-
Notifications
You must be signed in to change notification settings - Fork 43
Mission: Secured HTTP API
| ID | Short Name |
|---|---|
|
|
A user of a collection of REST services has been assigned a client secret that they can exchange for a token to access the services. The token returned conforms to the MicroProfile MP-0005 JWT RBAC proposal, for which Keycloak is the reference implementation.
A REST service should be secured using Red Hat Single Sign-on and accessible by JWT formatted bearer tokens that authorize user access on a per resource basis. A client of the services will obtain a token for access by authenticating to the RH SSO server in what is known as a Resource Owner Password Credentials Grant.
The redhat-sso needs to be deployed following the instructions in any of the secured REST application sso project subfolders. This include a master Realm with a user “alice” assigned a password with the value password that has been given a client secret and role mappings sufficient to access the desired endpoints. The services are deployed with the RH SSO adaptor configured to allow access via appropriately signed bearer tokens issued by the RH SSO server.
A user makes a POST request, that must be over https, via a command line Java client to the RH SSO server token endpoint (SSO_AUTH_SERVER_URL), and provides the following in the body using application/x-www-form-urlencoded encoding:
-
Username
-
Password
-
ClientID
-
ClientSecret
-
grant_type=password
A JSON Web Token(JWT) bearer access token is returned. The token has an expiration beyond which it must be refreshed or replaced. The expiration can be configured in the RH SSO server. The user makes requests to the REST services providing an “Authorization: Bearer ..token..” header The user is authenticated and authorized via validation of the token.
java -jar target/sso-client.jar --app secured-vertx-rest …
Produces a 200 result with the expected JSON payload.
java -jar target/sso-client.jar --app secured-swarm-rest …
Produces a 200 result with the expected JSON payload.