Fixes
This commit is contained in:
stianst
Stian Thorgersen
parent
a22681113a
commit
31e22a300d
7 changed files with 22 additions and 14 deletions
|
|
@ -28,19 +28,21 @@ include::topics/oidc/java/fuse7/cxf-builtin.adoc[]
|
|||
include::topics/oidc/java/fuse7/fuse-admin.adoc[]
|
||||
include::topics/oidc/java/fuse7/hawtio.adoc[]
|
||||
include::topics/oidc/java/spring-boot-adapter.adoc[]
|
||||
|
||||
ifeval::[{project_community}==true]
|
||||
include::topics/oidc/java/tomcat-adapter.adoc[]
|
||||
include::topics/oidc/java/jetty9-adapter.adoc[]
|
||||
include::topics/oidc/java/jetty8-adapter.adoc[]
|
||||
include::topics/oidc/java/spring-security-adapter.adoc[]
|
||||
endif::[]
|
||||
|
||||
include::topics/oidc/java/servlet-filter-adapter.adoc[]
|
||||
|
||||
ifeval::[{project_community}==true]
|
||||
include::topics/oidc/java/jaas.adoc[]
|
||||
endif::[]
|
||||
ifeval::[{project_community}==true]
|
||||
include::topics/oidc/java/installed-adapter.adoc[]
|
||||
endif::[]
|
||||
|
||||
include::topics/oidc/java/adapter-context.adoc[]
|
||||
include::topics/oidc/java/adapter_error_handling.adoc[]
|
||||
include::topics/oidc/java/logout.adoc[]
|
||||
|
|
@ -53,11 +55,13 @@ include::topics/oidc/javascript-adapter.adoc[]
|
|||
|
||||
include::topics/oidc/nodejs-adapter.adoc[]
|
||||
|
||||
include::topics/oidc/keycloak-gatekeeper.adoc[]
|
||||
ifeval::[{project_community}==true]
|
||||
include::topics/oidc/keycloak-gatekeeper.adoc[]
|
||||
include::topics/oidc/mod-auth-openidc.adoc[]
|
||||
endif::[]
|
||||
|
||||
include::topics/oidc/oidc-generic.adoc[]
|
||||
|
||||
include::topics/saml/saml-overview.adoc[]
|
||||
include::topics/saml/java/java-adapters.adoc[]
|
||||
include::topics/saml/java/general-config.adoc[]
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@ For further information, see the included help file which includes a full list o
|
|||
- Run `make test` to run the included tests.
|
||||
- Run `make` to build the project. You can instead use `make static` if you prefer to build a binary that includes within it all of the required dependencies.
|
||||
|
||||
NOTE: You can also build via docker container: `make docker-build`. A Docker image is available at link:https://hub.docker.com/r/keycloak/keycloak-gatekeeper[https://hub.docker.com/r/keycloak/keycloak-gatekeeper].
|
||||
NOTE: You can also build via docker container: `make docker-build`. A Docker image is available at link:https://hub.docker.com/r/keycloak/keycloak-gatekeeper/[https://hub.docker.com/r/keycloak/keycloak-gatekeeper/].
|
||||
|
||||
==== Configuration options
|
||||
|
||||
|
|
@ -125,7 +125,7 @@ resources:
|
|||
|
||||
Anything defined in a configuration file can also be configured using command line options, such as in this example.
|
||||
|
||||
[source,bash]
|
||||
[source,bash,subs="attributes+"]
|
||||
----
|
||||
bin/{generic_adapter_name} \
|
||||
--discovery-url=https://keycloak.example.com/auth/realms/<REALM_NAME> \
|
||||
|
|
@ -171,7 +171,7 @@ Example setup:
|
|||
|
||||
You have collection of micro-services which are permitted to speak to one another; you have already set up the credentials, roles, and clients in Keycloak, providing granular role controls over issue tokens.
