Address comments on Securing Apps
Closes #27867 Signed-off-by: AndyMunro <amunro@redhat.com>
This commit is contained in:
parent
0e717f735e
commit
e40227fa50
5 changed files with 34 additions and 23 deletions
|
@ -7,7 +7,7 @@ It is necessary to create or obtain a client configuration for any application t
|
|||
|
||||
You can configure application clients from a command line with the Client Registration CLI, and you can use it in shell scripts.
|
||||
|
||||
To allow a particular user to use `Client Registration CLI` the {project_name} administrator typically uses the Admin Console to configure a new user with proper roles or to configure a new client and client secret to grant access to the Client Registration REST API.
|
||||
To allow a particular user to use `Client Registration CLI`, the {project_name} administrator typically uses the Admin Console to configure a new user with proper roles or to configure a new client and client secret to grant access to the Client Registration REST API.
|
||||
|
||||
|
||||
[[_configuring_a_user_for_client_registration_cli]]
|
||||
|
@ -18,8 +18,13 @@ To allow a particular user to use `Client Registration CLI` the {project_name} a
|
|||
. Log in to the Admin Console (for example, http://localhost:8080{kc_admins_path}) as [command]`admin`.
|
||||
. Select a realm to administer.
|
||||
. If you want to use an existing user, select that user to edit; otherwise, create a new user.
|
||||
. Select *Role Mappings > Client Roles > realm-management*. If you are in the master realm, select *NAME-realm*, where `NAME` is the name of the target realm. You can grant access to any other realm to users in the master realm.
|
||||
. Select *Available Roles > manage-client* to grant a full set of client management permissions. Another option is to choose *view-clients* for read-only or *create-client* to create new clients.
|
||||
|
||||
. Select *Role Mapping*, *Assign role*. From the option list, click *Filter by clients*. In the search bar, type `manage-clients`. Select the role, or if you are in the master realm, select the one with *NAME-realm*, where `NAME` is the name of the target realm. You can grant access to any other realm to users in the master realm.
|
||||
|
||||
. Click *Assign* to grant a full set of client management permissions. Another option is to choose *view-clients* for read-only or *create-client* to create new clients.
|
||||
|
||||
. Select *Available Roles*, *manage-client* to grant a full set of client management permissions. Another option is to choose *view-clients* for read-only or *create-client* to create new clients.
|
||||
|
||||
+
|
||||
[NOTE]
|
||||
====
|
||||
|
@ -28,8 +33,7 @@ These permissions grant the user the capability to perform operations without th
|
|||
|
||||
It is possible to not assign any [command]`realm-management` roles to a user. In that case, a user can still log in with the Client Registration CLI but cannot use it without an Initial Access Token. Trying to perform any operations without a token results in a *403 Forbidden* error.
|
||||
|
||||
The Administrator can issue Initial Access Tokens from the Admin Console through the *Realm Settings > Client Registration > Initial Access Token* menu.
|
||||
|
||||
The administrator can issue Initial Access Tokens from the Admin Console in the Clients area on the *Initial Access Token* tab.
|
||||
|
||||
[[_configuring_a_client_for_use_with_client_registration_cli]]
|
||||
=== Configuring a client for use with the Client Registration CLI
|
||||
|
@ -39,21 +43,25 @@ By default, the server recognizes the Client Registration CLI as the [filename]`
|
|||
.Procedure
|
||||
|
||||
. Create a client (for example, [filename]`reg-cli`) if you want to use a separate client configuration for the Client Registration CLI.
|
||||
. Toggle the *Standard Flow Enabled* setting it to *Off*.
|
||||
. Strengthen the security by configuring the client [filename]`Access Type` as [filename]`Confidential` and selecting *Credentials > ClientId and Secret*.
|
||||
. Uncheck *Standard Flow Enabled*.
|
||||
. Strengthen the security by toggling *Client authentication* to *On*.
|
||||
. Choose the type of account that you want to use.
|
||||
.. If you want to use a service account associated with the client, check *Service accounts roles*.
|
||||
.. If you prefer to use a regular user account, check *Direct access grants*.
|
||||
. Click *Next*.
|
||||
. Click *Save*.
|
||||
. Click the *Credentials* tab.
|
||||
+
|
||||
[NOTE]
|
||||
====
|
||||
You can configure either [filename]`Client Id and Secret` or [filename]`Signed JWT` under the *Credentials* tab .
|
||||
====
|
||||
. Enable service accounts if you want to use a service account associated with the client by selecting a client to edit in the *Clients* section of the `Admin Console`.
|
||||
.. Under *Settings*, change the *Access Type* to *Confidential*, toggle the *Service Accounts Enabled* setting to *On*, and click *Save*.
|
||||
.. Click *Service Account Roles* and select desired roles to configure the access for the service account. For the details on what roles to select, see <<_configuring_a_user_for_client_registration_cli>>.
|
||||
. Toggle the *Direct Access Grants Enabled* setting it to *On* if you want to use a regular user account instead of a service account.
|
||||
. If the client is configured as [filename]`Confidential`, provide the configured secret when running [command]`kcreg config credentials` by using the [command]`--secret` option.
