2014-02-14 13:42:44 +00:00
Login, Distributed SSO, Distributed Logout, and OAuth Token Grant Examples
2013-11-15 19:15:33 +00:00
===================================
2014-02-14 13:42:44 +00:00
The following examples requires Wildfly 8.0.0, JBoss EAP 6.x, or JBoss AS 7.1.1. Here's the highlights of the examples
2013-11-15 19:15:33 +00:00
* Delegating authentication of a web app to the remote authentication server via OAuth 2 protocols
* Distributed Single-Sign-On and Single-Logout
* Transferring identity and role mappings via a special bearer token (Skeleton Key Token).
* Bearer token authentication and authorization of JAX-RS services
* Obtaining bearer tokens via the OAuth2 protocol
2014-05-23 22:20:55 +00:00
* Interact with the Keycloak Admin REST Api
2013-11-15 19:15:33 +00:00
2014-01-13 13:56:05 +00:00
There are multiple WAR projects. These will all run on the same WildFly instance, but pretend each one is running on a different
2013-11-15 19:15:33 +00:00
machine on the network or Internet.
2014-01-13 13:56:05 +00:00
* **customer-app** A WAR application that does remote login using OAuth2 browser redirects with the auth server
2014-02-25 00:58:54 +00:00
* **customer-app-js** A pure HTML/Javascript application that does remote login using OAuth2 browser redirects with the auth server
2014-03-12 16:56:57 +00:00
* **customer-app-cli** A pure CLI application that does remote login using OAuth2 browser redirects with the auth server
2014-01-13 13:56:05 +00:00
* **product-app** A WAR application that does remote login using OAuth2 browser redirects with the auth server
2014-05-23 22:20:55 +00:00
* **admin-access-app** A WAR application that does remote REST login to admin console to obtain a list of realm roles from Admin REST API
2014-08-20 15:08:40 +00:00
* **angular-product-app** An Angular JS pure HTML5/Javascript application.
2014-01-13 13:56:05 +00:00
* **database-service** JAX-RS services authenticated by bearer tokens only. The customer and product app invoke on it to get data
2013-11-15 19:15:33 +00:00
* **third-party** Simple WAR that obtain a bearer token using OAuth2 using browser redirects to the auth-server.
2014-02-14 13:42:44 +00:00
* **third-party-cdi** Simple CDI/JSF WAR that obtain a bearer token using OAuth2 using browser redirects to the auth-server.
2013-11-15 19:15:33 +00:00
The UI of each of these applications is very crude and exists just to show our OAuth2 implementation in action.
2014-01-07 19:37:50 +00:00
_This demo is meant to run on the same server instance as the Keycloak Server!_
2013-11-15 19:15:33 +00:00
2014-01-07 19:37:50 +00:00
Step 1: Make sure you've set up the Keycloak Server
2013-11-15 19:15:33 +00:00
--------------------------------------
2014-02-14 13:42:44 +00:00
The Keycloak Appliance Distribution comes with a preconfigured Keycloak server (based on Wildfly). You can use it out of
the box to run these demos. So, if you're using this, you can head to Step 2.
2014-01-07 19:37:50 +00:00
2014-02-14 13:42:44 +00:00
Alternatively, you can install the Keycloak Server onto any JBoss AS 7.1.1, EAP 6.x, or Wildfly 8.x server, but there is
a few steps you must follow.
2014-01-07 19:37:50 +00:00
2014-02-14 13:42:44 +00:00
Obtain latest keycloak-war-dist-all.zip. This distro is used to install Keycloak onto an existing JBoss installation.
This installs the server.
2014-01-07 19:37:50 +00:00
2014-02-14 13:42:44 +00:00
$ cd ${wildfly.jboss.home}/standalone
2014-01-13 13:56:05 +00:00
$ cp -r ${keycloak-war-dist-all}/deployments .