|
||||
|
||||
[source,yaml]
|
||||
[source,yaml,subs="attributes+"]
|
||||
----
|
||||
- name: {generic_adapter_name}
|
||||
image: quay.io/gambol99/keycloak-generic-adapter:latest
|
||||
|
|
@ -202,7 +202,7 @@ On the receiver side you could set up the {generic_adapter_name_full} (--no=redi
|
|||
|
||||
Handling HTTPS requires a man-in-the-middle sort of TLS connection. By default, if no `--tls-ca-certificate` and `--tls-ca-key` are provided the proxy will use the default certificate. If you wish to verify the trust, you'll need to generate a CA, for example.
|
||||
|
||||
[source,bash]
|
||||
[source,bash,subs="attributes+"]
|
||||
----
|
||||
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ca.key -out ca.pem
|
||||
$ bin/{generic_adapter_name} \
|
||||
|
|
@ -434,7 +434,7 @@ To enable a local redis store use `redis://[USER:PASSWORD@]HOST:PORT`. In both c
|
|||
|
||||
==== Logout endpoint
|
||||
|
||||
A */oauth/logout?redirect=url* is provided as a helper to log users out. In addition to dropping any session cookies, we also attempt to revoke access via revocation url (config *revocation-url* or *--revocation-url*) with the provider. For Keycloak, the url for this would be https://keycloak.example.com/auth/realms/REALM_NAME/protocol/openid-connect/logout, for Google https://accounts.google.com/o/oauth2/revoke. If the url is not specified we will attempt to grab the url from the OpenID discovery response.
|
||||
A */oauth/logout?redirect=url* is provided as a helper to log users out. In addition to dropping any session cookies, we also attempt to revoke access via revocation url (config *revocation-url* or *--revocation-url*) with the provider. For Keycloak, the url for this would be https://keycloak.example.com/auth/realms/REALM_NAME/protocol/openid-connect/logout. If the url is not specified we will attempt to grab the url from the OpenID discovery response.
|
||||
|
||||
==== Cross-origin resource sharing (CORS)
|
||||
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ to impersonate a user. Here's a short summary of the current capabilities of {p
|
|||
* A client can exchange an external token for a {project_name} token.
|
||||
* A client can impersonate a user
|
||||
|
||||
Token exchange in {project_name} is a very loose implementation of the link:https://www.ietf.org/id/draft-ietf-oauth-token-exchange-15.txt[OAuth Token Exchange] specification at the IETF.
|
||||
Token exchange in {project_name} is a very loose implementation of the link:https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16[OAuth Token Exchange] specification at the IETF.
|
||||
We have extended it a little, ignored some of it, and loosely interpreted other parts of the specification. It is
|
||||
a simple grant type invocation on a realm's OpenID Connect token endpoint.
|
||||
|
||||
|
|
@ -72,7 +72,7 @@ NOTE: We currently only support OpenID Connect and OAuth exchanges. Support f
|
|||
|
||||
A successful response from an exchange invocation will return the HTTP 200 response code with a content type that
|
||||
depends on the `requested-token-type` and `requested_issuer` the client asks for. OAuth requested token types will return
|
||||
a JSON document as described in the link:https://www.ietf.org/id/draft-ietf-oauth-token-exchange-15.txt[OAuth Token Exchange] specification.
|
||||
a JSON document as described in the link:https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16[OAuth Token Exchange] specification.
|
||||
|
||||
[source,json]
|
||||
----
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@
|
|||
|
||||
{project_name} also comes with a built-in https://fedoraproject.org/wiki/Features/SSSD[SSSD] (System Security Services Daemon) plugin. SSSD is part of the latest Fedora or Red Hat Enterprise Linux and provides access to multiple identity and authentication providers. It provides benefits such as failover and offline support. To see configuration options and for more information see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/sssd[the Red Hat Enterprise Linux Identity Management documentation].
|
||||
|
||||
SSSD also integrates with the FreeIPA identity management (IdM) server, providing authentication and access control. For {project_name}, we benefit from this integration authenticating against http://tldp.org/HOWTO/User-Authentication-HOWTO/x115.html[PAM] services and retrieving user data from SSSD. For more information about using Red Hat Identity Management in Linux environments, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/index[the Red Hat Enterprise Linux Identity Management documentation].
