Securing WildFly Management Console with Keycloak

WildFly 29 introduces the ability to secure the WildFly Management Console with Keycloak OpenID Connect clients. In this article we go through the steps needed to configure the WildFly elytron-oidc-client subsystem and the Keycloak Realm. By the end of it, you will have your WildFly Management Console protected by Keycloak OpenID Connect logins.

Prerequisites

  • A WildFly 29+ installation. You can download it from here.
  • A Keycloak (powered by Quarkus) installation. You can download it from here.

If you are new to Keycloak/Quarkus distribution we recommend checking this article: Getting started with Keycloak powered by Quarkus

Configuring OpenID Connect Client Subsystem

Securing the WildFly console with Keycloak gives you centralized authentication and authorization: Keycloak acts as the identity provider, so users, credentials and role assignments are managed in a single place instead of in WildFly's local property files. With OpenID Connect you can also leverage Keycloak's features for user management, including role-based access control, multi-factor authentication and social login, without changing anything in WildFly.

Since WildFly 25, you can use the elytron-oidc-client subsystem to secure deployments with OpenID Connect, without installing the Keycloak client adapter. The subsystem supports two ways of configuring a deployment: an oidc.json descriptor packaged inside the application, or a secure-deployment element in the subsystem configuration, as in the following example:

<subsystem xmlns="urn:wildfly:elytron-oidc-client:1.0">
    <secure-deployment name="webapp.war">
        <client-id>customer-portal</client-id>
        <provider-url>http://localhost:8180/realms/myrealm</provider-url>
        <ssl-required>external</ssl-required>
        <credential name="secret" secret="0aa31d98-e0aa-404c-b6e0-e771dba1e798" />
    </secure-deployment>
</subsystem>

To secure the WildFly management console we have to use the subsystem configuration (there is no deployment in which to package a descriptor), and it takes two steps:

  • Create a secure-deployment that protects the management interface, so that it only accepts requests carrying a valid bearer token
  • Create a secure-server that publishes the console's OpenID Connect client configuration through the management interface, so the browser-side console knows which Keycloak realm and client to log in with

Before that, let’s configure a Keycloak Realm to handle the logins coming from the default WildFly Console address (http://localhost:9990).

Configuring a Keycloak Realm

Firstly, start Keycloak on a port that doesn’t conflict with WildFly, for example on port 8180:

./kc.sh start-dev --http-port=8180

Next, log in to the Admin Console (http://localhost:8180) and create a new Realm. We will call it wildfly-infra:

[Screenshot: creating the wildfly-infra Realm in the Keycloak Admin Console]

Next, we need to create two Clients:

  • wildfly-console: This Keycloak Client will set the Valid Redirect URIs to access the WildFly management console (http://localhost:9990/console). Also, it will set the Web Origins where the request can come from.
  • wildfly-management: This is a “Bearer-only” Keycloak client, that is, a client configuration for a resource server that never starts a login itself and only validates the access tokens presented to it. We will bind this Keycloak Client to an elytron-oidc-client secure-deployment.

Here is an overview of the Keycloak Clients you need:

[Screenshot: the wildfly-console and wildfly-management Clients in the wildfly-infra Realm]

The wildfly-console Keycloak Client

In the wildfly-console Client, set the Valid Redirect URIs to WildFly’s Management Console address and the Web Origins to the origin the console’s requests come from. Keep both as narrow as possible: a bare * as redirect URI or Web Origin would let any site receive the authorization code or call the console API with the user’s token.

[Screenshot: Valid Redirect URIs and Web Origins of the wildfly-console Client]

The wildfly-management Keycloak Client

Then configure the wildfly-management Client as a Bearer Only Client. To do that, uncheck Standard flow and Direct access grants in the Capability config, so that no login flow can be started against this client and it is only used to validate tokens:

[Screenshot: Capability config of the wildfly-management Client with Standard flow and Direct access grants unchecked]

Adding a User to the Realm

As the last step, we will add a User that belongs to an Administrator Group. This will allow us to use RBAC authorization with the WildFly Management Console.

Add a user, for example “frank”, and make it a member of the “Administrator” Group. WildFly’s RBAC matches role names, not group names, so make sure the identity ends up with a role called Administrator (one of WildFly’s standard roles); the simplest way is to map a realm role named Administrator to the group:
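To make the realm configuration reproducible, the following script (an added example, not code from this article, from WildFly or from Keycloak) generates a Keycloak realm export with the wildfly-infra realm, the two clients, the Administrator group and role, and the user frank, and then lints it for the settings this setup depends on. The console URL parameter, the /console/* redirect wildcard and the password are assumptions for a local setup. Writing the result into Keycloak's data/import directory and starting with `./kc.sh start-dev --http-port=8180 --import-realm` creates the realm without clicking through the Admin Console.

```python
"""Build and sanity-check a Keycloak realm export for the WildFly console setup.

Added example, not code from the article, WildFly or Keycloak.  Realm, client,
group and user names come from the article; the console URL, the /console/*
redirect wildcard and the password are assumptions for a local setup.
"""
import json
import sys
from urllib.parse import urlsplit

# WildFly's standard RBAC role names (use-identity-roles=true matches on these).
WILDFLY_STANDARD_ROLES = {
    "Monitor", "Operator", "Maintainer", "Deployer",
    "Auditor", "Administrator", "SuperUser",
}


def build_realm(console_url="http://localhost:9990/console",
                username="frank", password="changeit"):
    """Return a realm representation with the two clients, the group and the user."""
    parts = urlsplit(console_url)
    origin = f"{parts.scheme}://{parts.netloc}"
    return {
        "realm": "wildfly-infra",
        "enabled": True,
        "roles": {"realm": [{"name": "Administrator"}]},
        # The group carries the realm role so that membership shows up as a role
        # in the access token: WildFly matches role names, not group names.
        "groups": [{"name": "Administrator", "realmRoles": ["Administrator"]}],
        "users": [{
            "username": username,
            "enabled": True,
            "credentials": [{"type": "password", "value": password, "temporary": False}],
            "groups": ["/Administrator"],
        }],
        "clients": [
            {
                # Public client used by the browser-side console (authorization code flow).
                "clientId": "wildfly-console",
                "enabled": True,
                "publicClient": True,
                "standardFlowEnabled": True,
                "directAccessGrantsEnabled": False,
                "redirectUris": [console_url.rstrip("/") + "/*"],  # assumption: wildcard under /console
                "webOrigins": [origin],
            },
            {
                # Bearer-only resource server: the management interface only validates tokens.
                "clientId": "wildfly-management",
                "enabled": True,
                "bearerOnly": True,
                "publicClient": False,
                "standardFlowEnabled": False,
                "directAccessGrantsEnabled": False,
            },
        ],
    }


def lint_realm(rep):
    """Return a list of problems that would break or weaken the console login."""
    problems = []
    clients = {c["clientId"]: c for c in rep.get("clients", [])}
    console = clients.get("wildfly-console")
    mgmt = clients.get("wildfly-management")
    if console is None or not console.get("publicClient"):
        problems.append("wildfly-console must exist and be a public client")
    else:
        for uri in console.get("redirectUris", []):
            # A bare "*" or a "*" in the host part lets any site receive the auth code.
            if uri == "*" or uri.startswith("*") or "://*" in uri:
                problems.append(f"over-broad redirect URI: {uri}")
        for origin in console.get("webOrigins", []):
            if origin == "*":
                problems.append("web origin '*' lets any site call the console API")
            elif origin != "+" and urlsplit(origin).path not in ("", "/"):
                problems.append(f"web origin must be scheme://host[:port], not {origin}")
    if mgmt is None or not mgmt.get("bearerOnly"):
        problems.append("wildfly-management must be bearer-only")
    elif mgmt.get("standardFlowEnabled") or mgmt.get("directAccessGrantsEnabled"):
        problems.append("wildfly-management must have standard flow and direct grants disabled")
    realm_roles = {r["name"] for r in rep.get("roles", {}).get("realm", [])}
    group_roles = {r for g in rep.get("groups", []) for r in g.get("realmRoles", [])}
    if not (realm_roles & group_roles & WILDFLY_STANDARD_ROLES):
        problems.append("no group maps to a WildFly standard role such as Administrator")
    return problems


if __name__ == "__main__":
    realm = build_realm()
    issues = lint_realm(realm)
    if issues:
        sys.exit("\n".join(issues))
    with open("wildfly-infra-realm.json", "w") as fh:
        json.dump(realm, fh, indent=2)
```

The lint function is the part worth keeping around: run it against any realm export you receive from another team before importing it, since a `*` redirect URI or a group without a role mapping are both silent failures that only show up as an open redirect or as a user who logs in but is denied everything.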

The Keycloak configuration is complete. Let’s move to the WildFly CLI to configure the elytron-oidc-client subsystem.

Configuring the elytron-oidc-client on WildFly

Firstly, start the WildFly CLI and connect it to the running server:

./jboss-cli.sh -c

Next, execute the following set of commands to configure Keycloak Identity Provider with a Secure Deployment and a Secure Server:

# Configure the Keycloak provider
/subsystem=elytron-oidc-client/provider=keycloak:add(provider-url=http://localhost:8180/realms/wildfly-infra)

# Create a secure-deployment in order to protect mgmt interface
/subsystem=elytron-oidc-client/secure-deployment=wildfly-management:add(provider=keycloak,client-id=wildfly-management,principal-attribute=preferred_username,bearer-only=true,ssl-required=EXTERNAL)

# Enable RBAC where roles are obtained from the identity
/core-service=management/access=authorization:write-attribute(name=provider,value=rbac)
/core-service=management/access=authorization:write-attribute(name=use-identity-roles,value=true)

# Create a secure-server in order to publish the management console configuration via mgmt interface
/subsystem=elytron-oidc-client/secure-server=wildfly-console:add(provider=keycloak,client-id=wildfly-console,public-client=true)

# reload
reload

After the reload, the server configuration includes the reference to the Keycloak Realm (wildfly-infra), a secure-deployment that references the wildfly-management Keycloak client, and a secure-server that references the public Keycloak client wildfly-console. Note that ssl-required=EXTERNAL only enforces HTTPS for requests that do not come from a private or loopback address, which is fine for this localhost walkthrough; in a real deployment use ssl-required=ALL and an https:// provider-url, otherwise the bearer tokens travel in clear text between the browser, Keycloak and the management interface:

<subsystem xmlns="urn:wildfly:elytron-oidc-client:2.0">
    <provider name="keycloak">
        <provider-url>http://localhost:8180/realms/wildfly-infra</provider-url>
    </provider>
    <secure-deployment name="wildfly-management">
        <ssl-required>EXTERNAL</ssl-required>
        <principal-attribute>preferred_username</principal-attribute>
        <provider>keycloak</provider>
        <client-id>wildfly-management</client-id>
        <bearer-only>true</bearer-only>
    </secure-deployment>
    <secure-server name="wildfly-console">
        <provider>keycloak</provider>
        <client-id>wildfly-console</client-id>
        <public-client>true</public-client>
    </secure-server>
</subsystem>
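The two settings that decide who gets in are principal-attribute=preferred_username and use-identity-roles=true: the first picks the principal name from a token claim, the second makes WildFly's RBAC use the roles found on the identity, which elytron-oidc-client takes from the token's realm_access.roles claim by default (with use-resource-role-mappings=true it reads resource_access.<client-id>.roles instead). The following script, an added example and not WildFly's code, decodes a constructed Keycloak-style access token and applies exactly that mapping, so you can see which claims have to be present for frank to land in the Administrator role. The token is unsigned and the claims are made up for the example; the function does no signature, issuer, expiry or audience checks, which the subsystem performs before any of this matters, so never use it as a verifier.

```python
"""Trace the token claims that the article's elytron-oidc-client settings consume.

Added example, not WildFly's code.  The sample token is constructed and unsigned;
this is an illustration of the claim-to-role mapping, not a token verifier.
"""
import base64
import json

# WildFly's standard RBAC role names; use-identity-roles=true matches on these.
WILDFLY_STANDARD_ROLES = {
    "Monitor", "Operator", "Maintainer", "Deployer",
    "Auditor", "Administrator", "SuperUser",
}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def payload_of(token):
    """Return the JSON payload of a compact JWT (no signature verification here)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def identity_from_claims(claims, principal_attribute="preferred_username",
                         client_id="wildfly-management",
                         use_resource_role_mappings=False):
    """Mirror the principal/role extraction the article's settings imply."""
    principal = claims.get(principal_attribute) or claims.get("sub")
    if use_resource_role_mappings:
        # Client-scoped roles live under resource_access.<client-id>.roles.
        roles = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    else:
        # Default: realm roles under realm_access.roles.
        roles = claims.get("realm_access", {}).get("roles", [])
    return principal, set(roles)


def wildfly_roles(claims, **kwargs):
    """Return the subset of identity roles that WildFly RBAC will honour."""
    _principal, roles = identity_from_claims(claims, **kwargs)
    return roles & WILDFLY_STANDARD_ROLES


def make_unsigned_token(claims):
    """Constructed, unsigned JWT (alg 'none') for the demo; never accept such tokens."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


# Constructed sample claims shaped like a Keycloak access token for frank.
SAMPLE_CLAIMS = {
    "iss": "http://localhost:8180/realms/wildfly-infra",
    "aud": "wildfly-management",
    "sub": "0f2c8e4a-constructed-subject-id",
    "preferred_username": "frank",
    "realm_access": {"roles": ["Administrator", "default-roles-wildfly-infra"]},
    "resource_access": {"account": {"roles": ["view-profile"]}},
}

if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_CLAIMS)
    claims = payload_of(token)
    principal, roles = identity_from_claims(claims)
    print(principal, sorted(roles), sorted(wildfly_roles(claims)))
```

Running it shows frank with the realm roles Administrator and default-roles-wildfly-infra, of which only Administrator is a WildFly role. Flipping use_resource_role_mappings to True yields no WildFly role at all for the same token, which is the usual cause of a successful Keycloak login followed by an empty, read-only console.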

Testing the Keycloak OpenID authentication

Finally, we can test the Keycloak OpenID Connect authentication. Connect to your WildFly Console (http://localhost:9990). You will be redirected to the Keycloak login page:

[Screenshot: Keycloak login page for the wildfly-infra Realm]

After entering the username and password, you will access WildFly Console as Administrator:

[Screenshot: WildFly Management Console after logging in as frank with the Administrator role]

Congratulations! You have just secured your WildFly Management Console using Keycloak OpenID Clients!

References: https://github.com/wildfly/wildfly/pull/16856