# Authentication

Authentication for the SDKs is divided between two types of SDK:

- Management SDKs - authenticate against sso.redhat.com (Red Hat accounts)
- Instance SDKs - typically require service accounts, which can be created using the KafkaSDK service account API

Authentication is done using the OAuth protocol.

## Authentication for Management SDKs

Management SDKs are used to create instances of services. For those instances we can use the OAuth protocol.

All Management SDKs work with the Red Hat Single Sign-On server (sso.redhat.com). Authentication to services can be done using the Keycloak.js library, available from NPM and Yarn.

When authenticating, please use the following Keycloak client configuration:

```json
{
  "realm": "redhat-external",
  "auth-server-url": "https://sso.redhat.com/auth/",
  "ssl-required": "all",
  "resource": "cloud-services",
  "public-client": true,
  "confidential-port": 0
}
```

This client allows only the following redirect URLs:

`*.openshift.com/*`, `https://prod.foo.redhat.com/*`, `https://prod.food.redhat.com:1337/*`

For more information about how to use Keycloak.js please refer to the official documentation.

NOTE: We are working on an SDK for authentication that will provide out-of-the-box support for connections.
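The redirect-URL allowlist above is what stops a login flow from delivering the authorization response to a host the application does not own. The following is an added example, not code from the SDK repository: a simplified checker that applies the same kind of rules (exact host and port, `*` as a path suffix wildcard, `*.` as a subdomain wildcard, HTTPS only) to the three patterns from this page. It is an assumption that this is how Keycloak evaluates the patterns; the candidate URLs in the test are constructed.

```javascript
// Added example (not part of the SDK docs): a simplified checker for a Keycloak
// client's "Valid Redirect URIs" list. Patterns are the ones from this page.
// Assumed pattern grammar: "<scheme>://<host>[:port]/<prefix>*" or
// "*.<domain>/<prefix>*" (subdomain wildcard). Everything else must match exactly.

const ALLOWED_REDIRECTS = [
  "*.openshift.com/*",
  "https://prod.foo.redhat.com/*",
  "https://prod.food.redhat.com:1337/*",
];

// Split a pattern into a host matcher and a path prefix.
function parsePattern(pattern) {
  const hostWildcard = pattern.startsWith("*.");
  // Give wildcard-host patterns a scheme so the URL parser can read host and path.
  const withScheme = hostWildcard ? "https://" + pattern.slice(2) : pattern;
  const pathStar = withScheme.endsWith("/*");
  const base = pathStar ? withScheme.slice(0, -1) : withScheme; // keep trailing "/"
  let url;
  try {
    url = new URL(base);
  } catch {
    return null; // malformed allowlist entry never matches
  }
  return {
    scheme: hostWildcard ? null : url.protocol,
    host: url.host, // includes an explicit non-default port
    hostWildcard,
    pathPrefix: url.pathname,
    pathStar,
  };
}

function matchesPattern(candidateUrl, pattern) {
  const p = parsePattern(pattern);
  if (!p) return false;
  let u;
  try {
    u = new URL(candidateUrl); // normalises "..", userinfo tricks, default ports
  } catch {
    return false;
  }
  if (u.protocol !== "https:") return false; // never hand a code/token to plain http
  if (p.scheme && u.protocol !== p.scheme) return false;
  const hostOk = p.hostWildcard
    ? u.host.endsWith("." + p.host) // real subdomain, not "evilopenshift.com"
    : u.host === p.host; // exact host and port
  if (!hostOk) return false;
  return p.pathStar ? u.pathname.startsWith(p.pathPrefix) : u.pathname === p.pathPrefix;
}

// True when the candidate redirect target is covered by at least one allowlist entry.
function isAllowedRedirect(candidateUrl, allowList = ALLOWED_REDIRECTS) {
  return allowList.some((pattern) => matchesPattern(candidateUrl, pattern));
}

// Constructed inputs: a legitimate callback and a look-alike host.
console.log(isAllowedRedirect("https://prod.foo.redhat.com/callback")); // true
console.log(isAllowedRedirect("https://prod.foo.redhat.com.evil.example/callback")); // false
```

The point of the check is the host comparison: a path wildcard never loosens the host, and a look-alike domain that merely starts with an allowed host name is rejected. Keep the allowlist entries as specific as the deployment allows; a broad `*.` wildcard is only as safe as every subdomain under it.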

## Authentication for Instance SDKs

To authenticate to the Instance SDKs we need to create a service account. A service account can be created using the RHOAS CLI, the UI (https://cloud.redhat.com), or the Kafka Management SDK.

For code-based access you can also create a service account using the ServiceAccount SDK:

```js
serviceAccountAPI.createServiceAccount(...)
```

Once we have created a service account we can use it to obtain a token for the instance SDKs:

```bash
curl --location --request POST 'https://identity.api.openshift.com/auth/realms/rhoas/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=YOURSERVICEACCOUNT' \
--data-urlencode 'client_secret=YOURSERVICEACCOUNT_SECRET' \
--data-urlencode 'scope=email' \
--data-urlencode 'grant_type=client_credentials'
```
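The curl command above is the OAuth 2.0 client_credentials grant. The following is an added example, not code from the SDK repository, that performs the same request from Node.js and caches the resulting access token until shortly before `expires_in` runs out, so the client secret is sent only when a new token is actually needed. Assumptions: Node 18+ (global `fetch` and `URLSearchParams`), and credentials supplied through the environment variables `RHOAS_CLIENT_ID` and `RHOAS_CLIENT_SECRET` (names chosen for this example, not an SDK convention). The fake token response in the test is constructed.

```javascript
// Added example (not part of the SDK docs): client_credentials token fetch with caching.
// Assumes Node 18+ for global fetch. Endpoint URL is the one from this page.

const TOKEN_URL =
  "https://identity.api.openshift.com/auth/realms/rhoas/protocol/openid-connect/token";

// Build the form body exactly as the curl command does; kept separate so it can be tested.
function buildTokenRequestBody(clientId, clientSecret) {
  return new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    scope: "email",
    grant_type: "client_credentials",
  });
}

// Validate a token endpoint response and compute an absolute expiry with a safety margin,
// so a token is refreshed before the server considers it expired.
function parseTokenResponse(json, nowMs = Date.now(), marginSeconds = 30) {
  if (typeof json.access_token !== "string" || String(json.token_type).toLowerCase() !== "bearer") {
    throw new Error("unexpected token response: " + (json.error || "missing access_token"));
  }
  const lifetime = Number.isFinite(json.expires_in) ? json.expires_in : 0;
  return {
    accessToken: json.access_token,
    expiresAtMs: nowMs + Math.max(lifetime - marginSeconds, 0) * 1000,
  };
}

class ServiceAccountTokenProvider {
  // fetchImpl is injectable so the provider can be tested without network access.
  constructor(clientId, clientSecret, tokenUrl = TOKEN_URL, fetchImpl = fetch) {
    if (!clientId || !clientSecret) throw new Error("service account credentials are required");
    this.clientId = clientId;
    this.clientSecret = clientSecret;
    this.tokenUrl = tokenUrl;
    this.fetchImpl = fetchImpl;
    this.cached = null;
  }

  async getToken() {
    if (this.cached && Date.now() < this.cached.expiresAtMs) return this.cached.accessToken;
    const res = await this.fetchImpl(this.tokenUrl, {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: buildTokenRequestBody(this.clientId, this.clientSecret).toString(),
    });
    const json = await res.json();
    if (!res.ok) {
      // Surface the OAuth error code only; never log the secret or the request body.
      throw new Error(`token request failed (${res.status}): ${json.error || "unknown"}`);
    }
    this.cached = parseTokenResponse(json);
    return this.cached.accessToken;
  }
}

// Stand-alone usage: only runs when real credentials are present in the environment.
if (process.env.RHOAS_CLIENT_ID && process.env.RHOAS_CLIENT_SECRET) {
  new ServiceAccountTokenProvider(process.env.RHOAS_CLIENT_ID, process.env.RHOAS_CLIENT_SECRET)
    .getToken()
    .then((token) => console.log("token obtained, length", token.length)) // never print the token
    .catch((err) => {
      console.error(err.message);
      process.exitCode = 1;
    });
}
```

Send the returned token as `Authorization: Bearer <token>` to the instance APIs. Because a service account secret grants the same access as the account itself, keep it out of source control and logs, and rotate it if it is ever exposed.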

NOTE: We are working on an SDK for authentication that will provide out-of-the-box support for connections.