Chapter 4. Securing the JBoss EAP management console with an OpenID provider
You can secure the JBoss EAP management console with an external identity provider, such as Red Hat build of Keycloak, using OIDC. By using an external identity provider, you can delegate authentication to the identity provider.
To secure the JBoss EAP management console using OIDC, follow these two procedures in order:
- Configuring Red Hat build of Keycloak to secure JBoss EAP management console
- Securing the JBoss EAP management console using OpenID Connect
4.1. JBoss EAP management console security with OIDC
You can secure the JBoss EAP management console with OpenID Connect (OIDC) by configuring an OIDC provider, such as Red Hat build of Keycloak, and the elytron-oidc-client subsystem.
Securing the management console of JBoss EAP running as a managed domain with OIDC is not supported.
JBoss EAP management console security with OIDC works as follows:
- When you configure a secure-server resource in the elytron-oidc-client subsystem, the JBoss EAP management console redirects the browser to the OIDC provider's login page.
- JBoss EAP then uses the secure-deployment resource configuration to secure the management interface with bearer token authentication: requests from the console to the management interface carry the bearer token obtained at login.
OIDC relies on redirecting a browser to the provider's login page. Therefore, the JBoss EAP management CLI cannot be secured with OIDC.
RBAC support
You can configure and assign roles in the OIDC provider to implement role-based access control (RBAC) for the JBoss EAP management console. JBoss EAP includes or excludes the user's roles for RBAC as defined in the JBoss EAP RBAC configuration. For more information about RBAC, see Role-Based Access Control in the JBoss EAP 7.4 Security Architecture guide.
4.2. Configuring Red Hat build of Keycloak to secure JBoss EAP management console
Configure the required users, roles, and clients in the OpenID Connect (OIDC) provider to secure the JBoss EAP management console.
Two clients are required to secure the management console with OIDC. The clients must be configured as follows:
- A client configured for the standard flow. The management console uses it to log the user in through the browser.
- A client configured as a bearer-only client. The management interface uses it to accept the bearer tokens the console presents.
The following procedure outlines the minimum steps required to get started with securing the JBoss EAP management console using OIDC for testing purposes. For detailed configurations, see the Red Hat build of Keycloak documentation.
Prerequisites
- You have administrator access to Red Hat build of Keycloak.
- Red Hat build of Keycloak is running.
Procedure
Create a realm in Red Hat build of Keycloak using the Red Hat build of Keycloak admin console; for example, example_jboss_infra. You will use this realm to create the required users, roles, and clients. For more information, see Creating a realm.
Create a user. For example, user1. For more information, see Creating users.
Create a password for the user. For example, passwordUser1. For more information, see Setting a password for a user.
Create a role. For example, Administrator. To enable role-based access control (RBAC) in JBoss EAP, the name must be one of the standard JBoss EAP RBAC roles, such as Administrator, so that the role carried in the token matches a JBoss EAP role. For more information about RBAC in JBoss EAP, see Role-Based Access Control in the JBoss EAP 7.4 Security Architecture guide. For more information about creating roles in Red Hat build of Keycloak, see Creating a realm role.
Assign roles to users. For more information, see Assigning role mappings.
Create an OpenID Connect client, for example, jboss-console. Ensure that the following capability configuration values are checked:
- Standard flow
- Direct access grants
Set the following attributes at the minimum on the Login settings page:
- Set Valid Redirect URIs to the management console URI. For example, http://localhost:9990.
- Set Web Origins to the management console URI. For example, http://localhost:9990.
Keep both values exact: they limit where the provider sends the authorization response and which browser origins may call it. For anything beyond local testing, use the https:// URI of the console.
Create another OpenID Connect client, for example, jboss-management, as a bearer-only client. In capability configuration, uncheck the following options:
- Standard flow
- Direct access grants
You do not need to specify any fields on the Login settings page for this client.
You can now secure the JBoss EAP management console by using the clients you defined. For more information, see Securing the JBoss EAP management console using OpenID Connect.
4.3. Securing the JBoss EAP management console using OpenID Connect
When you secure the JBoss EAP management console using OpenID Connect (OIDC), JBoss EAP redirects to the OIDC provider for users to log in to the management console.
Prerequisites
- You have configured the required clients in the OIDC provider. For more information, see Configuring Red Hat build of Keycloak to secure JBoss EAP management console.
Procedure
Configure the OIDC provider in the elytron-oidc-client subsystem.
Syntax
/subsystem=elytron-oidc-client/provider=keycloak:add(provider-url=<OIDC_provider_URL>)
Example
/subsystem=elytron-oidc-client/provider=keycloak:add(provider-url=http://localhost:8180/realms/example_jboss_infra)
Create a secure-deployment resource called wildfly-management to protect the management interface. This resource references the bearer-only client. The principal-attribute value selects the token claim that becomes the user's principal name, and ssl-required=EXTERNAL accepts plain HTTP only from private addresses such as localhost; requests from other addresses must use HTTPS.
Syntax
/subsystem=elytron-oidc-client/secure-deployment=wildfly-management:add(provider=<OIDC_provider_name>,client-id=<OIDC_client_name>,principal-attribute=<attribute_to_use_as_principal>,bearer-only=true,ssl-required=<internal_or_external>)
Example
/subsystem=elytron-oidc-client/secure-deployment=wildfly-management:add(provider=keycloak,client-id=jboss-management,principal-attribute=preferred_username,bearer-only=true,ssl-required=EXTERNAL)
OPTIONAL: You can enable role-based access control (RBAC) using the following commands. With use-identity-roles set to true, the roles assigned to the user in the OIDC provider are used as the user's RBAC roles, so they must be named after the standard JBoss EAP roles.
/core-service=management/access=authorization:write-attribute(name=provider,value=rbac)
/core-service=management/access=authorization:write-attribute(name=use-identity-roles,value=true)
Create a secure-server resource called wildfly-console that references the jboss-console client.
Syntax
/subsystem=elytron-oidc-client/secure-server=wildfly-console:add(provider=<OIDC_provider_name>,client-id=<OIDC_client_name>,public-client=true)
Example
/subsystem=elytron-oidc-client/secure-server=wildfly-console:add(provider=keycloak,client-id=jboss-console,public-client=true)
Important: The JBoss EAP management console requires that the secure-server resource be specifically named wildfly-console.
Verification
- Access the management console. By default, the management console is available at http://localhost:9990. You are redirected to the OIDC provider.
- Log in with the credentials of the user you created in the OIDC provider.
- If you enabled RBAC, also confirm that a user whose realm roles include none of the standard JBoss EAP RBAC roles is denied access after logging in.
The JBoss EAP management console is now secured with OIDC.
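To see what the secured management interface actually receives, the following added example decodes an OIDC access token, reads the principal attribute configured above (preferred_username) and works out which of the standard JBoss EAP RBAC roles the token carries. It is an illustration written for this page, not code from JBoss EAP or Keycloak. It assumes Keycloak's default placement of realm roles in the realm_access.roles claim and that RBAC is enabled with use-identity-roles=true, and it constructs its own sample token so that it runs offline. It does not verify the token signature: that remains the job of the elytron-oidc-client subsystem, so treat this as a debugging aid for the role mapping described in section 4.1, not as a replacement for validation.

```python
"""Inspect an OIDC access token the way the secured management interface
will see it: the principal (the principal-attribute chosen on the
secure-deployment resource, preferred_username here), expiry, and which
standard JBoss EAP RBAC roles the token carries.

Added example for this page, not code from JBoss EAP or Keycloak.
Assumptions: realm roles arrive in realm_access.roles (Keycloak's default)
and RBAC is enabled with use-identity-roles=true, so only the standard
role names count. The signature is deliberately NOT verified here.
"""
import base64
import json
import time
from typing import Dict, List, Optional

# The standard RBAC roles defined by JBoss EAP.
EAP_RBAC_ROLES = {"Monitor", "Operator", "Maintainer", "Deployer",
                  "Auditor", "Administrator", "SuperUser"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> Dict:
    """Return the claims of a compact JWS (header.payload.signature).

    No signature check: this only reads what the token says about itself.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def inspect_token(token: str, principal_attribute: str = "preferred_username",
                  now: Optional[float] = None) -> Dict:
    """Summarise what the management interface would make of this token."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    realm_roles: List[str] = list(claims.get("realm_access", {}).get("roles", []))
    eap_roles = sorted(r for r in realm_roles if r in EAP_RBAC_ROLES)
    principal = claims.get(principal_attribute)
    expired = exp is None or now >= exp
    return {
        "principal": principal,
        "expired": expired,
        "azp": claims.get("azp"),   # client that obtained the token
        "aud": claims.get("aud"),   # audience the provider issued it for
        "eap_roles": eap_roles,     # roles RBAC will honour
        "ignored_roles": sorted(r for r in realm_roles if r not in EAP_RBAC_ROLES),
        # Authenticating is not enough: with RBAC on, a user holding none of
        # the standard roles is rejected by the management interface.
        "would_be_authorized": principal is not None and not expired and bool(eap_roles),
    }


def make_sample_token(claims: Dict) -> str:
    """Build a token with a dummy signature.

    Constructed input for this example only; a real token is issued and
    signed by the provider and must never be trusted without verification.
    """
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-key"}
    body = [json.dumps(part, separators=(",", ":")).encode() for part in (header, claims)]
    return ".".join(_b64url_encode(p) for p in body) + "." + _b64url_encode(b"not-a-real-signature")


def sample_claims(username: str, roles: List[str], lifetime: int = 300,
                  now: Optional[float] = None) -> Dict:
    """Constructed claims shaped like a Keycloak access token for the example realm."""
    now = int(time.time() if now is None else now)
    return {
        "iss": "http://localhost:8180/realms/example_jboss_infra",
        "sub": "0f3c1e0e-user1",      # constructed subject id
        "azp": "jboss-console",       # standard-flow client that logged the user in
        "aud": ["jboss-management", "account"],
        "iat": now,
        "exp": now + lifetime,
        "preferred_username": username,
        "realm_access": {"roles": roles},
    }


if __name__ == "__main__":
    token = make_sample_token(sample_claims(
        "user1", ["Administrator", "offline_access", "default-roles-example_jboss_infra"]))
    print(json.dumps(inspect_token(token), indent=2))
```

Run it with python3 to see the report for the constructed user1 token, or pass a real access token (for example one copied from the browser's developer tools after logging in to the console) to inspect_token to find out why a user authenticates but is denied: typically the role name in the provider is not one of the standard JBoss EAP roles, or the token has expired.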