Securing the management console with OIDC

In  elytron

Overview

With the Keycloak OpenID Connect (OIDC) adapter, it was possible to secure the management console using OIDC. When accessing the management console, the user would get redirected to the Keycloak login page, log in with their credentials, and get redirected back to the management console upon successful authentication. It was also possible for the user to log out of the console.

This RFE is to add the ability to secure the management console when using the native support for OIDC.

Issue Metadata

Issue

Dev Contacts

QE Contacts

TBD

Testing By

  • Engineering

  • QE

  • TBD

Affected Projects or Components

  • HAL

  • WildFly Elytron

  • WildFly

Other Interested Projects

Relevant Installation Types

  • Traditional standalone server (unzipped or provisioned by Galleon)

  • Managed domain

  • OpenShift s2i

  • Bootable jar

Requirements

Hard Requirements

  • It will be possible to secure the management console using the native support for OIDC.

    • A new secure-server resource will be added to the elytron-oidc-client subsystem. This will be similar to the secure-server resource from the previous keycloak subsystem.

    • The steps to secure the management console with OIDC will be very similar to the steps that were previously used with the Keycloak OIDC adapter (i.e., configure a secure-deployment to protect the management interface using bearer-only authentication, configure a secure-server to publish the OIDC configuration for the management console).

    • The previous keycloak subsystem published the OIDC configuration to be used for the management console via the http://localhost:MANAGEMENT_PORT/keycloak/adapter/wildfly-console/index.html endpoint. HAL would access this endpoint and if it found OIDC configuration, HAL would then redirect to the Keycloak login page. Similarly, the elytron-oidc-client subsystem will publish the OIDC configuration to be used for the management console to a new endpoint (e.g., http://localhost:MANAGEMENT_PORT/elytron-oidc-client/wildfly-console/index.html). HAL will need to be updated to access this endpoint and if it finds OIDC configuration, HAL would then redirect to the OIDC provider login page.

  • It will be possible to log out of the management console after having logged in with OIDC.

Nice-to-Have Requirements

Non-Requirements

Like with the previous Keycloak OIDC adapter, the ability to secure the management console with OIDC will only be supported for standalone mode. Domain mode won’t be supported.

Backwards Compatibility

No backwards compatibility concerns.

Default Configuration

No changes to the default configuration.

Importing Existing Configuration

N/A

Deployments

N/A

Interoperability

Security Considerations

This is a security RFE.

Test Plan

Tests will be added to the WildFly testsuite to verify that the management console can be secured successfully with OIDC. Tests for logging out and tests that make use of RBAC will also be added.

Community Documentation

A new section will be added to the Elytron OIDC Client documentation that describes how to secure the management console using OIDC.

Release Note Content

It is now possible to secure the management console with OpenID Connect.