Red Hat SummitChapter 9. OpenID Connect in JBoss EAP
Use the JBoss EAP native OpenID Connect (OIDC) client to secure your applications through an external OpenID provider. OIDC is an identity layer that enables clients, such as JBoss EAP, to verify a user’s identity based on OpenID provider authentication. For example, you can secure your JBoss EAP applications using Red Hat Single Sign-On as the OpenID provider.
9.1. OpenID Connect configuration in JBoss EAP
When you secure your applications using an OpenID provider, you do not need to configure any security domain resources locally. The elytron-oidc-client subsystem provides a native OpenID Connect (OIDC) client in JBoss EAP to connect with OpenID providers. JBoss EAP automatically creates a virtual security domain for your application, based on your OpenID provider configurations.
It is recommended to use the OIDC client with Red Hat Single Sign-On. You can use other OpenID providers if they can be configured to use access tokens that are JSON Web Tokens (JWTs) and can be configured to use the RS256, RS384, RS512, ES256, ES384, or ES512 signature algorithm.
To enable the use of OIDC, you can configure either the elytron-oidc-client subsystem or an application itself. JBoss EAP activates the OIDC authentication as follows:
-
When you deploy an application to JBoss EAP, the
elytron-oidc-clientsubsystem scans the deployment to detect if the OIDC authentication mechanism is required. -
If the subsystem detects OIDC configuration for the deployment in either the
elytron-oidc-clientsubsystem or the application deployment descriptor, JBoss EAP enables the OIDC authentication mechanism for the application. -
If the subsystem detects OIDC configuration in both places, the configuration in the
elytron-oidc-clientsubsystemsecure-deploymentattribute takes precedence over the configuration in the application deployment descriptor.
The keycloak-client-oidc layer to secure your applications with Red Hat Single Sign-On is deprecated in JBoss EAP XP 4.0.0. Use the native OIDC client provided by the elytron-oidc-client subsystem instead.
Deployment configuration
To secure an application with OIDC by using a deployment descriptor, update the application’s deployment configuration as follows:
Create a file called
oidc.jsonin theWEB-INFdirectory with the OIDC configuration information.Example
oidc.jsoncontents{ "client-id" : "customer-portal",1 "provider-url" : "http://localhost:8180/auth/realms/demo",2 "ssl-required" : "external",3 "credentials" : { "secret" : "234234-234234-234234"4 } }-
Set the
auth-methodproperty toOIDCin the application deployment descriptorweb.xmlfile.
Example deployment descriptor update
<login-config>
<auth-method>OIDC</auth-method>
</login-config>Subsystem configuration
You can secure applications with OIDC by configuring the elytron-oidc-client subsystem in the following ways:
- Create a single configuration for multiple deployments if you use the same OpenID provider for each application.
- Create a different configuration for each deployment if you use different OpenID providers for different applications.
Example XML configuration for a single deployment:
<subsystem xmlns="urn:wildfly:elytron-oidc-client:1.0">
<secure-deployment name="DEPLOYMENT_RUNTIME_NAME.war">
<client-id>customer-portal</client-id>
<provider-url>http://localhost:8180/auth/realms/demo</provider-url>
<ssl-required>external</ssl-required>
<credential name="secret" secret="0aa31d98-e0aa-404c-b6e0-e771dba1e798" />
</secure-deployment
</subsystem>
To secure multiple applications using the same OpenID provider, configure the provider separately, as shown in the example:
<subsystem xmlns="urn:wildfly:elytron-oidc-client:1.0">
<provider name="${OpenID_provider_name}">
<provider-url>http://localhost:8080/auth/realms/demo</provider-url>
<ssl-required>external</ssl-required>
</provider>
<secure-deployment name="customer-portal.war">
<provider>${OpenID_provider_name}</provider>
<client-id>customer-portal</client-id>
<credential name="secret" secret="0aa31d98-e0aa-404c-b6e0-e771dba1e798" />
</secure-deployment>
<secure-deployment name="product-portal.war">
<provider>${OpenID_provider_name}</provider>
<client-id>product-portal</client-id>
<credential name="secret" secret="0aa31d98-e0aa-404c-b6e0-e771dba1e798" />
</secure-deployment>
</subsystem>9.2. Enabling the elytron-oidc-client subsystem
The elytron-oidc-client subsystem is provided in the standalone-microprofile.xml configuration file. To use it, you must start your server with the bin/standalone.sh -c standalone-microprofile.xml command. You can include the elytron-oidc-client subsystem in the standalone.xml configuration by enabling it using the management CLI.
