Skip to content

Commit

Permalink
Address comments on Securing Apps
Browse files Browse the repository at this point in the history
Closes keycloak#27867

Signed-off-by: AndyMunro <[email protected]>
  • Loading branch information
andymunro authored and ahus1 committed Mar 15, 2024
1 parent 0e717f7 commit e40227f
Show file tree
Hide file tree
Showing 5 changed files with 34 additions and 23 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ It is necessary to create or obtain a client configuration for any application t

You can configure application clients from a command line with the Client Registration CLI, and you can use it in shell scripts.

To allow a particular user to use `Client Registration CLI` the {project_name} administrator typically uses the Admin Console to configure a new user with proper roles or to configure a new client and client secret to grant access to the Client Registration REST API.
To allow a particular user to use `Client Registration CLI`, the {project_name} administrator typically uses the Admin Console to configure a new user with proper roles or to configure a new client and client secret to grant access to the Client Registration REST API.


[[_configuring_a_user_for_client_registration_cli]]
Expand All @@ -18,8 +18,13 @@ To allow a particular user to use `Client Registration CLI` the {project_name} a
. Log in to the Admin Console (for example, http://localhost:8080{kc_admins_path}) as [command]`admin`.
. Select a realm to administer.
. If you want to use an existing user, select that user to edit; otherwise, create a new user.
. Select *Role Mappings > Client Roles > realm-management*. If you are in the master realm, select *NAME-realm*, where `NAME` is the name of the target realm. You can grant access to any other realm to users in the master realm.
. Select *Available Roles > manage-client* to grant a full set of client management permissions. Another option is to choose *view-clients* for read-only or *create-client* to create new clients.

. Select *Role Mapping*, *Assign role*. From the option list, click *Filter by clients*. In the search bar, type `manage-clients`. Select the role, or if you are in the master realm, select the one with *NAME-realm*, where `NAME` is the name of the target realm. You can grant access to any other realm to users in the master realm.

. Click *Assign* to grant a full set of client management permissions. Another option is to choose *view-clients* for read-only or *create-client* to create new clients.

. Select *Available Roles*, *manage-client* to grant a full set of client management permissions. Another option is to choose *view-clients* for read-only or *create-client* to create new clients.

+
[NOTE]
====
Expand All @@ -28,8 +33,7 @@ These permissions grant the user the capability to perform operations without th

It is possible to not assign any [command]`realm-management` roles to a user. In that case, a user can still log in with the Client Registration CLI but cannot use it without an Initial Access Token. Trying to perform any operations without a token results in a *403 Forbidden* error.

The Administrator can issue Initial Access Tokens from the Admin Console through the *Realm Settings > Client Registration > Initial Access Token* menu.

The administrator can issue Initial Access Tokens from the Admin Console in the Clients area on the *Initial Access Token* tab.

[[_configuring_a_client_for_use_with_client_registration_cli]]
=== Configuring a client for use with the Client Registration CLI
Expand All @@ -39,21 +43,25 @@ By default, the server recognizes the Client Registration CLI as the [filename]`
.Procedure

. Create a client (for example, [filename]`reg-cli`) if you want to use a separate client configuration for the Client Registration CLI.
. Toggle the *Standard Flow Enabled* setting it to *Off*.
. Strengthen the security by configuring the client [filename]`Access Type` as [filename]`Confidential` and selecting *Credentials > ClientId and Secret*.
. Uncheck *Standard Flow Enabled*.
. Strengthen the security by toggling *Client authentication* to *On*.
. Choose the type of account that you want to use.
.. If you want to use a service account associated with the client, check *Service accounts roles*.
.. If you prefer to use a regular user account, check *Direct access grants*.
. Click *Next*.
. Click *Save*.
. Click the *Credentials* tab.
+
[NOTE]
====
You can configure either [filename]`Client Id and Secret` or [filename]`Signed JWT` under the *Credentials* tab .
====
. Enable service accounts if you want to use a service account associated with the client by selecting a client to edit in the *Clients* section of the `Admin Console`.
.. Under *Settings*, change the *Access Type* to *Confidential*, toggle the *Service Accounts Enabled* setting to *On*, and click *Save*.
.. Click *Service Account Roles* and select desired roles to configure the access for the service account. For the details on what roles to select, see <<_configuring_a_user_for_client_registration_cli>>.
. Toggle the *Direct Access Grants Enabled* setting it to *On* if you want to use a regular user account instead of a service account.
. If the client is configured as [filename]`Confidential`, provide the configured secret when running [command]`kcreg config credentials` by using the [command]`--secret` option.
. Specify which [filename]`clientId` to use (for example, [command]`--client reg-cli`) when running [command]`kcreg config credentials`.
. With the service account enabled, you can omit specifying the user when running [command]`kcreg config credentials` and only provide the client secret or keystore information.
Configure either [filename]`Client Id and Secret` or [filename]`Signed JWT`.
. If you are using service account roles, click the *Service Account Roles* tab.
+
Select the roles to configure the access for the service account. For the details on what roles to select, see <<_configuring_a_user_for_client_registration_cli>>.
. Click *Save*.

