Posted to commits@isis.apache.org by da...@apache.org on 2021/07/19 08:29:18 UTC

[isis] branch ISIS-2803-keycloak-rewrite updated: ISIS-2803: updates docs is all

This is an automated email from the ASF dual-hosted git repository.

danhaywood pushed a commit to branch ISIS-2803-keycloak-rewrite
in repository https://gitbox.apache.org/repos/asf/isis.git


The following commit(s) were added to refs/heads/ISIS-2803-keycloak-rewrite by this push:
     new 403cee5  ISIS-2803: updates docs is all
403cee5 is described below

commit 403cee54073051a813008e106c9d3ed9500948d3
Author: danhaywood <da...@haywood-associates.co.uk>
AuthorDate: Mon Jul 19 09:28:00 2021 +0100

    ISIS-2803: updates docs is all
---
 .../keycloak/images/impersonate-as-fred.png        | Bin 0 -> 34393 bytes
 .../keycloak/images/keycloak-login-page.png        | Bin 0 -> 111678 bytes
 .../keycloak/images/logged-into-app-as-sven.png    | Bin 0 -> 14866 bytes
 .../main/adoc/modules/keycloak/pages/about.adoc    |  69 ++++++++++++++-------
 4 files changed, 47 insertions(+), 22 deletions(-)

diff --git a/security/keycloak/src/main/adoc/modules/keycloak/images/impersonate-as-fred.png b/security/keycloak/src/main/adoc/modules/keycloak/images/impersonate-as-fred.png
new file mode 100644
index 0000000..5da5150
Binary files /dev/null and b/security/keycloak/src/main/adoc/modules/keycloak/images/impersonate-as-fred.png differ
diff --git a/security/keycloak/src/main/adoc/modules/keycloak/images/keycloak-login-page.png b/security/keycloak/src/main/adoc/modules/keycloak/images/keycloak-login-page.png
new file mode 100644
index 0000000..c53c162
Binary files /dev/null and b/security/keycloak/src/main/adoc/modules/keycloak/images/keycloak-login-page.png differ
diff --git a/security/keycloak/src/main/adoc/modules/keycloak/images/logged-into-app-as-sven.png b/security/keycloak/src/main/adoc/modules/keycloak/images/logged-into-app-as-sven.png
new file mode 100644
index 0000000..2c6a6fe
Binary files /dev/null and b/security/keycloak/src/main/adoc/modules/keycloak/images/logged-into-app-as-sven.png differ
diff --git a/security/keycloak/src/main/adoc/modules/keycloak/pages/about.adoc b/security/keycloak/src/main/adoc/modules/keycloak/pages/about.adoc
index f4dd010..9a34eed 100644
--- a/security/keycloak/src/main/adoc/modules/keycloak/pages/about.adoc
+++ b/security/keycloak/src/main/adoc/modules/keycloak/pages/about.adoc
@@ -99,7 +99,7 @@ image::login-to-admin-console-prompt.png[width=300px]
 
 === Create a realm for simpleapp
 
-WARNING: TODO: clean up these screenshots, make consistent with text.
+It's good practice to use a separate realm for each application:
 
 * create a realm:
 +
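Review bot: the replacement line `+It's good practice to use a separate realm for each application:` states the practice but not the reason; a short clause such as "so that each application's users, roles and client credentials stay isolated from the others" would tell the reader why the extra realm is worth the effort.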
@@ -110,7 +110,10 @@ and:
 image::define-simpleapp-realm.png[width=400px]
 
 
-=== Create a client
+=== Create a Keycloak client for the application
+
+From the perspective of Keycloak, the Apache Isis domain application is a client: the domain app redirects its login page to Keycloak (and be redirected back on success).
+We therefore need to create the Keycloak client for our app:
 
 * create the client:
 +
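Review bot: grammar in the new paragraph: "the domain app redirects its login page to Keycloak (and be redirected back on success)" should read "(and is redirected back on success)". The following sentence could also say "a Keycloak client for our app" rather than "the Keycloak client", since at this point no client exists yet.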
@@ -124,12 +127,6 @@ image::client-app-config.png[width=400px]
 +
 image::client-secret.png[width=600px]
 
-=== Create 'regular-user' role in the realm
-
-* create role:
-+
-image::create-regular-user-role.png[width=400px]
-
 
 === Configure the application as a Keycloak client
 
@@ -138,20 +135,19 @@ image::create-regular-user-role.png[width=400px]
 [source,properties]
 .config/application.properties
 ----
-isis.security.keycloak.realm=demo                                       #<.>
+isis.security.keycloak.realm=simpleapp                                  #<.>
 isis.security.keycloak.base-url=http://localhost:9090/auth              #<.>
 
 kc.realm-url=${isis.security.keycloak.base-url}/realms/${isis.security.keycloak.realm} #<.>
 
-spring.security.oauth2.client.registration.demo.client-id=app-demo      #<.>
-spring.security.oauth2.client.registration.demo.client-name=Demo App
-spring.security.oauth2.client.registration.demo.client-secret=e3f519b4-0272-4261-9912-8b7453ac4ecd                    #<.>
-
+spring.security.oauth2.client.registration.simpleapp.client-id=simpleapp-client #<.>
+spring.security.oauth2.client.registration.simpleapp.client-name=Simple App
+spring.security.oauth2.client.registration.simpleapp.client-secret=a04b1b32-3e8a-4803-b7ec-70bfb7e8ec2b #<.>
 
-spring.security.oauth2.client.registration.demo.provider=keycloak       #<.>
-spring.security.oauth2.client.registration.demo.authorization-grant-type=authorization_code
-spring.security.oauth2.client.registration.demo.scope=openid, profile
-spring.security.oauth2.client.registration.demo.redirect-uri={baseUrl}/login/oauth2/code/{registrationId}
+spring.security.oauth2.client.registration.simpleapp.provider=keycloak       #<.>
+spring.security.oauth2.client.registration.simpleapp.authorization-grant-type=authorization_code
+spring.security.oauth2.client.registration.simpleapp.scope=openid, profile
+spring.security.oauth2.client.registration.simpleapp.redirect-uri={baseUrl}/login/oauth2/code/{registrationId}
 spring.security.oauth2.client.provider.keycloak.authorization-uri=${kc.realm-url}/protocol/openid-connect/auth
 spring.security.oauth2.client.provider.keycloak.jwk-set-uri=${kc.realm-url}/protocol/openid-connect/certs
 spring.security.oauth2.client.provider.keycloak.token-uri=${kc.realm-url}/protocol/openid-connect/token
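Review bot: the line `+spring.security.oauth2.client.registration.simpleapp.client-secret=a04b1b32-3e8a-4803-b7ec-70bfb7e8ec2b` embeds a complete client secret in the documentation, exactly as the removed `demo` line did. Even in a tutorial, show an obvious placeholder such as `<client-secret-from-keycloak>` and add a sentence saying that outside a local walkthrough the secret should be supplied via an environment variable or externalized configuration rather than committed in `application.properties`, so readers do not copy the pattern into real projects. The `http://localhost:9090/auth` base URL is fine for localhost, but the text could note that any non-local Keycloak must be reached over https, because the authorization code and tokens travel over that URL.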
@@ -162,12 +158,11 @@ spring.security.oauth2.client.provider.keycloak.user-name-attribute=preferred_us
 The registration properties below must specify this property as the `registration` key.
 <.> URL where keycloak is running
 <.> application-defined property, just to reduce the boilerplate below
-<.> must match the client name entered in the admin console
+<.> must match the client name entered in the admin console.
 <.> as taken from the credential tab of the realm
 <.> remaining property values are boilerplate and should not need to change.
-+
-IMPORTANT: Make sure though to change the key itself: `spring.security.oauth2.client.registration.xxx` where "xxx" is the name of the realm being registered to Spring Security.
 
+IMPORTANT: Make sure that with the key prefix `spring.security.oauth2.client.registration.xxx`, the "xxx" is the name of the realm being registered to Spring Security.
 
 
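Review bot: two callouts describe the wrong thing. `+<.> must match the client name entered in the admin console.` is attached to the `client-id` property, so it should say client ID (the `client-name` line immediately below it is only the display name); and `<.> as taken from the credential tab of the realm` describes the client secret, which in Keycloak is found on the client's Credentials tab, not on the realm. The full stop added to the first of these also makes it inconsistent with the other callouts, which have none. The reworded IMPORTANT line is awkward; "Make sure that the "xxx" in the key prefix `spring.security.oauth2.client.registration.xxx` is the name of the realm being registered with Spring Security" reads more naturally.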
 === Create sven user in the realm
@@ -180,6 +175,22 @@ image::add-sven-user-prompt.png[width=400px]
 +
 image::sven-credentials.png[width=400px]
 
+
+//=== Create 'regular-user' role in the realm
+//
+//This is optional, but illustrates that roles to users within keycloak:
+//
+//* create role:
+//+
+//image::create-regular-user-role.png[width=400px]
+//
+//* add our 'sven' user to the 'regular-user' role:
+//+
+//image::add-sven-to-regular-user-role.png[width=800px]
+
+
+=== Check the account
+
 * check that the account is setup by navigating to link:http://localhost:9090/auth/realms/simpleapp/account/[]:
 +
 image::account-mgmt.png[width=800px]
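Review bot: the block re-added as `//` comments carries a broken sentence (`//This is optional, but illustrates that roles to users within keycloak:` is missing a verb, e.g. "illustrates that roles can be assigned to users within Keycloak"), and commented-out documentation tends to rot silently. Either restore it under an explicitly optional heading with the sentence fixed, or drop it together with the two images it references.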
@@ -192,10 +203,24 @@ image::test-sven-login.png[width=300px]
 +
 image::logged-in-as-sven.png[width=800px]
 
-* add to 'regular-user' role:
+
+=== Test
+
+Finally, start the Apache Isis application:
+
+* and confirm that navigating to http://localhost:8080 redirects to the keycloak login:
++
+image::keycloak-login-page.png[width=400px]
+
+* you should be able to log into the app:
++
+image::logged-into-app-as-sven.png[width=300px]
+
+* if running in prototype mode, you should still be able to impersonate other users:
 +
-image::add-sven-to-regular-user-role.png[width=800px]
+image::impersonate-as-fred.png[width=300px]
 
+* Logout should of course take you back to the login page.
 
 
 == Resources:
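Review bot: the bullet `+* if running in prototype mode, you should still be able to impersonate other users:` should state explicitly that impersonation is only available in prototype mode and is not offered in production, since the screenshot shows a powerful capability with no such qualification beside it. The final bullet `+* Logout should of course take you back to the login page.` could also say whether logging out of the app ends the Keycloak session as well or only the app's own session; a reader who simply sees the login page again cannot tell the difference, and it matters on a shared machine.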