Securing WildFly Apps with OpenID Connect
source link: https://wildfly-security.github.io/wildfly-elytron/blog/securing-wildfly-apps-openid-connect/
New elytron-oidc-client Subsystem
WildFly 25 introduced a new elytron-oidc-client subsystem that scans deployments to check whether the OpenID Connect (OIDC) authentication mechanism is needed. If the subsystem detects that the OIDC mechanism is required for a deployment, it activates this authentication mechanism automatically.

The configuration that indicates that the OIDC authentication mechanism is needed by an application can be provided either within the application itself or within the elytron-oidc-client subsystem.
Deployment Configuration
Two steps are needed to specify that the OIDC authentication mechanism should be used to secure an application using configuration within the deployment.

First, an oidc.json configuration file needs to be added to the application's WEB-INF directory. There is a sample oidc.json configuration file in the documentation. (Note that, with the exception of a couple of new options, the options that can be specified in the oidc.json file are the same as the options that could previously be specified in the keycloak.json file used with the Keycloak client adapter.)

Next, the application's web.xml file should also specify OIDC as the auth-method:

<login-config>
    <auth-method>OIDC</auth-method>
</login-config>
Subsystem Configuration
Instead of including the OIDC configuration directly in a deployment, it is also possible to configure it via the elytron-oidc-client subsystem. For each deployment that is to be secured with OIDC, a secure-deployment resource should be added. Configuration that is common to multiple deployments can be shared through the provider resource.

Sample elytron-oidc-client subsystem configuration can also be found in the documentation. The options that can be specified here correspond to the same options that can be specified in the oidc.json configuration above.
Required Configuration Options
Whether the OIDC configuration is specified directly in the deployment or via the subsystem configuration, there are a couple of configuration options that must be specified:

- client-id - The client identifier for the application. This is the identifier that has been registered with the authorization server.
- provider-url - The URL of the OpenID provider. WildFly will use provider-url/.well-known/openid-configuration to discover more information about the OpenID provider. As an example, for Keycloak, the provider-url will look like http://localhost:8080/auth/realms/myrealm.

The rest of the configuration options are optional and are the same as those of the previous Keycloak client adapter.
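As an added example (not code from the original post or from WildFly), the following script sanity-checks an oidc.json before it is packaged: it enforces the two required options above, derives the discovery URL WildFly will fetch from provider-url, and flags a plain-http provider-url combined with ssl-required=none. The sample oidc.json is constructed for illustration, and the ssl-required, public-client and credentials options are assumed to carry their Keycloak client adapter meaning.

```python
import json
from urllib.parse import urlparse

# Constructed sample oidc.json for a public client (illustrative values, not a real deployment)
SAMPLE_OIDC_JSON = """
{
  "client-id": "simple-webapp",
  "provider-url": "http://localhost:8080/auth/realms/myrealm",
  "public-client": true,
  "ssl-required": "external"
}
"""

# The two options that must be present whether configured in the deployment or the subsystem
REQUIRED_OPTIONS = ("client-id", "provider-url")


def discovery_url(provider_url: str) -> str:
    """Derive the OpenID Connect discovery document URL that WildFly fetches for a provider-url."""
    return provider_url.rstrip("/") + "/.well-known/openid-configuration"


def check_oidc_config(config: dict) -> list:
    """Return a list of findings; an empty list means the configuration passed every check."""
    findings = []
    for option in REQUIRED_OPTIONS:
        if not config.get(option):
            findings.append(f"missing required option: {option}")
    provider_url = config.get("provider-url")
    if provider_url:
        parsed = urlparse(provider_url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            findings.append("provider-url must be an absolute http(s) URL")
        # The discovery document and tokens travel over this URL; plain http is only
        # tolerable for local development and never together with ssl-required=none.
        # (ssl-required defaults to "external", as in the Keycloak adapter - assumed.)
        if parsed.scheme == "http" and config.get("ssl-required", "external").lower() == "none":
            findings.append("plain-http provider-url combined with ssl-required=none")
    # A public client must not ship a client secret; a confidential client needs one.
    has_secret = "credentials" in config
    if config.get("public-client") and has_secret:
        findings.append("public-client is true but credentials are present")
    if not config.get("public-client") and not has_secret:
        findings.append("confidential client without credentials")
    return findings


def load_and_check(text: str):
    """Parse an oidc.json document and return (config, findings)."""
    config = json.loads(text)
    return config, check_oidc_config(config)
```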