OAuth2 Implicit Grant with 3Scale and Red Hat SSO

fpx021911–06 / Dennis Hill

This post demonstrates the OAuth2 Implicit Grant with 3Scale SaaS, APICast Gateway, and Red Hat SSO v7.1. In the last post, we introduced these components and demonstrated a functioning OAuth2 Authorization Code Grant (and OpenID Connect Authorization Code Flow). This is all part of my 3Scale API Management & Red Hat SSO Series.

If you are interested in using the OAuth2 Implicit Grant with just Red Hat SSO v7.1, check out this post.

This brief post demonstrates the OAuth2 Implicit Grant with 3Scale using the OAuth2 + OIDC Debugger available here. We will authenticate an end user with the Implicit Grant and then use the access token obtained to make a secure API call to an Echo API that is protected by 3Scale and a self-managed APICast Gateway.

The OAuth2 Implicit Grant is used with applications that require end user authentication, but are not able to keep a client secret secure (ie, a confidential client). This is typically going to be a SPA or javascript application running a browser, but could also be used by other application types that fit this description. Check out this blog post regarding which OAuth2 Grant should be used when.

Do the following:

  • Configure 3Scale, APICast, and Red Hat SSO as described here. You can stop at the “OAuth2 + OIDC Debugger” Section. This tutorial picks up at that point.
  • Follow the instructions here to setup the OAuth2 + OIDC Debugger app on your local machine. This is a simple test application that simulates the interaction between a real app and an IdP using the OAuth2 or OIDC protocols.
  • Open a web browser.
  • Go to “http://localhost:3000”.


  • Change the Authorization Grant type to OAuth2 Implicit Grant.


  • The State field is automatically populated with a UUID.
  • The Nonce field is automatically populated with a UUID.
  • Add the Client ID for your client to the Client ID field.
  • Add “http://localhost:3000/callback” to the Redirect URL field.
  • Add “openid profile User” to the Scope field.
  • Click the Authorize button.
  • This makes the following OAuth2 call to the APICast Gateway.
GET http://localhost:8080/authorize?
state=1a82b49c-8537-4d84-9cac-1409ebc60415&
nonce=be0a88c1-ace8-4ddf-939b-a2f614b06067&
response_type=token&
client_id=379fbeeb&
redirect_uri=http://localhost:3000/callback&
scope=User
  • This results in the browser being redirected to a login workflow.


  • Enter the username and password.
  • Click the Login button.
  • The username and password is validated by Red Hat SSO and an access token returned to the debugger.


{
"swagger": "2.0",
"info": {
"version": "1.0.0",
"title": "Echo API",
"description": "A sample echo API"
},
"host": "echo-api.3scale.net",
"basePath": "/",
"schemes": [
"http"
],
"consumes": [
"application/json"
],
"produces": [
"application/json"
],
"securityDefinitions": {
"oauth": {
"type": "oauth2",
"authorizationUrl": "http://localhost:8080/authorize",
"tokenUrl": "http://localhost:8080/oauth/token",
"flow": "accessCode",
"scopes": {
"openid profile User": "Perform user related functions"
}
}
},
"paths": {
"/": {
"get": {
"description": "Echo API with no parameters",
"operationId": "echo_no_params",
"produces": [
"application/json",
"application/xml",
"text/xml",
"text/html"
],
"parameters": [
{
"name": "user_key",
"in": "query",
"description": "Your API access key",
"required": true,
"x-data-threescale-name": "user_keys",
"type": "string"
}
],
"responses": {
"200": {
"description": "response",
"schema": {
"$ref": "#/definitions/ResponseModel"
}
},
"default": {
"description": "unexpected error",
"schema": {
"$ref": "#/definitions/ErrorModel"
}
}
},
"security": [
{ "oauth": ["openid profile User"] }
]
}
},
"/{echo}": {
"get": {
"description": "Echo API with parameters",
"operationId": "echo_with_params",
"produces": [
"application/json",
"application/xml",
"text/xml",
"text/html"
],
"parameters": [
{
"name": "echo",
"in": "path",
"description": "The string to be echoed",
"required": true,
"type": "string"
},
{
"name": "user_key",
"in": "query",
"description": "Your API access key",
"required": true,
"x-data-threescale-name": "user_keys",
"type": "string"
}
],
"responses": {
"200": {
"description": "response",
"schema": {
"$ref": "#/definitions/ResponseModel"
}
},
"default": {
"description": "unexpected error",
"schema": {
"$ref": "#/definitions/ErrorModel"
}
}
}
}
}
},
"definitions": {
"ResponseModel": {
"type": "object",
"required": [
"method",
"path",
"args",
"headers"
],
"properties": {
"method": {
"type": "string"
},
"path": {
"type": "string"
},
"args": {
"type": "string"
},
"headers": {
"type": "object"
}
}
},
"ErrorModel": {
"type": "object",
"required": [
"code",
"message"
],
"properties": {
"code": {
"type": "integer",
"format": "int32"
},
"message": {
"type": "string"
}
}
}
}
}
  • Paste the swagger definition into the editor.
  • Give the editor a moment to refresh the current view.
  • You will see something similar to the following on the right-hand side.


  • Click the Authenticate button.


  • Enter the access token from the OAuth2 + OIDC Debugger “Access Token” field above.
  • Click the Authenticate button.
  • Scroll down to the ‘/’ Path on the right-hand pane.


  • Click the Send Request.
  • A few moments later, you should see something similar to the following.


That concludes our tutorial. In future posts, we will continue to look at the other OAuth2 Authorization Grants with 3Scale and APICast.

Image: fpx021911–06 / Dennis Hill

Leave a Reply

Your email address will not be published. Required fields are marked *