When you run the [command]`kcreg config credentials`, use the [command]`--secret` option to supply the configured secret.

* Specify which [filename]`clientId` to use (for example, [command]`--client reg-cli`) when running [command]`kcreg config credentials`.
* With the service account enabled, you can omit specifying the user when running [command]`kcreg config credentials` and only provide the client secret or keystore information.

[[_installing_client_registration_cli]]
=== Installing the Client Registration CLI
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ When enforcing the requirements of the FAPI CIBA specification, there is a need

==== Open Finance Brasil Financial-grade API Security Profile

{project_name} is compliant with the https://openfinancebrasil.atlassian.net/wiki/spaces/OF/pages/82083996/EN+Open+Finance+Brasil+Financial-grade+API+Security+Profile+1.0+Implementers+Draft+3[Open Finance Brasil Financial-grade API Security Profile 1.0 Implementers Draft 3].
{project_name} is compliant with the https://openfinancebrasil.atlassian.net/wiki/spaces/OF/pages/245760001/EN+Open+Finance+Brasil+Financial-grade+API+Security+Profile+1.0+Implementers+Draft+3[Open Finance Brasil Financial-grade API Security Profile 1.0 Implementers Draft 3].
This one is stricter in some requirements than the <<_fapi-support,FAPI 1 Advanced>> specification and hence it may be needed to configure link:{adminguide_link}#_client_policies[Client Policies]
in the more strict way to enforce some of the requirements. Especially:

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,6 @@ Spring Security provides comprehensive support for OAuth 2 and OpenID Connect. F
https://spring.io/projects/spring-security[Spring Security documentation].

Alternatively, for Spring Boot 2.x the Spring Boot adapter from Red Hat Single Sign-On 7.6 can be used in combination with the {project_name} server. For more information, see the
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/securing_applications_and_services_guide/oidc#jboss_adapter[Red Hat Single Sign-On documentation].
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/securing_applications_and_services_guide/oidc#spring_boot_adapter[Red Hat Single Sign-On documentation].


Original file line number Diff line number Diff line change
Expand Up @@ -386,8 +386,11 @@ Options is an optional Object, where:

* redirectUri - Specifies the uri to redirect to after login.
* prompt - This parameter allows to slightly customize the login flow on the {project_name} server side.
For example enforce displaying the login screen in case of value `login`. See link:{adapterguide_link}#_params_forwarding[Parameters Forwarding Section]
For example, enforce displaying the login screen in case of value `login`.
ifeval::[{project_community}==true]
See the link:{adapterguide_link}#_params_forwarding[Parameters Forwarding Section]
for the details and all the possible values of the `prompt` parameter.
endif::[]
* maxAge - Used just if user is already authenticated. Specifies maximum time since the authentication of user happened. If user is already authenticated for longer time than `maxAge`, the SSO is ignored and he will need to re-authenticate again.
* loginHint - Used to pre-fill the username/email field on the login form.
* scope - Override the scope configured in `init` with a different value for this specific login.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -10,11 +10,11 @@ endif::[]

To use the Node.js adapter, first you must create a client for your application in the {project_name} Admin Console. The adapter supports public, confidential, and bearer-only access type. Which one to choose depends on the use-case scenario.

Once the client is created click the `Installation` tab, select `{project_name} OIDC JSON` for `Format Option`, and then click `Download`. The downloaded `keycloak.json` file should be at the root folder of your project.
Once the client is created, click *Action* at the top right and choose *Download adapter config*. For *Format, choose *Keycloak OIDC JSON* and click *Download*. The downloaded `keycloak.json` file is at the root folder of your project.

==== Installation

Assuming you've already installed https://nodejs.org[Node.js], create a folder for your application:
Assuming you have already installed https://nodejs.org[Node.js], create a folder for your application:

mkdir myapp && cd myapp

Expand Down

0 comments on commit e40227f

Please sign in to comment.