Guide: Securing a WildFly app on k8s with OIDC #2087
Conversation
| cd /PATH/TO/ELYTRON/EXAMPLES/simple-webapp-oidc/charts | ||
| ---- | ||
|
|
||
| . Create a file `values.yml`. |
There was a problem hiding this comment.
Hi @fjuma, do we want to add this file in https://github.com/wildfly-security-incubator/elytron-examples/tree/main/simple-webapp-oidc ?
There was a problem hiding this comment.
Hi @theashiot, apologies for the delayed response. I haven't gone through this in detail yet but yes, adding a file with the required configuration for k8s to the existing example would make sense.
There was a problem hiding this comment.
Thanks, @fjuma, i've created a PR to add the file: wildfly-security-incubator/elytron-examples#209
I'll updated the steps shortly.
There was a problem hiding this comment.
I've updates the steps. Ready for review!
Please note that I haven't tested the steps for Quay. I have based them on https://www.wildfly.org/news/2023/06/16/deploy-on-kubernetes-with-helm/ . I'm facing some authentication problems with Quay.
I've tested the steps for Docker Hub.
theashiot
force-pushed
the
develop
branch
2 times, most recently
from
7303027 to
b7060de
Compare
|
|
||
| == Example Application | ||
|
|
||
| We use a simple web application in this guide that consists of a single https://github.com/wildfly-security/elytron-examples/blob/main/simple-webapp-oidc/src/main/java/org/wildfly/security/examples/SecuredServlet.java[servlet]. We show how to secure this servlet using OIDC. We will use the example in the https://github.com/wildfly-security-incubator/elytron-examples/tree/main/simple-webapp-oidc[simple-webapp-oidc] directory in the https://github.com/wildfly-security/elytron-examples[elytron-examples] repository. |
There was a problem hiding this comment.
FYI, the examples repo is under the wildfly-security-incubator account.
https://github.com/wildfly-security-incubator/elytron-examples
|
Hi @PrarthonaPaul, I've made some updates. The steps for port-forwarding were missing. I've added them now. The steps work for dockerhub, but when i use quay, i get "ErrImagePull". oidc-app-5d6f9974fd-srvrg is launched from dockerhub. oidc-app-quay-79d48ff4df-lsb6l is from quay. I'm not able to figure out whats going wrong. best, |
Hello @theashiot |
|
Thanks, @PrarthonaPaul for the reply! As discussed, i've removed all mentions of quay. I'll add quay-related info in a separate PR when i'm able to get it running. best, |
| :toc: macro | ||
| :toc-title: | ||
|
|
||
| You can secure your WildFly applications deployed on Kubernetes with OpenID Connect (OIDC). By using OIDC to secure applications, you delegate authentication to OIDC providers. This guide shows how to secure an example application deployed to WildFly on Kubernetes cluster running on your local machine, with OIDC using Keycloak as the OIDC provider. |
There was a problem hiding this comment.
s/on Kubernetes cluster/on a Kubernetes cluster
There was a problem hiding this comment.
s/OIDC provider/OpenID provider
|
|
||
| == Start Keycloak | ||
|
|
||
| We will be using Keycloak as our OIDC identity provider. |
There was a problem hiding this comment.
s/OIDC identity provider/OpenID provider
|
|
||
| We will be using Keycloak as our OIDC identity provider. | ||
|
|
||
| Follow the instructions, till "Log in to the Admin Console", provided in the https://www.keycloak.org/getting-started/getting-started-kube[Get started with Keycloak on Kubernetes] guide. |
| + | ||
| [source,subs=+quotes] | ||
| ---- | ||
| docker login __CONTAINER_REGISTRY__ |
There was a problem hiding this comment.
CONTAINER_REGISTRY seems to render a bit odd. Could we use <CONTAINER_REGISTRY> or something similar instead?
There was a problem hiding this comment.
updated all italics to <this_form>
| docker tag simple-webapp-oidc __TAGGED_IMAGE__ | ||
| ---- | ||
| + | ||
| Substitute __TAGGED_IMAGE__ as follows: |
There was a problem hiding this comment.
Same here, renders in a way that's a bit hard to read.
|
Thanks for the post @theashiot! This looks great! @PrarthonaPaul Would you be able to try out the steps from this post when you get a chance? |
|
Thanks, @fjuma for the review! I've updated the content. best, |
|
|
||
| You can secure your WildFly applications deployed on Kubernetes with OpenID Connect (OIDC). By using OIDC to secure applications, you delegate authentication to OpenID providers. This guide shows how to secure an example application deployed to WildFly on a Kubernetes cluster running on your local machine, with OIDC using Keycloak as the OpenID provider. | ||
|
|
||
| //toc::[] |
There was a problem hiding this comment.
