Chapter 4. Securing the JBoss EAP management console with an OpenID provider

Procedure

1. Create a realm in Red Hat build of Keycloak using the Red Hat build of Keycloak admin console; for example, example_jboss_infra. You will use this realm to create the required users, roles, and clients.

   For more information, see Creating a realm.

2. Create a user. For example, user1.

   For more information, see Creating users.

3. Create a password for the user. For example, passwordUser1.

   For more information, see Setting a password for a user.

4. Create a role. For example, Administrator.

   To enable role-based access control (RBAC) in JBoss EAP, the name should be one of the standard RBAC roles like Administrator. For more information about RBAC in JBoss EAP, see Role-Based Access Control in the JBoss EAP 7.4 Security Architecture guide.

   For more information about creating roles in Red Hat build of Keycloak, see Creating a realm role.

5. Assign roles to users.

   For more information, see Assigning role mappings.

6. Create an OpenID Connect client, for example, jboss-console.

   • Ensure that the following capability configuration values are checked:

     • Standard flow
     • Direct access grants

   • Set the following attributes at the minimum on the Login settings page:

     • Set Valid Redirect URIs to the management console URI. For example, http://localhost:9990.
     • Set Web Origins to the management console URI. For example, http://localhost:9990.

7. Create another OpenID Connect client, for example, jboss-management, as a bearer-only client.

   • In capability configuration, uncheck the following options:

     • Standard flow
     • Direct access grants
   • You do not need to specify any fields on the Login settings page.

Procedure

1. Configure the OIDC provider in the elytron-oidc-client subsystem.

   Syntax

   /subsystem=elytron-oidc-client/provider=keycloak:add(provider-url=<OIDC_provider_URL>)

   Example

   /subsystem=elytron-oidc-client/provider=keycloak:add(provider-url=http://localhost:8180/realms/example_jboss_infra)

2. Create a secure-deployment resource called wildfly-management to protect the management interface.

   Syntax

   /subsystem=elytron-oidc-client/secure-deployment=wildfly-management:add(provider=<OIDC_provider_name>,client-id=<OIDC_client_name>,principal-attribute=<attribute_to_use_as_principal>,bearer-only=true,ssl-required=<internal_or_external>)

   Example

   /subsystem=elytron-oidc-client/secure-deployment=wildfly-management:add(provider=keycloak,client-id=jboss-management,principal-attribute=preferred_username,bearer-only=true,ssl-required=EXTERNAL)

3. OPTIONAL: You can enable role-based access control (RBAC) using the following commands.

   /core-service=management/access=authorization:write-attribute(name=provider,value=rbac)
   /core-service=management/access=authorization:write-attribute(name=use-identity-roles,value=true)

4. Create a secure-server resource called wildfly-console that references the jboss-console client.

   Syntax

   /subsystem=elytron-oidc-client/secure-server=wildfly-console:add(provider=<OIDC_provider_name>,client-id=<OIDC_client_name>,public-client=true)

   Example

   /subsystem=elytron-oidc-client/secure-server=wildfly-console:add(provider=keycloak,client-id=jboss-console,public-client=true)

   Important

   The JBoss EAP management console requires that the secure-server resource be specifically named wildfly-console.

Verification

1. Access the management console. By default, the management console is available at http://localhost:9990.

   You are redirected to the OIDC provider.

2. Log in with the credentials of the user you created in the OIDC provider.