From ac1f631760918223ff568ff60ba31d9c7dae7677 Mon Sep 17 00:00:00 2001 From: PrarthonaPaul Date: Wed, 21 Feb 2024 16:52:28 +0000 Subject: [PATCH] Deploy to PrarthonaPaul/wildfly-elytron gh-pages branch - Wed Feb 21 16:52:28 UTC 2024 --- .../index.html | 137 +++++++++--------- feed.xml | 2 +- 2 files changed, 70 insertions(+), 69 deletions(-) diff --git a/blog/securing-wildfly-apps-okta-openshift/index.html b/blog/securing-wildfly-apps-okta-openshift/index.html index 53df96addf..0696aea967 100644 --- a/blog/securing-wildfly-apps-okta-openshift/index.html +++ b/blog/securing-wildfly-apps-okta-openshift/index.html @@ -364,16 +364,16 @@

Configure O

User Name: alice@example.org

  • -

    From the dropdown list for Password, choose Set by admin and set a password that fits the password requirements.

    +

    From the dropdown list for Password, choose Set by admin and set a password that fits the password requirements.

  • -

    Uncheck User must change password on first login and hit Save. For more information about how to add a user manually click here.

    +

    Uncheck User must change password on first login and hit Save. For more information about how to add a user manually click here.

  • -

    Click on the Applications tab on the left hand side. Navigate to Applications and click on simple-webapp-okta. Under the Assignments tab, click on Assign, then click on Assign to People and select Alice. For more information about how to assign a user to an application, please see here.

    +

    Click on the Applications tab on the left hand side. Navigate to Applications and click on simple-webapp-okta. Under the Assignments tab, click on Assign, then click on Assign to People and select Alice. For more information about how to assign a user to an application, please see here.

  • @@ -401,7 +401,7 @@
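Review bot: every removed/added pair in this hunk is word-for-word identical in the rendered text ("From the dropdown list for Password...", "Uncheck User must change password...", "Click on the Applications tab..."), so whatever changed is in markup the page extract does not show; if this is a whitespace or attribute re-render, the pairs should collapse to unchanged context, and if the text is being touched anyway, the two link sentences deserve a fix: "click here" and "please see here" give no hint of what they point to, so name the target ("see Okta's instructions for adding a user manually", "see Okta's instructions for assigning a user to an application") so the link text is meaningful on its own.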

    here.

    @@ -448,11 +448,11 @@

    (1) + value: <OKTA_URL> (1) - name: OIDC_CLIENT_ID - value: <client_id> (2) + value: <CLIENT_ID> (2) - name: OIDC_CLIENT_SECRET - value: <client_secret> (3) + value: <CLIENT_SECRET> (3) @@ -483,7 +483,7 @@
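Review bot: the client secret is still supplied as a plain "value:" under "- name: OIDC_CLIENT_SECRET"; this hunk only renames the placeholder from "<client_secret>" to "<CLIENT_SECRET>". A literal secret in the Helm values ends up in the rendered Deployment spec, readable by anyone who can view the deployment, and it is easy to commit by accident. Suggest sourcing it from a Kubernetes Secret instead, which a standard container "env" entry supports through "valueFrom: secretKeyRef" (assuming the WildFly chart passes these entries through to the container env unchanged), and telling the reader to create that Secret before installing the chart. The uppercase placeholders "<OKTA_URL>", "<CLIENT_ID>" and "<CLIENT_SECRET>" are at least consistent with each other now; the placeholder for the provider is named "<OKTA_URL>" while the later oidc.json reads it as "OIDC_PROVIDER_URL", so make sure the prose for callout (1) says which variable name the value lands in.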

    Configure the Deployment Settings

    -

    We can use the resources under 'elytron-oidc-client' to configure the WildFly server. We can do this in two different ways:

    +

    Applications deployed to WildFly can be secured with OIDC in a couple different ways:

    Now that we have added the required changes, we can deploy our application, the helm chart will specify the location for this example application and pull information needed for our deployment specified in the oidc.json file.

    @@ -555,12 +555,8 @@
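Review bot: the new lead sentence, "Applications deployed to WildFly can be secured with OIDC in a couple different ways:", loses the concrete count the removed line had ("in two different ways") and is missing "of"; suggest "Applications deployed to WildFly can be secured with OIDC in two ways:". The unchanged context line after it is a comma splice: "we can deploy our application, the helm chart will specify the location..." should be split into two sentences, and "helm chart" should read "Helm Chart" to match the capitalization used elsewhere on the page ("WildFly Helm Chart").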

    Behin

    While our application is building, let’s take a closer look at our application.

    -
    -
      -
    1. -

      Examine the pom.xml file. Notice that it contains an openshift profile. A profile in Maven lets you create a set of configuration values to customize your application build for different environments. The openshift profile in this example defines a configuration that will be used by the wildfly Helm Chart when provisioning the WildFly server on OpenShift.

      -
    2. -
    +
    +

    Examine the pom.xml file. Notice that it contains an openshift profile. A profile in Maven lets you create a set of configuration values to customize your application build for different environments. The openshift profile in this example defines a configuration that will be used by the WildFly Helm Chart when provisioning the WildFly server on OpenShift.

    @@ -610,64 +606,72 @@

    Behin 2 -elytron-oidc-client automatically adds the native OIDC client subsystem to our WildFly installation. -
    -
      -
    1. -

      Examine the web.xml file.

      -
    2. -
    -
    +elytron-oidc-client automatically adds the native OIDC client subsystem to our WildFly installation.

    +
    +

    Now examine the web.xml file.

    +
    -
    ... <login-config> <auth-method>OIDC</auth-method> (1) </login-config> ...
    +
        <login-config>
    +        <auth-method>OIDC</auth-method> (1)
    +    </login-config>
    -
    -

    When elytron-oidc-client subsystem sees auth-method is set to OIDC, it enables OIDC authentication mechanism for the application.

    +
    + + + + + +
    1When elytron-oidc-client subsystem sees auth-method is set to OIDC, it enables OIDC authentication mechanism for the application.
    -
    -
      -
    1. -

      Examine the oidc.json file. The oidc.json is used to configure the native OIDC client subsystem.

      -
    2. -
    +
    +

    Finally, review the oidc.json file. The oidc.json is used to configure the native OIDC client subsystem.

    {
    -    "client-id" : "${env.CLIENT_ID}",
    -    "provider-url" : "${env.OIDC_PROVIDER_URL}",
    -    "public-client" : "false",
    -    "principal-attribute" : "IDTClaim",
    -    "ssl-required" : "EXTERNAL",
    +    "client-id" : "${env.CLIENT_ID}",               (1)
    +    "provider-url" : "${env.OIDC_PROVIDER_URL}",    (2)
    +    "public-client" : "false",                      (3)
    +    "principal-attribute" : "IDTClaim",             (4)
    +    "ssl-required" : "EXTERNAL",                    (5)
         "credentials" : {
    -        "secret" : "${env.CLIENT_SECRET}"
    +        "secret" : "${env.CLIENT_SECRET}"           (6)
         }
     }
    -
    -
      -
    • -

      Client_ID is the unique identifier for our client used by the Okta OpenID provider. Usually for Keycloak, you can create your own client, but for Okta, you are assigned an id. As a result, we are using environment variables to specify this. We will set the value in

      -
    • -
    • -

      The provider URL, which is the URL for the authorization server that we created, is specified as an environment variable. We will set its value in the helm configuration.

      -
    • -
    • -

      When public-client set to false, client credentials are sent when communicating with the OpenID provider.

      -
    • -
    • -

      We specify that the user name of the identity, which in our case is alice, is to be used as the principal for the identity. We are extracting this information here using a custom claim in the ID token.

      -
    • -
    • -

      When ssl-required is set to EXTERNAL, only the communication with external clients happens over HTTPs

      -
    • -
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + +
    1Client_ID is the unique identifier for our client used by the Okta OpenID provider. Usually for Keycloak, you can create your own client, but for Okta, you are assigned an id. As a result, we are using environment variables to specify this.
    2The provider URL, which is the URL for the authorization server that we created, is specified as an environment variable. We set its value previously in the helm configuration.
    3When public-client set to false, client credentials are sent when communicating with the OpenID provider.
    4We specify that the user name of the identity, which in our case is alice, is to be used as the principal for the identity. We are extracting this information here using a custom claim in the ID token.
    5When ssl-required is set to EXTERNAL, only the communication with external clients happens over HTTPs.
    6Client credentials helps the OIDC server authenticate the client when accepting a request. It is required when public-client is set to false.
    @@ -696,7 +700,7 @@

    Finish Configuring Okta

    -

    Go back to the General Settings for your application and click on Edit. add the Valid redirect URI under the Sign-in redirect URIs and check the Allow wildcard * in login URI redirect field and hit Save.

    +

    Go back to the General Settings for your application and click on Edit. add the Valid redirect URI under the Sign-in redirect URIs and check the Allow wildcard * in login URI redirect field and hit Save.

    @@ -708,10 +712,7 @@
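Review bot: the added line keeps the broken sentence from the removed one: "click on Edit. add the Valid redirect URI ..." begins a sentence with lowercase "add". Suggest "click on Edit, add the Valid redirect URI under Sign-in redirect URIs, check Allow wildcard * in login URI redirect, and hit Save." Because this step turns on wildcard matching for the redirect URI, the redirect URI being the value the provider relies on to decide where it may send the user after login, it is worth one sentence saying why the wildcard is needed for this deployment and that readers should otherwise register the exact application URL rather than leave the pattern wider than necessary.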

    Access the Click on "Access Secured Servlet".

    -

    Now you will be redirected to the login page for Okta. Login using Alice. You will be prompted for the username. Although we set the username to be alice@example.org, we can just input alice here. You will be presented with three options for loggin in. Choose Password and enter the password you selected for Alice.

    -
    -
    -

    Once you have entered the correct password, you will be prompted to perform 2 factor authentication using the Okta Verify mobile application. You can go ahead and follow the instructions to set it up and once you complete the 2 factor authentication, you will be redirected to the secured page.

    +

    Now you will be redirected to the login page for Okta. Login using Alice. You will be prompted for the username. Although we set the username to be alice@example.org, we can just input alice here. You will be presented with three options for loggin in. Choose Password and enter the password you selected for Alice.

    @@ -719,7 +720,7 @@
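Review bot: removing the three "-" lines leaves this step without an ending. The added paragraph stops at "enter the password you selected for Alice", and the only text that said what happens next (the Okta Verify two-factor prompt, then the redirect to the secured page) is gone, so the reader never learns that the secured page is the expected result. Keep at least a closing sentence such as "Once authenticated, you will be redirected to the secured page", and if the two-factor paragraph was dropped because the prompt does not always appear, say that it may appear depending on how the Okta account is configured. Also, "loggin in" in the added line should be "logging in".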

    Access the

    Summary

    -

    This guide demonstrates how to use an OpenID provider other than Keycloak to secure an application deployed to WildFly. There are other OpenID providers that can be used to secure WildFly applications as well. And while the specific terms may be slightly different, the overall process should be similar. Please refer to documentations by your OpenID provider for more information.

    +

    This guide demonstrates how to use an OpenID provider other than Keycloak to secure an application deployed to WildFly. Other OpenID providers can be used to secure WildFly applications as well. And while the specific terms may be slightly different, the overall process should be similar. Please refer to documentations by your OpenID provider for more information.

    @@ -732,10 +733,10 @@
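Review bot: "Please refer to documentations by your OpenID provider" survives unchanged in the added line; "documentation" is not a count noun, so "Please refer to the documentation for your OpenID provider". The rewrite of the second sentence ("Other OpenID providers can be used to secure WildFly applications as well") reads better than the removed "There are other OpenID providers that can be used...", and the sentence after it should not start with "And": "While the specific terms may differ slightly, the overall process should be similar."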

    Resources

    Okta Documentation

  • -

    Elytron-oidc-client subsystem

    +

    Elytron-oidc-client subsystem

  • -

    elytron-oidc-client docs

    +

    elytron-oidc-client docs

  • OpenID Specifications

    @@ -744,13 +745,13 @@

    Resources

    Guides Related on Configuring Okta

  • -

    Getting Started with WildFly on OpenShift

    +

    Getting Started with WildFly on OpenShift

  • OpenShift CLI

  • -

    WildFly Helm Charts

    +

    WildFly Helm Charts

  • diff --git a/feed.xml b/feed.xml index a8962a6017..de7d56be82 100644 --- a/feed.xml +++ b/feed.xml @@ -5,7 +5,7 @@ WildFly Elytron https://wildfly-security.github.io/wildfly-elytron - Wed, 21 Feb 2024 16:29:41 +0000 + Wed, 21 Feb 2024 16:52:17 +0000 Securing WildFly Applications Using Okta on OpenShift