This guide explains how to enable or disable API Authentication and Authorization on the CX Tenant /cx-tenant/tenant* endpoint by using the Application Gateway (APISIX) in combination with the IAM (Keycloak).
Keycloak Configurations / Prerequisites
Before enabling authentication and authorization, make sure you have completed all the steps mentioned in Keycloak Multitenancy Portal Guide. Once those steps are done, verify the following Keycloak configurations.
Users & Roles
Make sure you have mtt-admin and mtt-viewer users, and mtt-admin and mtt-viewer roles present, and that the roles are assigned to the users respectively (Master Realm > Users / Realm roles).
Client
Make sure you have the multitenancy client available (Master Realm > Clients > Clients list > multitenancy).
Authorization Entities
Make sure you have following authorization entities present in Master Realm > Clients > Clients list > multitenancy > Authorization.
1. Resources
-
mtt-apisresource
2. Scopes
Ensure the following 5 scopes exist:
-
GET -
PUT -
PATCH -
POST -
DELETE
3. Policies
Ensure the following 5 policies exist:
-
mtt-apis - GET - policy -
mtt-apis - PUT - policy -
mtt-apis - PATCH - policy -
mtt-apis - POST - policy -
mtt-apis - DELETE - policy
4. Permissions
Ensure the following 5 permissions exist and are linked to the corresponding policies:
-
mtt-apis - GET - permission -
mtt-apis - PUT - permission -
mtt-apis - PATCH - permission -
mtt-apis - POST - permission -
mtt-apis - DELETE - permission
-> Once all of the above items are in place, your Keycloak configuration is ready for enabling authentication and authorization.
APISIX Configurations
To configure authentication and authorization in the Application Gateway, you must complete the following steps:
-
On your server where CX is deployed, go to the folder that contains deployment files.
-
Navigate to
/kubernetes/helm/apisix. -
Inside this folder, you’ll find a file named
values.yaml. -
In this file, under
apisixStandalone.routes, locate the CX Tenant route (/cx-tenant/tenant*) given below:YAML- id: cx-tenant-tenant-secured uris: ["/cx-tenant/tenant*"] hosts: ["{{ .Values.global.ingressRouter }}"] priority: 10 service_id: svc-cx-tenant status: 1 plugins: # openid-connect: ... # authz-keycloak: ... -
You’ll find
openid-connectandauthz-keycloakplugins under thepluginssection of the route. -
By default, the plugins are disabled (commented out) in the routes. To enable or disable authentication or authorization, simply uncomment or comment the relevant lines.
-
To enable authentication, uncomment the
openid-connectplugin block:YAMLopenid-connect: enable: true discovery: "http://keycloak.ef-external.svc/auth/realms/master/.well-known/openid-configuration" realm: "master" client_id: "multitenancy" client_secret: "6YBV9HqdGqOTrHVf6TkS0uzlWxHDxacm" bearer_only: true token_signing_alg_values_expected: "RS256" set_access_token_header: false set_userinfo_header: false audience: ["multitenancy", "account", "realm-management"] required_scopes: ["email", "profile"]-> To disable authentication, comment out this block again.
-
To enable authorization, uncomment the
authz-keycloakplugin block:YAMLauthz-keycloak: lazy_load_paths: true http_method_as_scope: true resource_registration_endpoint: "http://keycloak.ef-external.svc/auth/realms/master/authz/protection/resource_set" discovery: "http://keycloak.ef-external.svc/auth/realms/master/.well-known/uma2-configuration" client_id: "multitenancy" client_secret: "6YBV9HqdGqOTrHVf6TkS0uzlWxHDxacm"-> To disable authorization, comment out this block again.
-
After enabling or disabling a plugin, exit
/helmdirectory and go back to/kubernetesdirectory. Run the following command:helm upgrade --install --namespace ef-external --values apisix/values.yaml apisix expertflow/apisix --version 5.1.0 -
You’ve successfully enabled or disabled the authentication/authorization.
To disable authentication or authorization, you don’t need to make any changes in Keycloak. You only need to comment out the relevant plugin in the APISIX configuration file and run the helm upgrade ... command.
Token Lifespan Configuration
By default, the Master realm uses a 60-second access token lifespan. To learn more about configuring access token lifespan, refer to the Token Lifespan Configuration Guide. To change the access token lifespan, you can update it in either the Realm settings (Steps 2 & 3) or the multitenancy Client settings (Steps 5, 6 & 7). The guide references the Expertflow realm, but you will be using the Master realm. Note that you only need to update the Access Token lifespan, not the Refresh Token.
Access Levels
Following table provides the access levels for various HTTP methods used with /tenant* endpoint.
|
Endpoint |
HTTP Methods (Scopes) |
Allowed Role(s) |
|---|---|---|
|
|
GET |
|
|
PUT, PATCH, POST, DELETE |
|
-> The * sign at the end of an API endpoint means that any path following that prefix is secured. For example, if the secured path is /tenant*, then /tenants, /tenant/anything and all other subpaths under /tenant are secured.
Verify The Enablement
-
Generate an access token for the user you want to test authentication/authorization with, using the adapter configurations mentioned at the end of this guide.
-
Copy the “token” value from the response.
-
Embed the access token in the Authorization header and send a request to the URL or endpoint you want to test.
Examples:
|
Role |
Authorized |
HTTP Request |
HTTP Response |
|---|---|---|---|
|
|
Yes |
Bash
|
Bash
|
|
|
Yes |
Bash
|
Bash
|
|
|
No |
Bash
|
Bash
|