Lab: Authentication and Authorization

  • Configure authentication and authorization for applications.

Outcomes

  • Configure different RH-SSO clients for the OpenID Connect (OIDC) Authorization Code Flow.

  • Describe the content of different OIDC tokens.

  • Create and manage users and roles in RH-SSO.

  • Create groups of users and assign roles by using groups.

  • Configure authentication options.

  • Configure password policies for the users.

  • Configure required actions for log in.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

[student@workstation ~]$ lab start auth-review

Procedure 3.4. Instructions

In this exercise you configure your RH-SSO realm to enhance the security of the authentication of the users. Then, you create two clients, and configure the realm with the roles required by the applications.

  • The finance-webapp application is a server-side web application that uses the OpenID Connect authorization code flow as a confidential client to authenticate the application users. The application uses the Java Quarkus framework, and the Quarkus integration with OpenID Connect identity servers. The finance-webapp application calls an external endpoint in the marketing-restful-api application.

  • The marketing-restful-api application is a Node.js back-end service that serves REST endpoints. It uses the OpenID Connect authorization code flow as a bearer-only client. Thus, the application cannot initiate the login process, but RH-SSO can generate the access token for this client. The marketing-restful-api application uses the Node.js adapter from RH-SSO to integrate with the authentication server.

The finance-webapp and marketing-restful-api applications perform access control by using two RH-SSO realm roles. The following table shows the relationship between the roles and the application endpoints.

Table 3.8. Roles and Endpoints

Role                         Application            Endpoint
None (only authenticated)    finance-webapp         http://localhost:8080/finance/showtokens
finance-user                 finance-webapp         http://localhost:8080/finance/showinvoices
marketing-user               marketing-restful-api  http://localhost:3000/campaign/list

  1. Prepare the RH-SSO rhtraining realm to allow user registration.

    1. Log in to the RH-SSO Admin Console.

      On the workstation machine, use Firefox to navigate to the Red Hat Single Sign-On web UI URL at https://sso.lab.example.com:8080. Click Administration Console. Log in as the admin user with redhat as the password. By default, the main page shows the Realm Settings menu for the rhtraining realm.

    2. Activate user registration.

      From within the Configure → Realm Settings menu, click the Login tab. Then, set the User registration switch to ON. Click Save.

  2. Enhance password security by forcing all the users to have a password with a minimum length of 10 characters, and at least 1 special character.

    1. In the RH-SSO Admin Console, click Configure → Authentication.

      Then, click Password Policy.

    2. Add password policies to the rhtraining realm.

      From the Add policy drop-down, select the following password policies. You must add the policies one by one. Set the Policy Value field to 10 for the Minimum Length policy.

      • Special Characters

      • Minimum Length (10)

      After adding both password policies, click Save.

  3. Create a client for the Quarkus finance-webapp in the rhtraining realm.

    The new client must allow only the OpenID Connect authorization code flow (standard flow) as a confidential client. Create the client based on the following criteria.

    Field            Value
    Client ID        finance-webapp
    Client Protocol  openid-connect
    Root URL         http://localhost:8080/finance

    1. Navigate to the rhtraining realm, and then click Configure → Clients. Then, click Create.

    2. Create the client based on the criteria from the previous table.

      Click Save.

    3. On the page that opens, set Direct Access Grants Enabled to OFF, and select confidential in the Access Type field.

      [Figure: Finance web application client configuration]

      Scroll down and click Save.

    4. Navigate to the Credentials tab, and take note of the secret value.

      [Figure: Finance web application client credentials]

  4. Inspect the ID and access tokens emitted for the alice user and the finance-webapp client from the RH-SSO Admin Console.

    1. Click the Client Scopes tab within the finance-webapp client page.

      Then, click the Evaluate tab.

    2. In the User field, select the existing alice user.

      Then, click Evaluate.

      You can inspect the access token, emitted for the alice user from the finance-webapp OIDC client, in the Generated Access Token tab. You can inspect the ID token in the Generated ID Token tab.

  5. Create a client for the marketing-restful-api service application in the rhtraining realm.

    The new client must allow only the OpenID Connect authorization code flow (standard flow) as a bearer-only client. Create the client based on the following criteria.

    Table 3.9. Marketing Restful API client creation

    Field            Value
    Client ID        marketing-restful-api
    Client Protocol  openid-connect
    Root URL         http://localhost:3000/campaign

    1. Navigate to the rhtraining realm, and then click Configure → Clients.

      Then, click Create.

    2. Create the client based on the criteria from the previous table.

      Click Save.

    3. On the page that opens, select bearer-only in the Access Type field.

      Scroll down and click Save.

    4. Try to inspect the tokens for the marketing-restful-api client.

      The marketing-restful-api client is a bearer-only client. Thus, the client cannot start a login flow, and in the RH-SSO Admin Console there is no Client Scopes tab.
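      The following example is added here and is not code from the lab, from Quarkus, or from the RH-SSO Node.js adapter. It ties together step 4 (what the ID and access tokens contain) and step 5 (how a bearer-only resource treats requests): it decodes the payload of two constructed, unsigned sample tokens, shows that the realm roles live in the realm_access.roles claim of the access token, and then applies the role-to-endpoint relationship from Table 3.8 the way the two applications do. The issuer URL, client IDs, role names and endpoints are the lab's; the token claims, the placeholder signature segment and the authorize function are constructed for this example. Signature verification against the realm keys, which the real adapters perform before trusting any claim, is out of scope here.

```javascript
// Added example (not from the DO313 lab or RH-SSO): decode sample OIDC tokens
// and apply the Table 3.8 role/endpoint rules as a bearer-only resource would.
const REALM_ISSUER = "https://sso.lab.example.com:8080/auth/realms/rhtraining";

// Table 3.8: realm role required by each endpoint (null = any authenticated user).
const ROLE_TABLE = [
  { app: "finance-webapp", path: "/finance/showtokens", role: null },
  { app: "finance-webapp", path: "/finance/showinvoices", role: "finance-user" },
  { app: "marketing-restful-api", path: "/campaign/list", role: "marketing-user" },
];

function base64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64urlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const pad = "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, "base64").toString("utf8");
}

// Build a compact JWT with a placeholder signature segment (constructed sample;
// a real RH-SSO token carries an RS256 signature over the first two segments).
function makeSampleToken(payload) {
  const header = { alg: "RS256", typ: "JWT", kid: "constructed-kid" };
  return `${base64urlEncode(header)}.${base64urlEncode(payload)}.placeholder-signature`;
}

// Constructed claims in the shape RH-SSO emits for the finance-webapp client:
// the access token (typ "Bearer") carries the realm roles in realm_access.roles;
// the ID token (typ "ID") carries identity claims and, with the default
// mappers, no realm_access claim, which is why the lab reads roles from the
// access token (quarkus.oidc.roles.source=accesstoken).
const SAMPLE_ACCESS_TOKEN = makeSampleToken({
  iss: REALM_ISSUER, typ: "Bearer", azp: "finance-webapp",
  preferred_username: "alice", realm_access: { roles: ["marketing-user"] },
});
const SAMPLE_ID_TOKEN = makeSampleToken({
  iss: REALM_ISSUER, typ: "ID", aud: "finance-webapp",
  preferred_username: "alice", email: "alice@example.com",
});

function decodePayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(base64urlDecode(parts[1]));
}

function realmRoles(claims) {
  return (claims.realm_access && claims.realm_access.roles) || [];
}

// A bearer-only resource never redirects to a login page: no bearer token, a
// malformed token or a token of the wrong type/issuer gives 401, and an
// authenticated caller without the required realm role gives 403.
function authorize(app, path, authorizationHeader) {
  const rule = ROLE_TABLE.find((r) => r.app === app && r.path === path);
  if (!rule) return { status: 404 };
  const m = /^Bearer\s+(\S+)$/.exec(authorizationHeader || "");
  if (!m) return { status: 401, reason: "no bearer token" };
  let claims;
  try {
    claims = decodePayload(m[1]);
  } catch (e) {
    return { status: 401, reason: "malformed token" };
  }
  if (claims.iss !== REALM_ISSUER || claims.typ !== "Bearer") {
    return { status: 401, reason: "not an access token from the rhtraining realm" };
  }
  if (rule.role !== null && !realmRoles(claims).includes(rule.role)) {
    return { status: 403, reason: `missing realm role ${rule.role}` };
  }
  return { status: 200, user: claims.preferred_username };
}

console.log("access token roles:", realmRoles(decodePayload(SAMPLE_ACCESS_TOKEN)));
console.log("ID token roles:", realmRoles(decodePayload(SAMPLE_ID_TOKEN)));
console.log(authorize("marketing-restful-api", "/campaign/list", undefined));
console.log(authorize("marketing-restful-api", "/campaign/list", `Bearer ${SAMPLE_ACCESS_TOKEN}`));
console.log(authorize("finance-webapp", "/finance/showinvoices", `Bearer ${SAMPLE_ACCESS_TOKEN}`));
```

      Running the block with node shows the distinction the lab relies on: the same alice access token is accepted for /campaign/list and for /finance/showtokens but refused with 403 for /finance/showinvoices until alice holds the finance-user role, and a request that carries the ID token instead of the access token is refused with 401 because an ID token is not a bearer credential for an API.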

  6. Run the finance-webapp application. The application is in the ~/DO313/labs/auth-review/finance-webapp directory, and it is started with the mvn quarkus:dev command.

    1. Open the terminal application on the workstation machine and change to the ~/DO313/labs/auth-review/finance-webapp directory.

      [student@workstation ~]$ cd ~/DO313/labs/auth-review/finance-webapp
    2. Modify the finance-webapp/src/main/resources/application.properties configuration file to include the client secret you noted in a previous step.

      quarkus.oidc.auth-server-url=https://sso.lab.example.com:8080/auth/realms/rhtraining
      quarkus.oidc.application-type=web-app
      #For web-app type applications, Quarkus needs to read the roles from access token, instead of the idToken:
      quarkus.oidc.roles.source=accesstoken
      quarkus.oidc.client-id=finance-webapp
      quarkus.oidc.credentials.secret=passw0rd
      ...output omitted...
    3. From the terminal, compile and run the application.

      [student@workstation finance-webapp]$ mvn quarkus:dev
      ...output omitted...
      2022-12-15 07:41:26,210 INFO  [io.quarkus] (Quarkus Main Thread) finance-webapp 1.0.0-SNAPSHOT on JVM (powered by Quarkus 2.14.2.Final) started in 3.001s. Listening on: http://localhost:8080
      2022-12-15 07:41:26,211 INFO  [io.quarkus] (Quarkus Main Thread) Profile dev activated. Live Coding activated.
      2022-12-15 07:41:26,211 INFO  [io.quarkus] (Quarkus Main Thread) Installed features: [cdi, oidc, oidc-client, oidc-token-propagation, qute, reactive-routes, rest-client, rest-client-jackson, resteasy, resteasy-qute, security, servlet, smallrye-context-propagation, smallrye-jwt, vertx]
      
       --
      Tests paused
      Press [r] to resume testing, [o] Toggle test output, [:] for the terminal, [h] for more options>

      Note

      The application can take some minutes downloading dependencies.

      Leave the terminal open.

  7. Run the marketing-restful-api application. The application is in the ~/DO313/labs/auth-review/marketing-restful-api directory, and it is started with the npm install && npm run start commands.

    1. Open a new terminal application on the workstation machine, and change to the ~/DO313/labs/auth-review/marketing-restful-api directory.

      [student@workstation ~]$ cd ~/DO313/labs/auth-review/marketing-restful-api
    2. From the terminal, install dependencies and run the application.

      [student@workstation marketing-restful-api]$ npm install && npm run start
      ...output omitted...
      > marketing-restful-api@0.0.1 start /home/student/DO313/labs/auth-review/marketing-restful-api
      > node app.js
      
      Started at port 3000

      Note

      The application can take some minutes downloading dependencies.

      Leave the terminal open.

  8. Register a new bob user from the finance-webapp client.

    The application is at http://localhost:8080/finance. Register the new bob user based on the following criteria:

    Field             Value
    First name        Bob
    Last name         Liddle
    Email             bob@example.com
    Username          bob
    Password          bob
    Confirm Password  bob

    Try to use the following passwords:

    • BobBob@

    • BobBobBob@

    Then, try to access the External API link in the finance-webapp application.

    1. Open a new Firefox private window and navigate to the finance web application at http://localhost:8080/finance.

      Click Show my access token.

    2. In the rhtraining realm login page click Register.

    3. Register the bob user based on the criteria from the previous table.

      Click Register. With bob as the password, RH-SSO rejects the registration because the password does not satisfy the realm password policy (a minimum length of 10 characters and at least one special character).

      Try BobBob@ and BobBobBob@ in turn. Only the BobBobBob@ password is accepted: BobBob@ contains a special character but is only 7 characters long.

    4. In the finance-webapp application, click External API to access the list of campaigns.

      The bob user cannot see the list of campaigns because the user is not in the marketing-user role.
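    The following example is added here and is not code from the lab or from RH-SSO. It models the two password policies configured in step 2 and replays the three passwords tried for the bob user in step 8. The policy is expressed as a string in the "name(value) and name(value)" form that Keycloak/RH-SSO uses for a realm's password policy; that format, the definition of a special character as any character that is neither a letter nor a digit, and the candidate passwords are assumptions of this example rather than details taken from the lab.

```javascript
// Added example (not from the DO313 lab or RH-SSO): evaluate passwords against
// a Keycloak-style policy string such as "length(10) and specialChars(1)".
const RHTRAINING_POLICY = "length(10) and specialChars(1)"; // the policy built in step 2

// Parse "length(10) and specialChars(1)" into [{ name, value }, ...].
function parsePolicy(policyString) {
  return policyString
    .split(/\s+and\s+/)
    .map((p) => p.trim())
    .filter((p) => p !== "")
    .map((p) => {
      const m = /^([A-Za-z]+)(?:\((.*)\))?$/.exec(p);
      if (!m) throw new Error(`unparseable policy entry: ${p}`);
      return { name: m[1], value: m[2] === undefined ? null : m[2] };
    });
}

// One check per policy name. Each returns null when the password passes, or a
// message when it fails. specialChars counts characters that are neither
// letters nor digits (assumed to match the RH-SSO definition).
const CHECKS = {
  length: (pw, v) =>
    pw.length >= Number(v) ? null : `must be at least ${v} characters`,
  specialChars: (pw, v) =>
    [...pw].filter((c) => !/[\p{L}\p{N}]/u.test(c)).length >= Number(v)
      ? null
      : `must contain at least ${v} special character(s)`,
  digits: (pw, v) =>
    (pw.match(/\p{N}/gu) || []).length >= Number(v) ? null : `must contain at least ${v} digit(s)`,
  upperCase: (pw, v) =>
    (pw.match(/\p{Lu}/gu) || []).length >= Number(v) ? null : `must contain at least ${v} upper-case letter(s)`,
  lowerCase: (pw, v) =>
    (pw.match(/\p{Ll}/gu) || []).length >= Number(v) ? null : `must contain at least ${v} lower-case letter(s)`,
  notUsername: (pw, _v, username) =>
    username && pw.toLowerCase() === username.toLowerCase() ? "must not equal the username" : null,
};

// Return the list of violated policies (empty when the password is acceptable).
// An unknown policy name fails closed instead of being silently skipped.
function checkPassword(policyString, password, username) {
  const failures = [];
  for (const { name, value } of parsePolicy(policyString)) {
    const check = CHECKS[name];
    if (!check) throw new Error(`unsupported policy: ${name}`);
    const failure = check(password, value, username);
    if (failure) failures.push(`${name}: ${failure}`);
  }
  return failures;
}

// The three passwords tried for bob in step 8, checked against the realm policy.
function labScenario() {
  return {
    bob: checkPassword(RHTRAINING_POLICY, "bob", "bob"),
    "BobBob@": checkPassword(RHTRAINING_POLICY, "BobBob@", "bob"),
    "BobBobBob@": checkPassword(RHTRAINING_POLICY, "BobBobBob@", "bob"),
  };
}

console.log(labScenario());
```

    The output reproduces what the registration page shows: bob fails both policies, BobBob@ fails only the length policy, and BobBobBob@ (exactly 10 characters, one of them @) passes. Because the checker throws on a policy name it does not implement, a misspelt or newly introduced policy is reported instead of being treated as satisfied.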

  9. Create the marketing-user role to access the marketing-restful-api application, and configure it as a default role for all new users.

    1. From the RH-SSO Admin Console, navigate to the rhtraining realm, and then click Configure → Roles.

      Then, click Add Role.

    2. Type marketing-user in the Role Name field.

      Then, click Save.

    3. From within the Configure → Roles menu, click Default Roles.

      Then, select the marketing-user role in the list of available roles, and click Add Selected.

  10. Delete the existing alice user and register a new alice user.

    Then, use the Chromium Web Browser to test the access to the /finance/showcampaigns/list endpoint at the External API link within the finance-webapp application.

    Register the new alice user based on the following criteria:

    Field             Value
    First name        Alice
    Last name         Liddle
    Email             alice@example.com
    Username          alice
    Password          AliceAlice@
    Confirm Password  AliceAlice@

    1. From within the Manage → Users menu, click View all users.

      Then, in the alice user row, click Delete. Confirm the action by clicking Delete.

    2. Open a new Chromium Web Browser window and navigate to the finance web application at http://localhost:8080/finance.

      Click Show my access token.

    3. In the rhtraining realm login page click Register.

    4. Register the user based on the criteria from the previous table.

      Click Register.

    5. In the finance-webapp application, click External API to access the list of campaigns.

      The alice user can see the list of campaigns because the user has the marketing-user realm role, which is now a default role.

    6. In the finance-webapp application, click /showinvoices.

      The alice user cannot see the list of invoices because they are not in the finance-user role.

  11. Create the finance-user role to access to the finance-webapp application's list of invoices.

    1. From the RH-SSO Admin Console, navigate to the rhtraining realm, and then click Configure → Roles.

      Then, click Add Role.

    2. Type finance-user in the Role Name field.

      Then, click Save.

  12. Create the managers group and assign the finance-user role to it. Then, add the alice user to the group and test access to the /finance/showinvoices endpoint.

    1. From the RH-SSO Admin Console, navigate to the rhtraining realm, and then click Manage → Groups.

      Then click New. Type managers as the group name, and click Save.

    2. Click the Role Mappings tab.

      Then, select the finance-user role in the list of available roles, and click Add Selected.

    3. Add the alice user to the managers group.

      From the RH-SSO Admin Console, navigate to Manage → Users. Then click View all users.

    4. Click Edit in the alice user's row.

      Then, navigate to the Groups tab, select the managers group, and click Join.

    5. Open a new Firefox private window and navigate to the finance web application at http://localhost:8080/finance.

      Click /showinvoices, and log in as the alice user, with AliceAlice@ as the password. The alice user can see the list of invoices because they are in the managers group, which has the finance-user role.
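    The following example is added here and is not code from the lab or from RH-SSO. It is a small in-memory model of the realm state built in steps 8 to 12: realm roles, default roles, groups with role mappings, and users that join groups. It replays the lab's sequence and computes each user's effective realm roles, which is what the applications' role checks ultimately depend on, and adds a usersWithRole lookup for auditing who holds a sensitive role. The user, role and group names are the lab's; the data structures are constructed here, and default roles are modelled as applying to every user of the realm at evaluation time, which is an assumption of this model rather than a statement about how RH-SSO assigns them internally.

```javascript
// Added example (not from the DO313 lab or RH-SSO): an in-memory model of
// realm roles, default roles, groups and users, replaying steps 8 to 12.
function createRealm() {
  return { roles: new Set(), defaultRoles: new Set(), groups: new Map(), users: new Map() };
}

function addRole(realm, role) {
  realm.roles.add(role);
}

// Default roles must already exist as realm roles (step 9 creates the role first).
function addDefaultRole(realm, role) {
  if (!realm.roles.has(role)) throw new Error(`unknown role ${role}`);
  realm.defaultRoles.add(role);
}

function registerUser(realm, username) {
  if (realm.users.has(username)) throw new Error(`user ${username} already exists`);
  realm.users.set(username, { roles: new Set(), groups: new Set() });
}

function deleteUser(realm, username) {
  realm.users.delete(username);
}

function createGroup(realm, group) {
  realm.groups.set(group, { roles: new Set() });
}

// Group role mapping (the Role Mappings tab of the group in step 12).
function mapGroupRole(realm, group, role) {
  if (!realm.roles.has(role)) throw new Error(`unknown role ${role}`);
  if (!realm.groups.has(group)) throw new Error(`unknown group ${group}`);
  realm.groups.get(group).roles.add(role);
}

function joinGroup(realm, username, group) {
  if (!realm.groups.has(group)) throw new Error(`unknown group ${group}`);
  if (!realm.users.has(username)) throw new Error(`unknown user ${username}`);
  realm.users.get(username).groups.add(group);
}

// Effective realm roles: the user's direct roles, the realm default roles
// (assumption: applied to every user at evaluation time), and the roles mapped
// to every group the user belongs to.
function effectiveRoles(realm, username) {
  const user = realm.users.get(username);
  if (!user) throw new Error(`unknown user ${username}`);
  const roles = new Set([...user.roles, ...realm.defaultRoles]);
  for (const g of user.groups) {
    for (const r of realm.groups.get(g).roles) roles.add(r);
  }
  return roles;
}

function hasRole(realm, username, role) {
  return effectiveRoles(realm, username).has(role);
}

// Audit helper: every user who ends up with a given role, by any path.
function usersWithRole(realm, role) {
  return [...realm.users.keys()].filter((u) => hasRole(realm, u, role));
}

// Replay the lab: alice exists before the lab; bob registers in step 8 (no
// marketing-user role exists yet, so the External API link fails); step 9
// creates marketing-user and makes it a default role; step 10 re-registers
// alice; steps 11 and 12 add finance-user via the managers group.
function replayLab() {
  const realm = createRealm();
  registerUser(realm, "alice");
  registerUser(realm, "bob");                          // step 8
  const bobRolesBeforeStep9 = [...effectiveRoles(realm, "bob")];
  addRole(realm, "marketing-user");                    // step 9
  addDefaultRole(realm, "marketing-user");
  deleteUser(realm, "alice");                          // step 10
  registerUser(realm, "alice");
  addRole(realm, "finance-user");                      // step 11
  createGroup(realm, "managers");                      // step 12
  mapGroupRole(realm, "managers", "finance-user");
  joinGroup(realm, "alice", "managers");
  return { realm, bobRolesBeforeStep9 };
}

const lab = replayLab();
console.log("bob before step 9:", lab.bobRolesBeforeStep9);
console.log("alice at the end:", [...effectiveRoles(lab.realm, "alice")]);
console.log("holders of finance-user:", usersWithRole(lab.realm, "finance-user"));
```

    The point the replay makes is that alice never receives finance-user directly: the role reaches her only through the managers group mapping, so removing her from the group (or the mapping from the group) is enough to revoke access to /finance/showinvoices, which is the reason the lab manages that role through a group rather than per user.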

  13. Close all terminals and all browser windows, and change to the /home/student directory.

    [student@workstation finance-webapp]$ cd ~
    [student@workstation ~]$

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade auth-review

Finish

As the student user on the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish auth-review

This concludes the section.

Revision: do313-7.6-bc10333