commit
4e6680a4e9
29 changed files with 317 additions and 119 deletions
3
.gitignore
vendored
3
.gitignore
vendored
|
@ -1,3 +1,6 @@
|
||||||
|
_book
|
||||||
|
node_modules
|
||||||
|
|
||||||
# Intellij
|
# Intellij
|
||||||
###################
|
###################
|
||||||
.idea
|
.idea
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
|
|
||||||
Securing Client Applications Guide
|
{{book.title}}
|
||||||
======================
|
===========================================
|
||||||
|
|
||||||
image:images/keycloak_logo.png[alt="Keycloak"]
|
image:images/keycloak_logo.png[alt="Keycloak"]
|
||||||
|
|
||||||
*Keycloak* _Documentation_ for {{book.versions.swarm}}
|
*Keycloak* _Documentation_ for {{book.project.version}}
|
||||||
|
|
||||||
http://www.keycloak.org
|
http://www.keycloak.org
|
||||||
|
|
||||||
|
|
66
SUMMARY.adoc
66
SUMMARY.adoc
|
@ -1,25 +1,49 @@
|
||||||
== Securing Client Applications Guide
|
= {{book.title}}
|
||||||
|
|
||||||
//. link:topics/templates/document-attributes.adoc[]
|
|
||||||
:imagesdir: images
|
|
||||||
|
|
||||||
. link:topics/preface.adoc[Preface]
|
. link:topics/preface.adoc[Preface]
|
||||||
. link:topics/Overview.adoc[Overview]
|
. link:topics/overview/overview.adoc[Overview]
|
||||||
. link:topics/oidc.adoc[OpenID Connect Client Adapters]
|
.. link:topics/overview/what-are-client-adapters.adoc[What are Client Adapters?]
|
||||||
.. link:topics/jboss-adapter.adoc[JBoss/Wildfly Adapter]
|
.. link:topics/overview/supported-protocols.adoc[Supported Protocols]
|
||||||
.. link:topics/tomcat-adapter.adoc[Tomcat 6, 7 and 8 Adapters]
|
|
||||||
.. link:topics/jetty9-adapter.adoc[Jetty 9.x Adapters]
|
. link:topics/oidc/oidc-overview.adoc[OpenID Connect]
|
||||||
.. link:topics/jetty8-adapter.adoc[Jetty 8.1.x Adapter]
|
|
||||||
.. link:topics/servlet-filter-adapter.adoc[Java Servlet Filter Adapter]
|
.. link:topics/oidc/java/java-adapters.adoc[Java Adapters]
|
||||||
.. link:topics/fuse-adapter.adoc[JBoss Fuse and Apache Karaf Adapter]
|
... link:topics/oidc/java/java-adapter-config.adoc[Java Adapters Config]
|
||||||
.. link:topics/javascript-adapter.adoc[Javascript Adapter]
|
... link:topics/oidc/java/jboss-adapter.adoc[JBoss EAP/Wildfly Adapter]
|
||||||
.. link:topics/spring-boot-adapter.adoc[Spring Boot Adapter]
|
... link:topics/oidc/java/fuse-adapter.adoc[JBoss Fuse and Apache Karaf Adapter]
|
||||||
.. link:topics/spring-security-adapter.adoc[Spring Security Adapter]
|
{% if book.community %}
|
||||||
.. link:topics/installed-applications.adoc[Installed Applications]
|
... link:topics/oidc/java/tomcat-adapter.adoc[Tomcat 6, 7 and 8 Adapters]
|
||||||
.. link:topics/logout.adoc[Logout]
|
... link:topics/oidc/java/jetty9-adapter.adoc[Jetty 9.x Adapters]
|
||||||
.. link:topics/adapter_error_handling.adoc[Error Handling]
|
... link:topics/oidc/java/jetty8-adapter.adoc[Jetty 8.1.x Adapter]
|
||||||
.. link:topics/multi-tenancy.adoc[ Multi Tenancy]
|
... link:topics/oidc/java/spring-boot-adapter.adoc[Spring Boot Adapter]
|
||||||
.. link:topics/jaas.adoc[JAAS plugin]
|
... link:topics/oidc/java/spring-security-adapter.adoc[Spring Security Adapter]
|
||||||
. link:topics/saml.adoc[SAML Client Adapters]
|
{% endif %}
|
||||||
|
... link:topics/oidc/java/servlet-filter-adapter.adoc[Java Servlet Filter Adapter]
|
||||||
|
... link:topics/oidc/java/jaas.adoc[JAAS plugin]
|
||||||
|
... link:topics/oidc/java/adapter-context.adoc[Keycloak Security Context]
|
||||||
|
... link:topics/oidc/java/adapter_error_handling.adoc[Error Handling]
|
||||||
|
... link:topics/oidc/java/logout.adoc[Logout]
|
||||||
|
... link:topics/oidc/java/multi-tenancy.adoc[Multi Tenancy]
|
||||||
|
|
||||||
|
.. link:topics/oidc/javascript-adapter.adoc[JavaScript Adapter]
|
||||||
|
|
||||||
|
.. link:topics/oidc/oidc-generic.adoc[Other OpenID Connect libraries]
|
||||||
|
|
||||||
|
. link:topics/saml/saml-overview.adoc[SAML]
|
||||||
|
|
||||||
|
|
||||||
|
// . link:topics/oidc.adoc[OpenID Connect Client Adapters]
|
||||||
|
|
||||||
|
//
|
||||||
|
//
|
||||||
|
