1) Overview
This article explains how to use the Keycloak Authz examples with Red Hat SSO.
2) RH-SSO server
By default, the examples are deployed on a JBoss server on port 8080.
RH-SSO needs some parameter customization to be launched:
- The RH-SSO server must be launched on a different port (8180 is used in our case).
- Authorisation Services need to be enabled with the command -DTECH_PREVIEW
sh standalone.sh -Djboss.socket.binding.port-offset=100 -Dkeycloak.profile=preview
3) JBOSS server
3.1) Starting JBoss Server
You need to install the RH-SSO adapter rh-sso-7.1.0-eap7-adapter.zip. For further information about the JBoss RH-SSO adapter, refer to the RH-SSO admin guide.
sh standalone.sh
3.2) Managing deployed application using JBoss CLI (jboss-cli.sh)
The easiest way to manage deployed applications is the JBoss CLI.
The most useful JBoss CLI commands are:
- connect: connects the CLI to the server
- deploy: lists the deployed war files
- deploy <war-file>: deploys a specific application
- undeploy <war-file>: undeploys a specific application
sh jboss-cli.sh
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] connect
[standalone@localhost:9990 /] deploy
app-authz-vanilla.war customer-portal.war photoz-html5-client.war
app-html5.war database.war photoz-restful-api.war
app-profile-html5.war hello-world-authz-service-2.5.11.Final-SNAPSHOT.war product-portal.war
app-profile-jsp.war oauth-client.war servlet-authz.war
4) Compiling RH-SSO and using AuthZ Examples
The release to be used is 2.5.X (i.e. 2.5.11).
Authz examples can be found at:
4.1) Source code adaptation
The examples' source code needs to be adapted for an RH-SSO server which runs on port 8180.
4.1.1) RH-SSO Authentication Server port to be adjusted
All calls to the RH-SSO server ending with:
- https://localhost:8080/auth
need to be replaced with
- https://localhost:8180/auth
Example:
./src/main/webapp/WEB-INF/keycloak.json: "auth-server-url": "https://localhost:8180/auth"
This modification has to be made in all the files which contain the above-mentioned pattern.
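The port rewrite described in 4.1.1 as a shell script, added here as an example and not part of the Keycloak examples or RH-SSO. The function names and the sample files are constructed; the match requires /auth to end the path segment, so application URLs that stay on 8080 are left untouched.

```shell
#!/bin/sh
# Added example. Function names and the sample tree are constructed.

# Match the auth endpoint only when "/auth" ends the path segment, so an
# application served on 8080 under a path such as /authz-demo is not rewritten.
STALE_RE='localhost:8080/auth(["/]|$)'
FIX_EXPR='s#localhost:8080/auth(["/]|$)#localhost:8180/auth\1#g'

# Print the files under directory $1 that still point at the old auth port.
stale_auth_files() {
    grep -rlE -- "$STALE_RE" "$1" 2>/dev/null | sort
}

# Rewrite the auth endpoint in place in every stale file under directory $1.
rewrite_auth_port() {
    stale_auth_files "$1" | while IFS= read -r f; do
        tmp=$(mktemp) || continue
        sed -E "$FIX_EXPR" "$f" > "$tmp" && cat "$tmp" > "$f"
        rm -f "$tmp"
    done
}

# Build a small constructed source tree under directory $1.
make_sample_tree() {
    mkdir -p "$1/app/src/main/webapp/WEB-INF" "$1/app/src/main/resources"
    cat > "$1/app/src/main/webapp/WEB-INF/keycloak.json" <<'EOF'
{ "auth-server-url": "https://localhost:8080/auth" }
EOF
    cat > "$1/app/src/main/resources/sample-urls.json" <<'EOF'
{
  "baseUrl": "https://localhost:8080/hello-world-authz-service",
  "adminUrl": "https://localhost:8080/authz-demo",
  "realmUrl": "https://localhost:8080/auth/realms/sample-realm"
}
EOF
}

# Demo: rewrite the sample tree, then list what is left on each port.
demo() {
    d=$(mktemp -d) || return 1
    make_sample_tree "$d"
    rewrite_auth_port "$d"
    stale_auth_files "$d"              # prints nothing once all files are fixed
    grep -rhoE 'localhost:[0-9]+/[a-z-]+' "$d" | sort
    rm -rf "$d"
}
demo
```

On a real checkout, run rewrite_auth_port on the examples directory and then stale_auth_files on the same directory; an empty listing means no file still targets the old auth port.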
4.1.2) Jboss URL to be fully specified
In the RH-SSO client configuration, the FQDN of the JBoss client application needs to be fully specified, such as:
Redirect uri: https://localhost:8080/hello-world-authz-service/*
Base URL: https://localhost:8080/hello-world-authz-service
Admin URL: https://localhost:8080/hello-world-authz-service
Web Origins: https://localhost:8080
5) Deploying the Authz examples
Once you have made all the small changes mentioned earlier, to deploy each example you just need to follow its README.
5.1) Deployment Tips
Before using a new example, make sure that all the users are empty, as the JSON file that you will upload contains some user properties specific to a given example.
If you don't clean it, you may end up with inconsistencies, as your current user properties will not be correct.
5.2) Troubleshooting an example
The most common source of issues is the modifications that have been introduced:
- Make sure that ALL Authorization Server requests go to https://localhost:8180/auth
- Make sure that ALL applications are deployed with respect to https://localhost:8080
5.3) Bug Fix (photoz-restful-api-authz-service.json)
The photoz example tells you to upload:
examples/authz/photoz/photoz-restful-api/src/main/resources/photoz-restful-api-authz-service.json
When you follow the README, execution breaks with an error message such as:
21:49:22,210 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-79) RESTEASY002020: Unhandled asynchronous exception, sending back 500: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: Cannot find KieModule: org.keycloak:photoz-authz-policy:${project.version} at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:255)
This happens because you need to import the JSON file from the target directory, where ${project.version} has been fully resolved.
When you build the example, a filtered version of photoz-restful-api-authz-service.json is generated at photoz/photoz-restful-api/target/classes/photoz-restful-api-authz-service.json. This is the file you need to import.