HAL-1832 Activate OIDC in the console

Table of Contents

Overview
Issue Metadata
Requirements
Open Questions
Test Plan
Community Documentation

Overview

With the Keycloak OpenID Connect (OIDC) adapter, it was possible to secure the management console using OIDC. When accessing the management console, the user would get redirected to the Keycloak login page, log in with their credentials, and get redirected back to the management console upon successful authentication. It was also possible for the user to log out of the console.

This RFE is to add the ability to secure the management console when using the native support for OIDC. It addresses the steps necessary to configure the resources in /subsystem=elytron-oidc-client.

Issue Metadata

Testing By

Engineering
QE

Affected Projects or Components

This RFE affects the management console. It depends on the management resources defined by EAP7-1796.

Other Interested Projects

None

Relevant Installation Types

Traditional standalone server (unzipped or provisioned by Galleon)
Managed domain
OpenShift s2i
Bootable jar

Requirements

Affected UI: Configuration / Subsystems / Elytron OIDC Client
Affected Resources: /subsystem=elytron-oidc-client

Hard Requirements

The console shows the new elytron-oidc-client subsystem. The UI for this subsystem is backed by the model browser which generates a UI based on the resource descriptions.

The UI makes it possible to configure the necessary resources as described in the Elytron admin guide: docs/src/main/asciidoc/_admin-guide/subsystem-configuration/Elytron_OIDC_Client.adoc, section "Securing the management console with OpenID Connect". In particular, this means the console makes it possible to add the following resources:

/subsystem=elytron-oidc-client/provider=keycloak
/subsystem=elytron-oidc-client/secure-deployment=wildfly-management
/subsystem=elytron-oidc-client/secure-server=wildfly-console

If the console is secured by the Keycloak OpenID Connect (OIDC) provider, the "Access Control" top level category shows a summary of the basic settings. This contains a link to the Keycloak admin console.

Nice-to-Have Requirements

None

Non-Requirements

The console does not offer a dedicated UI/wizards to configure the elytron-oidc-client subsystem. This might be addressed in a future RFE.

Open Questions

None

Test Plan

Additional tests are added to the test suite that verify that the relevant OIDC resource (see above) can be configured.

Community Documentation

See the official HAL website at https://hal.github.io