//{% if book.community %}
|
||||||
|
//
|
||||||
|
//
|
||||||
|
//{% endif %}
|
||||||
|
// .. link:topics/installed-applications.adoc[Installed Applications]
|
||||||
|
//
|
||||||
|
//
|
||||||
|
//
|
||||||
|
// . link:topics/saml.adoc[SAML Client Adapters]
|
||||||
|
|
||||||
|
|
||||||
|
|
39
book.json
Executable file
39
book.json
Executable file
|
@ -0,0 +1,39 @@
|
||||||
|
{
|
||||||
|
"gitbook": "2.x.x",
|
||||||
|
"structure": {
|
||||||
|
"readme": "README.adoc"
|
||||||
|
},
|
||||||
|
"plugins": [
|
||||||
|
"toggle-chapters",
|
||||||
|
"ungrey",
|
||||||
|
"splitter"
|
||||||
|
],
|
||||||
|
"variables": {
|
||||||
|
"title": "Keycloak Securing Client Applications Guide",
|
||||||
|
"community": true,
|
||||||
|
"product": false,
|
||||||
|
"images": "keycloak-images",
|
||||||
|
"appserver": {
|
||||||
|
"name": "Wildfly",
|
||||||
|
"version": "10"
|
||||||
|
},
|
||||||
|
"adminguide": {
|
||||||
|
"name": "Keycloak Administration Guide",
|
||||||
|
"link": "https://keycloak.gitbooks.io/server-adminstration-guide/content/"
|
||||||
|
},
|
||||||
|
"web": {
|
||||||
|
"docs": {
|
||||||
|
"name": "keycloak.org/docs",
|
||||||
|
"link": "http://keycloak.org/docs"
|
||||||
|
},
|
||||||
|
"downloads": {
|
||||||
|
"name": "keycloak.org/downloads",
|
||||||
|
"link": "http://keycloak.org/downloads"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"project": {
|
||||||
|
"name": "Keycloak",
|
||||||
|
"version": "1.9.5.Final"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
9
build.sh
Executable file
9
build.sh
Executable file
|
@ -0,0 +1,9 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
cd $(readlink -f `dirname $0`)
|
||||||
|
|
||||||
|
python gitlab-conversion.py
|
||||||
|
cd target
|
||||||
|
asciidoctor master.adoc
|
||||||
|
|
||||||
|
xdg-open master.html
|
107
gitlab-conversion.py
Executable file
107
gitlab-conversion.py
Executable file
|
@ -0,0 +1,107 @@
|
||||||
|
import sys, os, re, json, shutil, errno
|
||||||
|
|
||||||
|
def transform(root, f, targetdir):
|
||||||
|
full = os.path.join(root, f)
|
||||||
|
input = open(full, 'r').read()
|
||||||
|
dir = os.path.join(targetdir, root)
|
||||||
|
if not os.path.exists(dir):
|
||||||
|
os.makedirs(dir)
|
||||||
|
output = open(os.path.join(dir, f), 'w')
|
||||||
|
input = applyTransformation(input)
|
||||||
|
output.write(input)
|
||||||
|
|
||||||
|
|
||||||
|
def applyTransformation(input):
|
||||||
|
for variable in re.findall(r"\{\{(.*?)\}\}", input):
|
||||||
|
tmp = variable.replace('.', '_')
|
||||||
|
input = input.replace(variable, tmp)
|
||||||
|
input = input.replace('{{', '{').replace('}}', '}')
|
||||||
|
input = re.sub(r"<<fake.+#", "<<", input)
|
||||||
|
for variable in re.findall(r"[ ]*{% if (.*?) %}", input):
|
||||||
|
tmp = variable.replace('.', '_')
|
||||||
|
input = input.replace(variable, tmp)
|
||||||
|
exp = re.compile("[ ]*{% if (.*?) %}(.*?)[ ]*{% endif %}", re.DOTALL)
|
||||||
|
input = re.sub(exp, "ifeval::[{\g<1>}==true]\g<2>endif::[]", input)
|
||||||
|
input = re.sub(r"image:(\.\./)*", "image:", input)
|
||||||
|
input = re.sub(r"image::(\.\./)*", "image::", input)
|
||||||
|
return input
|
||||||
|
|
||||||
|
|
||||||
|
indir = 'topics'
|
||||||
|
targetdir = 'target'
|
||||||
|
if len(sys.argv) > 1:
|
||||||
|
targetdir = sys.argv[1]
|
||||||
|
|
||||||
|
shutil.rmtree(os.path.join(targetdir, 'images'), ignore_errors=True)
|
||||||
|
shutil.rmtree(os.path.join(targetdir, 'keycloak-images'), ignore_errors=True)
|
||||||
|
shutil.rmtree(os.path.join(targetdir, 'rhsso-images'), ignore_errors=True)
|
||||||
|
shutil.copytree('images',os.path.join(targetdir, 'images'))
|
||||||
|
#shutil.copytree('keycloak-images',os.path.join(targetdir, 'keycloak-images'))
|
||||||
|
#shutil.copytree('rhsso-images',os.path.join(targetdir, 'rhsso-images'))
|
||||||
|
|
||||||
|
tmp = os.path.join(targetdir, 'topics')
|
||||||
|
if not os.path.exists(tmp):
|
||||||
|
os.makedirs(tmp)
|
||||||
|
|
||||||
|
# transform files
|
||||||
|
for root, dirs, filenames in os.walk(indir):
|