Prerequisites
- You have installed JBoss EAP XP.
Procedure
Add the
elytron-oidc-clientextension using the management CLI./extension=org.wildfly.extension.elytron-oidc-client:addEnable the
elytron-oidc-clientsubsystem using the management CLI./subsystem=elytron-oidc-client:addReload JBoss EAP.
reload
You can now use the elytron-oidc-client subsystem by starting the server normally, with the command bin/standalone.sh
9.3. Securing applications using OpenID Connect with Red Hat Single Sign-On
You can use OpenID Connect (OIDC) to delegate authentication to an external OpenID provider. The elytron-oidc-client subsystem provides a native OIDC client in JBoss EAP to connect with external OpenID providers.
To create an application secured with OpenID Connect using Red Hat Single Sign-On, follow these procedures:
9.3.1. Configuring Red Hat Single Sign-On as an OpenID provider
Red Hat Single Sign-On is an identity and access management provider for securing web applications with single sign-on (SSO). It supports OpenID Connect (an extension to OAuth 2.0).
Prerequisites
- You have installed the Red Hat Single Sign-On server. For more information, see Installing the Red Hat Single Sign-On server in the Red Hat Single Sign-On Getting Started Guide.
- You have created a user in your Red Hat Single Sign-On server instance. For more information, see Creating a user in the Red Hat Single Sign-On Getting Started Guide.
Procedure
Start the Red Hat Single Sign-On server at a port other than 8080 because JBoss EAP default port is 8080.
Syntax
$ RH_SSO_HOME/bin/standalone.sh -Djboss.socket.binding.port-offset=<offset-number>Example
$ /home/servers/rh-sso-7.4/bin/standalone.sh -Djboss.socket.binding.port-offset=100-
Log in to the Admin Console at
http://localhost:<port>/auth/. For example,http://localhost:8180/auth/. - To create a realm, in the Admin Console, hover over Master, and click Add realm.
-
Enter a name for the realm. For example,
example_realm. Ensure that Enabled is ON and click Create. - Click Users, then click Add user to add a user to the realm.
-
Enter a user name. For example,
jane_doe. Ensure that User Enabled is ON and click Save. - Click Credentials to add a password to the user.
-
Set a password for the user. For example,
janedoep@$$. Toggle Temporary to OFF and click Set Password. In the confirmation prompt, click Set password. - Click Clients, then click Create to configure a client connection.
-
Enter a client ID. For example,
my_jbeap. Ensure that Client Protocol is set toopenid-connect, and click Save. Click Installation, then select
Keycloak OIDC JSONas the Format Option to see the connection parameters.{ "realm": "example_realm", "auth-server-url": "http://localhost:8180/auth/", "ssl-required": "external", "resource": "my_jbeap", "public-client": true, "confidential-port": 0 }When configuring your JBoss EAP application to use Red Hat Single Sign-On as the identity provider, you use the parameters as follows:
"provider-url" : "http://localhost:8180/auth/realms/example_realm", "ssl-required": "external", "client-id": "my_jbeap", "public-client": true, "confidential-port": 0- Click Clients, click Edit next to my_jbeap to edit the client settings.
In Valid Redirect URIs, enter the URL where the page should redirect after authentication is successful.
For this example, set this value to
http://localhost:8080/simple-oidc-example/secured/*
9.3.2. Configuring a Maven project for creating a secure application
Create a Maven project with the required dependencies and the directory structure for creating a secure application.
Prerequisites
- You have installed Maven. For more information, see Downloading Apache Maven.
- You have configured your Maven repository for the latest release. For more information, see Maven and the JBoss EAP microprofile maven repository.
