Red Hat Single Sign-On Administration

Bookmark this page
P123456
PreviousNext

Guided Exercise: Authorize Users with Red Hat Single Sign-On

  • Configure Red Hat Single Sign-On to authorize users and applications using the OpenID Connect (OIDC) protocol and the RBAC features of RH-SSO.

Outcomes

  • Create and manage roles in RH-SSO.

  • Create and manage composite roles in RH-SSO.

  • Create groups of users and assign roles by using the groups.

  • Identify the relationship between the OIDC tokens, and the RH-SSO roles.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command ensures that the RH-SSO realm is configured, and populated with users.

[student@workstation ~]$ lab start auth-authz

Procedure 3.2. Instructions

The finance-webapp and marketing-restful-api applications perform access control by using three RH-SSO realm roles. The following table shows the relationship between the roles and the application endpoints.

Table 3.5. Roles and Endpoints

RoleApplicationEndpoint
marketing-usermarketing-restful-api http://localhost:3000/campaign/list
finance-userfinance-webapp http://localhost:8080/finance/showinvoices
finance-adminfinance-webapp http://localhost:8080/finance/addinvoices

The following tables show the users and groups already present in the rhtraining realm.

Table 3.6. Users and Passwords

UserPassword
alice alice
bob bob
johndoe johndoe

Table 3.7. Groups

Group
managers
finance-users
marketing-users

In this exercise you use the groups to grant different roles to users.

  1. Run the finance-webapp application, and test the authorization.

    1. Open the terminal application on the workstation machine and change to the ~/DO313/labs/auth-authz/finance-webapp directory.

      [student@workstation ~]$ cd ~/DO313/labs/auth-authz/finance-webapp

    2. From the terminal, compile and run the application.

      [student@workstation finance-webapp]$ mvn quarkus:dev
...output omitted...
2022-12-15 07:41:26,210 INFO  [io.quarkus] (Quarkus Main Thread) finance-webapp 1.0.0-SNAPSHOT on JVM (powered by Quarkus 2.14.2.Final) started in 3.001s. Listening on: http://localhost:8080
2022-12-15 07:41:26,211 INFO  [io.quarkus] (Quarkus Main Thread) Profile dev activated. Live Coding activated.
2022-12-15 07:41:26,211 INFO  [io.quarkus] (Quarkus Main Thread) Installed features: [cdi, oidc, oidc-client, oidc-token-propagation, qute, reactive-routes, rest-client, rest-client-jackson, resteasy, resteasy-qute, security, servlet, smallrye-context-propagation, smallrye-jwt, vertx]

 --
Tests paused
Press [r] to resume testing, [o] Toggle test output, [:] for the terminal, [h] for more options>

      Note

      The application can take some minutes downloading dependencies.

      Leave the terminal open.

    3. Open a new Firefox private window and navigate to the finance web application at http://localhost:8080/finance.

      Note

      If you do not use a private window, the browser maintains the user identified, by using browser cookies, and the SSO session. You can also log out the user by finishing the sessions from the ManageSessions in the RH-SSO Admin Console.

      Click Show my access token, and log in as the alice user, with alice as the password.

    4. Click /showinvoices.

      There is an authorization error, because the application requires the user to be in the finance-user role.

      Note

      You can examine the piece of the source code of the finance-webapp application requiring authorization by opening the ~/DO313/labs/auth-authz/finance-webapp/src/main/java/com/example/ShowInvoices.java file.

  2. Create the finance-user realm role.

    1. Log in to the RHSSO Admin Console.

      On the workstation machine, use Firefox to navigate to the RH-SSO web UI URL at https://sso.lab.example.com:8080. Click Administration Console. Log in as the admin user with redhat as the password.

    2. In the left menu, navigate to the rhtraining realm, and click ConfigureRoles.

      Then, click Add Role.

    3. Type finance-user in the Role Name field.

      Then, click Save.

  3. Add the finance-user realm role to the finance-users group.

    1. From the RH-SSO Admin Console, click ManageGroups.

      Select finance-users group. Then, click Edit.

      Figure 3.22: Edit group to add the realm role

    2. Click the Role Mappings tab.

      Then, select the finance-user role in the list of available roles, and click Add Selected.

