
Guided Exercise: Authenticate Users with Red Hat Single Sign-On

  • Configure Red Hat Single Sign-On to authenticate users and applications using the OpenID Connect (OIDC) protocol.

Outcomes

  • Configure RH-SSO clients for the OpenID Connect (OIDC) Authorization Code Flow, with confidential and public clients.

  • Configure RH-SSO clients for the OAuth2 Client Credentials Grant.

  • Describe the requests involved in OIDC Authorization Code Flow, with confidential and public clients.

  • Describe the content of different OIDC tokens.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command prepares your environment and ensures that all required resources are available.

[student@workstation ~]$ lab start auth-oidc

Procedure 3.1. Instructions

In this exercise you configure three RH-SSO clients for authentication of three different types of applications:

  • The finance-webapp application is a server-side web application that uses the OpenID Connect authorization code flow as a confidential client to authenticate the application users. The application uses the Java Quarkus framework and the Quarkus integration with OpenID Connect identity servers. The finance-webapp application calls an external endpoint in the marketing-restful-api application.

  • The marketing-restful-api application is a Node.js back-end service that serves REST endpoints. It uses an RH-SSO service account with a confidential secret, which enables the OAuth2 client credentials grant. Thus, the application does not initiate a user login; instead, RH-SSO issues an access token to the client itself. The marketing-restful-api application uses the Node.js adapter from RH-SSO to integrate with the authentication server.

  • The marketing-html5 application is a single-page application (SPA) developed with HTML5 and JavaScript, which runs in a browser. It uses the OpenID Connect authorization code flow as a public client. The application uses the JavaScript adapter from RH-SSO to integrate with the authentication server. The marketing-html5 application calls an external endpoint in the marketing-restful-api application.

Figure 3.4: Applications used in the exercise

  1. Log in to the RH-SSO Admin Console. On the workstation machine, use Firefox to navigate to the Red Hat Single Sign-On web UI URL at https://sso.lab.example.com:8080. Click Administration Console. Log in as the admin user with redhat as the password.

  2. Create a client for the Quarkus finance-webapp in the rhtraining realm.

    1. Navigate to the rhtraining realm, and then click Configure → Clients. Then, click Create.

    2. Create the client based on the following criteria.

      Table 3.2. Finance web application client creation

      Field            Value
      Client ID        finance-webapp
      Client Protocol  openid-connect
      Root URL         http://localhost:8080/finance

      Click Save.

    3. On the page that opens, set Direct Access Grants Enabled to OFF, and select confidential in the Access Type field.

      Figure 3.5: Finance web application client configuration

      Scroll down and click Save.

    4. Navigate to the Credentials tab, and take note of the secret value.

      Figure 3.6: Finance web application client credentials
  3. Configure, run, and test the authentication for the finance-webapp application.

    1. Open the terminal application on the workstation machine and change to the ~/DO313/labs/auth-oidc/finance-webapp directory.

      [student@workstation ~]$ cd ~/DO313/labs/auth-oidc/finance-webapp
    2. Modify the finance-webapp/src/main/resources/application.properties configuration file, to include the client secret you noted in the previous step.

      quarkus.oidc.auth-server-url=https://sso.lab.example.com:8080/auth/realms/rhtraining
      quarkus.oidc.application-type=web-app
      #For web-app type applications, Quarkus needs to read the roles from access token, instead of the idToken:
      quarkus.oidc.roles.source=accesstoken
      quarkus.oidc.client-id=finance-webapp
      quarkus.oidc.credentials.secret=wRaGhUsdJKIe8PL0ShboprtyLDgzPd5H
      ...output omitted...
    3. From the terminal, compile and run the application.

      [student@workstation finance-webapp]$ mvn install && \
        java -jar target/quarkus-app/quarkus-run.jar
      ...output omitted...
      2022-11-17 13:22:04,304 INFO  [io.quarkus] (main) finance-webapp 1.0.0-SNAPSHOT on JVM (powered by Quarkus 2.14.0.Final) started in 1.230s. Listening on: http://0.0.0.0:8080
      2022-11-17 13:22:04,310 INFO  [io.quarkus] (main) Profile prod activated.
      2022-11-17 13:22:04,310 INFO  [io.quarkus] (main) Installed features: [cdi, oidc, qute, reactive-routes, resteasy, resteasy-qute, security, servlet, smallrye-context-propagation, smallrye-jwt, vertx]

      Leave the terminal open.

    4. Open a new Firefox private window and navigate to the finance web application at http://localhost:8080/finance.

      Click Show my access token. Try to log in with the admin user, with redhat as the password.

      The authentication fails because the admin user is not present in the rhtraining realm.

    5. Close the Firefox private window.

  4. Create the alice user, and test the access to the finance web application.

    1. Use Firefox to log in again to the RH-SSO Admin Console at https://sso.lab.example.com:8080.

    2. Click Manage → Users. Then, click Add user.

    3. Create the user based on the following criteria. Leave the other fields empty.

      Field           Value
      Username        alice
      Email           alice@example.com
      First Name      Alice
      Last Name       in Chains
      User enabled    ON
      Email verified  ON

      Click Save.

    4. Navigate to the Credentials tab of the alice user to set the password.

      Fill in the Password and Password Confirmation fields using alice as the password. Set Temporary to OFF. Then, click Set Password and confirm the change.

