The goal of this blog post is to provide a basic understanding of how to use the ManageIQ REST API when configured with OpenID-Connect authentication.

All the content in this blog post is only relevant when ManageIQ is configured for OpenID-Connect Authentication.

Contents:

Configure ManageIQ For OpenID-Connect Authentication


ManageIQ uses Apache’s mod_auth_openidc module to support OpenID-Connect authentication. The instructions for configuring Apache’s mod_auth_openidc for ManageIQ differ for the appliance deployment and the podified (Kubernetes) deployment.

Using The ManageIQ REST API


Please see the ManageIQ REST API documentation for an overview and detailed reference.

The OpenID-Connect REST API Authentication Modes


When configured for OpenID-Connect there are three different authentication modes:

  • A Java Web Token (JWT) obtained from the OpenID-Connect provider for a non-admin user.
  • A ManageIQ API Auth Token for a non-admin user. A JWT is required to obtain the ManageIQ API Auth Token but performance is improved using the ManageIQ API Auth Token for consecutive API requests
  • Basic authentication, username:password format, is only supported for the admin user.

Examples


The below examples are BASH(1) shell script commands. They assume the JQ(1) Command-line JSON processor is available, the client has been created in Keycloak with the realm name miq and the following variables are defined:

# The user to be authenticated
user="user1"

# The password for the user being authenticated
password="user1s_password"

# The password for the admin user
admin_password="admins_password"

# The ManageIQ server name. ServerName from the config file without the https:// prefix
miq_server_name="my-miq.example.com"

# OIDCClientSecret from the OpenID-Connect configuration.
oidc_client_secret="12345678-1234-1234-1234-01234567abcd"

# OIDCClientID from the OpenID-Connect configuration.
oidc_client_id="my-oidc-client"

# OIDCOauthIntrospectionEndpoint from the OpenID-Connect configuration
oidc_auth_introspection_endpoint="https://keycloak.example.com/auth/realms/miq/protocol/openid-connect/token/introspect"

# OIDCProviderTokenEndpoint from the OpenID-Connect configurationt
# Sometimes OIDCOauthIntrospectionEndpoint without the trailing "introspect"
oidc_provider_token_endpoint="https://keycloak.example.com/auth/realms/miq/protocol/openid-connect/token/"

Example: Using a JWT Token


This example details the steps for using a Java Web Token (JWT) obtained from the OpenID-Connect provider for a non-admin user.

The steps are:

  1. Request the JWT Token from the OpenID-Connect provider
  2. Retrieve the access_token from the JWT
  3. (OPTIONAL) Use the access_token to do an introspection to get the details for the user associated with the JWT
  4. Accessing MiQ API using the access_token in the header

The bash example commands:

# Accessing the ManageIQ API with the access_token from a JWT Token

   # Step 1: Request the JWT Token from the OpenID-Connect provider
   jwt_token=$(curl -k -L --user ${user}:${password} -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=password" -d "client_id=${oidc_client_id}" -d "client_secret=${oidc_client_secret}" -d "username=${user}" -d "password=${password}" ${oidc_provider_token_endpoint} )

   # Step 2: Retrieve the access_token from the JWT
   access_token=$(echo $jwt_token | jq -r '.access_token')

   # Step 3 (OPTIONAL) Use the access_token to do an introspection to get the details for the user associated with the JWT
   curl -k -L --user ${oidc_client_id}:${oidc_client_secret} -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "token=${access_token}" ${oidc_auth_introspection_endpoint}

   # Step 4: Accessing MiQ API using the access_token in the header
   curl -L -vvv -k -X GET -H "Authorization: Bearer ${access_token}" https://${miq_server_name}/api/users | jq

Example: Using a ManageIQ API Auth Token


This example details the steps for using a ManageIQ API Auth Token for a non-admin user.

The steps are:

  1. Request the JWT Token from the OpenID-Connect provider
  2. Retrieve the access_token from the JWT
  3. Request an MiQ API Authentication Token using the access_token in the header:
  4. Retrieve the API authentication token from the result
  5. Accessing MiQ API Using the MiQ API Auth Token

The bash example commands:

# Accessing the ManageIQ API using a ManageIQ API Auth Token

   # Step 1: Request the JWT Token from the OpenID-Connect provider
   jwt_token=$(curl -k -L --user ${user}:${password} -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=password" -d "client_id=${oidc_client_id}" -d "client_secret=${oidc_client_secret}" -d "username=${user}" -d "password=${password}" ${oidc_provider_token_endpoint} )

   # Step 2: Retrieve the access_token from the JWT
   access_token=$(echo $jwt_token | jq -r '.access_token')

   # Step 3: Request an MiQ API Authentication Token:
   result=$(curl -L -vvv -k -X GET -H "Authorization: Bearer ${access_token}" https://${miq_server_name}/api/auth)

   # Step 4: Retrieve the API authentication token from the result
   api_auth_token=`echo $result | jq -r '.auth_token'`

   # Step 5: Accessing MiQ API Using the MiQ API Auth Token:
   curl -L -vvv -k -X GET  -H "Accept: application/json" -H "X-Auth-Token: ${api_auth_token}" https://${miq_server_name}/api/users | jq

Example: Using Basic Auth For Admin


The ManageIQ OpenID-Connect is configured to treat the admin user as a special case. The admin user is not authenticated by the OpenID-Connect provider.

More examples of basic and token based auth in the API can be found in the REST API Authentication Documentation Keep in mind that, when configured for OpenID-Connect authentication, the admin user is the only user where basic authentication is supported.

The bash example command:

# Accessing the MiQ API Using basic admin:password

  # Using basic authentication for the admin user.
   curl -L -vvv -k --user admin:${admin_password} -X GET -H 'Accept: application/json' https://${miq_server_name}/api/users | jq