Procedure
Set up a Maven project using the
mvncommand. The command creates the directory structure for the project and thepom.xmlconfiguration file.Syntax
$ mvn archetype:generate \ -DgroupId=${group-to-which-your-application-belongs} \ -DartifactId=${name-of-your-application} \ -DarchetypeGroupId=org.apache.maven.archetypes \ -DarchetypeArtifactId=maven-archetype-webapp \ -DinteractiveMode=falseExample
$ mvn archetype:generate \ -DgroupId=com.example.oidc \ -DartifactId=simple-oidc-example \ -DarchetypeGroupId=org.apache.maven.archetypes \ -DarchetypeArtifactId=maven-archetype-webapp \ -DinteractiveMode=falseNavigate to the application root directory:
Syntax
$ cd <name-of-your-application>Example
$ cd simple-oidc-exampleUpdate the generated
pom.xmlfile as follows:Set the following properties:
<properties> <maven.compiler.source>1.8</maven.compiler.source> <maven.compiler.target>1.8</maven.compiler.target> <failOnMissingWebXml>false</failOnMissingWebXml> <version.server.bom>4.0.0.GA</version.server.bom> <version.server.bootable-jar>4.0.0.GA</version.server.bootable-jar> <version.wildfly-jar.maven.plugin>4.0.0.GA</version.wildfly-jar.maven.plugin> </properties>Set the following dependencies:
<dependencies> <dependency> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> <version>3.1.0.redhat-1</version> <scope>provided</scope> </dependency> </dependencies>Set the following build configuration to use
mvn widlfy:deployto deploy the application:<build> <finalName>${project.artifactId}</finalName> <plugins> <plugin> <groupId>org.wildfly.plugins</groupId> <artifactId>wildfly-maven-plugin</artifactId> <version>2.1.0.Final</version> </plugin> </plugins> </build>
Verification
In the application root directory, enter the following command:
$ mvn installYou get an output similar to the following:
[INFO] ------------------------------------------------------------------------ [INFO] BUILD SUCCESS [INFO] ------------------------------------------------------------------------ [INFO] Total time: 1.440 s [INFO] Finished at: 2021-12-27T14:45:12+05:30 [INFO] ------------------------------------------------------------------------
You can now create your secure application.
9.3.3. Creating a secure application that uses OpenID Connect
You can secure an application by either updating its deployment configuration or by configuring the elytron-oidc-client subsystem. The following example demonstrates creating a servlet that prints a logged-in user’s Principal. For an existing application, only those steps that are related to updating the deployment configuration or the elytron-oidc-client subsystem are required.
In this example, the value of the Principal comes from the ID token from the OpenID provider. By default, the Principal is the value of the "sub" claim from the token. You can specify which claim value from the ID token to use as the Principal in one of the following:
-
The
elytron-oidc-clientsubsystem attributeprincipal-attribute. -
The
oidc.jsonfile.
<application_root> in the procedure denotes the pom.xml file directory. The pom.xml file contains your application’s Maven configuration.
Prerequisites
- You have created a Maven project. For more information, see Configuring Maven project for creating a secure application .
- You have configured Red Hat Single Sign-On as the OpenID provider. For more information, see Configuring Red Hat Single Sign-On as an OpenID provider.
-
You have enabled the
elytron-oidc-clientsubsystem. For more information, see Enabling the elytron-oidc-client subsystem
Procedure
Create a directory to store the Java files.
Syntax
$ mkdir -p <application_root>/src/main/java/com/example/oidcExample
$ mkdir -p simple-oidc-example/src/main/java/com/example/oidcNavigate to the new directory.