      Figure 3.7: Changing user password
    5. Open a new Firefox private window and navigate to the finance web application at http://localhost:8080/finance.

      Click Show my access token, and log in as the alice user, with alice as the password.

      The authentication now works, because alice is a user that belongs to the rhtraining realm. The application shows the access token and all of its claims. You can see the standard RH-SSO OIDC Authorization Code Flow activity in the log shown in the terminal for the finance-webapp application.

    6. Close the Firefox private window.

  5. Observe the requests to the RH-SSO server from the browser.

    1. Open a new Firefox private window and press the F12 key to show the Firefox developer tools. Click Network to show Firefox's network monitor.

      Figure 3.8: Firefox network monitor
    2. Navigate to the finance web application at http://localhost:8080/finance.

      There are no requests to the sso.lab.example.com:8080 server.

    3. Click Show my access token.

      Scroll through the list of requests, and observe the first request to the sso.lab.example.com:8080 server.

      Figure 3.9: Authentication Code Flow. 1
    4. Log in as the alice user with alice as the password.

      Observe the requests to the sso.lab.example.com:8080 server.

      Figure 3.10: Authentication Code Flow. 2

      With a confidential client, the user's browser never receives any token and never calls the OIDC token endpoint directly; the code-for-token exchange happens on the back channel between the finance-webapp server and RH-SSO.

    5. Close the Firefox private window.

  6. Create a client for the marketing-restful-api services applications.

    1. Navigate to the rhtraining realm, and then click Configure → Clients. Then, click Create.

    2. Create the client based on the following criteria.

      Table 3.3. Marketing Restful API client creation

      Field            Value
      Client ID        marketing-restful-api
      Client Protocol  openid-connect
      Root URL         http://localhost:3000/campaign

      Click Save.

    3. On the page that opens, select confidential in the Access Type field, and set the Direct Access Grants Enabled and Standard Flow Enabled fields to OFF.

      Set Service Accounts Enabled to ON.

      Figure 3.11: Marketing restful application client configuration.

      Scroll down and click Save.

  7. Configure, run, and test the authentication for the marketing-restful-api services applications.

    1. Open a new terminal application on the workstation machine and change to the ~/DO313/labs/auth-oidc/marketing-restful-api directory.

      [student@workstation ~]$ cd ~/DO313/labs/auth-oidc/marketing-restful-api
    2. Run the Node application.

      [student@workstation marketing-restful-api]$ npm run start
      
      > marketing-restful-api@0.0.1 start /home/student/DO313/labs/auth-oidc/marketing-restful-api
      > node app.js
      
      Started at port 3000

      Leave the terminal open.

    3. Open a new Firefox private window and navigate to the finance web application at http://localhost:8080/finance.

      Click Show my access token to log in as the alice user, with alice as the password. Then, click External API.

      You can see the list of marketing campaigns because the finance-webapp application uses the access token to call the external endpoint in the marketing-restful-api application.

      You can see the HTTP request, with the access token, in the log shown in the terminal for the marketing-restful-api application.

      Figure 3.12: Output from the marketing-restful-api application.

    4. Close the Firefox private window.

  8. Create a client for the marketing-html5 single page application.

    1. From the RH-SSO Admin Console, navigate to the rhtraining realm, and then click Configure → Clients.

      Then, click Create.

    2. Create the client based on the following criteria.

      Table 3.4. Marketing SPA application client creation

      Field            Value
      Client ID        marketing-html5
      Client Protocol  openid-connect
      Root URL         http://localhost:8081/marketing-html5

      Click Save.

    3. On the page that opens, set Direct Access Grants Enabled to OFF, and leave public in the Access Type field.

      Scroll down and click Save.

  9. Configure, run, and test the authentication for the marketing-html5 single page application.

    1. Open a new terminal application on the workstation machine and change to the ~/DO313/labs/auth-oidc/marketing-html5 directory.

      [student@workstation ~]$ cd ~/DO313/labs/auth-oidc/marketing-html5
    2. Run the Node application that wraps the single-page application.

      [student@workstation marketing-html5]$ npm run start
      
      > marketing-html5@0.0.1 start /home/student/DO313/labs/auth-oidc/marketing-html5
      > node app.js
      
      marketing-html5 listening on port 8081

      Leave the terminal open.

  10. Access the marketing-html5 application and examine the requests.

    1. Open a new Firefox regular window and press the F12 key to show the Firefox developer tools.

      Click Network to show Firefox's network monitor.

    2. Navigate to the marketing single-page application at http://localhost:8081/marketing-html5.

      Observe the requests to the sso.lab.example.com:8080 server that a hidden HTML iframe issues, even before any authenticated request is made. The RH-SSO JavaScript adapter keeps track of the session status by using a hidden HTML iframe in the JavaScript application.

    3. Click Login to log in as the alice user, with alice as the password.

      Then, click Sign In and observe the request to the OIDC token endpoint. With a public client application, all the tokens reach the user's device.

      Figure 3.13: Request to the OIDC token endpoint
    4. Close all the Firefox windows.

    5. Close all the applications running in terminals by pressing Ctrl+C.

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish auth-oidc

This concludes the section.

Revision: do313-7.6-bc10333