Authentication for the SDKs is divided between two types of SDKs:
Authentication is done using the OAuth protocol.
Management SDKs are used to create instances of services. For those instances we can use the OAuth protocol.
All Management SDKs work with the Red Hat Single Sign On (sso.redhat.com) server. Authentication to services can be done using the Keycloak.js library, available at the following locations: NPM, Yarn
When authenticating, please use the following Keycloak client configuration:
{
"realm": "redhat-external",
"auth-server-url": "https://sso.redhat.com/auth/",
"ssl-required": "all",
"resource": "cloud-services",
"public-client": true,
"confidential-port": 0
}
This client allows only the following redirect URLs:
.openshift.com/*
https://prod.foo.redhat.com/*
https://prod.food.redhat.com:1337/*
For more information about how to use Keycloak.js, please refer to the official documentation.
NOTE: We are working on an SDK for authentication that will provide out-of-the-box support for connections.
To authenticate to the Instance SDKs we need to create a service account. A service account can be created using the RHOAS CLI, through the UI (https://cloud.redhat.com), or by using the Kafka Management SDK.
For code-based access you can also create a service account using the ServiceAccount SDK:
serviceAccountAPI.createServiceAccount(...)
Once we have created a service account, we can use it to obtain a token for the Instance SDKs:
curl --location --request POST 'https://identity.api.openshift.com/auth/realms/rhoas/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=YOURSERVICEACCOUNT' \
--data-urlencode 'client_secret=YOURSERVICEACCOUNT_SECRET' \
--data-urlencode 'scope=email' \
--data-urlencode 'grant_type=client_credentials'
NOTE: We are working on an SDK for authentication that will provide out-of-the-box support for connections.
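The curl request above, written as code for a Node.js service that calls an Instance SDK. This is an added example, not code from the SDK or its authors: it builds the same client_credentials request, validates the response, and reuses the token until shortly before it expires. The helper names, the 30-second refresh margin and the environment variable names are assumptions.

```javascript
// Added example. Endpoint and form fields mirror the curl request on this page.
const TOKEN_URL =
  'https://identity.api.openshift.com/auth/realms/rhoas/protocol/openid-connect/token';
const REFRESH_SKEW_MS = 30000; // assumption: refresh 30 s before expiry

// Build the client_credentials request; the secret goes only in the POST body.
function buildTokenRequest(clientId, clientSecret) {
  if (!clientId || !clientSecret) {
    throw new Error('service account client id and secret are required');
  }
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    scope: 'email',
    grant_type: 'client_credentials',
  });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  return { url: TOKEN_URL, init: { method: 'POST', headers, body: body.toString() } };
}

// Validate the response and work out when the cached token must be replaced.
function parseTokenResponse(status, payload, nowMs) {
  if (status !== 200) {
    // Surface only the OAuth error code, never the request that holds the secret.
    throw new Error(`token request failed: ${status} ${payload.error || 'unknown_error'}`);
  }
  if (typeof payload.access_token !== 'string' || !(payload.expires_in > 0)) {
    throw new Error('token response lacks access_token or expires_in');
  }
  const refreshAt = nowMs + payload.expires_in * 1000 - REFRESH_SKEW_MS;
  return { accessToken: payload.access_token, refreshAt };
}

// Hypothetical helper: returns getToken(), which reuses the token until refreshAt.
// fetchImpl and now are injectable so the logic can be exercised offline.
function createTokenProvider(clientId, clientSecret, fetchImpl = globalThis.fetch, now = Date.now) {
  let cached = null;
  return async function getToken() {
    if (cached && now() < cached.refreshAt) return cached.accessToken;
    const { url, init } = buildTokenRequest(clientId, clientSecret);
    const res = await fetchImpl(url, init);
    const payload = (await res.json().catch(() => null)) || {};
    cached = parseTokenResponse(res.status, payload, now());
    return cached.accessToken;
  };
}

// Usage (env var names are assumptions):
// const getToken = createTokenProvider(process.env.RHOAS_CLIENT_ID, process.env.RHOAS_CLIENT_SECRET);
```

Reading the service account credentials from the environment or a secret store keeps them out of source control, and the token itself should not be written to logs.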