Syntax
$ cd <application_root>/src/main/java/com/example/oidcExample
$ cd simple-oidc-example/src/main/java/com/example/oidcCreate a servlet "SecuredServlet.java" with the following content:
package com.example.oidc; import java.io.IOException; import java.io.PrintWriter; import java.security.Principal; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; /** * A simple secured HTTP servlet. * */ @WebServlet("/secured") public class SecuredServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { try (PrintWriter writer = resp.getWriter()) { writer.println("<html>"); writer.println(" <head><title>Secured Servlet</title></head>"); writer.println(" <body>"); writer.println(" <h1>Secured Servlet</h1>"); writer.println(" <p>"); writer.print(" Current Principal '"); Principal user = req.getUserPrincipal(); writer.print(user != null ? user.getName() : "NO AUTHENTICATED USER"); writer.print("'"); writer.println(" </p>"); writer.println(" </body>"); writer.println("</html>"); } } }Add security rules for access to your application in the deployment descriptor
web.xmlfile located in theWEB-INFdirectory of the application.<?xml version="1.0" encoding="UTF-8"?> <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" metadata-complete="false"> <security-constraint> <web-resource-collection> <web-resource-name>secured</web-resource-name> <url-pattern>/secured</url-pattern> </web-resource-collection> <auth-constraint> <role-name>*</role-name> </auth-constraint> </security-constraint> <security-role> <role-name>*</role-name> </security-role> </web-app>To secure the application with OpenID Connect, either update the deployment configuration or configure the
elytron-oidc-clientsubsystem.NoteIf you configure OpenID Connect in both the deployment configuration and the
elytron-oidc-clientsubsystem, the configuration in theelytron-oidc-clientsubsystemsecure-deploymentattribute takes precedence over the configuration in the application deployment descriptor.Updating the deployment configuration:
Create a file
oidc.jsonin theWEB-INFdirectory, like this:{ "provider-url" : "http://localhost:8180/auth/realms/example_realm", "ssl-required": "external", "client-id": "my_jbeap", "public-client": true, "confidential-port": 0 }Update the deployment descriptor
web.xmlfile with the following text to declare that this application uses OIDC:<login-config> <auth-method>OIDC</auth-method> </login-config>
Configuring the
elytron-oidc-clientsubsystem:To secure your application, use the following management CLI command:
/subsystem=elytron-oidc-client/secure-deployment=simple-oidc-example.war/:add(client-id=my_jbeap,provider-url=http://localhost:8180/auth/realms/example_realm,public-client=true,ssl-required=external)
In the application root directory, compile your application with the following command:
$ mvn packageDeploy the application.
$ mvn wildfly:deploy
Verification
-
In a browser, navigate to
http://localhost:8080/simple-oidc-example/secured. Log in with your credentials. For example:
username: jane_doe password: janedoep@$$You get the following output:
Secured Servlet Current Principal '5cb0c4ca-0477-44c3-bdef-04db04d7e39d'You can now log in to the application using the credentials you configured in the Red Hat Single Sign-On as the OpenID provider.
9.3.4. Restricting access to applications based on user roles
You can restrict access to all, or parts, of your application based on user roles. For example, you can let users with the "public" role have access to the parts of your application that aren’t sensitive, and give users with the "admin" role access to those parts that are.
Prerequisites
- You have secured your application using OpenID Connect. For more information, see Creating a secure application that uses OpenID Connect.
Procedure
Update the deployment descriptor
web.xmlfile with the following text:Syntax
<security-constraint> ... <auth-constraint> <role-name><allowed_role></role-name> </auth-constraint> </security-constraint>Example
<security-constraint> ... <auth-constraint> <role-name>example_role</role-name>1 </auth-constraint> </security-constraint>- 1
- Allow only those users with the role
example_roleto access your application.
In the application root directory, recompile your application with the following command:
$ mvn packageDeploy the application.
$ mvn wildfly:deploy
Verification
-
In a browser, navigate to
http://localhost:8080/simple-oidc-example/secured. Log in with your credentials. For example:
username: jane_doe password: janedoep@$$You get the following output:
ForbiddenBecause you have not assigned the required role to the user "jane_doe," jane_doe can’t log in to your application. Only the users with the required role can log in.
To assign users the required roles, see Creating and assigning roles to users in Red Hat Single Sign-On.
9.3.5. Creating and assigning user roles in Red Hat Single Sign-On
Red Hat Single Sign-On is an identity and access management provider for securing your web applications with single sign-on (SSO). You can define users and assign roles in Red Hat Single Sign-On.
Prerequisites
- You have configured Red Hat Single Sign-On. For more information, see Configuring Red Hat Single Sign-On as an OpenID provider.