||||||
|
for f in filenames:
|
||||||
|
transform(root,f,targetdir)
|
||||||
|
|
||||||
|
# Create master.doc includes
|
||||||
|
input = open('SUMMARY.adoc', 'r').read()
|
||||||
|
output = open(os.path.join(targetdir, 'master.adoc'), 'w')
|
||||||
|
|
||||||
|
output.write("""
|
||||||
|
:toc:
|
||||||
|
:toclevels: 3
|
||||||
|
:numbered:
|
||||||
|
|
||||||
|
include::document-attributes.adoc[]
|
||||||
|
""")
|
||||||
|
|
||||||
|
input = re.sub(r"[ ]*\.+\s*link:(.*)\[(.*)\]", "include::\g<1>[]", input)
|
||||||
|
input = applyTransformation(input)
|
||||||
|
output.write(input)
|
||||||
|
|
||||||
|
# parse book.json file and create document attributes
|
||||||
|
with open('book.json') as data_file:
|
||||||
|
data = json.load(data_file)
|
||||||
|
|
||||||
|
variables = data['variables']
|
||||||
|
|
||||||
|
def makeAttributes(variables, variable, list):
|
||||||
|
for i in variables.keys():
|
||||||
|
if variable is None:
|
||||||
|
tmp = i
|
||||||
|
else:
|
||||||
|
tmp = variable + '_' + i
|
||||||
|
if isinstance(variables[i],dict):
|
||||||
|
makeAttributes(variables[i], tmp, list)
|
||||||
|
elif isinstance(variables[i],bool):
|
||||||
|
boolval = 'false'
|
||||||
|
if variables[i]:
|
||||||
|
boolval = 'true'
|
||||||
|
list.append({tmp: boolval})
|
||||||
|
else:
|
||||||
|
list.append({tmp: str(variables[i])})
|
||||||
|
|
||||||
|
|
||||||
|
attributeList = []
|
||||||
|
makeAttributes(variables, None, attributeList)
|
||||||
|
|
||||||
|
output = open(os.path.join(targetdir, 'document-attributes.adoc'), 'w')
|
||||||
|
for attribute in attributeList:
|
||||||
|
for k in attribute.keys():
|
||||||
|
output.write(':book_' + k + ": " + attribute[k] + "\n")
|
||||||
|
|
||||||
|
print "Transformation complete!"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,10 +1,4 @@
|
||||||
= KeycloakSecurityContext
|
=== Keycloak Security Context
|
||||||
:doctype: book
|
|
||||||
:sectnums:
|
|
||||||
:toc: left
|
|
||||||
:icons: font
|
|
||||||
:experimental:
|
|
||||||
:sourcedir: .
|
|
||||||
|
|
||||||
The `KeycloakSecurityContext` interface is available if you need to look at the access token directly.
|
The `KeycloakSecurityContext` interface is available if you need to look at the access token directly.
|
||||||
This context is also useful if you need to get the encoded access token so you can make additional REST invocations.
|
This context is also useful if you need to get the encoded access token so you can make additional REST invocations.
|
|
@ -1,6 +1,6 @@
|
||||||
|
|
||||||
[[_adapter_error_handling]]
|
[[_adapter_error_handling]]
|
||||||
= Error Handling
|
=== Error Handling
|
||||||
|
|
||||||
Keycloak has some error handling facilities for servlet based client adapters.
|
Keycloak has some error handling facilities for servlet based client adapters.
|
||||||
When an error is encountered in authentication, keycloak will call `HttpServletResponse.sendError()`.
|
When an error is encountered in authentication, keycloak will call `HttpServletResponse.sendError()`.
|
|
@ -1,6 +1,6 @@
|
||||||
|
|
||||||
[[_fuse_adapter]]
|
[[_fuse_adapter]]
|
||||||
= JBoss Fuse and Apache Karaf Adapter
|
=== JBoss Fuse and Apache Karaf Adapter
|
||||||
|
|
||||||
Currently Keycloak supports securing your web applications running inside http://www.jboss.org/products/fuse/overview/[JBoss Fuse] or http://karaf.apache.org/[Apache Karaf] . It leverages <<_jetty8_adapter,Jetty 8 adapter>> as both JBoss Fuse 6.1 and Apache Karaf 3 are bundled with http://eclipse.org/jetty/[Jetty 8.1 server] under the covers and Jetty is used for running various kinds of web applications.
|
Currently Keycloak supports securing your web applications running inside http://www.jboss.org/products/fuse/overview/[JBoss Fuse] or http://karaf.apache.org/[Apache Karaf] . It leverages <<_jetty8_adapter,Jetty 8 adapter>> as both JBoss Fuse 6.1 and Apache Karaf 3 are bundled with http://eclipse.org/jetty/[Jetty 8.1 server] under the covers and Jetty is used for running various kinds of web applications.
