Chapter 1. OpenID Connect configuration in JBoss EAP
When you secure your applications using an OpenID provider, you do not need to configure any security domain resources locally. The elytron-oidc-client
subsystem provides a native OpenID Connect (OIDC) client in JBoss EAP to connect with OpenID providers. JBoss EAP automatically creates a virtual security domain for your application, based on your OpenID provider configurations.
It is recommended to use the OIDC client with Red Hat Single Sign-On. You can use other OpenID providers if they can be configured to use access tokens that are JSON Web Tokens (JWTs) and can be configured to use the RS256, RS384, RS512, ES256, ES384, or ES512 signature algorithm.
To enable the use of OIDC, you can configure either the elytron-oidc-client
subsystem or an application itself. JBoss EAP activates the OIDC authentication as follows:
-
When you deploy an application to JBoss EAP, the
elytron-oidc-client
subsystem scans the deployment to detect if the OIDC authentication mechanism is required. -
If the subsystem detects OIDC configuration for the deployment in either the
elytron-oidc-client
subsystem or the application deployment descriptor, JBoss EAP enables the OIDC authentication mechanism for the application. -
If the subsystem detects OIDC configuration in both places, the configuration in the
elytron-oidc-client
subsystemsecure-deployment
attribute takes precedence over the configuration in the application deployment descriptor.
Deployment configuration
To secure an application with OIDC by using a deployment descriptor, update the application’s deployment configuration as follows:
Create a file called
oidc.json
in theWEB-INF
directory with the OIDC configuration information.Example
oidc.json
contents{ "client-id" : "customer-portal", 1 "provider-url" : "http://localhost:8180/auth/realms/demo", 2 "ssl-required" : "external", 3 "credentials" : { "secret" : "234234-234234-234234" 4 } }
-
Set the
auth-method
property toOIDC
in the application deployment descriptorweb.xml
file.
Example deployment descriptor update
<login-config> <auth-method>OIDC</auth-method> </login-config>
Subsystem configuration
You can secure applications with OIDC by configuring the elytron-oidc-client
subsystem in the following ways:
- Create a single configuration for multiple deployments if you use the same OpenID provider for each application.
- Create a different configuration for each deployment if you use different OpenID providers for different applications.
Example XML configuration for a single deployment:
<subsystem xmlns="urn:wildfly:elytron-oidc-client:1.0"> <secure-deployment name="DEPLOYMENT_RUNTIME_NAME.war"> 1 <client-id>customer-portal</client-id> 2 <provider-url>http://localhost:8180/auth/realms/demo</provider-url> 3 <ssl-required>external</ssl-required> 4 <credential name="secret" secret="0aa31d98-e0aa-404c-b6e0-e771dba1e798" /> 5 </secure-deployment </subsystem>
To secure multiple applications using the same OpenID provider, configure the provider
separately, as shown in the example:
<subsystem xmlns="urn:wildfly:elytron-oidc-client:1.0"> <provider name="${OpenID_provider_name}"> <provider-url>http://localhost:8080/auth/realms/demo</provider-url> <ssl-required>external</ssl-required> </provider> <secure-deployment name="customer-portal.war"> 1 <provider>${OpenID_provider_name}</provider> <client-id>customer-portal</client-id> <credential name="secret" secret="0aa31d98-e0aa-404c-b6e0-e771dba1e798" /> </secure-deployment> <secure-deployment name="product-portal.war"> 2 <provider>${OpenID_provider_name}</provider> <client-id>product-portal</client-id> <credential name="secret" secret="0aa31d98-e0aa-404c-b6e0-e771dba1e798" /> </secure-deployment> </subsystem>
Additional resources