-
Notifications
You must be signed in to change notification settings - Fork 43
Mission: Secured HTTP API
| ID | Short Name |
|---|---|
|
|
A user of a collection of REST services has been assigned a client secret that they can exchange for a token to access the services. The token returned conforms to the MicroProfile MP-0005 JWT RBAC proposal, for which Keycloak is the reference implementation.
A REST service should be secured using Red Hat Single Sign-on and accessible by JWT formatted bearer tokens that authorize user access on a per resource basis. A client of the services will obtain a token for access by authenticating to the RH SSO server in what is known as a Resource Owner Password Credentials Grant.
The redhat-sso needs to be deployed following the instructions in any of the secured REST application sso project subfolders. This include a master Realm with a user “alice” assigned a password with the value password that has been given a client secret and role mappings sufficient to access the desired endpoints. The services are deployed with the RH SSO adaptor configured to allow access via appropriately signed bearer tokens issued by the RH SSO server.
A user makes a POST request, that must be over https, via a command line Java client to the RH SSO server token endpoint (SSO_AUTH_SERVER_URL), and provides the following in the body using application/x-www-form-urlencoded encoding:
-
Username
-
Password
-
ClientID
-
ClientSecret
-
grant_type=password
A JSON Web Token(JWT) bearer access token is returned. The token has an expiration beyond which it must be refreshed or replaced. The expiration can be configured in the RH SSO server. The user makes requests to the REST services providing an “Authorization: Bearer ..token..” header The user is authenticated and authorized via validation of the token.
The redhat-sso needs to be deployed following the instructions in any of the secured REST application sso subproject folders. This project includes a java client that is used to access the secured applications.
-
a
200return code with a JSON payload indicates success -
a
401return code is presented for unauthenticated access -
a
403return code is presented for an unauthorized access.
More specifically:
|
. |
A greeting with the name “World!” as a JSON object containing and id and content are returned: {“id”: 1, “content”, “Hello, World!”, …} The id value should increment by 1 on each request. |
|
|
A greeting with the name “myname” as a JSON object containing and id and content are returned: {“id”: 1, “content”, “Hello, myname!”, …} The id value should increment by 1 on each request. |
|
|
A valid user without insufficient permissions fails with a forbidden exception. |
|
|
An invalid user fails with a 'not authorized' exception |
|
java -jar target/sso-client.jar --app secured-vertx-rest …
produces a 200 result with the expected JSON payload.
java -jar target/sso-client.jar --app secured-swarm-rest …
produces a 200 result with the expected JSON payload.