Procedure
-
Log in to the admin console at
http://localhost:<port>/auth/. For example,http://localhost:8180/auth/. - Click the realm you use to connect with JBoss EAP. For example, example_realm.
-
Click Clients, then click the
client-nameyou configured for JBoss EAP. For example, my_jbeap. - Click Roles, then Add Role.
- Enter a role name, such as example_role, then click Save. This is the role name you configure in JBoss EAP for authorization.
- Click Users, then View all users.
- Click an ID to assign the role you created. For example, click the ID for jane_doe.
-
Click Role Mappings. In the Client Roles field, select the
client-nameyou configured for JBoss EAP. For example, my_jbeap. - In Available Roles, select a role to assign. For example, example_role. Click Add selected.
Verification
- In a browser, navigate to the application URL.
Log in with your credentials. For example:
username: jane_doe password: janedoep@$$You get the following output:
Secured Servlet Current Principal '5cb0c4ca-0477-44c3-bdef-04db04d7e39d'Users with the required role can log in to your application.
9.4. Developing JBoss EAP bootable jar application with OpenID Connect
You can use OpenID Connect (OIDC) to delegate authentication to an external OpenID provider. The elytron-oidc-client galleon layer provides a native OIDC client in JBoss EAP bootable jar applications to connect with external OpenID providers.
To create an application secured with OpenID Connect using Red Hat Single Sign-On, follow these procedures:
9.4.1. Configuring Red Hat Single Sign-On as an OpenID provider
Red Hat Single Sign-On is an identity and access management provider for securing web applications with single sign-on (SSO). It supports OpenID Connect (an extension to OAuth 2.0).
Prerequisites
- You have installed the Red Hat Single Sign-On server. For more information, see Installing the Red Hat Single Sign-On server in the Red Hat Single Sign-On Getting Started Guide.
- You have created a user in your Red Hat Single Sign-On server instance. For more information, see Creating a user in the Red Hat Single Sign-On Getting Started Guide.
Procedure
Start the Red Hat Single Sign-On server at a port other than 8080 because JBoss EAP default port is 8080.
Syntax
$ RH_SSO_HOME/bin/standalone.sh -Djboss.socket.binding.port-offset=<offset-number>Example
$ /home/servers/rh-sso-7.4/bin/standalone.sh -Djboss.socket.binding.port-offset=100-
Log in to the Admin Console at
http://localhost:<port>/auth/. For example,http://localhost:8180/auth/. - To create a realm, in the Admin Console, hover over Master, and click Add realm.
-
Enter a name for the realm. For example,
example_realm. Ensure that Enabled is ON and click Create. - Click Users, then click Add user to add a user to the realm.
-
Enter a user name. For example,
jane_doe. Ensure that User Enabled is ON and click Save. - Click Credentials to add a password to the user.
-
Set a password for the user. For example,
janedoep@$$. Toggle Temporary to OFF and click Set Password. In the confirmation prompt, click Set password. - Click Clients, then click Create to configure a client connection.
-
Enter a client ID. For example,
my_jbeap. Ensure that Client Protocol is set toopenid-connect, and click Save. Click Installation, then select
Keycloak OIDC JSONas the Format Option to see the connection parameters.{ "realm": "example_realm", "auth-server-url": "http://localhost:8180/auth/", "ssl-required": "external", "resource": "my_jbeap", "public-client": true, "confidential-port": 0 }When configuring your JBoss EAP application to use Red Hat Single Sign-On as the identity provider, you use the parameters as follows:
"provider-url" : "http://localhost:8180/auth/realms/example_realm", "ssl-required": "external", "client-id": "my_jbeap", "public-client": true, "confidential-port": 0- Click Clients, click Edit next to my_jbeap to edit the client settings.
In Valid Redirect URIs, enter the URL where the page should redirect after authentication is successful.
For this example, set this value to
http://localhost:8080/simple-oidc-layer-example/secured/*
9.4.2. Configuring a Maven project for a bootable jar OIDC application
Create a Maven project with the required dependencies and the directory structure for creating a bootable jar application that uses OpenID Connect. The elytron-oidc-client galleon layer provides a native OpenID Connect (OIDC) client to connect with OpenID providers.