2014-01-07 19:37:50 +00:00
2014-02-14 13:42:44 +00:00
To be able to run the demos you also need to install the Keycloak client adapter. For Wildfly:
$ cd ${wildfly.home}
$ unzip ${keycloak-war-dist-all}/adapters/keycloak-wildfly-adapter-dist.zip
For JBoss EAP 6.x
$ cd ${eap.home}
$ unzip ${keycloak-war-dist-all}/adapters/keycloak-eap6-adapter-dist.zip
For JBoss AS 7.1.1:
$ cd ${as7.home}
$ unzip ${keycloak-war-dist-all}/adapters/keycloak-as7-adapter-dist.zip
Unzipping the adapter ZIP only installs the JAR files. You must also add the Keycloak Subsystem to the server's
configuration (standalone/configuration/standalone.xml).
For Wildfly:
< server xmlns = "urn:jboss:domain:1.4" >
< extensions >
< extension module = "org.keycloak.keycloak-wildfly-subsystem" / >
...
< / extensions >
< profile >
< subsystem xmlns = "urn:jboss:domain:keycloak:1.0" / >
...
< / profile >
For JBoss 7.1.1 and EAP 6.x:
< server xmlns = "urn:jboss:domain:1.4" >
< extensions >
< extension module = "org.keycloak.keycloak-as7-subsystem" / >
...
< / extensions >
< profile >
< subsystem xmlns = "urn:jboss:domain:keycloak:1.0" / >
...
< / profile >
2014-01-13 13:56:05 +00:00
2014-01-07 19:37:50 +00:00
Step 2: Boot Keycloak Server
---------------------------------------
Where you go to start up the Keycloak Server depends on which distro you installed.
2013-11-15 19:15:33 +00:00
2014-01-07 20:01:17 +00:00
From appliance:
2014-03-21 16:34:24 +00:00
```
2014-01-07 20:01:17 +00:00
$ cd keycloak/bin
$ ./standalone.sh
2014-03-21 16:34:24 +00:00
```
2014-01-07 20:01:17 +00:00
2014-02-14 13:42:44 +00:00
From existing Wildfly/EAP6/AS7 distro
2014-03-21 16:34:24 +00:00
```
2014-02-14 13:42:44 +00:00
$ cd ${wildfly.jboss.home}/bin
2014-01-07 19:37:50 +00:00
$ ./standalone.sh
2014-03-21 16:34:24 +00:00
```
2013-11-15 19:15:33 +00:00
2014-01-07 19:37:50 +00:00
Step 3: Import the Test Realm
2013-11-15 19:15:33 +00:00
---------------------------------------
2014-01-07 19:37:50 +00:00
Next thing you have to do is import the test realm for the demo. Clicking on the below link will bring you to the
2014-01-13 13:56:05 +00:00
create realm page in the Admin UI. The username/password is admin/admin to login in. Keycloak will ask you to
create a new admin password before you can go to the create realm page.
2014-01-07 19:37:50 +00:00
2014-01-13 22:07:36 +00:00
[http://localhost:8080/auth/admin/index.html#/create/realm ](http://localhost:8080/auth/admin/index.html#/create/realm )
2014-01-07 19:37:50 +00:00
2014-02-14 13:42:44 +00:00
Import the testrealm.json file that is in the preconfigured-demo/ example directory.
2013-11-15 19:15:33 +00:00
2014-01-07 19:37:50 +00:00
Step 4: Build and deploy
2013-11-15 19:15:33 +00:00
---------------------------------------
next you must build and deploy
2014-03-21 16:34:24 +00:00
```
cd preconfigured-demo
mvn clean install
```
2013-11-15 19:15:33 +00:00
2014-05-29 13:03:50 +00:00
On EAP6/AS7 run:
2014-02-14 13:42:44 +00:00
2014-05-29 13:03:50 +00:00
```
mvn jboss-as:deploy
```
2014-02-14 13:42:44 +00:00
2014-05-29 13:03:50 +00:00
Or for WildFly run:
2014-02-14 13:42:44 +00:00
2014-05-29 13:03:50 +00:00
```
mvn wildfly:deploy
```
2014-02-14 13:42:44 +00:00
2014-01-07 19:37:50 +00:00
Step 5: Login and Observe Apps
2013-11-15 19:15:33 +00:00
---------------------------------------
2014-01-13 13:56:05 +00:00
Try going to the customer app and view customer data:
2013-11-15 19:15:33 +00:00
[http://localhost:8080/customer-portal/customers/view.jsp ](http://localhost:8080/customer-portal/customers/view.jsp )
This should take you to the auth-server login screen. Enter username: bburke@redhat.com and password: password.
