API First: From Zero to Hero (Part 3)

Securing the API with OpenID Connect (Authentication)

We now have end-to-end integration testing of our API, however, we also need to protect our API from unauthenticated access.

  • Build the custom Kong image from the Dockerfile we created
  • Use our generated image of Kong instead of the official image

Provisioning IAM

We need to provision the Keycloak (IAM) locally so that we can request access tokens from our client (newman) and validate them at the gateway (Kong).

make -k run-integration-tests

Enable the plugin in the API

We now have the IAM configured and provisioned along with our test suite, gateway and mock.

  1. Enable the Prometheus metrics plugin for all Routes (this setting is the default for swagger-to-kong and is defined via the kong-route-config-default.json file
  2. For Route swagger-petstore.showPetById, swagger-petstore.listPets and swagger-petstore.createPets (via the .* Regex) configure the security plugin (jwt-keycloak) already pointing to the IAM (keycloak) and also stating that the Access Token can be extracted from the HTTP Cookie oauthtoken (to facilitate integration with oidc-proxy)
  3. For Route swagger-petstore.listPets configure the additional CORS plugin.

CORS plugin

The configuration of the CORS plugin demonstrated in the previous item, was extracted directly from the Konga interface.

  1. In Konga, select the desired Service or Route and browse Plugins
  2. Click the Raw view icon (eye icon)
  3. Copy the generated JSON
  4. Remove unnecessary attributes and use JSON in the kong-route-config.json file

Configuring swagger-to-kong in the Makefile

We now need to change the Makefile to reflect the necessary changes, passing to swagger-to-kong the plugin’s configuration file:

make -k run-integration-tests

Configuring authentication on the client

For our integration test to work again, we need to configure our collection in Postman so it:

  • Have the credentials (client_id and client_secret) as a Variable in the environment localhost
  • Invoke a Pre-request Script for all operations, which will talk to the IAM (Keycloak) to negotiate the credentials for an Access Token
  • Propagate the Access Token for all operations as Header Authorization: Bearer $TOKEN
  • Use an oauthtoken cookie for one of the operations instead of the Header to propagate the Access Token
  1. Click on Manage Environments
  2. In the Popup, select the environment localhost
  3. Add the variable client_id with the value newman
  4. Add the variable client_secret with the value 5b7aad6a-9efc-4d14–9fd4–641ed48754c5
  5. Add the tenant variable with the value http://keycloak:8083/auth/realms/test/protocol/openid-connect/token
  6. Click Update to make the changes effective
  7. Export the environment as done in the step Creating an environment and exporting

Creating the Pre-script in the collection

Now we will create a pre-script directly in the Collection Swagger Petstore, which will cause it to be executed before each execution.

  1. In the Postman side navigation menu, right click on the collection Swagger Petstore and then click Edit
  2. In the popup, select the Pre-request Scripts tab
  3. Add the script below:

Configuring authentication on the collection

Now we will set up Bearer authentication directly in the Collection Swagger Petstore, which will make it used together with each run.

  1. In the Postman side navigation menu, right click on the collection Swagger Petstore and then click Edit
  2. In the popup, select the Authorization tab
  3. In the Type combo, select Bearer Token
  4. In the Token field, enter the value {{token}}
  5. Click Update to make the changes effective

Configuring authentication on requests (Bearer)

As our openapi spec is not secure, by default Postman does not define the authentication configuration, leaving it as In Auth, we have to change this configuration in all requests:

  1. In the collection Swagger Petstore, in the folder pets select the requests (List all pets and Create a pet) and one by one navigate to the tab Authorization
  2. In the TYPE combo select the type Inherit auth from parent
  3. Click Save to make the changes

Configuring authentication on requests (cookie)

We will configure one of the requests so that it uses Cookie oauthtoken to authenticate instead of Header Authorization, for this:

  1. In the collection Swagger Petstore, in the folder pets select the request Info for a specific pet and navigate to the tab Authorization
  2. In the TYPE combo select the type No Auth
  3. Navigate to the Headers tab
  4. Add a Header with KEY oauthtoken and VALUE {{token}}
  5. Click Save to make the changes effective

Exporting the collection

Now we can export the collection again, according to the steps described in Exporting the collection

Finishing

Now if everything went correctly, when executing our Makefile we will have the desired result with the API authenticated in Keycloak and validated by Kong.

  • Use Postman to import and execute definitions from an openapi spec
  • How to create automated tests (collection) from Postman and export them for execution via the command line
  • How to create API mocks with Prism
  • How to use the swagger-to-kong tool to import openapi definitions into Kong (automatically creating Service and Route)
  • How to use the swagger-to-kong tool to configure plugins in the generated routes
  • How to use newman to run the collection created in Postman
  • How to protect the API (authentication) with Keycloak, Kong + plugin jwt-keycloak and swagger-to-kong (plugins)
  • How to run integration tests with Kong + Postgres, Keycloak, Prism, swagger-to-kong and newman

Next steps

For the next steps, we will address the API authorization theme based on the Keycloak openapi x Realm roles spec, completing the API first cycle without a backend code implemented!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
3Bit Technologies

3Bit Technologies

Cloud Specialists providing professional services with DevOps, BigData, Cloud Native Applications and Security. https://www.3bit.com.br/3bit