This repository has been archived by the owner on May 29, 2024. It is now read-only.

Mission: Secured HTTP API

Stefan Sitani edited this page Jun 23, 2017 · 30 revisions

Secured HTTP API

ID: 103

Short Name: secured

Description

A client of a collection of REST services has been assigned a client secret which, together with a user's credentials, it can exchange for a token to access the services. The token returned conforms to the MicroProfile MP-0005 JWT RBAC proposal, for which Keycloak is the reference implementation.

User Problem

A REST service should be secured using Red Hat Single Sign-On (RH SSO) and accessible with JWT-formatted bearer tokens that authorize user access on a per-resource basis. A client of the services obtains a token by authenticating to the RH SSO server with what OAuth2 calls the Resource Owner Password Credentials Grant: the client presents its own credentials (client ID and secret) together with the user's username and password.

Concepts and Architectural Patterns

  • OAuth2

  • Single Sign-on

  • JWT bearer tokens

Prerequisites

The redhat-sso needs to be deployed following the instructions in any of the secured REST application sso project subfolders. This includes a master realm with a user "alice" whose password is "password", a client that has been given a client secret, and role mappings sufficient to access the desired endpoints. The services are deployed with the RH SSO adapter configured to allow access via appropriately signed bearer tokens issued by the RH SSO server; tokens signed by any other key, or issued for a different realm, are rejected.

Use Case

A user makes a POST request, which must be over HTTPS because it carries both the user's password and the client secret in clear text, via a command line Java client to the RH SSO server token endpoint (SSO_AUTH_SERVER_URL), and provides the following in the body using application/x-www-form-urlencoded encoding (the form field names are the standard OAuth2 ones):

  • Username (username)

  • Password (password)

  • ClientID (client_id)

  • ClientSecret (client_secret)

  • grant_type=password

A JSON Web Token (JWT) bearer access token is returned. The token has an expiration (the exp claim) beyond which it must be refreshed or replaced; the lifetime can be configured in the RH SSO server. The user then makes requests to the REST services providing an "Authorization: Bearer ..token.." header. The service authenticates and authorizes the user by validating the token: the signature must verify against the RH SSO realm key, the token must not be expired, and the roles carried in the token must match those required by the requested resource.
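The exchange above, as an added example that is not part of the mission page or of the project's sso-client: a Python script that performs the Resource Owner Password Credentials grant against the RH SSO token endpoint, inspects the returned JWT's exp claim to decide when a refresh is due, and calls a secured service with the bearer token, mapping 200/401/403 to the outcomes the acceptance criteria expect. The token endpoint path is the standard Keycloak one; the server URL, realm, client ID, service URL and the sample token used for offline inspection are assumptions and constructed data, not values from the page.

```python
"""Added example (not from the mission page or its sso-client): the Resource
Owner Password Credentials grant against an RH SSO / Keycloak token endpoint,
followed by a bearer-token call to a secured service.  URLs, realm, client
name, credentials and the sample token are assumptions / constructed data."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Keycloak / RH SSO OpenID Connect token endpoint, relative to SSO_AUTH_SERVER_URL.
TOKEN_PATH = "/realms/{realm}/protocol/openid-connect/token"


def build_token_request(auth_server_url, realm, client_id, client_secret, username, password):
    """Build the token endpoint URL and form body for grant_type=password.

    The body carries the client credentials (client_id/client_secret) and the
    resource owner's credentials (username/password); the request must travel
    over HTTPS because all four are sent in clear text.
    """
    if urllib.parse.urlsplit(auth_server_url).scheme != "https":
        raise ValueError("SSO_AUTH_SERVER_URL must use https: the body carries a password and the client secret")
    url = auth_server_url.rstrip("/") + TOKEN_PATH.format(realm=realm)
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }).encode("ascii")
    return url, body


def request_token(auth_server_url, realm, client_id, client_secret, username, password, timeout=10):
    """POST the form and return the access token string; a non-2xx answer raises HTTPError."""
    url, body = build_token_request(auth_server_url, realm, client_id, client_secret, username, password)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


def decode_claims(token):
    """Return the JWT payload as a dict WITHOUT checking the signature.

    Client side this is only for reading exp/roles to decide when to refresh;
    the service must still verify the RS256 signature against the realm key.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def needs_refresh(claims, now=None, skew=30):
    """True when the token is expired or will expire within `skew` seconds."""
    now = time.time() if now is None else now
    return claims.get("exp", 0) <= now + skew


def bearer_request(url, token, timeout=10):
    """GET a secured resource; return (status, body) instead of raising on 401/403."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token,
                                               "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def outcome(status):
    """Map the mission's acceptance-criteria status codes to a label."""
    return {200: "ok", 401: "unauthenticated", 403: "forbidden"}.get(status, "unexpected")


def make_sample_token(claims):
    """Constructed, unverifiable fixture for exercising decode_claims offline only:
    a real token from RH SSO is RS256-signed by the realm key."""
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([b64({"alg": "RS256", "typ": "JWT"}), b64(claims), "c2lnbmF0dXJl"])


if __name__ == "__main__":
    # Assumed deployment values (not from the page); adjust to your environment.
    SSO_AUTH_SERVER_URL = "https://secure-sso.example.com/auth"
    token = request_token(SSO_AUTH_SERVER_URL, "master", "demoapp", "<client secret>", "alice", "password")
    claims = decode_claims(token)
    print("token for", claims.get("preferred_username"), "expires in", int(claims["exp"] - time.time()), "s")
    if needs_refresh(claims):
        print("token about to expire: request a new one before calling the service")
    status, body = bearer_request("https://secured-app.example.com/api/greeting", token)  # assumed path
    print(outcome(status), status, body)
```

The https check in build_token_request is deliberate: the grant is the one OAuth2 flow in which the user's password crosses the wire, so a plain-http SSO_AUTH_SERVER_URL is refused rather than silently used. decode_claims only reads the payload; it is not a substitute for the signature, issuer and expiry validation the RH SSO adapter performs on the service side.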

Acceptance Criteria

The redhat-sso needs to be deployed following the instructions in any of the secured REST application sso subproject folders. This project includes a Java client that is used to access the secured applications.

  • a 200 return code with a JSON payload indicates success

  • a 401 return code is presented for unauthenticated access

  • a 403 return code is presented for unauthorized access (a valid token whose roles do not permit the resource).

More specifically:

java -jar target/sso-client.jar -app <APP>

Where <APP> is one of the following:

  • secured-springboot-rest

  • secured-swarm-rest

  • secured-vertx-rest

A greeting with the name "World!" is returned as a JSON object containing an id and content: {"id": 1, "content": "Hello, World!", …​} The id value should increment by 1 on each request.

200 - OK with the JSON payload

java -jar target/sso-client.jar -app <APP> --from myname

A greeting with the name "myname" is returned as a JSON object containing an id and content: {"id": 1, "content": "Hello, myname!", …​} The id value should increment by 1 on each request.

200 - OK with the JSON payload

java -jar target/sso-client.jar -app <APP> --user admin --password admin

A valid user with insufficient permissions (the token is authentic but lacks the required role) fails with a forbidden exception.

403 - Forbidden

java -jar target/sso-client.jar -app <APP> --user bad

An invalid user (no token can be obtained, or the token presented is not valid) fails with an unauthorized exception.

401 - Unauthorized

Vert.x-specific Acceptance Criteria

java -jar target/sso-client.jar --app secured-vertx-rest …​ produces a 200 result with the expected JSON payload.

Swarm-specific Acceptance Criteria

java -jar target/sso-client.jar --app secured-swarm-rest …​ produces a 200 result with the expected JSON payload.

Spring Boot-specific Acceptance Criteria

java -jar target/sso-client.jar --app secured-springboot-rest …​ produces a 200 result with the expected JSON payload.

Integration Requirements

Tags

Notes

Approval

  • PM: Name

  • DevExp: Name

  • Vert.x: Name

  • WildFly Swarm: Name

  • Spring Boot: Name

  • QE: Name

  • Docs: Name

  • Architect: Name