Prerequisites
- You have installed Maven. For more information, see Downloading Apache Maven.
- You have configured your Maven repository for the latest release. For more information, see Maven and the JBoss EAP microprofile Maven repository.
Procedure
Set up a Maven project using the
mvncommand. The command creates the directory structure for the project and thepom.xmlconfiguration file.Syntax
$ mvn archetype:generate \ -DgroupId=${group-to-which-your-application-belongs} \ -DartifactId=${name-of-your-application} \ -DarchetypeGroupId=org.apache.maven.archetypes \ -DarchetypeArtifactId=maven-archetype-webapp \ -DinteractiveMode=falseExample
$ mvn archetype:generate \ -DgroupId=com.example.oidc \ -DartifactId=simple-oidc-layer-example \ -DarchetypeGroupId=org.apache.maven.archetypes \ -DarchetypeArtifactId=maven-archetype-webapp \ -DinteractiveMode=falseNavigate to the application root directory.
Syntax
$ cd <name-of-your-application>Example
$ cd simple-oidc-layer-exampleUpdate the generated
pom.xmlfile as follows:Set the following repositories:
<repositories> <repository> <id>jboss</id> <url>https://maven.repository.redhat.com/ga</url> <snapshots> <enabled>false</enabled> </snapshots> </repository> </repositories>Set the following plugin repositories:
<pluginRepositories> <pluginRepository> <id>jboss</id> <url>https://maven.repository.redhat.com/ga</url> <snapshots> <enabled>false</enabled> </snapshots> </pluginRepository> </pluginRepositories>Set the following properties:
<properties> <maven.compiler.source>1.8</maven.compiler.source> <maven.compiler.target>1.8</maven.compiler.target> <bootable.jar.maven.plugin.version>6.1.2.Final-redhat-00001</bootable.jar.maven.plugin.version> <jboss.xp.galleon.feature.pack.version>4.0.0.GA-redhat-00002</jboss.xp.galleon.feature.pack.version> </properties>Set the following dependencies:
<dependencies> <dependency> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> <version>3.1.0.redhat-1</version> <scope>provided</scope> </dependency> </dependencies> <dependencyManagement> <dependencies> <dependency> <groupId>org.jboss.bom</groupId> <artifactId>jboss-eap-jakartaee8</artifactId> <version>7.3.4.GA</version> <type>pom</type> <scope>import</scope> </dependency> <dependency> <groupId>org.jboss.spec.javax.servlet</groupId> <artifactId>jboss-servlet-api_4.0_spec</artifactId> <scope>provided</scope> </dependency> </dependencies> </dependencyManagement>Set the following build configuration in the
<build>element of thepom.xmlfile:<finalName>${project.artifactId}</finalName> <plugins> <plugin> <groupId>org.wildfly.plugins</groupId> <artifactId>wildfly-jar-maven-plugin</artifactId>1 <version>${bootable.jar.maven.plugin.version}</version> <configuration> <feature-pack-location>org.jboss.eap:wildfly-galleon-pack:${jboss.xp.galleon.feature.pack.version}</feature-pack-location> <layers> <layer>jaxrs-server</layer> <layer>elytron-oidc-client</layer>2 </layers> <context-root>false</context-root>3 </configuration> <executions> <execution> <goals> <goal>package</goal> </goals> </execution> </executions> </plugin> </plugins>- 1
- JBoss EAP Maven plug-in to build the application as a bootable JAR
- 2
- The
elytron-oidc-clientlayer provides a native OpenID Connect (OIDC) client to connect with external OpenID providers. - 3
- Register the application in the
simple-oidc-layer-exampleresource path. The servlet is then available at the URLhttp://server-url/application_name/servlet_path, for example:http://localhost:8080/simple-oidc-layer-example/secured. By default, the application WAR file is registered under the root-context path, likehttp://server-url/servlet_path, for example:http://localhost:8080/secured.