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
|
|
||||||
[[_jaas_adapter]]
|
[[_jaas_adapter]]
|
||||||
= JAAS plugin
|
=== JAAS plugin
|
||||||
|
|
||||||
It's generally not needed to use JAAS for most of the applications, especially if they are HTTP based, but directly choose one of our adapters.
|
It's generally not needed to use JAAS for most of the applications, especially if they are HTTP based, but directly choose one of our adapters.
|
||||||
However some applications and systems may still rely on pure legacy JAAS solution.
|
However some applications and systems may still rely on pure legacy JAAS solution.
|
15
topics/oidc.adoc → topics/oidc/java/java-adapter-config.adoc
Executable file → Normal file
15
topics/oidc.adoc → topics/oidc/java/java-adapter-config.adoc
Executable file → Normal file
|
@ -1,17 +1,6 @@
|
||||||
|
|
||||||
[[_adapter_config]]
|
[[_java_adapter_config]]
|
||||||
|
=== Java Adapter Config
|
||||||
= Adapters
|
|
||||||
|
|
||||||
Keycloak can secure a wide variety of application types.
|
|
||||||
This section defines which application types are supported and how to configure and install them so that you can use Keycloak to secure your applications.
|
|
||||||
|
|
||||||
These client adapters use an extension of the OpenID Connect protocol (a derivate of OAuth 2.0). This extension provides support for clustering, backchannel logout, and other non-standard adminstrative functions.
|
|
||||||
The Keycloak project also provides a separate, standalone, generic, SAML client adapter.
|
|
||||||
But that is describe in a separate document and has a different download.
|
|
||||||
|
|
||||||
|
|
||||||
== General Adapter Config
|
|
||||||
|
|
||||||
Each adapter supported by Keycloak can be configured by a simple JSON text file.
|
Each adapter supported by Keycloak can be configured by a simple JSON text file.
|
||||||
This is what one might look like:
|
This is what one might look like:
|
1
topics/oidc/java/java-adapters.adoc
Normal file
1
topics/oidc/java/java-adapters.adoc
Normal file
|
@ -0,0 +1 @@
|
||||||
|
== Java Adapters
|
|
@ -1,6 +1,6 @@
|
||||||
|
|
||||||
[[_jboss_adapter]]
|
[[_jboss_adapter]]
|
||||||
= JBoss/Wildfly Adapter
|
=== JBoss/Wildfly Adapter
|
||||||
|
|
||||||
To be able to secure WAR apps deployed on JBoss AS 7.1.1, JBoss EAP 6.x, or Wildfly, you must install and configure the Keycloak Subsystem.
|
To be able to secure WAR apps deployed on JBoss AS 7.1.1, JBoss EAP 6.x, or Wildfly, you must install and configure the Keycloak Subsystem.
|
||||||
You then have two options to secure your WARs.
|
You then have two options to secure your WARs.
|
||||||
|
@ -9,7 +9,7 @@ Alternatively, you don't have to crack open your WARs at all and can apply Keycl
|
||||||
Both methods are described in this section.
|
Both methods are described in this section.
|
||||||
|
|
||||||
[[_jboss_adapter_installation]]
|
[[_jboss_adapter_installation]]
|
||||||
== Adapter Installation
|
==== Adapter Installation
|
||||||
|
|
||||||
Adapters are no longer included with the appliance or war distribution.
|
Adapters are no longer included with the appliance or war distribution.
|
||||||
Each adapter is a separate download on the Keycloak download site.
|
Each adapter is a separate download on the Keycloak download site.
|
||||||
|
@ -144,7 +144,7 @@ public class CustomerService {
|
||||||
|
|
||||||
We hope to improve our integration in the future so that you don't have to specify the @SecurityDomain annotation when you want to propagate a keycloak security context to the EJB tier.
|
We hope to improve our integration in the future so that you don't have to specify the @SecurityDomain annotation when you want to propagate a keycloak security context to the EJB tier.
|
||||||
|
|
||||||
== Required Per WAR Configuration
|
==== Required Per WAR Configuration
|
||||||
|
|
||||||
This section describes how to secure a WAR directly by adding config and editing files within your WAR package.
|
This section describes how to secure a WAR directly by adding config and editing files within your WAR package.
|
||||||
|
|
||||||
|
@ -206,7 +206,7 @@ Here's an example pulled from one of the examples that comes distributed with Ke
|
||||||
</web-app>
|
</web-app>
|
||||||
----
|
----
|
||||||
|
|
||||||
== Securing WARs via Keycloak Subsystem
|
==== Securing WARs via Keycloak Subsystem
|
||||||
|
|
||||||
You do not have to crack open a WAR to secure it with Keycloak.
|
You do not have to crack open a WAR to secure it with Keycloak.
|
||||||
Alternatively, you can externally secure it via the Keycloak Adapter Subsystem.
|
Alternatively, you can externally secure it via the Keycloak Adapter Subsystem.
|
|
@ -1,13 +1,13 @@
|
||||||
|
|
||||||
[[_jetty8_adapter]]
|
[[_jetty8_adapter]]
|
||||||
= Jetty 8.1.x Adapter
|
=== Jetty 8.1.x Adapter
|
||||||
|
|
||||||
Keycloak has a separate adapter for Jetty 8.1.x that you will have to install into your Jetty installation.
