[HAL-1832] Activate OIDC in the console #525
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,91 @@ | ||
| = HAL-1832 Activate OIDC in the console | ||
| :author: Harald Pehl | ||
| :email: hpehl@redhat.com | ||
| :toc: left | ||
| :icons: font | ||
| :idprefix: | ||
| :idseparator: - | ||
| :issue-base-url: https://issues.redhat.com/browse | ||
|
|
||
| == Overview | ||
|
|
||
| With the Keycloak OpenID Connect (OIDC) adapter, it was possible to secure the management console using OIDC. When accessing the management console, the user would get redirected to the Keycloak login page, log in with their credentials, and get redirected back to the management console upon successful authentication. It was also possible for the user to log out of the console. | ||
|
|
||
| This RFE is to add the ability to secure the management console when using the native support for OIDC. It addresses the steps necessary to configure the resources in `/subsystem=elytron-oidc-client`. | ||
|
|
||
| == Issue Metadata | ||
|
|
||
| === Issue | ||
|
|
||
| * {issue-base-url}/HAL-1827[HAL-1832] | ||
|
|
||
| === Related Issues | ||
|
|
||
| * {issue-base-url}/EAP7-1796[EAP7-1796] | ||
|
|
||
| === Dev Contacts | ||
|
|
||
| * mailto:{email}[{author}] | ||
|
|
||
| === QE Contacts | ||
|
|
||
| * mailto:spriadka@redhat.com[Simon Priadka] | ||
|
|
||
| === Testing By | ||
| // Put an x in the relevant field to indicate if testing will be done by Engineering or QE. | ||
| // Discuss with QE during the Kickoff state to decide this | ||
| * [ ] Engineering | ||
|
|
||
| * [x] QE | ||
|
|
||
| === Affected Projects or Components | ||
|
|
||
| This RFE affects the management console. It depends on the management resources defined by {issue-base-url}/EAP7-1796[EAP7-1796]. | ||
|
|
||
| === Other Interested Projects | ||
|
|
||
| None | ||
|
|
||
| === Relevant Installation Types | ||
| // Remove the x next to the relevant field if the feature in question is not relevant | ||
| // to that kind of WildFly installation | ||
| * [x] Traditional standalone server (unzipped or provisioned by Galleon) | ||
|
|
||
| * [ ] Managed domain | ||
|
|
||
| * [ ] OpenShift s2i | ||
|
|
||
| * [ ] Bootable jar | ||
|
|
||
| == Requirements | ||
|
|
||
| Affected UI:: Configuration / Subsystems / Elytron OIDC Client | ||
| Affected Resources:: `/subsystem=elytron-oidc-client` | ||
|
|
||
| === Hard Requirements | ||
|
|
||
| The console shows the new `elytron-oidc-client` subsystem. The UI for this subsystem is backed by the https://hal.github.io/documentation/concepts/#applications[model browser] which generates a UI based on the resource descriptions. | ||
|
|
||
| The UI makes it possible to configure the necessary resources as described in the Elytron admin guide: `docs/src/main/asciidoc/_admin-guide/subsystem-configuration/Elytron_OIDC_Client.adoc`, section "Securing the management console with OpenID Connect". | ||
|
|
||
| If the console is secured by the Keycloak OpenID Connect (OIDC) adapter, the "Access Control" top level category shows a screen which summarizes the basic settings. This screen, contains also a link to the Keycloak admin console. | ||
|
|
||
| === Nice-to-Have Requirements | ||
|
|
||
| None | ||
|
|
||
| === Non-Requirements | ||
|
|
||
| The console does not offer a dedicated UI/wizards to configure the `elytron-oidc-client` subsystem. This might be addressed in a future RFE. | ||
|
|
||
| == Open Questions | ||
|
|
||
| * None | ||
|
|
||
| == Test Plan | ||
|
|
||
| Additional tests are added to the test suite that verify that the hash is visible in the deployment preview. | ||
|
There was a problem hiding this comment. Are you going to add the new tests to the new Berg test suite? There was a problem hiding this comment. Well, I thought someone from QE would be able to add the tests 😬 There was a problem hiding this comment.
I haven't read this thoroughly, now I can't imagine what meant by this/what will be verified (which hash, which deployment preview) There was a problem hiding this comment. Sorry, this is a copy/paste issue. Going to fix this... |
||
|
|
||
| == Community Documentation | ||
|
|
||
| See the official HAL website at https://hal.github.io | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe you mean secured by Keycloak OpenID Connect (OIDC) provider, as the client part is covered by the native support.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, I fixed that and added a bit more context.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks better now, thanks a lot.