Skip to content

Commit

Permalink
Merge pull request #525 from hpehl/HAL-1832
Browse files Browse the repository at this point in the history
[HAL-1832] Activate OIDC in the console
  • Loading branch information
bstansberry authored Jul 2, 2024
2 parents 197de84 + b907e39 commit d24ea4c
Showing 1 changed file with 95 additions and 0 deletions.
95 changes: 95 additions & 0 deletions console/HAL-1832_Activate_OIDC.adoc
Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@
= HAL-1832 Activate OIDC in the console
:author: Harald Pehl
:email: hpehl@redhat.com
:toc: left
:icons: font
:idprefix:
:idseparator: -
:issue-base-url: https://issues.redhat.com/browse

== Overview

With the Keycloak OpenID Connect (OIDC) adapter, it was possible to secure the management console using OIDC. When accessing the management console, the user would get redirected to the Keycloak login page, log in with their credentials, and get redirected back to the management console upon successful authentication. It was also possible for the user to log out of the console.

This RFE is to add the ability to secure the management console when using the native support for OIDC. It addresses the steps necessary to configure the resources in `/subsystem=elytron-oidc-client`.

== Issue Metadata

=== Issue

* {issue-base-url}/HAL-1827[HAL-1832]

=== Related Issues

* {issue-base-url}/EAP7-1796[EAP7-1796]

=== Dev Contacts

* mailto:{email}[{author}]

=== QE Contacts

* mailto:spriadka@redhat.com[Simon Priadka]

=== Testing By
// Put an x in the relevant field to indicate if testing will be done by Engineering or QE.
// Discuss with QE during the Kickoff state to decide this
* [ ] Engineering

* [x] QE

=== Affected Projects or Components

This RFE affects the management console. It depends on the management resources defined by {issue-base-url}/EAP7-1796[EAP7-1796].

=== Other Interested Projects

None

=== Relevant Installation Types
// Remove the x next to the relevant field if the feature in question is not relevant
// to that kind of WildFly installation
* [x] Traditional standalone server (unzipped or provisioned by Galleon)

* [ ] Managed domain

* [ ] OpenShift s2i

* [ ] Bootable jar

== Requirements

Affected UI:: Configuration / Subsystems / Elytron OIDC Client
Affected Resources:: `/subsystem=elytron-oidc-client`

=== Hard Requirements

The console shows the new `elytron-oidc-client` subsystem. The UI for this subsystem is backed by the https://hal.github.io/documentation/concepts/#applications[model browser] which generates a UI based on the resource descriptions.

The UI makes it possible to configure the necessary resources as described in the Elytron admin guide: `docs/src/main/asciidoc/_admin-guide/subsystem-configuration/Elytron_OIDC_Client.adoc`, section "Securing the management console with OpenID Connect". In particular, this means the console makes it possible to add the following resources:

* `/subsystem=elytron-oidc-client/provider=keycloak`
* `/subsystem=elytron-oidc-client/secure-deployment=wildfly-management`
* `/subsystem=elytron-oidc-client/secure-server=wildfly-console`

If the console is secured by the Keycloak OpenID Connect (OIDC) provider, the "Access Control" top level category shows a summary of the basic settings. This contains a link to the Keycloak admin console.

=== Nice-to-Have Requirements

None

=== Non-Requirements

The console does not offer a dedicated UI/wizards to configure the `elytron-oidc-client` subsystem. This might be addressed in a future RFE.

== Open Questions

* None

== Test Plan

Additional tests are added to the test suite that verify that the relevant OIDC resource (see above) can be configured.

== Community Documentation

See the official HAL website at https://hal.github.io

0 comments on commit d24ea4c

Please sign in to comment.