2014-01-13 13:56:05 +00:00
If you click on the products link, you'll be taken to the products app and show a product listing. The redirects
2013-11-15 19:15:33 +00:00
are still happening, but the auth-server knows you are already logged in so the login is bypassed.
If you click on the logout link of either of the product or customer app, you'll be logged out of all the applications.
2014-03-12 16:56:57 +00:00
If you click on [http://localhost:8080/customer-portal-js ](http://localhost:8080/customer-portal-js ) you can invoke
2014-02-25 00:58:54 +00:00
on the pure HTML/Javascript application.
2014-01-07 19:37:50 +00:00
Step 6: Traditional OAuth2 Example
2013-11-15 19:15:33 +00:00
----------------------------------
The customer and product apps are logins. The third-party app is the traditional OAuth2 usecase of a client wanting
2014-01-13 13:56:05 +00:00
to get permission to access a user's data. To run this example open
2013-11-15 19:15:33 +00:00
[http://localhost:8080/oauth-client ](http://localhost:8080/oauth-client )
2014-03-21 16:34:24 +00:00
If you are already logged in, you will not be asked for a username and password, but you will be redirected to
2013-11-15 19:15:33 +00:00
an oauth grant page. This page asks you if you want to grant certain permissions to the third-part app.
2014-03-12 16:56:57 +00:00
Step 7: Try the CLI Example
---------------------------
To try the CLI example run the following commands:
$ cd customer-app-cli
$ mvn exec:java
This will open a shell that lets you specify a few different commands. For example type 'login' and press enter to login. Pressing enter with a blank line will display the available commands.
The CLI example has two alternative methods for login. When a browser is available the CLI opens the login form in a browser, and will automatically retrieve the return code by starting a
temporary web server on a free port. If a browser is not available the URL to login is displayed on the CLI. The user can copy this URL to another computer that has a browser available. The code
is displayed to the user after login and the user has to copy this code back to the application.
2014-05-23 22:20:55 +00:00
Step 8: Admin REST API
----------------------------------
Keycloak has a Admin REST API. This example shows an application making a remove direct login to Keycloak to obtain a token
then using that token to access the Admin REST API.
[http://localhost:8080/admin-access ](http://localhost:8080/admin-access )
If you are already logged in, you will not be asked for a username and password, but you will be redirected to
an oauth grant page. This page asks you if you want to grant certain permissions to the third-part app.
2014-08-20 15:08:40 +00:00
Step 9: Angular JS Example
----------------------------------
An Angular JS example using Keycloak to secure it.
[http://localhost:8080/angular-product ](http://localhost:8080/angular-product )
If you are already logged in, you will not be asked for a username and password, but you will be redirected to
an oauth grant page. This page asks you if you want to grant certain permissions to the third-part app.
Step 9: Pure HTML5/Javascript Example
----------------------------------
An pure HTML5/Javascript example using Keycloak to secure it.
[http://localhost:8080/customer-portal-js ](http://localhost:8080/customer-portal-js )
If you are already logged in, you will not be asked for a username and password, but you will be redirected to
an oauth grant page. This page asks you if you want to grant certain permissions to the third-part app.
2013-11-15 19:15:33 +00:00
Admin Console
==========================
2014-01-13 22:07:36 +00:00
[http://localhost:8080/auth/admin/index.html ](http://localhost:8080/auth/admin/index.html )
2013-11-15 19:15:33 +00:00