|
Keycloak has a separate adapter for Jetty 8.1.x that you will have to install into your Jetty installation.
|
||||||
You then have to provide some extra configuration in each WAR you deploy to Jetty.
|
You then have to provide some extra configuration in each WAR you deploy to Jetty.
|
||||||
Let's go over these steps.
|
Let's go over these steps.
|
||||||
|
|
||||||
[[_jetty8_adapter_installation]]
|
[[_jetty8_adapter_installation]]
|
||||||
== Adapter Installation
|
==== Adapter Installation
|
||||||
|
|
||||||
Adapters are no longer included with the appliance or war distribution.Each adapter is a separate download on the Keycloak download site.
|
Adapters are no longer included with the appliance or war distribution.Each adapter is a separate download on the Keycloak download site.
|
||||||
They are also available as a maven artifact.
|
They are also available as a maven artifact.
|
||||||
|
@ -40,7 +40,7 @@ Edit start.ini and add keycloak to the options
|
||||||
OPTIONS=Server,jsp,jmx,resources,websocket,ext,plus,annotations,keycloak
|
OPTIONS=Server,jsp,jmx,resources,websocket,ext,plus,annotations,keycloak
|
||||||
----
|
----
|
||||||
|
|
||||||
== Required Per WAR Configuration
|
==== Required Per WAR Configuration
|
||||||
|
|
||||||
Enabling Keycloak for your WARs is the same as the Jetty 9.x adapter.
|
Enabling Keycloak for your WARs is the same as the Jetty 9.x adapter.
|
||||||
Our 8.1.x adapter supports both keycloak.json and the jboss-web.xml advanced configuration.
|
Our 8.1.x adapter supports both keycloak.json and the jboss-web.xml advanced configuration.
|
|
@ -1,13 +1,13 @@
|
||||||
|
|
||||||
[[_jetty9_adapter]]
|
[[_jetty9_adapter]]
|
||||||
= Jetty 9.x Adapters
|
=== Jetty 9.x Adapters
|
||||||
|
|
||||||
Keycloak has a separate adapter for Jetty 9.1.x and Jetty 9.2.x that you will have to install into your Jetty installation.
|
Keycloak has a separate adapter for Jetty 9.1.x and Jetty 9.2.x that you will have to install into your Jetty installation.
|
||||||
You then have to provide some extra configuration in each WAR you deploy to Jetty.
|
You then have to provide some extra configuration in each WAR you deploy to Jetty.
|
||||||
Let's go over these steps.
|
Let's go over these steps.
|
||||||
|
|
||||||
[[_jetty9_adapter_installation]]
|
[[_jetty9_adapter_installation]]
|
||||||
== Adapter Installation
|
==== Adapter Installation
|
||||||
|
|
||||||
Adapters are no longer included with the appliance or war distribution.Each adapter is a separate download on the Keycloak download site.
|
Adapters are no longer included with the appliance or war distribution.Each adapter is a separate download on the Keycloak download site.
|
||||||
They are also available as a maven artifact.
|
They are also available as a maven artifact.
|
||||||
|
@ -34,7 +34,7 @@ $ java -jar $JETTY_HOME/start.jar --add-to-startd=keycloak
|
||||||
----
|
----
|
||||||
|
|
||||||
[[_jetty9_per_war]]
|
[[_jetty9_per_war]]
|
||||||
== Required Per WAR Configuration
|
==== Required Per WAR Configuration
|
||||||
|
|
||||||
This section describes how to secure a WAR directly by adding config and editing files within your WAR package.
|
This section describes how to secure a WAR directly by adding config and editing files within your WAR package.
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
= Logout
|
=== Logout
|
||||||
|
|
||||||
There are multiple ways you can logout from a web application.
|
There are multiple ways you can logout from a web application.
|
||||||
For Java EE servlet containers, you can call HttpServletRequest.logout(). For any other browser application, you can point the browser at the url `http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri`.
|
For Java EE servlet containers, you can call HttpServletRequest.logout(). For any other browser application, you can point the browser at the url `http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri`.
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
= Multi Tenancy
|
=== Multi Tenancy
|
||||||
|
|
||||||
Multi Tenancy, in our context, means that one single target application (WAR) can be secured by a single (or clustered) Keycloak server, authenticating its users against different realms.
|
Multi Tenancy, in our context, means that one single target application (WAR) can be secured by a single (or clustered) Keycloak server, authenticating its users against different realms.
|
||||||
In practice, this means that one application needs to use different `keycloak.json` files.
|
In practice, this means that one application needs to use different `keycloak.json` files.