|
||||
SSSD also integrates with the FreeIPA identity management (IdM) server, providing authentication and access control. For {project_name}, we benefit from this integration authenticating against PAM services and retrieving user data from SSSD. For more information about using Red Hat Identity Management in Linux environments, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/index[the Red Hat Enterprise Linux Identity Management documentation].
|
||||
|
||||
image:{project_images}/keycloak-sssd-freeipa-integration-overview.png[]
|
||||
|
||||
|
|
@ -48,7 +48,7 @@ You should be prompted for the password. After that, you can add users to the IP
|
|||
|
||||
==== SSSD and D-Bus
|
||||
|
||||
As mentioned previously, the federation provider obtains the data from SSSD using D-BUS and authentication occurs using http://tldp.org/HOWTO/User-Authentication-HOWTO/x115.html[PAM].
|
||||
As mentioned previously, the federation provider obtains the data from SSSD using D-BUS and authentication occurs using PAM.
|
||||
|
||||
First, you have to install the sssd-dbus RPM, which allows information from SSSD to be transmitted over the system bus.
|
||||
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@ http://localhost*
|
|||
http://localhost:8080*
|
||||
http://localhost:8180*
|
||||
http://localhost:8181*
|
||||
http://127.0.0.1:3000*
|
||||
https://myhost.com/myapp/k_jwks
|
||||
https://myhost.com/myapp
|
||||
http://host:port*
|
||||
|
|
@ -15,6 +16,8 @@ http://node12:8080*
|
|||
http://node21:8080*
|
||||
http://node22:8080*
|
||||
http://web.example.com*
|
||||
https://keycloak.example.com*
|
||||
https://github.com/keycloak/keycloak-documentation/blob/master/*
|
||||
https://openshift.example.com:8443/console
|
||||
https://github.com/keycloak/keycloak-quickstarts.git
|
||||
https://github.com/go-chi/chi#router-design
|
||||
|
|
@ -67,8 +67,9 @@
|
|||
|
||||
:appserver_name: WildFly
|
||||
:appserver_dirref: WILDFLY_HOME
|
||||
:appserver_doc_base_url: http://docs.wildfly.org/13
|
||||
:appserver_version: 13
|
||||
|
||||
:appserver_doc_base_url: http://docs.wildfly.org/13
|
||||
:appserver_socket_link: {appserver_doc_base_url}/Admin_Guide.html#Interfaces_and_ports
|
||||
:appserver_socket_name: {appserver_name} {appserver_version} Documentation
|
||||
:appserver_jgroups_link: {appserver_doc_base_url}/High_Availability_Guide.html#JGroups_Subsystem
|
||||
|
|
|
|||
|
|
@ -33,6 +33,7 @@ endif::[]
|
|||
:authorizationguide_link: {project_doc_base_url}/authorization_services_guide/
|
||||
:adapterguide_name: Securing Applications and Services Guide
|
||||
:adapterguide_link: {project_doc_base_url}/securing_applications_and_services_guide/
|
||||
:adapterguide_logout_link: {adapterguide_link}#_java_adapter_logout
|
||||
:adminguide_name: Server Administration Guide
|
||||
:adminguide_link: {project_doc_base_url}/server_administration_guide/
|
||||
:adminguide_bruteforce_name: Password guess: brute force attacks
|
||||
|
|
@ -103,7 +104,6 @@ endif::[]
|
|||
:appserver_managementcli_link: https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html-single/configuration_guide/#management_cli_overview
|
||||
:appserver_managementconsole_link: https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html-single/configuration_guide/#management_console_overview
|
||||
|
||||
|
||||
:jdgserver_name: JDG
|
||||
:jdgserver_version: 7.2.3
|
||||
:jdgserver_crossdcdocs_link: https://access.redhat.com/documentation/en-us/red_hat_jboss_data_grid/7.2/html/administration_and_configuration_guide/set_up_cross_datacenter_replication
|
||||
|
|
|
|||
Loading…
Reference in a new issue