/demo-authz

Demo of Authorization Services on Red Hat Single Sign-On

Slide Deck

https://docs.google.com/presentation/d/1FxKu6pZAFMumdpagicyV0JQrscxA2dKqZelibO1Czhw/edit

Setup

Software Downloads:

  • Red Hat Single Sign-On 7.2 (rh-sso-7.2.0.zip)
  • Red Hat Single Sign-On 7.2.5 Server Patch (rh-sso-7.2.5-patch.zip)
  • Red Hat Single Sign-On 7.2.5 Client Adapter for JBoss EAP 7 (rh-sso-7.2.5-eap7-adapter.zip)
  • Red Hat JBoss Enterprise Application Platform 7.1.0 (jboss-eap-7.1.0.zip)

Red Hat Single Sign-On and JBoss EAP installation and configuration

unzip rh-sso-7.2.0.zip

1 - Adding a JBoss management user (jboss-cli connects with it in the next step; the RH-SSO admin account is separate and is created with add-user-keycloak.sh or from the welcome page on localhost, see Demo Preparation):

./rh-sso-7.2/bin/add-user.sh

2 - Applying Patch 7.2.5 (patch apply needs a running server; stop the server once the patch is applied, it is started again in Demo Preparation with the options the demo needs):

./rh-sso-7.2/bin/standalone.sh &

./rh-sso-7.2/bin/jboss-cli.sh --connect
  patch apply rh-sso-7.2.5-patch.zip

3 - Installing JBoss EAP 7.1

unzip jboss-eap-7.1.0.zip

4 - Adding a JBoss EAP management user (used by jboss-cli in the next step):

./jboss-eap-7.1/bin/add-user.sh

5 - Installing the RH-SSO Adapter for JBoss EAP 7.1 (adapter-install.cli needs a running server; stop EAP afterwards, it is started again in Demo Preparation with the bind addresses the demo needs):

cd jboss-eap-7.1
unzip rh-sso-7.2.5-eap7-adapter.zip
./bin/standalone.sh &

./bin/jboss-cli.sh --connect --file=./bin/adapter-install.cli

Preparing applications and dependencies

git clone https://github.com/keycloak/keycloak
git -C keycloak checkout tags/3.4.3.Final
mvn clean package -f keycloak/testsuite/integration-arquillian/test-apps/photoz/pom.xml
cp keycloak/testsuite/integration-arquillian/test-apps/photoz/photoz-authz-policy/target/photoz-authz-policy-3.4.3.Final.jar rh-sso-7.2/standalone/deployments
cp keycloak/testsuite/integration-arquillian/test-apps/photoz/photoz-html5-client/target/photoz-html5-client.war jboss-eap-7.1/standalone/deployments
cp keycloak/testsuite/integration-arquillian/test-apps/photoz/photoz-restful-api/target/photoz-restful-api.war jboss-eap-7.1/standalone/deployments

Demo Preparation

Starting Red Hat Single Sign-On (port offset 100 puts the server on 8180 so it does not collide with JBoss EAP on 8080; keycloak.profile=preview enables Authorization Services, which is a technology preview in RH-SSO 7.2. Binding to 0.0.0.0 exposes the admin and management consoles on every interface: fine for an isolated demo machine, not beyond that.)

./rh-sso-7.2/bin/standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0 -bunsecure 0.0.0.0 -Djboss.socket.binding.port-offset=100 -Dkeycloak.profile=preview

1 - Open Red Hat Single Sign-On at http://localhost:8180/auth/admin/ and log in with the admin username and password (on the first access from localhost, the welcome page at http://localhost:8180/auth/ lets you create the initial admin user).

2 - Click on Add realm and create the realm photoz by importing the file photoz-realm.json (shipped with the photoz test app sources checked out above)

3 - Open the Authorization tab of the client photoz-restful-api and import the file photoz-restful-api-authz-service.json (from the same photoz test app sources); this loads the resources, scopes, policies and permissions the demo relies on

4 - Starting Red Hat JBoss EAP with the deployed applications

./jboss-eap-7.1/bin/standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0 -bunsecure 0.0.0.0

Demo Presentation

Applications

  • photoz-html5-client
  • photoz-restful-api

Users/passwords

  • alice/alice
  • jdoe/jdoe
  • admin/admin

1 - Access the Red Hat Single Sign-On admin console at http://localhost:8180/auth/admin

2 - Click on Clients in the photoz realm, open the photoz-restful-api client configuration, click on the Authorization tab and walk through Settings, Resources, Authorization Scopes, Policies and Permissions. Explain each one if time allows: resources are what is protected (the albums, the profile), scopes are the actions on them, policies are the conditions (role, owner, time), and permissions bind policies to resources or scopes.

3 - Access the photoz-html5-client application in http://localhost:8080/photoz-html5-client

4 - Login with user alice

5 - Consent to the use of your data from photoz-restful-api by photoz-html5-client

6 - Click on Show Requesting Party Token to inspect the permissions carried in the RPT: it lists the album resources and scopes the main page just requested from photoz-restful-api

7 - Now click on My Profile, then click Show Requesting Party Token again to check that a new profile:view permission has been added to the RPT

8 - Go back in the browser and create an album named alices album. This will be album #1

9 - Click on Sign Out and log-in with user jdoe

10 - Click on Yes to authorize photoz-html5-client on the consent screen

11 - Create an album jdoes album. This will be the album #2

12 - In a separate tab, log in to the RH-SSO admin console with the admin credentials, go to Clients -> photoz-restful-api -> Authorization -> Permissions and edit the permission Album Resource Permission. Remove the policy Any User Policy and save

13 - Refresh the page in photoz-html5-client (still logged in as jdoe) to check that you no longer have access

14 - Change the URL in the browser to photoz-html5-client/#/album/2 to confirm that jdoe cannot even open their own album any more: the permission no longer has a policy that grants regular users

15 - Now log out, log in to photoz-html5-client with user admin and open the same URL photoz-html5-client/#/album/2 to confirm that admin can still see jdoes album.

16 - Log out, log in again with user jdoe and open photoz-html5-client/#/album/2 to see that jdoe still cannot see the resource.

17 - Edit Album Resource Permission again, re-add Any User Policy, save, and refresh the jdoes album page to confirm that access is restored.

18 - Now, in RH-SSO, create a Time policy with Logic set to Negative that denies access to jdoes album for two minutes. With Minute set to start at 42 and end at 43, for example, access will be denied from minute 42 to minute 43 (with only the Minute field set, the window repeats every hour). Pick a window a minute or two ahead of the current time so the audience sees both the denial and the grant.

19 - Then create a new resource-based permission for the resource jdoes album and attach the time policy you just created

20 - Refresh the page to confirm that you cannot access the album during the minutes you defined, and that access returns once the window has passed. The other albums stay accessible because the new permission applies only to jdoes album.
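Steps 6 and 7 show the RPT in the browser. The script below is an added example written for this page (it is not part of the demo, of the photoz apps or of Keycloak) that decodes an RPT offline and reports which scopes it grants on which resource. It assumes the claim layout RH-SSO 7.2 uses, an "authorization" claim whose "permissions" entries carry resource_set_name and scopes, and embeds a constructed, unsigned sample token. A real resource server must verify the signature against the realm public key before trusting any of this; the EAP adapter does that for photoz-restful-api, this helper deliberately does not.

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWS. The signature is NOT verified:
    use this to inspect an RPT, never to make an access decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(rpt: str) -> dict:
    """Map resource name -> set of granted scopes, read from the
    'authorization' claim (assumed RH-SSO 7.2 layout)."""
    perms = {}
    for entry in jwt_payload(rpt).get("authorization", {}).get("permissions", []):
        name = entry.get("resource_set_name") or entry.get("resource_set_id")
        perms.setdefault(name, set()).update(entry.get("scopes", []))
    return perms


def has_permission(rpt: str, resource: str, scope: str, now=None) -> bool:
    """True if the RPT is unexpired and grants `scope` on `resource`."""
    payload = jwt_payload(rpt)
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        return False
    return scope in granted_permissions(rpt).get(resource, set())


# Constructed sample token (assumption: shape of an RH-SSO 7.2 RPT for alice).
# The signature segment is a placeholder, so it would fail real verification.
SAMPLE_EXP = 4102444800  # 2100-01-01, keeps the sample valid when run later
_sample_payload = {
    "exp": SAMPLE_EXP,
    "iss": "http://localhost:8180/auth/realms/photoz",
    "aud": "photoz-restful-api",
    "preferred_username": "alice",
    "authorization": {
        "permissions": [
            {"resource_set_id": "res-album-1", "resource_set_name": "alices album",
             "scopes": ["album:view", "album:delete"]},
            {"resource_set_id": "res-profile-alice", "resource_set_name": "Alice Profile",
             "scopes": ["profile:view"]},
        ]
    },
}
SAMPLE_RPT = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(_sample_payload).encode()),
    _b64url(b"placeholder-signature"),
])

if __name__ == "__main__":
    for resource, scopes in sorted(granted_permissions(SAMPLE_RPT).items()):
        print(f"{resource}: {', '.join(sorted(scopes))}")
    print("alice may view alices album:",
          has_permission(SAMPLE_RPT, "alices album", "album:view"))
    print("alice may view jdoes album:",
          has_permission(SAMPLE_RPT, "jdoes album", "album:view"))
```

Paste the RPT from Show Requesting Party Token into SAMPLE_RPT to see the same breakdown for a live token; the scopes you see there are the ones the resource server will enforce on each call.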
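Steps 12 to 20 exercise the evaluation rules behind the demo: each policy votes, Logic = Negative inverts a vote, the permission's decision strategy (Unanimous, Affirmative or Consensus) folds the votes, and every permission that applies to a resource must grant for the request to pass. The model below is an added example written for this page, not Keycloak's evaluation engine. The policy and permission names follow the demo, but the exact policies attached to Album Resource Permission (here Any User Policy and Administration Policy combined with Affirmative) are an assumption chosen to reproduce what the steps show.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Policy:
    name: str
    condition: Callable[[Dict], bool]  # True when the policy's condition holds
    negative: bool = False             # Logic = Negative inverts the outcome

    def grants(self, ctx: Dict) -> bool:
        holds = self.condition(ctx)
        return (not holds) if self.negative else holds


@dataclass
class Permission:
    name: str
    resource: str            # resource name, or "*" for a resource-type permission
    policies: List[Policy]
    strategy: str = "UNANIMOUS"  # UNANIMOUS | AFFIRMATIVE | CONSENSUS

    def applies_to(self, resource: str) -> bool:
        return self.resource in ("*", resource)

    def grants(self, ctx: Dict) -> bool:
        votes = [p.grants(ctx) for p in self.policies]
        if not votes:               # a permission with no policies grants nothing
            return False
        if self.strategy == "UNANIMOUS":
            return all(votes)
        if self.strategy == "AFFIRMATIVE":
            return any(votes)
        if self.strategy == "CONSENSUS":
            return votes.count(True) > votes.count(False)
        raise ValueError(f"unknown decision strategy {self.strategy}")


def evaluate(permissions: List[Permission], resource: str, ctx: Dict) -> bool:
    """Resource-level decision: every permission that applies must grant."""
    applicable = [p for p in permissions if p.applies_to(resource)]
    return bool(applicable) and all(p.grants(ctx) for p in applicable)


# Policies named as in the demo (conditions are this example's assumptions).
ANY_USER = Policy("Any User Policy", lambda c: "user" in c["roles"])
ADMINISTRATION = Policy("Administration Policy", lambda c: "admin" in c["roles"])
# Step 18: Time policy, Minute 42..43 inclusive, Logic = Negative.
DENY_42_43 = Policy("Deny minute 42-43", lambda c: 42 <= c["minute"] <= 43, negative=True)


def photoz_permissions(any_user_attached: bool = True,
                       time_permission: bool = False) -> List[Permission]:
    """Assumed photoz layout: one resource-type permission for all albums,
    plus (step 19) a resource-based permission on jdoes album only."""
    album_policies = [ADMINISTRATION] + ([ANY_USER] if any_user_attached else [])
    perms = [Permission("Album Resource Permission", "*", album_policies, "AFFIRMATIVE")]
    if time_permission:
        perms.append(Permission("jdoes album time window", "jdoes album", [DENY_42_43]))
    return perms


def can_view(user_roles, resource: str, minute: int, **layout) -> bool:
    ctx = {"roles": set(user_roles), "minute": minute}
    return evaluate(photoz_permissions(**layout), resource, ctx)


if __name__ == "__main__":
    print("step 11 jdoe on own album  :", can_view(["user"], "jdoes album", 10))
    print("step 14 Any User removed   :", can_view(["user"], "jdoes album", 10, any_user_attached=False))
    print("step 15 admin, Any User off:", can_view(["user", "admin"], "jdoes album", 10, any_user_attached=False))
    print("step 20 jdoe at minute 42  :", can_view(["user"], "jdoes album", 42, time_permission=True))
    print("step 20 jdoe at minute 44  :", can_view(["user"], "jdoes album", 44, time_permission=True))
```

The inversion is the part that trips people up: a Negative time policy grants everywhere outside its window, so attaching it to jdoes album only changes the outcome during minutes 42 and 43, and because the server requires all applicable permissions to agree, that single denial overrides the grant from Album Resource Permission.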

Cleanup:

  • Delete the photoz realm in RH-SSO and import it again from photoz-realm.json
  • Import the permission definitions again in the Authorization tab of photoz-restful-api
  • Delete the contents of the tmp and data folders under jboss-eap-7.1/standalone and restart JBoss EAP