keycloak_tokens | see excerpt text below |
Policies | policy_overview | (empty) |

Excerpt api_contracts_and_keys (chapter APIs):

Only public APIs can be accessed by any consumer. The only way for a client to consume a private API is by using an API contract. An API contract is a link between a client and an API through a plan offered by that API. API contracts can only be created between clients and published APIs that are offered through at least one plan. An API contract cannot be created between a client and a public API.

When a client version is created, the system generates a unique API Key. This key is unique per client version and the same for all contracts of this version. All requests made to the API by a client through the gateway must include this API Key. The API Key is used to create the runtime policy chain from the policies configured on the API, plan and client. You can forward the X-API-Key to the service using the API Key policy. However, you cannot define your own value for the X-API-Key, since the gateway uses the key to identify the clients.

Note that the API Key is not a security feature! API Keys are not encrypted and are visible:

So API Keys need to be handled in a secure way; otherwise attackers may be able to use the API Key to gain access to your system. By definition, API Keys are used to identify technical clients only and, subsequently, to apply the related policies. Do not use API Keys to authenticate users. Authentication should always be implemented via a dedicated security policy (see Policy Configuration > Security Policies and chapter API Security: Authentication and Authorization).

Excerpt keycloak_tokens (chapter Policies):

Working with Keycloak Tokens

With PAS 23.1.1, the Scheer PAS installation comes with the default Keycloak client api-management-oauth. Keycloak clients are entities that can request Keycloak to authenticate a user. In most cases, Keycloak clients are applications and services that want to use Keycloak to secure themselves and provide a single sign-on solution. However, clients can also be entities that just want to request identity information or an access token so that they can securely invoke other services on the network. If you use the Keycloak OAuth policy, we recommend checking against the default client api-management-oauth.

Expert Advice: If you need to create your own client in Keycloak, visit the official Keycloak documentation for further information.

How to Get the Secret

To retrieve a Keycloak token, you need to know the secret of the used client.

How to Retrieve the Keycloak Token

The token exchange in Keycloak is a very loose implementation of the IETF's OAuth Token Exchange specification. It is a simple grant call on the OpenID Connect token endpoint of a realm. It accepts form parameters (application/x-www-form-urlencoded). The client_secret parameter is required for clients that use form parameters for authentication and use a client secret as credentials. A list of all form parameters can be found in the official Keycloak documentation > Form parameters. The token URL is composed as follows:

Example:

Send your request to the token URL. Example:

Example Request

```bash
curl --location 'https://scheer-acme.com/acme-test/keycloak/realms/PAS/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'username=<username>' \
  --data-urlencode 'password=<password>' \
  --data-urlencode 'client_id=api-management-oauth' \
  --data-urlencode 'client_secret=<client-secret>' \
  --data-urlencode 'grant_type=password'
```

A successful response from an exchange call returns the HTTP 200 response code with a content type that depends on the

Example Response

```json
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
  "expires_in": 300,
  "refresh_expires_in": 7200,
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
  "token_type": "Bearer",
  "not-before-policy": 0,
  "session_state": "f5dd0490-aaf8-42f7-87b5-df0c7b1cb4a7",
  "scope": "email profile pas_user"
}
```

Expert Advice: For detailed information about the token exchange, refer to the official Keycloak documentation > Using token exchange.

How to Use the Token for a Request

You have to send the received token with each request as an Authorization header. If you use the PAS internal request UI (Swagger UI), the token is set automatically. Example:

Example API Request

```bash
curl --location 'https://scheer-acme.com/acme-test/gateway/test/hello-oauth/1.0' \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
```

Excerpt policy_overview (chapter Policies): empty.
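As an added example that is not part of the Scheer PAS documentation, the following Python models the separation both excerpts describe: the X-API-Key only identifies the client version and selects its policy chain, while the user is authenticated by the Keycloak bearer token sent in the Authorization header. The client name, API key, policy names and signing secret are constructed; the token is an HS256-signed stand-in, whereas real Keycloak access tokens are RS256-signed and would be verified against the realm's public key.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data: one client version with its contract policies and a
# placeholder HS256 secret. Real Keycloak access tokens are RS256-signed and would
# be verified against the realm's public key instead.
API_KEYS = {"c0ffee-client-v1": {"client": "acme-app/1.0", "policies": ["RateLimit", "KeycloakOAuth"]}}
SIGNING_SECRET = b"placeholder-hs256-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(sub: str, now: int, ttl: int = 300) -> str:
    """Constructed stand-in for the access_token returned by the token endpoint."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": sub, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token: str, now: int):
    # Returns the claims when signature and expiry are valid, otherwise None.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(payload))
    return claims if claims.get("exp", 0) > now else None

def gateway_dispatch(headers: dict, now: int) -> tuple:
    """X-API-Key selects the client and its policy chain; only the bearer token says who the user is."""
    client = API_KEYS.get(headers.get("X-API-Key", ""))
    if client is None:
        return 401, "unknown client: no contract for this API key"
    if "KeycloakOAuth" not in client["policies"]:
        return 200, f"client={client['client']} (no user authentication policy)"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token: the API key alone does not authenticate a user"
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return 401, "invalid or expired token"
    return 200, f"client={client['client']} user={claims['sub']}"
```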