keycloak-scim/examples/as7-eap-demo
2014-01-17 09:30:56 +00:00
..
customer-app auth-server-url and Realm/App name changes 2014-01-15 10:02:56 -05:00
database-service KEYCLOAK-230 Convert third-party example to be CDI+JSF application with reading config from JSON file. Renamed package org.jboss.resteasy to org.keycloak in database example. Added ServletOAuthClientConfigLoader 2014-01-13 18:41:00 +01:00
product-app auth-server-url and Realm/App name changes 2014-01-15 10:02:56 -05:00
third-party auth-server-url and Realm/App name changes 2014-01-15 10:02:56 -05:00
third-party-cdi auth-server-url and Realm/App name changes 2014-01-15 10:02:56 -05:00
pom.xml Added third-party-cdi example. Example in both AS7 and Wildfly 2014-01-13 18:49:32 +01:00
README.md change uri scheme 2014-01-13 17:07:36 -05:00
testrealm.json KEYCLOAK-264 Remove option to enable/disable acct mngmt 2014-01-17 09:30:56 +00:00

Login, Distributed SSO, Distributed Logout, and Oauth Token Grant Wildfly Examples

The following examples requires JBoss AS 7.1.1 or EAP 6.x. Here's the highlights of the examples

  • Delegating authentication of a web app to the remote authentication server via OAuth 2 protocols
  • Distributed Single-Sign-On and Single-Logout
  • Transferring identity and role mappings via a special bearer token (Skeleton Key Token).
  • Bearer token authentication and authorization of JAX-RS services
  • Obtaining bearer tokens via the OAuth2 protocol

There are multiple WAR projects. These all will run on the same jboss instance, but pretend each one is running on a different machine on the network or Internet.

  • customer-app A WAR applications that does remote login using OAUTH2 browser redirects with the auth server
  • product-app A WAR applications that does remote login using OAUTH2 browser redirects with the auth server
  • database-service JAX-RS services authenticated by bearer tokens only. The customer and product app invoke on it to get data
  • third-party Simple WAR that obtain a bearer token using OAuth2 using browser redirects to the auth-server.

The UI of each of these applications is very crude and exists just to show our OAuth2 implementation in action.

This demo is meant to run on the same server instance as the Keycloak Server!

Step 1: Make sure you've set up the Keycloak Server and Adapter

Obtain latest keycloak-war-dist-all.zip. This distro is used to install keycloak onto an existing JBoss installation

$ cd ${jboss.home}/standalone $ cp -r ${keycloak-war-dist-all}/deployments .

To install the adapter if running JBoss 7.1.1 $ cd ${jboss.home} $ unzip ${keycloak-war-dist-al}/adapters/keycloak-as7-adapter-dist.zip

To install the adapter if running on EAP 6.x $ cd ${jboss.home} $ unzip ${keycloak-war-dist-all}/adapters/keycloak-as7-adapter-dist.zip

Step 2: Boot Keycloak Server

Where you go to start up the Keycloak Server depends on which distro you installed.

$ cd ${jboss.home}/bin $ ./standalone.sh

Step 3: Import the Test Realm

Next thing you have to do is import the test realm for the demo. Clicking on the below link will bring you to the create realm page in the admin UI. The username/password is admin/admin to login in. Keycloak will ask you to create a new password admin password before you can go to the create realm page.

http://localhost:8080/auth/admin/index.html#/create/realm

Import the testrealm.json file that is in the as7-eap6-demo/ example directory.

Step 4: Build and deploy

next you must build and deploy

  1. cd as7-eap-demo
  2. mvn clean install
  3. mvn jboss-as:deploy

Step 5: Login and Observe Apps

Try going to the customer app and viewing customer data:

http://localhost:8080/customer-portal/customers/view.jsp

This should take you to the auth-server login screen. Enter username: bburke@redhat.com and password: password.

If you click on the products link, you'll be take to the products app and show a product listing. The redirects are still happening, but the auth-server knows you are already logged in so the login is bypassed.

If you click on the logout link of either of the product or customer app, you'll be logged out of all the applications.

Step 6: Traditional OAuth2 Example

The customer and product apps are logins. The third-party app is the traditional OAuth2 usecase of a client wanting to get permission to access a user's data. To run this example

http://localhost:8080/oauth-client

If you area already logged in, you will not be asked for a username and password, but you will be redirected to an oauth grant page. This page asks you if you want to grant certain permissions to the third-part app.

Admin Console

  1. Login

Login: http://localhost:8080/auth/rest/admin/login