From 31e22a300dadcb8f6d86cafafcafed1ec11bc654 Mon Sep 17 00:00:00 2001
From: stianst
Date: Wed, 14 Nov 2018 08:59:08 +0100
Subject: [PATCH] Fixes
---
 securing_apps/topics.adoc | 10 +++++++---
 securing_apps/topics/oidc/keycloak-gatekeeper.adoc | 10 +++++-----
 .../topics/token-exchange/token-exchange.adoc | 4 ++--
 server_admin/topics/user-federation/sssd.adoc | 4 ++--
 tests/src/test/resources/ignored-links | 3 +++
 topics/templates/document-attributes-community.adoc | 3 ++-
 topics/templates/document-attributes-product.adoc | 2 +-
 7 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/securing_apps/topics.adoc b/securing_apps/topics.adoc
index 05f6336a75..8d6f56b7a0 100644
--- a/securing_apps/topics.adoc
+++ b/securing_apps/topics.adoc
@@ -28,19 +28,21 @@ include::topics/oidc/java/fuse7/cxf-builtin.adoc[]
 include::topics/oidc/java/fuse7/fuse-admin.adoc[]
 include::topics/oidc/java/fuse7/hawtio.adoc[]
 include::topics/oidc/java/spring-boot-adapter.adoc[]
+
 ifeval::[{project_community}==true]
 include::topics/oidc/java/tomcat-adapter.adoc[]
 include::topics/oidc/java/jetty9-adapter.adoc[]
 include::topics/oidc/java/jetty8-adapter.adoc[]
 include::topics/oidc/java/spring-security-adapter.adoc[]
 endif::[]
+
 include::topics/oidc/java/servlet-filter-adapter.adoc[]
+
 ifeval::[{project_community}==true]
 include::topics/oidc/java/jaas.adoc[]
-endif::[]
-ifeval::[{project_community}==true]
 include::topics/oidc/java/installed-adapter.adoc[]
 endif::[]
+
 include::topics/oidc/java/adapter-context.adoc[]
 include::topics/oidc/java/adapter_error_handling.adoc[]
 include::topics/oidc/java/logout.adoc[]
@@ -53,11 +55,13 @@ include::topics/oidc/javascript-adapter.adoc[]
 include::topics/oidc/nodejs-adapter.adoc[]
-include::topics/oidc/keycloak-gatekeeper.adoc[]
 ifeval::[{project_community}==true]
+include::topics/oidc/keycloak-gatekeeper.adoc[]
 include::topics/oidc/mod-auth-openidc.adoc[]
 endif::[]
+include::topics/oidc/oidc-generic.adoc[]
+
 include::topics/saml/saml-overview.adoc[]
 include::topics/saml/java/java-adapters.adoc[]
 include::topics/saml/java/general-config.adoc[]
diff --git a/securing_apps/topics/oidc/keycloak-gatekeeper.adoc b/securing_apps/topics/oidc/keycloak-gatekeeper.adoc
index 0fed584948..5fe3bc8909 100644
--- a/securing_apps/topics/oidc/keycloak-gatekeeper.adoc
+++ b/securing_apps/topics/oidc/keycloak-gatekeeper.adoc
@@ -23,7 +23,7 @@ For further information, see the included help file which includes a full list o
 - Run `make test` to run the included tests.
 - Run `make` to build the project. You can instead use `make static` if you prefer to build a binary that includes within it all of the required dependencies.
-NOTE: You can also build via docker container: `make docker-build`. A Docker image is available at link:https://hub.docker.com/r/keycloak/keycloak-gatekeeper[https://hub.docker.com/r/keycloak/keycloak-gatekeeper].
+NOTE: You can also build via docker container: `make docker-build`. A Docker image is available at link:https://hub.docker.com/r/keycloak/keycloak-gatekeeper/[https://hub.docker.com/r/keycloak/keycloak-gatekeeper/].
 ==== Configuration options
@@ -125,7 +125,7 @@ resources:
 Anything defined in a configuration file can also be configured using command line options, such as in this example.
-[source,bash]
+[source,bash,subs="attributes+"]
 ----
 bin/{generic_adapter_name} \
 --discovery-url=https://keycloak.example.com/auth/realms/ \
@@ -171,7 +171,7 @@ Example setup:
 You have collection of micro-services which are permitted to speak to one another; you have already set up the credentials, roles, and clients in Keycloak, providing granular role controls over issue tokens.
-[source,yaml]
+[source,yaml,subs="attributes+"]
 ----
 - name: {generic_adapter_name}
   image: quay.io/gambol99/keycloak-generic-adapter:latest
@@ -202,7 +202,7 @@ On the receiver side you could set up the {generic_adapter_name_full} (--no=redi
 Handling HTTPS requires a man-in-the-middle sort of TLS connection. By default, if no `--tls-ca-certificate` and `--tls-ca-key` are provided the proxy will use the default certificate. If you wish to verify the trust, you'll need to generate a CA, for example.
-[source,bash]
+[source,bash,subs="attributes+"]
 ----
 $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ca.key -out ca.pem
 $ bin/{generic_adapter_name} \
@@ -434,7 +434,7 @@ To enable a local redis store use `redis://[USER:PASSWORD@]HOST:PORT`. In both c
 ==== Logout endpoint
-A */oauth/logout?redirect=url* is provided as a helper to log users out. In addition to dropping any session cookies, we also attempt to revoke access via revocation url (config *revocation-url* or *--revocation-url*) with the provider. For Keycloak, the url for this would be https://keycloak.example.com/auth/realms/REALM_NAME/protocol/openid-connect/logout, for Google https://accounts.google.com/o/oauth2/revoke. If the url is not specified we will attempt to grab the url from the OpenID discovery response.
+A */oauth/logout?redirect=url* is provided as a helper to log users out. In addition to dropping any session cookies, we also attempt to revoke access via revocation url (config *revocation-url* or *--revocation-url*) with the provider. For Keycloak, the url for this would be https://keycloak.example.com/auth/realms/REALM_NAME/protocol/openid-connect/logout. If the url is not specified we will attempt to grab the url from the OpenID discovery response.
 ==== Cross-origin resource sharing (CORS)
diff --git a/securing_apps/topics/token-exchange/token-exchange.adoc b/securing_apps/topics/token-exchange/token-exchange.adoc
index fd3d285715..d3aebadf6d 100644
--- a/securing_apps/topics/token-exchange/token-exchange.adoc
+++ b/securing_apps/topics/token-exchange/token-exchange.adoc
@@ -17,7 +17,7 @@ to impersonate a user. Here's a short summary of the current capabilities of {p
 * A client can exchange an external token for a {project_name} token.
 * A client can impersonate a user
-Token exchange in {project_name} is a very loose implementation of the link:https://www.ietf.org/id/draft-ietf-oauth-token-exchange-15.txt[OAuth Token Exchange] specification at the IETF.
+Token exchange in {project_name} is a very loose implementation of the link:https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16[OAuth Token Exchange] specification at the IETF.
 We have extended it a little, ignored some of it, and loosely interpreted other parts of the specification.
 It is a simple grant type invocation on a realm's OpenID Connect token endpoint.
@@ -72,7 +72,7 @@ NOTE: We currently only support OpenID Connect and OAuth exchanges.  Support f
 A successful response from an exchange invocation will return the HTTP 200 response code with a content type that depends on the `requested-token-type` and `requested_issuer` the client asks for. OAuth requested token types will return
-a JSON document as described in the link:https://www.ietf.org/id/draft-ietf-oauth-token-exchange-15.txt[OAuth Token Exchange] specification.
+a JSON document as described in the link:https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16[OAuth Token Exchange] specification.
 [source,json]
 ----
diff --git a/server_admin/topics/user-federation/sssd.adoc b/server_admin/topics/user-federation/sssd.adoc
index ede62a3809..2c4530c329 100644
--- a/server_admin/topics/user-federation/sssd.adoc
+++ b/server_admin/topics/user-federation/sssd.adoc
@@ -4,7 +4,7 @@
 {project_name} also comes with a built-in https://fedoraproject.org/wiki/Features/SSSD[SSSD] (System Security Services Daemon) plugin. SSSD is part of the latest Fedora or Red Hat Enterprise Linux and provides access to multiple identity and authentication providers. It provides benefits such as failover and offline support. To see configuration options and for more information see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/sssd[the Red Hat Enterprise Linux Identity Management documentation].
-SSSD also integrates with the FreeIPA identity management (IdM) server, providing authentication and access control. For {project_name}, we benefit from this integration authenticating against http://tldp.org/HOWTO/User-Authentication-HOWTO/x115.html[PAM] services and retrieving user data from SSSD. For more information about using Red Hat Identity Management in Linux environments, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/index[the Red Hat Enterprise Linux Identity Management documentation].
+SSSD also integrates with the FreeIPA identity management (IdM) server, providing authentication and access control. For {project_name}, we benefit from this integration authenticating against PAM services and retrieving user data from SSSD. For more information about using Red Hat Identity Management in Linux environments, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/index[the Red Hat Enterprise Linux Identity Management documentation].
 image:{project_images}/keycloak-sssd-freeipa-integration-overview.png[]
@@ -48,7 +48,7 @@ You should be prompted for the password. After that, you can add users to the IP
 ==== SSSD and D-Bus
-As mentioned previously, the federation provider obtains the data from SSSD using D-BUS and authentication occurs using http://tldp.org/HOWTO/User-Authentication-HOWTO/x115.html[PAM].
+As mentioned previously, the federation provider obtains the data from SSSD using D-BUS and authentication occurs using PAM.
 First, you have to install the sssd-dbus RPM, which allows information from SSSD to be transmitted over the system bus.
diff --git a/tests/src/test/resources/ignored-links b/tests/src/test/resources/ignored-links
index ba18097d4e..7e30ca56c7 100644
--- a/tests/src/test/resources/ignored-links
+++ b/tests/src/test/resources/ignored-links
@@ -2,6 +2,7 @@ http://localhost*
 http://localhost:8080*
 http://localhost:8180*
 http://localhost:8181*
+http://127.0.0.1:3000*
 https://myhost.com/myapp/k_jwks
 https://myhost.com/myapp
 http://host:port*
@@ -15,6 +16,8 @@ http://node12:8080*
 http://node21:8080*
 http://node22:8080*
 http://web.example.com*
+https://keycloak.example.com*
 https://github.com/keycloak/keycloak-documentation/blob/master/*
 https://openshift.example.com:8443/console
 https://github.com/keycloak/keycloak-quickstarts.git
+https://github.com/go-chi/chi#router-design
\ No newline at end of file
diff --git a/topics/templates/document-attributes-community.adoc b/topics/templates/document-attributes-community.adoc
index a98a945e5e..b686b12bce 100644
--- a/topics/templates/document-attributes-community.adoc
+++ b/topics/templates/document-attributes-community.adoc
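Review bot: The new last entry `https://github.com/go-chi/chi#router-design` in tests/src/test/resources/ignored-links is written without a terminating newline (the `\ No newline at end of file` marker appears only on the new side), which the previous end of the file did not have; a trailing newline keeps the next append from producing a two-line diff on this entry. The added `https://keycloak.example.com*` and `http://127.0.0.1:3000*` entries fit the existing convention of suppressing link checks for example and loopback hosts, but if the list is a plain prefix match, the first pattern would also silence any future link whose host merely starts with `keycloak.example.com`, so a slightly narrower form such as `https://keycloak.example.com/*` may be worth considering if the checker's pattern syntax supports it.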
@@ -67,8 +67,9 @@
 :appserver_name: WildFly
 :appserver_dirref: WILDFLY_HOME
-:appserver_doc_base_url: http://docs.wildfly.org/13
 :appserver_version: 13
+
+:appserver_doc_base_url: http://docs.wildfly.org/13
 :appserver_socket_link: {appserver_doc_base_url}/Admin_Guide.html#Interfaces_and_ports
 :appserver_socket_name: {appserver_name} {appserver_version} Documentation
 :appserver_jgroups_link: {appserver_doc_base_url}/High_Availability_Guide.html#JGroups_Subsystem
diff --git a/topics/templates/document-attributes-product.adoc b/topics/templates/document-attributes-product.adoc
index 13b19cbfa3..696acdf40c 100644
--- a/topics/templates/document-attributes-product.adoc
+++ b/topics/templates/document-attributes-product.adoc
@@ -33,6 +33,7 @@ endif::[]
 :authorizationguide_link: {project_doc_base_url}/authorization_services_guide/
 :adapterguide_name: Securing Applications and Services Guide
 :adapterguide_link: {project_doc_base_url}/securing_applications_and_services_guide/
+:adapterguide_logout_link: {adapterguide_link}#_java_adapter_logout
 :adminguide_name: Server Administration Guide
 :adminguide_link: {project_doc_base_url}/server_administration_guide/
 :adminguide_bruteforce_name: Password guess: brute force attacks
@@ -103,7 +104,6 @@ endif::[]
 :appserver_managementcli_link: https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html-single/configuration_guide/#management_cli_overview
 :appserver_managementconsole_link: https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html-single/configuration_guide/#management_console_overview
-
 :jdgserver_name: JDG
 :jdgserver_version: 7.2.3
 :jdgserver_crossdcdocs_link: https://access.redhat.com/documentation/en-us/red_hat_jboss_data_grid/7.2/html/administration_and_configuration_guide/set_up_cross_datacenter_replication