Please uncomment this to have the table of contents appear at the top of the guide.
|
|
||
| == Example Application | ||
|
|
||
| We use a simple web application in this guide that consists of a single https://github.com/wildfly-security/elytron-examples/blob/main/simple-webapp-oidc/src/main/java/org/wildfly/security/examples/SecuredServlet.java[servlet]. We show how to secure this servlet using OIDC. We will use the example in the https://github.com/wildfly-security-incubator/elytron-examples/tree/main/simple-webapp-oidc[simple-webapp-oidc] directory in the https://github.com/wildfly-security-incubator/elytron-examples[elytron-examples] repository. |
There was a problem hiding this comment.
Please update the first link to https://github.com/wildfly-security-incubator/elytron-examples/blob/main/simple-webapp-oidc/src/main/java/org/wildfly/security/examples/SecuredServlet.java
| * *Login settings*: Leave the fields blank for now. | ||
|
|
||
| + | ||
| For more information, see the Keycloak documentation on how to https://www.keycloak.org/docs/latest/server_admin/index.html#_oidc_clients[Managing OpenID Connect clients]. |
There was a problem hiding this comment.
This could be reworded to "... documentation on how to Manage OpenID Connect clients" or "... documentation on Managing OpenID Connect clients"
|
|
||
| To build a Docker image from your application so that you can push it to a container repository, such as Docker Hub, follow these steps: | ||
|
|
||
| . Navigate to the application's directory. |
There was a problem hiding this comment.
It might be clearer to say "Navigate to the simple-webapp-oidc directory."
|
|
||
| While our application is building, let's take a closer look at our application. | ||
|
|
||
| * Examine the https://github.com/wildfly-security/elytron-examples/blob/main/simple-webapp-oidc/pom.xml[pom.xml] file. |
There was a problem hiding this comment.
s/wildfly-security/wildfly-security-incubator
| == Resources | ||
|
|
||
| * https://www.wildfly.org/news/2023/06/16/deploy-on-kubernetes-with-helm/[Deploy on Kubernetes with Helm] | ||
| * https://docs.wildfly.org/30/Getting_Started_on_OpenShift.html#helm-charts[WildFly Helm Chart] |
There was a problem hiding this comment.
You can update the version number to 33 to keep it up to date
|
Thanks @PrarthonaPaul for the review! I've made the suggested changed. Mind having another look? best, |
|
Hi @rsearls, would you mind trying out the steps in this post? Also please let me know if you think anything can be improved. thanks, |
|
I'll look at it in the next couple of days |
|
|
||
| We will be using Keycloak as our OpenID provider. | ||
|
|
||
| Follow the instructions, up until "Log in to the Admin Console", provided in the https://www.keycloak.org/getting-started/getting-started-kube[Get started with Keycloak on Kubernetes] guide. |
There was a problem hiding this comment.
This installation guide has 2 sets of directions, one with the "Ingress addon"
and one without. You need to instruct the user whether this example requires
the "Ingress addon". Direct the user as to which set of instructions to use
as it relates to Ingress.
There was a problem hiding this comment.
added a line "This guide uses Keycloak with Ingress add-on enabled."
|
|
||
| We will be using Keycloak as our OpenID provider. | ||
|
|
||
| Follow the instructions, up until "Log in to the Admin Console", provided in the https://www.keycloak.org/getting-started/getting-started-kube[Get started with Keycloak on Kubernetes] guide. |
There was a problem hiding this comment.
Tell the user that during this step, "make note of the
initial admin user username, password and Keycloak Admin Console URL",
as it will be needed in the next step.
|
|
||
| . Log into the Keycloak Admin Console using the username and password you specified earlier. | ||
|
|
||
| . Create a new realm called *myrealm*. For more information, see the Keycloak documentation on how to https://www.keycloak.org/getting-started/getting-started-kube#_create_a_realm[create a realm]. |
There was a problem hiding this comment.
The directions linked to are old and not that helpful. Use this link and
instruct the user to Follow the directions in "Creating a realm".
https://www.keycloak.org/docs/latest/server_admin/#proc-creating-a-realm_server_administration_guide
|
|
||
| . Create a new realm called *myrealm*. For more information, see the Keycloak documentation on how to https://www.keycloak.org/getting-started/getting-started-kube#_create_a_realm[create a realm]. | ||
|
|
||
| . Add a role called *user*. This role will be required to access our simple web application. For more information, see the Keycloak documentation on how to https://www.keycloak.org/docs/latest/server_admin/index.html#assigning-permissions-using-roles-and-groups[create a role]. |
There was a problem hiding this comment.
