RHSSO-1672 (project RH-SSO)

Customer Feedback: Update and expand docs and quickstarts about how to use RH-SSO and JBoss EAP


    Description

      JIRA opened to track work on this customer feedback escalation in Salesforce:
      EN-12772 - https://gss--rh-escalimpl.na94.visual.force.com/apex/Escalation_View?id=a3nA000001Ll2ttIAB&sfdc.override=1

      The escalation relates to this Salesforce case:
      02202186 - https://gss--c.na94.visual.force.com/apex/Case_View?id=500A000000cFFOR&sfdc.override=1

      The JBoss EAP team reviewed the escalation and case and think the issues lie with the RH-SSO documentation and quickstarts.

      Copies of important information from the escalation and case, to use in investigation:

      Product adoption score: 2 [this low score triggered the escalation]

      Product adoption comment: The documentation and quickstarts detailing how to use RH-SSO and JBoss EAP need to be updated and expanded. The examples are incomplete, and some behaviors of the rh-sso-7.2.4-eap7-adapter are undocumented, like the fact that the name of the WAR must Exactly match the name of the "resource".

      Survey Link: https://gss.my.salesforce.com/a1aA000000L4U9OIAV

      What problem/issue/behavior are you having trouble with? What do you expect to see?

      I am attempting to secure a Rest Web Service on JBoss 7.1.4 w/rh-sso-7.2.4-eap7-adapter and RH-SSO 7.2.0. I am securing the Rest Web Service using a b The error I am experiencing is identical to the error detailed and fixed in KEYCLOAK-7309 (https://issues.jboss.org/browse/KEYCLOAK-7309). How can I get a patch for rh-sso-7.2.4-eap7-adapter?

      Where are you experiencing the behavior? What environment?

      As stated above, I am experiencing exactly the same behavior as detailed in KEYCLOAK-7309. I am experiencing this on JBoss 7.1.4 w/rh-sso-7.2.4-eap7-adapter and RH-SSO 7.2.0. I have duplicated this on both Windows 7 and RHEL 6.

      When does the behavior occur? Frequently? Repeatedly? At certain times?

      This behavior happens every time I try to access the secured Rest service. See the attached server.log starting at line 2262.
      Here is the web.xml SSO configuration:
      <module-name>RecruitingAPI</module-na...

      As I described in my original problem description, I am having Exactly the same issue/behavior as described in https://issues.jboss.org/browse/KEYCLOAK-7309. The only difference is that I am running on JBoss EAP 7.1.4, w/rh-sso-7.2.4-eap7-adapter and RH-SSO 7.2.0. For our Rest API we started with the jboss-eap-quickstarts-7.1\contacts-jquerymobile project, and once we had that modified to suit our needs and working with our Oracle DB and tables we used the redhat-sso-quickstarts-7.2.x\service-jee-jaxrs project as a template for securing our Rest API. You should be able to use the example in https://issues.jboss.org/browse/KEYCLOAK-7309 to duplicate the issue on JBoss EAP 7.1.4, w/rh-sso-7.2.4-eap7-adapter and RH-SSO 7.2.0. If not, then I will try to sanitize my code to give you an example. I am a government contractor, so I cannot send you my current code.
      If the patch/fix for https://issues.jboss.org/browse/KEYCLOAK-7309 is available for the rh-sso-7.2.4-eap7-adapter, that is probably all I need.

      What the Red Hat Support person did to solve the problem:

      I followed the below steps with TRACE logging enabled as suggested.

      • Open the Red Hat SSO admin console
      • Added realm, i.e. Mobilerealm
      • Created OIDC client RestAPIKeyCloakError with Access Type: bearer-only for securing the REST API.
        • Select `Clients` from the menu
        • Click `Create`
        • Add the following values:
          • Client ID: RestAPIKeyCloakError
          • Client Protocol: `openid-connect`
        • Click `Save`
        Once saved you need to change the `Access Type` to `bearer-only` and click save.
      • Created OIDC client RestAuth with Access Type: public to get an access or bearer token, which is passed in the Authorization header when invoking a Rest service.
        • Select `Clients` from the menu
        • Click `Create`
        • Add the following values:
          • Client ID: RestAuth
          • Client Protocol: `openid-connect`
        • Click `Save`
      • Created realm role 'mobilerole' and mapped it to user 'john doe'.
      • Install RH-SSO 7.1.4 adapter.
      • Included the below configuration under the keycloak-adapter subsystem in EAP standalone.xml

      <secure-deployment name="RestAPIKeyCloakError.war">
          <realm>mobilerealm</realm>
          <resource>RestAPIKeyCloakError</resource>
          <bearer-only>true</bearer-only>
          <auth-server-url>http://localhost:8080/auth</auth-server-url>
          <ssl-required>EXTERNAL</ssl-required>
      </secure-deployment>

      • Deploy RestAPIKeyCloakError.war on EAP 7.1.4

      Generate access token with client-id 'RestAuth' and hit http://localhost:8180/RestAPIKeyCloakError/heartbeat using Postman and let me know the outcome.

      Please correct me if I have missed something.

      Note: The example https://github.com/DennisBayer/playground-mp-jwt-auth.git also has two clients, Public and bearer-only.
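The keycloak subsystem applies a secure-deployment entry to the deployment whose name matches the entry's name attribute exactly, and the client named in `<resource>` is the one created in the admin console. The following Python script, added here as an example and not part of the issue, the quickstarts or the adapter, checks a subsystem fragment for the mismatches behind the feedback above: an entry name that differs from the deployed WAR (including case), a `<resource>` that names no client in the realm, and a realm whose only client is bearer-only so that nothing can issue a token. The XML fragment, the deployed WAR list and the client list are constructed sample data modelled on the support engineer's configuration; the subsystem namespace urn:jboss:domain:keycloak:1.1 is assumed.

```python
"""Consistency checks for keycloak subsystem secure-deployment entries.

Added example, not part of the JIRA issue or the RH-SSO adapter. The XML,
the deployed WAR list and the client list below are constructed sample data
modelled on the support engineer's configuration; the subsystem namespace
is assumed.
"""
import xml.etree.ElementTree as ET

# Constructed fragment of an EAP standalone.xml (keycloak subsystem only)
SAMPLE_SUBSYSTEM = """\
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
  <secure-deployment name="RestAPIKeyCloakError.war">
    <realm>mobilerealm</realm>
    <resource>RestAPIKeyCloakError</resource>
    <bearer-only>true</bearer-only>
    <auth-server-url>http://localhost:8080/auth</auth-server-url>
    <ssl-required>EXTERNAL</ssl-required>
  </secure-deployment>
</subsystem>
"""

# Constructed: WARs deployed on EAP, and clients defined in the realm
DEPLOYED_WARS = {"RestAPIKeyCloakError.war"}
REALM_CLIENTS = {  # client id -> Access Type as shown in the admin console
    "RestAPIKeyCloakError": "bearer-only",
    "RestAuth": "public",
}
VALID_SSL_REQUIRED = {"none", "external", "all"}


def _local(tag):
    """Strip the XML namespace so tags match with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def check_secure_deployments(xml_text, deployed_wars, realm_clients):
    """Return a list of findings; an empty list means the entries look consistent."""
    findings = []
    root = ET.fromstring(xml_text)
    for dep in root.iter():
        if _local(dep.tag) != "secure-deployment":
            continue
        name = dep.get("name", "")
        # The subsystem matches the entry to a deployment by exact name.
        if not name.endswith(".war"):
            findings.append(f"{name}: secure-deployment name should be the WAR file name")
        if name not in deployed_wars:
            close = [w for w in deployed_wars if w.lower() == name.lower()]
            hint = f" (deployed WAR is {close[0]!r}; names are case-sensitive)" if close else ""
            findings.append(f"{name}: no deployment with this exact name{hint}")
        if not _child_text(dep, "realm"):
            findings.append(f"{name}: <realm> is missing")
        resource = _child_text(dep, "resource")
        if resource not in realm_clients:
            findings.append(f"{name}: <resource> {resource!r} is not a client in the realm")
        bearer_only = (_child_text(dep, "bearer-only") or "false").lower() == "true"
        # A bearer-only client cannot log users in, so some other client
        # (RestAuth above) must exist to obtain the tokens this service accepts.
        if bearer_only and all(t == "bearer-only" for t in realm_clients.values()):
            findings.append(f"{name}: every client is bearer-only; a bearer-only client "
                            "cannot log users in, so no token can be obtained")
        ssl = (_child_text(dep, "ssl-required") or "external").lower()
        if ssl not in VALID_SSL_REQUIRED:
            findings.append(f"{name}: unknown ssl-required value {ssl!r}")
        elif ssl == "none":
            findings.append(f"{name}: ssl-required none lets bearer tokens travel in clear text")
        if not _child_text(dep, "auth-server-url"):
            findings.append(f"{name}: <auth-server-url> is missing")
    return findings


if __name__ == "__main__":
    for line in check_secure_deployments(SAMPLE_SUBSYSTEM, DEPLOYED_WARS, REALM_CLIENTS) or ["ok"]:
        print(line)
```

Run it against the real standalone.xml by reading the subsystem element into `check_secure_deployments` and feeding it the output of `ls standalone/deployments` and the client list from the admin console; a case-only mismatch in the name is reported explicitly because it is the one that is easiest to miss by eye.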

      The customer confirmed that the work above solved the problem:

      Adding the RestAuth public client SOLVED my problem.
      I guess that's somewhere in the redhat-sso-quickstarts-7.2.x instructions as well as being buried in the SSO documentation, but it is not "obvious".
      Thanks again for all of the help. You can close this issue.

      Red Hat Support, additional response:
      I am very pleased to hear that the suggestion worked for you.

      I guess that's somewhere in the redhat-sso-quickstarts-7.2.x instructions as well as being buried in the SSO documentation, but it is not "obvious".

      >> The service-jee-jaxrs quickstart mentions that:

      You can open the public endpoint directly in the browser to test the service. But, the two other endpoints (/service/secured and /service/admin) do require invoking them with a bearer token. So, you would need to login first (via app-jee-html5 or app-jee-jsp) in order to successfully invoke these endpoints.

      Basically what we are doing here is invoking Keycloak's OpenID Connect token endpoint with grant type set to password, which is the Resource Owner Credentials flow that allows swapping a username and a password for a token.

      Tokens should be obtained by web applications by redirecting to the Keycloak login page. There is a documented article for the same [1].

      Let me know in case of any concern.

      [1] https://access.redhat.com/solutions/3128251
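As an added example (not code from the issue, the quickstarts or the customer), the Python script below performs the exchange the support engineer describes: it swaps a username and password for a token at the realm's OpenID Connect token endpoint using the public client RestAuth and the password grant, then presents that token as a bearer token to the heartbeat endpoint secured by the bearer-only client. The realm, client ids, auth-server-url and service URL follow the configuration in the steps above; the user name jdoe and its password are placeholders, and SAMPLE_TOKEN is a constructed, unsigned JWT used only to show how to inspect a token's issuer and realm roles offline.

```python
"""Token exchange against RH-SSO as described in the support reply.

Added example, not code from the issue, the quickstarts or the customer.
Assumed (not on the page): user jdoe and a placeholder password. SAMPLE_TOKEN
is a constructed, unsigned JWT for offline inspection, not an RH-SSO token.
"""
import base64
import json
import urllib.parse
import urllib.request

AUTH_SERVER_URL = "http://localhost:8080/auth"   # <auth-server-url> in standalone.xml
REALM = "mobilerealm"                            # <realm>
PUBLIC_CLIENT_ID = "RestAuth"                    # public client that can log users in
SERVICE_URL = "http://localhost:8180/RestAPIKeyCloakError/heartbeat"


def token_endpoint(auth_server_url, realm):
    """Realm token endpoint under the RH-SSO 7.x /auth context path."""
    base = auth_server_url.rstrip("/")
    return f"{base}/realms/{realm}/protocol/openid-connect/token"


def password_grant_body(client_id, username, password):
    """Form body for grant_type=password (Resource Owner Password Credentials).
    Fine for testing a service; browser apps should redirect to the login page
    instead, as the support reply notes."""
    return urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }).encode()


def parse_token_response(raw):
    """Return the access token, or raise with RH-SSO's error description."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise ValueError(f"{data.get('error')}: {data.get('error_description')}")
    return data["access_token"]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the payload of a compact JWS WITHOUT verifying the signature.
    Use only to inspect issuer, azp and roles when debugging a 401/403; the
    adapter does the real verification with the realm public key."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def has_realm_role(claims, role):
    """True if the realm role appears in the token's realm_access.roles claim."""
    return role in claims.get("realm_access", {}).get("roles", [])


def bearer_header(token):
    return {"Authorization": f"Bearer {token}"}


def get_token(username, password):
    """POST the password grant to RH-SSO and return the access token."""
    req = urllib.request.Request(
        token_endpoint(AUTH_SERVER_URL, REALM),
        data=password_grant_body(PUBLIC_CLIENT_ID, username, password),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.read())


def call_service(token, url=SERVICE_URL):
    """Invoke the bearer-only REST endpoint; returns (status, body)."""
    req = urllib.request.Request(url, headers=bearer_header(token))
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


def _constructed_jwt(claims):
    # Constructed, unsigned sample; real RH-SSO tokens are signed (RS256).
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


SAMPLE_TOKEN = _constructed_jwt({
    "iss": f"{AUTH_SERVER_URL}/realms/{REALM}",
    "azp": PUBLIC_CLIENT_ID,
    "preferred_username": "john doe",
    "realm_access": {"roles": ["mobilerole"]},
})


if __name__ == "__main__":
    token = get_token("jdoe", "CHANGE-ME")   # placeholder credentials
    claims = jwt_claims(token)
    print("issued by", claims.get("iss"), "roles", claims.get("realm_access", {}).get("roles"))
    print(call_service(token))
```

When the service answers 401 or 403, `jwt_claims` on the token you sent shows whether the issuer matches the realm in the secure-deployment entry and whether the expected realm role (mobilerole above) is present, which narrows the problem to the realm configuration or to the role mapping without reading TRACE logs.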

      Red Hat Support person: Saurabh Shriramwar, sshriram@redhat.com
      Customer: Shawn Firth, Senior JAVA Developer, shawn.firth@asrcfederal.com, USA-New York.

          People

            mhelmke Matthew Helmke (Inactive)
            bprioux Betty Prioux (Inactive)