Set the application name, for example "simple-oidc-layer-example" in the
<build>element of thepom.xmlfile.<finalName>simple-oidc-layer-example</finalName>
Verification
In the application root directory, enter the following command:
$ mvn installYou get an output similar to the following:
... [INFO] ------------------------------------------------------------------------ [INFO] BUILD SUCCESS [INFO] ------------------------------------------------------------------------ [INFO] Total time: 19.157 s [INFO] Finished at: 2022-03-10T09:38:21+05:30 [INFO] ------------------------------------------------------------------------
You can now create a bootable jar application that uses OpenID Connect
9.4.3. Creating a bootable jar application that uses OpenID Connect
The following example demonstrates creating a servlet that prints a logged-in user’s Principal. For an existing application, only those steps that are related to updating the deployment configuration are required.
In this example, the value of the Principal comes from the ID token from the OpenID provider. By default, the Principal is the value of the "sub" claim from the token. You can specify which claim value from the ID token to use as the Principal in one of the following:
-
The
elytron-oidc-clientsubsystem attributeprincipal-attribute. -
The
oidc.jsonfile.
<application_root> in the procedure denotes the pom.xml file directory. The pom.xml file contains your application’s Maven configuration.
Prerequisites
- You have created a Maven project. For more information, see Configuring Maven project for creating a secure application .
- You have configured Red Hat Single Sign-On as the OpenID provider. For more information, see Configuring Red Hat Single Sign-On as an OpenID provider.
Procedure
Create a directory to store the Java files.
Syntax
$ mkdir -p <application_root>/src/main/java/com/example/oidcExample
$ mkdir -p simple-oidc-layer-example/src/main/java/com/example/oidcNavigate to the new directory.
Syntax
$ cd <application_root>/src/main/java/com/example/oidcExample
$ cd simple-oidc-layer-example/src/main/java/com/example/oidcCreate a servlet "SecuredServlet.java" with the following content:
package com.example.oidc; import java.io.IOException; import java.io.PrintWriter; import java.security.Principal; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; /** * A simple secured HTTP servlet. * */ @WebServlet("/secured") public class SecuredServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { try (PrintWriter writer = resp.getWriter()) { writer.println("<html>"); writer.println(" <head><title>Secured Servlet</title></head>"); writer.println(" <body>"); writer.println(" <h1>Secured Servlet</h1>"); writer.println(" <p>"); writer.print(" Current Principal '"); Principal user = req.getUserPrincipal(); writer.print(user != null ? user.getName() : "NO AUTHENTICATED USER"); writer.print("'"); writer.println(" </p>"); writer.println(" </body>"); writer.println("</html>"); } } }Add security rules for access to your application in the deployment descriptor
web.xmlfile located in theWEB-INFdirectory of the application.<?xml version="1.0" encoding="UTF-8"?> <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" metadata-complete="false"> <security-constraint> <web-resource-collection> <web-resource-name>secured</web-resource-name> <url-pattern>/secured</url-pattern> </web-resource-collection> <auth-constraint> <role-name>*</role-name> </auth-constraint> </security-constraint> <security-role> <role-name>*</role-name> </security-role> </web-app>To secure the application with OpenID Connect, either update the deployment configuration or configure the
elytron-oidc-clientsubsystem.NoteIf you configure OpenID Connect in both the deployment configuration and the
elytron-oidc-clientsubsystem, the configuration in theelytron-oidc-clientsubsystemsecure-deploymentattribute takes precedence over the configuration in the application deployment descriptor.Updating the deployment configuration:
Create a file
oidc.jsonin theWEB-INFdirectory, like this:{ "provider-url" : "http://localhost:8180/auth/realms/example_realm", "ssl-required": "external", "client-id": "my_jbeap", "public-client": true, "confidential-port": 0 }Update the deployment descriptor
web.xmlfile with the following text to declare that this application uses OIDC:<login-config> <auth-method>OIDC</auth-method> </login-config>
Configuring the
elytron-oidc-clientsubsystem:Create a directory to store a CLI script in the application root directory:
Syntax
$ mkdir <application_root>/<cli_script_directory>Example
$ mkdir simple-oidc-layer-example/scripts/You can create the directory at any place that Maven can access, inside the application root directory.