The directions linked to are old and not that helpful. Use this link and
instruct the user to Follow the directions in "Creating a realm role",
following steps 1,2 and 4. Step 3 is optional
https://www.keycloak.org/docs/latest/server_admin/#proc-creating-realm-roles_server_administration_guide
|
|
||
| . Add a new user named *alice*. Set an *email* address for this new user, we'll use *[email protected]*. For more information, see the Keycloak documentation on how to https://www.keycloak.org/getting-started/getting-started-kube#_create_a_user[create a user]. | ||
|
|
||
| . Once the new user has been created, set a password for this new user from the *Credentials* tab. |
There was a problem hiding this comment.
Remove this direction. If the user performed all the tasks listed for "create a user" they will have set the password already.
There was a problem hiding this comment.
Updated the link here to be consistent with the others. This one doesn't contain steps for adding a password, so added a sub-step.
|
|
||
| . Once the new user has been created, set a password for this new user from the *Credentials* tab. | ||
|
|
||
| . From the *Role Mapping* tab, assign *alice* the *user* role. For more information, see the Keycloak documentation on how to https://www.keycloak.org/docs/latest/server_admin/index.html#proc-assigning-role-mappings_server_administration_guide[assign a role] to a user. |
There was a problem hiding this comment.
Don't make this a separate numbered step. Make it the 2nd paragraph of step 4. create user, because this task (e.g. tab) is accessed from the user details page.
| . From the *Role Mapping* tab, assign *alice* the *user* role. For more information, see the Keycloak documentation on how to https://www.keycloak.org/docs/latest/server_admin/index.html#proc-assigning-role-mappings_server_administration_guide[assign a role] to a user. | ||
|
|
||
| . Create a new client as follows: | ||
| * *General Settings*: |
There was a problem hiding this comment.
These directions are more concise and clear
Click the General Settings image in the top left hand corner of the admin console
Click the "Clients" menu item
Click the "Create client" button
On the "Create client" page set the "Client type" to "OpenID Connect".
Set the "Client id" as, myclient.
Click the "Next" button at the bottom of the page
On the "Capability config" page the checkboxes for "Standard flow"
and "Direct access grants" should be selected.
Click the "Next" button at the bottom of the page
On the "Login settings" page no action is needed at this time.
Click the "Save" button at the bottom of the page.
There was a problem hiding this comment.
agreed, updated with slight modifications.
| * *Login settings*: Leave the fields blank for now. | ||
|
|
||
| + | ||
| For more information, see the Keycloak documentation on https://www.keycloak.org/docs/latest/server_admin/index.html#_oidc_clients[Managing OpenID Connect clients]. |
There was a problem hiding this comment.
I would remove this reference. It just confuses the whole situation because it does not accurately reflect the current screen layout.
|
|
||
| * For Docker Hub, use `<USERNAME>/simple-webapp-oidc`. | ||
|
|
||
| . Verify that you see the tagged image in Docker images. |
There was a problem hiding this comment.
Remove this step. The image was verified in the previous section. There is no reason to re-verify it here.
| . Navigate to the `simple-webapp-oidc` directory. | ||
|
|
||
|
|
||
| . Use the `wildfly-maven-plugin` plugin to create a docker image. |
There was a problem hiding this comment.
Remove the reference to wildfly-maven-plugin here. It is distracting from the current task and you discuss it at a more appropriate time in a future section.
|
|
||
| == Finish Configuring Keycloak | ||
|
|
||
| From your *myclient* client in the Keycloak Administration Console, in the client settings, set *Valid Redirect URI* to `http://localhost:8080/simple-webapp-oidc/secured/pass:[*]` then click *Save*. |
There was a problem hiding this comment.
These directions are more concise and clear
Click the General Settings image in the top left hand corner of the admin console
Click the "Clients" menu item
Click on "myclient" from the list on the Clients page.
Scroll down to the "Access settings" section on the page.
In field, "Valid redirect URIs set the value to http://localhost:8080/simple-webapp-oidc/secured/pass:[*]
Click the "Save" button at the bottom of the page.
There was a problem hiding this comment.
agreed, updated with slight modification.
|
Thank you so much @rsearls for the review and wonderful suggestions! I've made the suggested changes. Would you mind having another look? best, |
|
This look fine. I have no more comments |
|
Thanks @theashiot and @rsearls! |
Depends on updates to the simple-webapp-oidc example:
wildfly-security-incubator/elytron-examples#209
Preview: https://theashiot.github.io/wildfly-elytron/blog/securing-wildfly-apps-oidc-k8s/