WildFly 29 introduces the ability to secure the WildFly Management Console with Keycloak OpenID Connect Clients. In this article we will go through the steps you need to configure the WildFly elytron-oidc-client subsystem and the Keycloak Realm. By the end of it, you will know how to secure your WildFly Management Console with Keycloak OpenID Connect.
Prerequisites
- A WildFly 29+ installation. You can download it from here.
- A Keycloak (powered by Quarkus) installation. You can download it from here.
If you are new to Keycloak/Quarkus distribution we recommend checking this article: Getting started with Keycloak powered by Quarkus
Configuring OpenID Connect Client Subsystem
Securing the WildFly console with Keycloak allows for Centralized Authentication and Authorization: Keycloak acts as a centralized identity provider, allowing you to manage user authentication and authorization in a single place. With OpenID Connect, you can leverage Keycloak’s features for user management, including role-based access control, multi-factor authentication, and social login.
Since WildFly 25, you can use a new subsystem (“elytron-oidc-client“) to secure deployments using OpenID Connect, without needing to install the Keycloak client adapter. This means that you can secure applications in two different ways:
- Provide an oidc.json along with your Web application. See the following tutorial as an example: Secure WildFly applications with OpenID Connect
- Configure a secured deployment through the elytron-oidc-client subsystem. For example:
<subsystem xmlns="urn:wildfly:elytron-oidc-client:1.0">
    <secure-deployment name="webapp.war">
        <client-id>customer-portal</client-id>
        <provider-url>http://localhost:8180/realms/myrealm</provider-url>
        <ssl-required>external</ssl-required>
        <credential name="secret" secret="0aa31d98-e0aa-404c-b6e0-e771dba1e798" />
    </secure-deployment>
</subsystem>
To secure the WildFly management console, we will choose the latter option, which requires two steps:
- Create a secure-deployment to protect the management interface
- Create a secure-server to publish the management console configuration via the management interface
Before that, let's first configure a Keycloak Realm to secure Clients arriving from the default WildFly Console address (http://localhost:9990).
Configuring a Keycloak Realm
Firstly, start Keycloak on a port that doesn't conflict with WildFly, for example port 8180:
./kc.sh start-dev --http-port=8180
Next, log in to the Admin Console (http://localhost:8180) and create a new Realm. We will call it wildfly-infra, the realm name referenced later by the CLI commands:
Next, we need to create two Clients:
- wildfly-console: This Keycloak Client sets the Valid Redirect URIs used to access the WildFly management console (http://localhost:9990/console). It also sets the Web Origins the requests can come from.
- wildfly-management: This is a "Bearer-only" Keycloak client, that is, a client configuration used to secure server-to-server communication where the client application acts as a resource server and requires authentication and authorization from Keycloak. We will bind this Keycloak Client to an elytron-oidc-client secure-deployment.
Here is an overview of the Keycloak Clients you need:
The wildfly-console Keycloak Client
In more detail, in the wildfly-console Client make sure you set the Valid Redirect URIs to WildFly's Management Console address. Also set the Web Origins for your requests:
The wildfly-management Keycloak Client
Finally, make sure to configure the wildfly-management Client as a Bearer Only Client. To do that, uncheck Standard flow and Direct access grants in the Capability config:
Adding a User to the Realm
As the last step, we will add a User that belongs to an Administrator Group. This will allow us to use RBAC authorization with the WildFly Management Console.
Add a user, for example "frank", and make it a member of the "Administrator" Group:
The Keycloak configuration is complete. Let's move to the WildFly CLI to configure the elytron-oidc-client subsystem.
Configuring the elytron-oidc-client on WildFly
Firstly, connect to the running WildFly server with the CLI:
./jboss-cli.sh -c
Next, execute the following set of commands to configure the Keycloak Identity Provider with a Secure Deployment and a Secure Server:
# Configure the Keycloak provider
/subsystem=elytron-oidc-client/provider=keycloak:add(provider-url=http://localhost:8180/realms/wildfly-infra)

# Create a secure-deployment in order to protect the management interface
/subsystem=elytron-oidc-client/secure-deployment=wildfly-management:add(provider=keycloak,client-id=wildfly-management,principal-attribute=preferred_username,bearer-only=true,ssl-required=EXTERNAL)

# Enable RBAC where roles are obtained from the identity
/core-service=management/access=authorization:write-attribute(name=provider,value=rbac)
/core-service=management/access=authorization:write-attribute(name=use-identity-roles,value=true)

# Create a secure-server in order to publish the management console configuration via the management interface
/subsystem=elytron-oidc-client/secure-server=wildfly-console:add(provider=keycloak,client-id=wildfly-console,public-client=true)

# Reload the server
reload
After the reload, the server configuration now includes a provider that references the Keycloak Realm (wildfly-infra), a secure-deployment that references the wildfly-management Keycloak client, and a secure-server that references the public Keycloak Client wildfly-console:
<subsystem xmlns="urn:wildfly:elytron-oidc-client:2.0">
    <provider name="keycloak">
        <provider-url>http://localhost:8180/realms/wildfly-infra</provider-url>
    </provider>
    <secure-deployment name="wildfly-management">
        <ssl-required>EXTERNAL</ssl-required>
        <principal-attribute>preferred_username</principal-attribute>
        <provider>keycloak</provider>
        <client-id>wildfly-management</client-id>
        <bearer-only>true</bearer-only>
    </secure-deployment>
    <secure-server name="wildfly-console">
        <provider>keycloak</provider>
        <client-id>wildfly-console</client-id>
        <public-client>true</public-client>
    </secure-server>
</subsystem>
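As an added check that is not part of the original article, the following Python script parses an elytron-oidc-client subsystem fragment (the embedded sample is a constructed copy of the configuration produced above) and lints it for the settings this pattern depends on: the deployment guarding the management interface is bearer-only and not ssl-required=none, it names a principal attribute, and the console secure-server is a public client bound to a declared provider. The function name and finding texts are my own, not part of WildFly.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the subsystem fragment that the CLI commands above produce.
SUBSYSTEM_XML = """<subsystem xmlns="urn:wildfly:elytron-oidc-client:2.0">
  <provider name="keycloak">
    <provider-url>http://localhost:8180/realms/wildfly-infra</provider-url>
  </provider>
  <secure-deployment name="wildfly-management">
    <ssl-required>EXTERNAL</ssl-required>
    <principal-attribute>preferred_username</principal-attribute>
    <provider>keycloak</provider>
    <client-id>wildfly-management</client-id>
    <bearer-only>true</bearer-only>
  </secure-deployment>
  <secure-server name="wildfly-console">
    <provider>keycloak</provider>
    <client-id>wildfly-console</client-id>
    <public-client>true</public-client>
  </secure-server>
</subsystem>"""


def _text(elem, tag):
    """Trimmed text of a direct child element, matching any XML namespace version."""
    child = elem.find("{*}" + tag)
    return (child.text or "").strip() if child is not None else ""


def lint_oidc_subsystem(xml_text):
    """Return findings for the console-securing pattern; an empty list means it checks out."""
    root = ET.fromstring(xml_text)
    findings = []
    # Named providers declared at subsystem level (name -> provider-url).
    providers = {p.get("name"): _text(p, "provider-url") for p in root.findall("{*}provider")}
    for dep in root.findall("{*}secure-deployment"):
        name = dep.get("name")
        if _text(dep, "bearer-only").lower() != "true":
            findings.append(f"{name}: deployment guarding the management interface must be bearer-only")
        if _text(dep, "ssl-required").lower() == "none":
            findings.append(f"{name}: ssl-required=none lets bearer tokens travel over plain HTTP")
        if not _text(dep, "principal-attribute"):
            findings.append(f"{name}: no principal-attribute, so the principal name falls back to the token subject")
        if _text(dep, "provider") not in providers and not _text(dep, "provider-url"):
            findings.append(f"{name}: references an undeclared provider")
    for srv in root.findall("{*}secure-server"):
        name = srv.get("name")
        if _text(srv, "public-client").lower() != "true":
            findings.append(f"{name}: the console secure-server is a browser client and should be public")
        if _text(srv, "provider") not in providers:
            findings.append(f"{name}: references an undeclared provider")
    return findings
```

Running lint_oidc_subsystem over the standalone.xml fragment after the reload gives a quick regression check that nobody later relaxed bearer-only or ssl-required on the management deployment.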
Testing the Keycloak OpenID authentication
Finally, we can test our Keycloak OpenID authentication. Connect to your WildFly Console (http://localhost:9990). You will be redirected to the Keycloak Login page:
After entering the username and password, you will access the WildFly Console as an Administrator:
Congratulations! You have just secured your WildFly Management Console using Keycloak OpenID Clients!
References: https://github.com/wildfly/wildfly/pull/16856