|
||||
. Specify which [filename]`clientId` to use (for example, [command]`--client reg-cli`) when running [command]`kcreg config credentials`.
|
||||
. With the service account enabled, you can omit specifying the user when running [command]`kcreg config credentials` and only provide the client secret or keystore information.
|
||||
Configure either [filename]`Client Id and Secret` or [filename]`Signed JWT`.
|
||||
. If you are using service account roles, click the *Service Account Roles* tab.
|
||||
+
|
||||
Select the roles to configure the access for the service account. For the details on what roles to select, see <<_configuring_a_user_for_client_registration_cli>>.
|
||||
. Click *Save*.
|
||||
|
||||
When you run the [command]`kcreg config credentials`, use the [command]`--secret` option to supply the configured secret.
|
||||
|
||||
* Specify which [filename]`clientId` to use (for example, [command]`--client reg-cli`) when running [command]`kcreg config credentials`.
|
||||
* With the service account enabled, you can omit specifying the user when running [command]`kcreg config credentials` and only provide the client secret or keystore information.
|
||||
|
||||
[[_installing_client_registration_cli]]
|
||||
=== Installing the Client Registration CLI
|
||||
|
|
|
@ -29,7 +29,7 @@ When enforcing the requirements of the FAPI CIBA specification, there is a need
|
|||
|
||||
==== Open Finance Brasil Financial-grade API Security Profile
|
||||
|
||||
{project_name} is compliant with the https://openfinancebrasil.atlassian.net/wiki/spaces/OF/pages/82083996/EN+Open+Finance+Brasil+Financial-grade+API+Security+Profile+1.0+Implementers+Draft+3[Open Finance Brasil Financial-grade API Security Profile 1.0 Implementers Draft 3].
|
||||
{project_name} is compliant with the https://openfinancebrasil.atlassian.net/wiki/spaces/OF/pages/245760001/EN+Open+Finance+Brasil+Financial-grade+API+Security+Profile+1.0+Implementers+Draft+3[Open Finance Brasil Financial-grade API Security Profile 1.0 Implementers Draft 3].
|
||||
This one is stricter in some requirements than the <<_fapi-support,FAPI 1 Advanced>> specification and hence it may be needed to configure link:{adminguide_link}#_client_policies[Client Policies]
|
||||
in the more strict way to enforce some of the requirements. Especially:
|
||||
|
||||
|
|
|
@ -30,6 +30,6 @@ Spring Security provides comprehensive support for OAuth 2 and OpenID Connect. F
|
|||
https://spring.io/projects/spring-security[Spring Security documentation].
|
||||
|
||||
Alternatively, for Spring Boot 2.x the Spring Boot adapter from Red Hat Single Sign-On 7.6 can be used in combination with the {project_name} server. For more information, see the
|
||||
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/securing_applications_and_services_guide/oidc#jboss_adapter[Red Hat Single Sign-On documentation].
|
||||
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/securing_applications_and_services_guide/oidc#spring_boot_adapter[Red Hat Single Sign-On documentation].
|
||||
|
||||
|
||||
|
|
|
@ -386,8 +386,11 @@ Options is an optional Object, where:
|
|||
|
||||
* redirectUri - Specifies the uri to redirect to after login.
|
||||
* prompt - This parameter allows to slightly customize the login flow on the {project_name} server side.
|
||||
For example enforce displaying the login screen in case of value `login`. See link:{adapterguide_link}#_params_forwarding[Parameters Forwarding Section]
|
||||
For example, enforce displaying the login screen in case of value `login`.
|
||||
ifeval::[{project_community}==true]
|
||||
See the link:{adapterguide_link}#_params_forwarding[Parameters Forwarding Section]
|
||||
for the details and all the possible values of the `prompt` parameter.
|
||||
endif::[]
|
||||
* maxAge - Used just if user is already authenticated. Specifies maximum time since the authentication of user happened. If user is already authenticated for longer time than `maxAge`, the SSO is ignored and he will need to re-authenticate again.
|
||||
* loginHint - Used to pre-fill the username/email field on the login form.
|
||||
* scope - Override the scope configured in `init` with a different value for this specific login.
|
||||
|
|
|
@ -10,11 +10,11 @@ endif::[]
|
|||
|
||||
To use the Node.js adapter, first you must create a client for your application in the {project_name} Admin Console. The adapter supports public, confidential, and bearer-only access type. Which one to choose depends on the use-case scenario.
|
||||
|
||||
Once the client is created click the `Installation` tab, select `{project_name} OIDC JSON` for `Format Option`, and then click `Download`. The downloaded `keycloak.json` file should be at the root folder of your project.
|
||||
Once the client is created, click *Action* at the top right and choose *Download adapter config*. For *Format, choose *Keycloak OIDC JSON* and click *Download*. The downloaded `keycloak.json` file is at the root folder of your project.
|
||||
|
||||
==== Installation
|
||||
|
||||
Assuming you've already installed https://nodejs.org[Node.js], create a folder for your application:
|
||||
Assuming you have already installed https://nodejs.org[Node.js], create a folder for your application:
|
||||
|
||||
mkdir myapp && cd myapp
|
||||
|
||||
|
|
Loading…
Reference in a new issue