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
= Java Servlet Filter Adapter
|
=== Java Servlet Filter Adapter
|
||||||
|
|
||||||
If you want to use Keycloak with a Java servlet application that doesn't have an adapter for that servlet platform, you can opt to use the servlet filter adapter that Keycloak has.
|
If you want to use Keycloak with a Java servlet application that doesn't have an adapter for that servlet platform, you can opt to use the servlet filter adapter that Keycloak has.
|
||||||
This adapter works a little differently than the other adapters.
|
This adapter works a little differently than the other adapters.
|
|
@ -1,11 +1,11 @@
|
||||||
|
|
||||||
= Spring Boot Adapter
|
=== Spring Boot Adapter
|
||||||
|
|
||||||
To be able to secure Spring Boot apps you must add the Keycloak Spring Boot adapter JAR to your app.
|
To be able to secure Spring Boot apps you must add the Keycloak Spring Boot adapter JAR to your app.
|
||||||
You then have to provide some extra configuration via normal Spring Boot configuration (`application.properties`). Let's go over these steps.
|
You then have to provide some extra configuration via normal Spring Boot configuration (`application.properties`). Let's go over these steps.
|
||||||
|
|
||||||
[[_spring_boot_adapter_installation]]
|
[[_spring_boot_adapter_installation]]
|
||||||
== Adapter Installation
|
==== Adapter Installation
|
||||||
|
|
||||||
The Keycloak Spring Boot adapter takes advantage of Spring Boot's autoconfiguration so all you need to do is add the Keycloak Spring Boot adapter JAR to your project.
|
The Keycloak Spring Boot adapter takes advantage of Spring Boot's autoconfiguration so all you need to do is add the Keycloak Spring Boot adapter JAR to your project.
|
||||||
Depending on what container you are using with Spring Boot, you also need to add the appropriate Keycloak container adapter.
|
Depending on what container you are using with Spring Boot, you also need to add the appropriate Keycloak container adapter.
|
||||||
|
@ -29,7 +29,7 @@ If you are using Maven, add the following to your pom.xml (using Tomcat as an ex
|
||||||
----
|
----
|
||||||
|
|
||||||
[[_spring_boot_adapter_configuration]]
|
[[_spring_boot_adapter_configuration]]
|
||||||
== Required Spring Boot Adapter Configuration
|
==== Required Spring Boot Adapter Configuration
|
||||||
|
|
||||||
This section describes how to configure your Spring Boot app to use Keycloak.
|
This section describes how to configure your Spring Boot app to use Keycloak.
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
= Spring Security Adapter
|
=== Spring Security Adapter
|
||||||
|
|
||||||
To secure an application with Spring Security and Keycloak, add this adapter as a dependency to your project.
|
To secure an application with Spring Security and Keycloak, add this adapter as a dependency to your project.
|
||||||
You then have to provide some extra beans in your Spring Security configuration file and add the Keycloak security filter to your pipeline.
|
You then have to provide some extra beans in your Spring Security configuration file and add the Keycloak security filter to your pipeline.
|
||||||
|
@ -7,7 +7,7 @@ You then have to provide some extra beans in your Spring Security configuration
|
||||||
Unlike the other Keycloak Adapters, you should not configure your security in web.xml.
|
Unlike the other Keycloak Adapters, you should not configure your security in web.xml.
|
||||||
However, keycloak.json is still required.
|
However, keycloak.json is still required.
|
||||||
|
|
||||||
== Adapter Installation
|
==== Adapter Installation
|
||||||
|
|
||||||
Add Keycloak Spring Security adapter as a dependency to your Maven POM or Gradle build.
|
Add Keycloak Spring Security adapter as a dependency to your Maven POM or Gradle build.
|
||||||
|
|
||||||
|
@ -23,11 +23,11 @@ Add Keycloak Spring Security adapter as a dependency to your Maven POM or Gradle
|
||||||
</dependency>
|
</dependency>
|
||||||
----
|
----
|
||||||
|
|
||||||
== Spring Security Configuration
|
==== Spring Security Configuration
|
||||||
|
|
||||||
The Keycloak Spring Security adapter takes advantage of Spring Security's flexible security configuration syntax.
|
The Keycloak Spring Security adapter takes advantage of Spring Security's flexible security configuration syntax.
|
||||||
|
|
||||||
=== Java Configuration
|
===== Java Configuration
|
||||||
|
|
||||||
Keycloak provides a KeycloakWebSecurityConfigurerAdapter as a convenient base class for creating a http://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/config/annotation/web/WebSecurityConfigurer.html[WebSecurityConfigurer] instance.
|
Keycloak provides a KeycloakWebSecurityConfigurerAdapter as a convenient base class for creating a http://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/config/annotation/web/WebSecurityConfigurer.html[WebSecurityConfigurer] instance.
|
||||||
The implementation allows customization by overriding methods.
|
The implementation allows customization by overriding methods.
|
||||||
|
@ -78,7 +78,7 @@ You must provide a session authentication strategy bean which should be of type
|
||||||
Spring Security's `SessionFixationProtectionStrategy` is currently not supported because it changes the session identifier after login via Keycloak.
|
Spring Security's `SessionFixationProtectionStrategy` is currently not supported because it changes the session identifier after login via Keycloak.
|
||||||
If the session identifier changes, universal log out will not work because Keycloak is unaware of the new session identifier.
|
If the session identifier changes, universal log out will not work because Keycloak is unaware of the new session identifier.
|
||||||
|
|
||||||
=== XML Configuration
|
===== XML Configuration
|
||||||
|
|
||||||
While Spring Security's XML namespace simplifies configuration, customizing the configuration can be a bit verbose.
|
While Spring Security's XML namespace simplifies configuration, customizing the configuration can be a bit verbose.
