{"id":22268161,"url":"https://github.com/curityio/3scale-openid-integration-service","last_synced_at":"2025-03-25T14:45:37.340Z","repository":{"id":74437416,"uuid":"228351344","full_name":"curityio/3scale-openid-integration-service","owner":"curityio","description":"An integration service that allows 3Scale to create OAuth clients using the Curity RESTCONF API","archived":false,"fork":false,"pushed_at":"2024-05-21T05:44:16.000Z","size":45,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-01-30T13:31:07.336Z","etag":null,"topics":["3scale","devops","oauth2","restconf"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/curityio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-12-16T09:35:20.000Z","updated_at":"2023-04-27T11:20:05.000Z","dependencies_parsed_at":"2024-12-03T11:11:51.292Z","dependency_job_id":"d85cac90-38a6-4c32-a013-36a38a51f8b9","html_url":"https://github.com/curityio/3scale-openid-integration-service","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2F3scale-openid-integration-service","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2F3scale-openid-integration-service/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2F3scale-openid-integration-service/releases","manif
ests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2F3scale-openid-integration-service/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/curityio","download_url":"https://codeload.github.com/curityio/3scale-openid-integration-service/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245486048,"owners_count":20623239,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["3scale","devops","oauth2","restconf"],"created_at":"2024-12-03T11:11:46.119Z","updated_at":"2025-03-25T14:45:32.912Z","avatar_url":"https://github.com/curityio.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"## 3Scale OpenID Integration Service\n\n[![Quality](https://img.shields.io/badge/quality-demo-red)](https://curity.io/resources/code-examples/status/)\n[![Availability](https://img.shields.io/badge/availability-source-blue)](https://curity.io/resources/code-examples/status/)\n\nThis sample Python application acts as a wrapper around 3Scale's Red Hat SSO integration with OpenID Connect.\nIt translates incoming requests to RESTCONF, which is used by Curity's configuration admin API.\n\n### Setup Explanation\n\n3Scale communicates with an OpenID provider in one of two proprietary ways:\n - [Rest API](https://github.com/3scale/zync/tree/master/examples/rest-api) (unsupported by this repository)\n - Red Hat SSO, using the ClientRepresentation found [here](https://access.redhat.com/webassets/avalon/d/red-hat-single-sign-on/version-7.0.0/restapi/) (supported by 
this repository)\n\nBoth of these ways use the OpenID issuer as the base URL. Since Curity's REST API is served on a different port than the OpenID server, those requests need to be proxied to the RESTCONF API.\n\nThis can be done in several ways; as an example, we'll use nginx. The full picture then looks like this:\n```\n+------------+            +------------+\n|   3Scale   | -------- \u003e |   Nginx    | -------------------\n+------------+            +------------+                    |\n                        8443    |                           | 8443 (\u003cissuer\u003e/clients-registrations)\n                                |                           |\n                                ↓                           ↓\n                          +------------+     6749   +-------------+   \n                          |   Curity   | \u003c -------- |   Wrapper   | \n                          +------------+            +-------------+\n```\nThe nginx configuration for this example looks like this:\n```\n        location /~/clients-registrations/default {\n            proxy_pass \"http://\u003cwrapper_host\u003e:5555\";\n        }\n\n        location / {\n            proxy_pass \"https://\u003ccurity_ip\u003e:\u003ccurity_port\u003e\";\n        }\n```\n\n### Configuration\n\nFirst, install the requirements: `pip install -r requirements.txt`\n\nEdit the server.py file and configure the corresponding values in the config section:\n```\nrestconf_api_host = \"https://localhost:6749\"        # Admin API base URL\nrestconf_api_username = \"admin\"                     # Admin user username\nrestconf_api_password = \"Password1\"                 # Admin user password\nintrospection_host = \"http://localhost:8443\"        # Curity base URL\noauth_profile_id = \"authorization\"                  # Name of the Token Profile\ndefault_scopes = \"read write\"                       # Default scopes as a space-separated string (can be empty)\nallowed_authenticators = \"html1 
bankid\"             # Allowed authenticators as a space-separated string (can be empty)\nissuer_path = \"/~\"                                  # Curity's oauth-anonymous endpoint path\nintrospection_path = \"/oauth/v2/oauth-introspect\"   # Curity's introspection endpoint path\nintrospection_client_id = \"3scale_rest_api_wrapper\" # Client ID for introspection\nintrospection_client_secret = \"Password2\"           # Client secret\nverify_ssl = True                                   # Verify the SSL certificate for introspection and the RESTCONF API\ndebug = False                                       # Run in debug mode\n```\nThe client configured in this section must be allowed to do introspection.\n\nA second client that can use the client_credentials grant is also needed. 3Scale uses this client to get an access token for further communication with this wrapper.\n\nAlternatively, the following environment variables can be set (for example, in a container environment):\n\n* ADMIN_API_BASE_URL\n* ADMIN_API_USERNAME\n* ADMIN_API_PASSWORD\n* CURITY_BASE_URL\n* OAUTH_PROFILE_ID\n* SCOPES\n* ALLOWED_AUTHENTICATORS\n* CURITY_TOKEN_ANONYMOUS_PATH\n* CURITY_INTROSPECTION_PATH\n* INTROSPECTION_CLIENT_ID\n* INTROSPECTION_CLIENT_SECRET\n* VERIFY_SSL\n* DEBUG\n\n#### Curity configuration\n- Curity's Base URL has to be the one that nginx proxies (configure it under System/General)\n- Create two clients: one for introspection, which is configured in the Python app, and one with client_credentials, which is configured in 3Scale\n- Change the token endpoint path to `\u003cissuer\u003e/token_endpoint`, because 3Scale currently has a bug where the token_endpoint is not read correctly from the OpenID metadata\n\nTo issue tokens for applications created in 3Scale, the access tokens have to be in JWT format.\nTo enable this, set the flag \"Use Access Token As JWT\" in the Token Profile/Token Issuers page.\n\n### Supported Requests\n\n1. 
Create/Update a client\n\n3Scale calls `\u003copenid_issuer\u003e/clients-registrations/default/\u003cclient_id\u003e`\n\nThis is translated to a PUT to\n`http(s)://\u003ccurity_host\u003e:\u003cadmin_port\u003e/admin/api/restconf/data/base:profiles/base:profile=\u003ctoken_profile_id\u003e,oauth-service/base:settings/profile-oauth:authorization-server/profile-oauth:client-store/profile-oauth:config-backed/client=\u003cclient_id\u003e`\n\nKeep in mind that the clients created have a basic configuration (i.e. no authenticator-filters, template-areas, etc.), so if you need more specific configuration you can modify the corresponding JSON object as needed in `server.py`.\n\n2. Delete a client\n\n3Scale calls `\u003copenid_issuer\u003e/clients-registrations/default/\u003cclient_id\u003e` with HTTP DELETE.\nThis is translated to a DELETE request on Curity's RESTCONF API:\n\n`http(s)://\u003ccurity_host\u003e:\u003cadmin_port\u003e/admin/api/restconf/data/base:profiles/base:profile=\u003ctoken_profile_id\u003e,oauth-service/base:settings/profile-oauth:authorization-server/profile-oauth:client-store/profile-oauth:config-backed/client=\u003cclient_id\u003e`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcurityio%2F3scale-openid-integration-service","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcurityio%2F3scale-openid-integration-service","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcurityio%2F3scale-openid-integration-service/lists"}