wildfly · bstansberry · Jul 2, 2024 · May 25, 2023 · May 25, 2023 · May 29, 2023
diff --git a/console/HAL-1832_Activate_OIDC.adoc b/console/HAL-1832_Activate_OIDC.adoc
@@ -0,0 +1,95 @@
+= HAL-1832 Activate OIDC in the console
+:author:            Harald Pehl
+:email:             hpehl@redhat.com
+:toc:               left
+:icons:             font
+:idprefix:
+:idseparator:       -
+:issue-base-url:    https://issues.redhat.com/browse
+
+== Overview
+
+With the Keycloak OpenID Connect (OIDC) adapter, it was possible to secure the management console using OIDC. When accessing the management console, the user would get redirected to the Keycloak login page, log in with their credentials, and get redirected back to the management console upon successful authentication. It was also possible for the user to log out of the console.
+
+This RFE is to add the ability to secure the management console when using the native support for OIDC. It addresses the steps necessary to configure the resources in `/subsystem=elytron-oidc-client`.
+
+== Issue Metadata
+
+=== Issue
+
+* {issue-base-url}/HAL-1827[HAL-1832]
+
+=== Related Issues
+
+* {issue-base-url}/EAP7-1796[EAP7-1796]
+
+=== Dev Contacts
+
+* mailto:{email}[{author}]
+
+=== QE Contacts
+
+* mailto:spriadka@redhat.com[Simon Priadka]
+
+=== Testing By
+// Put an x in the relevant field to indicate if testing will be done by Engineering or QE.
+// Discuss with QE during the Kickoff state to decide this
+* [ ] Engineering
+
+* [x] QE
+
+=== Affected Projects or Components
+
+This RFE affects the management console. It depends on the management resources defined by {issue-base-url}/EAP7-1796[EAP7-1796].
+
+=== Other Interested Projects
+
+None
+
+=== Relevant Installation Types
+// Remove the x next to the relevant field if the feature in question is not relevant
+// to that kind of WildFly installation
+* [x] Traditional standalone server (unzipped or provisioned by Galleon)
+
+* [ ] Managed domain
+
+* [ ] OpenShift s2i
+
+* [ ] Bootable jar
+
+== Requirements
+
+Affected UI:: Configuration / Subsystems / Elytron OIDC Client
+Affected Resources:: `/subsystem=elytron-oidc-client`
+
+=== Hard Requirements
+
+The console shows the new `elytron-oidc-client` subsystem. The UI for this subsystem is backed by the https://hal.github.io/documentation/concepts/#applications[model browser] which generates a UI based on the resource descriptions.
+
+The UI makes it possible to configure the necessary resources as described in the Elytron admin guide: `docs/src/main/asciidoc/_admin-guide/subsystem-configuration/Elytron_OIDC_Client.adoc`, section "Securing the management console with OpenID Connect". In particular, this means the console makes it possible to add the following resources:
+
+* `/subsystem=elytron-oidc-client/provider=keycloak`
+* `/subsystem=elytron-oidc-client/secure-deployment=wildfly-management`
+* `/subsystem=elytron-oidc-client/secure-server=wildfly-console`
+
+If the console is secured by the Keycloak OpenID Connect (OIDC) provider, the "Access Control" top level category shows a summary of the basic settings. This contains a link to the Keycloak admin console.
+
+=== Nice-to-Have Requirements
+
+None
+
+=== Non-Requirements
+
+The console does not offer a dedicated UI/wizards to configure the `elytron-oidc-client` subsystem. This might be addressed in a future RFE.
+
+== Open Questions
+
+* None
+
+== Test Plan
+
+Additional tests are added to the test suite that verify that the relevant OIDC resource (see above) can be configured.
+
+== Community Documentation
+
+See the official HAL website at https://hal.github.io