Support for Keycloak SSO
Overview
Provide authentication to Keycloak SSO, once it is configured in wildfly http management interface, HAL should redirects the login attempt to keycloak to authenticate the user, if successful redirect back to HAL. Provide the logout option in HAL to call the logout page on keycloak, also there should be a link on HAL to show the user information on a keycloak page. This will only work in standalone mode, as the wildfly adapter doesn’t support domain mode.
How to configure Wildfly to enable keycloak: https://docs.jboss.org/author/display/WFLY/Protecting+Wildfly+Adminstration+Console+With+Keycloak Keycloak javascript adapter: https://www.keycloak.org/docs/latest/securing_apps/index.html#_javascript_adapter
Issue Metadata
Dev Contacts
QE Contacts
Affected Projects or Components
-
HAL
-
WildFly
Other Interested Projects
-
Keycloak
Requirements
-
Keycloak adapters installed in wildfly
-
HTTP management interface configured with a keycloak http authentication factory
-
The /subsystem=keycloak/secure-server resource must be named wildfly-console, in order to HAL recognize this is the keycloak configuration to protect http management interface.
The keycloak wildfly adapter provides a public http endpoint that publish the keycloak configuration [1]. HAL will check if the address exists and will redirects the login to keycloak.
-
<wildfly-http-management>/keycloak/adapter/wildfly-console
Non-Requirements
-
Do not support in domain mode, as the wildfly adapter only works in standalone mode.
Hard Requirements
-
Upon first access to WildFly console at 9990 port, redirect to keycloak login page if HTTP GET to /keycloak/adapter/wildfly-console response is 200
-
Logout link will call keycloak logout action
-
Do not show the user management features on access control, as the user management is performed on keycloak server.
-
Show the access control page, with basic information about the keycloak configuration.
-
Provide a link to view user profile on keycloak.