      Figure 3.23: Realm role added

  4. Add the bob user to the finance-users group.

    1. From the RH-SSO Admin Console, click ManageUsers.

      Then click View all users.

    2. Click Edit in the bob users row.

      Then, navigate to the Groups tab, click the finance-users group, and click Join.

  5. Log in to the finance application as the bob user.

    1. Open a new Firefox private window and navigate to the finance web application at http://localhost:8080/finance.

      Click /showinvoices, and log in as the bob user, with bob as the password.

      The bob user, in the finance-users group, can see the list of invoices because the group has the required role.

    2. Click /addinvoices.

      Then, fill the fields with random data, and click Submit Query.

      There is an authorization error, because the application requires the user to be in the finance-admin role. You create this role later in this exercise.

  6. Create the marketing-user role.

    The last feature of the finance-webapp application is the request to the marketing-restful-api external application, to list the marketing campaigns. You need that application running with its required role.

    1. From the RH-SSO Admin Console, navigate to the rhtraining realm, and then click ConfigureRoles.

      Then, click Add Role.

    2. Type marketing-user in the Role Name field.

      Then, click Save.

  7. Add the marketing-user realm role to the marketing-users group.

    1. From the RH-SSO Admin Console, click ManageGroups.

      Select the marketing-users group. Then, click Edit.

    2. Navigate to the Role Mappings tab.

      Then, select the marketing-user role in the list of available roles, and click Add Selected.

  8. Add the johndoe user to the marketing-users group.

    1. From the RH-SSO Admin Console, navigate to ManageUsers.

      Then click View all users.

    2. Click Edit in the johndoe users row.

      Then, navigate to the Groups tab, select the marketing-users group, and click Join.

  9. Start the marketing-restful-api, and test access.

    1. Open a new terminal application on the workstation machine, and change to the ~/DO313/labs/auth-authz/marketing-restful-api directory.

      [student@workstation ~]$ cd ~/DO313/labs/auth-authz/marketing-restful-api

    2. From the terminal, install dependencies and run the application.

      [student@workstation ~]$ npm install && npm run start
...oupout omitted...
> marketing-restful-api@0.0.1 start /home/student/DO313/labs/auth-authz/marketing-restful-api
> node app.js

Started at port 3000

      Note

      The application can take some minutes downloading dependencies.

      Leave the terminal open.

    3. Open a new Firefox private window and navigate to the finance web application at http://localhost:8080/finance.

      Click Show my access token, and log in as the johndoe user, with johndoe as the password.

    4. Click External API to access the list of campaigns.

      The johndoe user, in the marketing-users group, can see the list of campaigns because the group has the required role.

  10. Create the finance-admin composite role.

    The users in the finance-admin role need to access all resources in the finance-webapp application, including the request to the external marketing-restful-api application.

    1. From the RH-SSO Admin Console, navigate to the rhtraining realm, and then click ConfigureRoles.

      Then, click Add Role.

    2. Type finance-admin in the Role Name field.

      Then, click Save.

    3. Set Composite Roles to ON.

      Then, in the Available Roles column select the finance-user, and marketing-user roles.

      Click Add Selected to move to the Associated Roles column.

  11. Add the finance-admin realm role to the managers group.

    1. From the RH-SSO Admin Console, click ManageGroups.

      Select managers group. Then, click Edit.

    2. Navigate to the Role Mappings tab.

      Then, select the finance-admin role in the list of available roles, and click Add Selected.

  12. Add the alice user to the managers group.

    1. From the RH-SSO Admin Console, navigate to ManageUsers.

      Then click View all users.

    2. Click Edit in the alice users row.

      Then, navigate to the Groups tab, select the managers group, and click Join.

  13. Test that the alice user has all the roles.

    1. Open a new Firefox private window and navigate to the finance web application at http://localhost:8080/finance.

      Click Show my access token and log in as the alice user, with alice as the password.

    2. Observe the claim inside the token with the list of roles.

      Figure 3.24: Access token claim with the roles list.

  14. Close all terminals and all the Firefox windows, and change to the /home/student directory.

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish auth-authz

This concludes the section.

PreviousNext
Revision: do313-7.6-bc10333