Securing the WildFly Management Console with OpenID Connect

You can secure the WildFly Management Console with OpenID Connect (OIDC) using the Keycloak OpenID provider. When the WildFly Management Console is secured using OIDC, this means that when a user attempts to access the console, they will be redirected to the Keycloak OpenID provider’s login page. Upon successful authentication, the user will then be redirected back to the WildFly Management Console. This guide explains how to configure this.

Prerequisites

To complete this guide, you need:

  • Roughly 15 minutes

  • JDK 11+ installed with JAVA_HOME configured appropriately

  • Apache Maven 3.9+

  • Keycloak

Start Keycloak

This guide will be making use of Keycloak as our OpenID provider.

To start a Keycloak server in your environment, follow the appropriate guide for your environment from Keycloak’s Getting Started page.

Configure Keycloak

  1. Log into the Keycloak Admin Console.

  2. Create a new realm called wildfly-infra. For more information, see the Keycloak documentation on how to create a realm.

  3. Create a new client as follows:

    • General Settings:

      • Client type (or Client Protocol, depending on your Keycloak version): OpenID Connect

      • Client ID: wildfly-console

    • Capability config:

      • Authentication flow: Standard flow, Direct access grants

    • Login settings:

      • Set the Valid redirect URIs using the URI that will be used to access the WildFly Management Console. Since we will use a port offset of 10 when starting WildFly in this guide, we will set the Valid redirect URIs to http://localhost:10000/console/*.

      • Set the Web Origins using the management port for our WildFly instance, e.g., http://localhost:10000.

    For more information, see the Keycloak documentation on how to Manage OpenID Connect clients.

  4. Click Save to save the client.

  5. Create a second new client as follows:

    • General Settings:

      • Client type (or Client Protocol, depending on your Keycloak version): OpenID Connect

      • Client ID: wildfly-management

    • Capability config:

      • Authentication flow: This client will be a bearer-only client, be sure to uncheck Standard flow and uncheck Direct access grants.

    • Login settings: Leave the fields blank.

    For more information, see the Keycloak documentation on how to Manage OpenID Connect clients.

  6. Click Save to save the client.

  7. [Optional] If you want to configure WildFly to use Role Based Access Control, add a role called Administrator. For more information, see the Keycloak documentation on how to create a role.

  8. Add a new user named alice. For more information, see the Keycloak documentation on how to create a user.

  9. Once the new user has been created, set a password for this new user from the Credentials tab.

  10. [Optional] If you want to configure WildFly to use Role Based Access Control, from the Role Mapping tab, assign alice the Administrator role. For more information, see the Keycloak documentation on how to assign a role to a user.

Configure Elytron OIDC Client

Now that we’ve configured our OpenID provider, there are a couple things that need to be configured in the elytron-oidc-client subsystem to secure the WildFly Management Console with OIDC.

First, we need to add a secure-deployment resource that references the wildfly-management client that was created in the previous section.

A secure-server that references the wildfly-console client is also needed.

We can use the following commands to add the required configuration:

First, we need to start our WildFly server instance. Notice that we’re specifying a port offset here since our Keycloak instance is already exposed on port 8080:

./bin/standalone.sh -Djboss.socket.binding.port-offset=10

Next, we can connect to the WildFly CLI and then execute the commands below:

./bin/jboss-cli.sh --connect --controller=localhost:10000
# Configure the Keycloak provider
/subsystem=elytron-oidc-client/provider=keycloak:add(provider-url=http://localhost:8080/realms/wildfly-infra)

# Create a secure-deployment in order to secure the management interface with bearer token authentication
/subsystem=elytron-oidc-client/secure-deployment=wildfly-management:add(provider=keycloak,client-id=wildfly-management,principal-attribute=preferred_username,bearer-only=true,ssl-required=EXTERNAL)

# (Optional) Enable RBAC where roles are obtained from the identity
/core-service=management/access=authorization:write-attribute(name=provider,value=rbac)
/core-service=management/access=authorization:write-attribute(name=use-identity-roles,value=true)

# Create a secure-server to ensure that the WildFly Management Console will redirect to the Keycloak OpenID provider for log in
/subsystem=elytron-oidc-client/secure-server=wildfly-console:add(provider=keycloak,client-id=wildfly-console,public-client=true)

reload

Accessing the WildFly Management Console

With the above configuration now in place, let’s access http://localhost:10000/console. We will be redirected to the Keycloak login page. We can log in using the alice user that we created earlier. Upon successful authentication, we will be redirected back to the WildFly Management Console.

What’s next?

This guide has shown how to secure the WildFly Management Console with OIDC. To learn more about OIDC configuration, check out the Elytron OIDC Client documentation.

References

< Back to Guides

WildFly is fully open. All components are open source and follow a community-focused development process.

This website was built with Jekyll is hosted on Github Pages and is completely open source. If you want to make it better, fork it and show us what you’ve got.

Navigation
Contribute
Get Help
Find more Red Hat Middleware Community Projects
CC by 3.0 | Privacy Policy Sponsored by