
Securing WildFly Apps with OpenID Connect

source link: https://wildfly-security.github.io/wildfly-elytron/blog/securing-wildfly-apps-openid-connect/

New elytron-oidc-client Subsystem

WildFly 25 introduced a new elytron-oidc-client subsystem that scans deployments to check if the OpenID Connect (OIDC) authentication mechanism is needed. If the subsystem detects that the OIDC mechanism is required for a deployment, the subsystem will activate this authentication mechanism automatically.

The configuration that tells WildFly that the OIDC authentication mechanism is needed by an application can be provided either within the application itself or within the elytron-oidc-client subsystem.

Deployment Configuration

When the configuration lives in the deployment, two steps are needed to specify that the OIDC authentication mechanism should secure the application.

First, an oidc.json configuration file needs to be added to the application’s WEB-INF directory. There is a sample oidc.json configuration file in the documentation. (Note that with the exception of a couple new options, the options that can be specified in the oidc.json file are the same as the options that could previously be specified in the keycloak.json file that was used with the Keycloak client adapter.)

Next, the application’s web.xml file should also specify OIDC as the auth-method:

<login-config>
    <auth-method>OIDC</auth-method>
</login-config>
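The two deployment-side steps above, combined into a complete WEB-INF/web.xml. This is an added example, not the original post's or the WildFly project's own file; the display name, URL pattern and role name are assumptions, and the matching WEB-INF/oidc.json (not shown) must carry at least the client-id and provider-url. The security-constraint is the part the post's snippet leaves out: on its own, a login-config protects no URL.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original post): WEB-INF/web.xml for a
     deployment secured by the OIDC mechanism on WildFly 25 (Java EE 8).
     The display name, URL pattern and role name are assumptions. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">

    <display-name>oidc-demo</display-name>

    <!-- Without a security-constraint, selecting OIDC as the auth-method
         protects nothing: every URL in the deployment stays accessible
         without authentication. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>secured</web-resource-name>
            <url-pattern>/secured/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- The redirect-based OIDC flow carries codes and tokens over
                 this connection, so require TLS for the protected URLs. -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Step two from the post: select the OIDC mechanism. The client-id
         and provider-url it needs come from WEB-INF/oidc.json (step one),
         which sits beside this file and is not shown here. -->
    <login-config>
        <auth-method>OIDC</auth-method>
    </login-config>

    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
```

The auth-constraint means a logged-in user must also hold the "user" role to reach /secured/*; how that role is derived from the provider's tokens is governed by the oidc.json options, which are the same as those of the Keycloak client adapter.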

Subsystem Configuration

Instead of including the OIDC configuration directly in a deployment, it is also possible to configure it via the elytron-oidc-client subsystem.

For each deployment that is to be secured with OIDC, a secure-deployment should be added. It is also possible to combine configuration that is common to multiple deployments using the provider resource.

Sample elytron-oidc-client subsystem configuration can also be found in the documentation. The various options that can be specified here correspond to the same options that can be specified in the oidc.json configuration above.
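A subsystem configuration covering both resources mentioned above, a provider shared by several deployments and one secure-deployment per application. This is an added example, not the original post's or the WildFly project's own configuration; the provider name, realm URL, deployment names, client ids and the placeholder secret are assumptions.

```xml
<!-- Added example (not from the original post): elytron-oidc-client
     subsystem configuration as it would appear in standalone.xml.
     Provider name, realm URL, deployment names, client ids and the
     secret placeholder are assumptions for illustration. -->
<subsystem xmlns="urn:wildfly:elytron-oidc-client:1.0">

    <!-- Settings common to every deployment that uses this OpenID
         provider. WildFly discovers the remaining endpoints from
         provider-url/.well-known/openid-configuration. -->
    <provider name="keycloak">
        <provider-url>http://localhost:8080/auth/realms/myrealm</provider-url>
        <!-- EXTERNAL: require TLS for every request that does not come
             from a private/loopback address. -->
        <ssl-required>EXTERNAL</ssl-required>
    </provider>

    <!-- One secure-deployment per application; the name must match the
         deployment's runtime name. This one is a confidential client. -->
    <secure-deployment name="simple-webapp.war">
        <provider>keycloak</provider>
        <client-id>simple-webapp</client-id>
        <!-- The client secret registered with the provider. The value
             below is an assumed placeholder; the real one is a credential
             and must be protected like any other secret in standalone.xml. -->
        <credential name="secret" secret="replace-with-registered-secret"/>
    </secure-deployment>

    <!-- A second deployment, same provider, registered as a public client
         (no secret), as a browser-only application would be. -->
    <secure-deployment name="public-webapp.war">
        <provider>keycloak</provider>
        <client-id>public-webapp</client-id>
        <public-client>true</public-client>
    </secure-deployment>
</subsystem>
```

The provider resource is optional: a secure-deployment that specifies its own provider-url directly needs no provider element. Either way, the required client-id and provider-url values must be present for each deployment, exactly as they would be in oidc.json.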

Required Configuration Options

Whether the OIDC configuration is specified directly in the deployment or via the subsystem, two configuration options must always be provided:

  • client-id - This is the client identifier for the application. This is the identifier that has been registered with the authorization server.

  • provider-url - The URL of the OpenID provider. WildFly will fetch provider-url/.well-known/openid-configuration (the standard OIDC discovery document) to learn the provider's endpoints and keys. As an example, for Keycloak, the provider-url will look like http://localhost:8080/auth/realms/myrealm.

The rest of the configuration options are optional and are the same as those of the previous Keycloak client adapter.