Create a CLI script, such as
configure-oidc.cli, with the following content:/subsystem=elytron-oidc-client/secure-deployment=simple-oidc-layer-example.war:add(client-id=my_jbeap,provider-url=http://localhost:8180/auth/realms/example_realm,public-client=true,ssl-required=external)The subsystem command defines the
simple-oidc-layer-example.warresource as the deployment to secure inelytron-oidc-clientsubsystem.In the project
pom.xmlfile, add the following configuration extract to the existing plug-in<configuration>element:<cli-sessions> <cli-session> <script-files> <script>scripts/configure-oidc.cli</script> </script-files> </cli-session> </cli-sessions>
In the application root directory, compile your application with the following command:
$ mvn packageDeploy the bootable jar application using the following command:
Syntax
$ java -jar <application_root>/target/simple-oidc-layer-example-bootable.jarExample
$ java -jar simple-oidc-layer-example/target/simple-oidc-layer-example-bootable.jarThis starts JBoss EAP and deploys the application.
Verification
-
In a browser, navigate to
http://localhost:8080/simple-oidc-layer-example/secured. Log in with your credentials. For example:
username: jane_doe password: janedoep@$$You get the following output:
Secured Servlet Current Principal '5cb0c4ca-0477-44c3-bdef-04db04d7e39d'You can now log in to the application using the credentials you configured in the Red Hat Single Sign-On as the OpenID provider.
9.4.4. Restricting access based on user roles in bootable jar OIDC applications
You can restrict access to all, or parts, of your application based on user roles. For example, you can let users with the "public" role have access to the parts of your application that aren’t sensitive, and give users with the "admin" role access to those parts that are.
Prerequisites
- You have secured your application using OpenID Connect. For more information, see Creating a bootable jar application that uses OpenID Connect.
Procedure
Update the deployment descriptor
web.xmlfile with the following text:Syntax
<security-constraint> ... <auth-constraint> <role-name><allowed_role></role-name> </auth-constraint> </security-constraint>Example
<security-constraint> ... <auth-constraint> <role-name>example_role</role-name>1 </auth-constraint> </security-constraint>- 1
- Allow only those users with the role
example_roleto access your application.
In the application root directory, recompile your application with the following command:
$ mvn packageDeploy the application.
$ java -jar simple-oidc-layer-example/target/simple-oidc-layer-example-bootable.jarThis starts JBoss EAP and deploys the application.
Verification
-
In a browser, navigate to
\localhost:8080/simple-oidc-layer-example/secured. Log in with your credentials. For example:
username: jane_doe password: janedoep@$$You get the following output:
ForbiddenBecause you have not assigned the required role to the user "jane_doe," jane_doe can’t log in to your application. Only the users with the required role can log in.
To assign users the required roles, see Creating and assigning roles to users in Red Hat Single Sign-On.
9.4.5. Creating and assigning user roles in Red Hat Single Sign-On
Red Hat Single Sign-On is an identity and access management provider for securing your web applications with single sign-on (SSO). You can define users and assign roles in Red Hat Single Sign-On.
Prerequisites
- You have configured Red Hat Single Sign-On. For more information, see Configuring Red Hat Single Sign-On as an OpenID provider.
Procedure
-
Log in to the admin console at
http://localhost:<port>/auth/. For example,http://localhost:8180/auth/. - Click the realm you use to connect with JBoss EAP. For example, example_realm.
-
Click Clients, then click the
client-nameyou configured for JBoss EAP. For example, my_jbeap. - Click Roles, then Add Role.
- Enter a role name, such as example_role, then click Save. This is the role name you configure in JBoss EAP for authorization.
- Click Users, then View all users.
- Click an ID to assign the role you created. For example, click the ID for jane_doe.
-
Click Role Mappings. In the Client Roles field, select the
client-nameyou configured for JBoss EAP. For example, my_jbeap. - In Available Roles, select a role to assign. For example, example_role. Click Add selected.
Verification
- In a browser, navigate to the application URL.
Log in with your credentials. For example:
username: jane_doe password: janedoep@$$You get the following output:
Secured Servlet Current Principal '5cb0c4ca-0477-44c3-bdef-04db04d7e39d'Users with the required role can log in to your application.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}