|
||||||
|
|
||||||
|
@ -148,13 +148,13 @@ While Spring Security's XML namespace simplifies configuration, customizing the
|
||||||
</beans>
|
</beans>
|
||||||
----
|
----
|
||||||
|
|
||||||
== Multi Tenancy
|
==== Multi Tenancy
|
||||||
|
|
||||||
The Keycloak Spring Security adapter also supports multi tenancy.
|
The Keycloak Spring Security adapter also supports multi tenancy.
|
||||||
Instead of injecting `AdapterDeploymentContextFactoryBean` with the path to `keycloak.json` you can inject an implementation of the `KeycloakConfigResolver` interface.
|
Instead of injecting `AdapterDeploymentContextFactoryBean` with the path to `keycloak.json` you can inject an implementation of the `KeycloakConfigResolver` interface.
|
||||||
More details on how to implement the `KeycloakConfigResolver` can be found in <<_multi_tenancy>>.
|
More details on how to implement the `KeycloakConfigResolver` can be found in <<_multi_tenancy>>.
|
||||||
|
|
||||||
== Naming Security Roles
|
==== Naming Security Roles
|
||||||
|
|
||||||
Spring Security, when using role-based authentication, requires that role names start with `ROLE_`.
|
Spring Security, when using role-based authentication, requires that role names start with `ROLE_`.
|
||||||
For example, an administrator role must be declared in Keycloak as `ROLE_ADMIN` or similar, not simply `ADMIN`.
|
For example, an administrator role must be declared in Keycloak as `ROLE_ADMIN` or similar, not simply `ADMIN`.
|
||||||
|
@ -163,7 +163,7 @@ The class `org.keycloak.adapters.springsecurity.authentication.KeycloakAuthentic
|
||||||
Use, for example, `org.springframework.security.core.authority.mapping.SimpleAuthorityMapper` to insert the `ROLE_` prefix and convert the role name to upper case.
|
Use, for example, `org.springframework.security.core.authority.mapping.SimpleAuthorityMapper` to insert the `ROLE_` prefix and convert the role name to upper case.
|
||||||
The class is part of Spring Security Core module.
|
The class is part of Spring Security Core module.
|
||||||
|
|
||||||
== Client to Client Support
|
==== Client to Client Support
|
||||||
|
|
||||||
To simplify communication between clients, Keycloak provides an extension of Spring's `RestTemplate` that handles bearer token authentication for you.
|
To simplify communication between clients, Keycloak provides an extension of Spring's `RestTemplate` that handles bearer token authentication for you.
|
||||||
To enable this feature your security configuration must add the `KeycloakRestTemplate` bean.
|
To enable this feature your security configuration must add the `KeycloakRestTemplate` bean.
|
||||||
|
@ -227,7 +227,7 @@ public class RemoteProductService implements ProductService {
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
||||||
== Spring Boot Configuration
|
==== Spring Boot Configuration
|
||||||
|
|
||||||
Spring Boot attempts to eagerly register filter beans with the web application context.
|
Spring Boot attempts to eagerly register filter beans with the web application context.
|
||||||
Therefore, when running the Keycloak Spring Security adapter in a Spring Boot environment, it may be necessary to add two ``FilterRegistrationBean``s to your security configuration to prevent the Keycloak filters from being registered twice.
|
Therefore, when running the Keycloak Spring Security adapter in a Spring Boot environment, it may be necessary to add two ``FilterRegistrationBean``s to your security configuration to prevent the Keycloak filters from being registered twice.
|
|
@ -1,13 +1,13 @@
|
||||||
|
|
||||||
[[_tomcat_adapter]]
|
[[_tomcat_adapter]]
|
||||||
= Tomcat 6, 7 and 8 Adapters
|
=== Tomcat 6, 7 and 8 Adapters
|
||||||
|
|
||||||
To be able to secure WAR apps deployed on Tomcat 6, 7 and 8 you must install the Keycloak Tomcat 6, 7 or 8 adapter into your Tomcat installation.
|
To be able to secure WAR apps deployed on Tomcat 6, 7 and 8 you must install the Keycloak Tomcat 6, 7 or 8 adapter into your Tomcat installation.
|
||||||
You then have to provide some extra configuration in each WAR you deploy to Tomcat.
|
You then have to provide some extra configuration in each WAR you deploy to Tomcat.
|
||||||
Let's go over these steps.
|
Let's go over these steps.
|
||||||
|
|
||||||
[[_tomcat_adapter_installation]]
|
[[_tomcat_adapter_installation]]
|
||||||
== Adapter Installation
|
==== Adapter Installation
|
||||||
|
|
||||||
Adapters are no longer included with the appliance or war distribution.
|
Adapters are no longer included with the appliance or war distribution.
|
||||||
Each adapter is a separate download on the Keycloak download site.
|
Each adapter is a separate download on the Keycloak download site.
|
||||||
|
@ -28,7 +28,7 @@ $ unzip keycloak-tomcat7-adapter-dist.zip
|
||||||
$ unzip keycloak-tomcat8-adapter-dist.zip
|
$ unzip keycloak-tomcat8-adapter-dist.zip
|
||||||
----
|
----
|
||||||
|
|
||||||
== Required Per WAR Configuration
|
==== Required Per WAR Configuration
|
||||||
|
|
||||||
This section describes how to secure a WAR directly by adding config and editing files within your WAR package.
|
This section describes how to secure a WAR directly by adding config and editing files within your WAR package.
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
= Javascript Adapter
|
== Javascript Adapter
|
||||||
|
|
||||||
The Keycloak Server comes with a Javascript library you can use to secure HTML/Javascript applications.
|
The Keycloak Server comes with a Javascript library you can use to secure HTML/Javascript applications.
|
||||||
This library is referenceable directly from the keycloak server.
|
This library is referenceable directly from the keycloak server.
|
29
topics/installed-applications.adoc → topics/oidc/oidc-generic.adoc
Executable file → Normal file
29
topics/installed-applications.adoc → topics/oidc/oidc-generic.adoc
Executable file → Normal file
|
@ -1,10 +1,29 @@
|
||||||
|
== Other OpenID Connect libraries
|
||||||
|
|
||||||
= Installed Applications
|
OAuth2 https://tools.ietf.org/html/rfc6749
|
||||||
|
OpenID Connect http://openid.net/connect/
|
||||||
|
|
||||||
|
|
||||||
|
=== Endpoints
|
||||||
|
|
||||||
|
TODO
|
||||||
|
|
||||||
|
=== Flows
|
||||||
|
|
||||||
|
==== Authorization Grant
|
||||||
|
|
||||||
|
==== Implicit
|
||||||
|
|
||||||
|
==== Resource Owner Password Credentials
|
||||||
|
|
||||||
|
==== Client Credentials
|
||||||
|
|
||||||
|
=== Redirect URIs
|
||||||
|
|
||||||
Keycloak provides two special redirect uris for installed applications.
|
Keycloak provides two special redirect uris for installed applications.
|
||||||
|
|
||||||
[[_installed_applications_url]]
|
[[_installed_applications_url]]
|
||||||
== Installed Applications url
|
==== Installed Applications url
|
||||||
|
|
||||||
http://localhost
|
http://localhost
|
||||||
|
|
||||||
|
@ -13,7 +32,7 @@ Any port number is allowed.
|
||||||
This makes it possible to start a web server for the installed application on any free port number without requiring changes in the `Admin Console`.
|
This makes it possible to start a web server for the installed application on any free port number without requiring changes in the `Admin Console`.
|
||||||
|
|
||||||
[[_installed_applications_urn]]
|
[[_installed_applications_urn]]
|
||||||
== Installed Applications urn
|
==== Installed Applications urn
|
||||||
|
|
||||||
`urn:ietf:wg:oauth:2.0:oob`
|
`urn:ietf:wg:oauth:2.0:oob`
|
||||||
|
|
||||||
|
@ -21,3 +40,7 @@ If its not possible to start a web server in the client (or a browser is not ava
|
||||||
When this redirect uri is used Keycloak displays a page with the code in the title and in a box on the page.
|
When this redirect uri is used Keycloak displays a page with the code in the title and in a box on the page.
|
||||||
The application can either detect that the browser title has changed, or the user can copy/paste the code manually to the application.
|
The application can either detect that the browser title has changed, or the user can copy/paste the code manually to the application.
|
||||||
With this redirect uri it is also possible for a user to use a different device to obtain a code to paste back to the application.
|
With this redirect uri it is also possible for a user to use a different device to obtain a code to paste back to the application.
|
||||||
|
|
||||||
|
=== Session Management
|
||||||
|
|
||||||
|
=== Dynamic Client Registration
|
8
topics/oidc/oidc-overview.adoc
Normal file
8
topics/oidc/oidc-overview.adoc
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
== OpenID Connect
|
||||||
|
|
||||||
|
Keycloak can secure a wide variety of application types.
|
||||||
|
This section defines which application types are supported and how to configure and install them so that you can use Keycloak to secure your applications.
|
||||||
|
|
||||||
|
These client adapters use an extension of the OpenID Connect protocol (a derivate of OAuth 2.0). This extension provides support for clustering, backchannel logout, and other non-standard adminstrative functions.
|
||||||
|
The Keycloak project also provides a separate, standalone, generic, SAML client adapter.
|
||||||
|
But that is describe in a separate document and has a different download.
|
0
topics/overview/overview.adoc
Normal file
0
topics/overview/overview.adoc
Normal file
0
topics/overview/supported-protocols.adoc
Normal file
0
topics/overview/supported-protocols.adoc
Normal file
0
topics/overview/what-are-client-adapters.adoc
Normal file
0
topics/overview/what-are-client-adapters.adoc
Normal file
|
@ -1,4 +1,4 @@
|
||||||
= Preface
|
== Preface
|
||||||
|
|
||||||
In some of the example listings, what is meant to be displayed on one line does not fit inside the available page width.These lines have been broken up. A '\' at the end of a line means that a break has been introduced to fit in the page, with the following lines indented.
|
In some of the example listings, what is meant to be displayed on one line does not fit inside the available page width.These lines have been broken up. A '\' at the end of a line means that a break has been introduced to fit in the page, with the following lines indented.
|
||||||
So:
|
So:
|
||||||
|
|
1
topics/saml/saml-overview.adoc
Normal file
1
topics/saml/saml-overview.adoc
Normal file
|
@ -0,0 +1 @@
|
||||||
|
== SAML
|
Loading…
Reference in a new issue