elytron-oidc-client secure-deployment on wildfly26


Stephen Sill II

Feb 18, 2022, 1:26:00 PM
to WildFly
Do defined secure-deployment entries work for .war files nested in .ear files?

I have application-ear.ear which contains application-web.war

If I put an oidc.json inside the .war, it works as you'd expect. However, if I add the configuration via jboss-cli, I get
UT005023: Exception handling request to /: java.lang.IllegalArgumentException: ELY23003: Either provider-url or auth-server-url needs to be configured

The app is normally run in a kubernetes container and my container configures wildfly via jboss-cli and kubernetes configmaps and secrets. This keeps the image the same for lab, staging, prod, etc.

I've tried defining the following:
/subsystem=elytron-oidc-client/provider=keycloak:add(provider-url="myproviderurl", enable-cors=true, always-refresh-token=true)
/subsystem=elytron-oidc-client/secure-deployment=application-ear.ear:add(client-id="guardian-dns-wildfly", provider=keycloak, credential={secret="s00perSecret"}, public-client=false)
/subsystem=elytron-oidc-client/secure-deployment=application-web.war:add(client-id="guardian-dns-wildfly", provider=keycloak, credential={secret="s00perSecret"}, public-client=false)


An option for me might be to move the .war out of the ear and have the war access ejb resources via a remote interface instead. I might try this next just to see if having the .war deploy as a separate deployment would make a difference.

Stephen Sill II

Feb 20, 2022, 2:29:23 PM
to WildFly
So I actually made some progress on this while my message was in moderation lol

As it turns out the commands above don't populate the credential correctly in the standalone.xml.

If I run the commands, it creates the skeleton secure-deployments, but the credentials are undefined.

If you try to go in and set the credentials after the fact using cli commands, it gets an error.

If you stop wildfly and add the credentials by hand in standalone.xml and start wildfly again, it works as you would expect.

I had to pivot away from this for a few days, but I hope to get back to this next week and I'll post more detailed results.

Stephen Sill II

Feb 21, 2022, 8:57:08 AM
to WildFly
I'll clarify: I made progress when I moved the .war outside the .ear. So returning to my original question, should it be possible to add a secure deployment for a .war packaged inside an ear, or will the requirement be to add oidc.json? I script all this into a docker image for deployment to kubernetes via helm. I already script the configuration of wildfly for the app being deployed, so it would be ideal to add some additional commands for jboss-cli to supply the secret info from a kubernetes secret.

I'm digging into this again this morning so I'll report back after I've taken stock of where I left off.

Thanks,
Stephen

Stephen Sill II

Feb 21, 2022, 10:00:18 AM
to WildFly
OK, here's an example of how I'm trying to configure the oidc subsystem via cli.

If I'm not mistaken, it seems like a bug in the setting of credentials. If I stop the server and add the credentials with a text editor, it seems to read them as you'd expect.


[standalone@localhost:10090 /] /subsystem=elytron-oidc-client/provider=keycloak:add(provider-url="http://localhost:8080/realms/application", enable-cors=true, always-refresh-token=true)
{"outcome" => "success"}

[standalone@localhost:10090 /] /subsystem=elytron-oidc-client/secure-deployment=mywar.war:add(client-id="application-wildfly", provider=keycloak, public-client=false)
{"outcome" => "success"}

[standalone@localhost:10090 /] /subsystem=elytron-oidc-client/secure-deployment=mywar.war/credential=creds:add(secret="somesecret")
{"outcome" => "success"}

# Note that credential creds is still undefined below
[standalone@localhost:10090 /] /subsystem=elytron-oidc-client/secure-deployment=mywar.war:read-resource
{
    "outcome" => "success",
    "result" => {
        "adapter-state-cookie-path" => undefined,
        "allow-any-hostname" => false,
        "always-refresh-token" => false,
        "auth-server-url" => undefined,
        "autodetect-bearer-only" => false,
        "bearer-only" => false,
        "client-id" => "application-wildfly",
        "client-key-password" => undefined,
        "client-keystore" => undefined,
        "client-keystore-password" => undefined,
        "confidential-port" => 8443,
        "connection-pool-size" => undefined,
        "connection-timeout-millis" => undefined,
        "connection-ttl-millis" => undefined,
        "cors-allowed-headers" => undefined,
        "cors-allowed-methods" => undefined,
        "cors-exposed-headers" => undefined,
        "cors-max-age" => undefined,
        "credential" => {"creds" => undefined},
        "disable-trust-manager" => false,
        "enable-basic-auth" => false,
        "enable-cors" => false,
        "expose-token" => false,
        "ignore-oauth-query-parameter" => false,
        "min-time-between-jwks-requests" => undefined,
        "principal-attribute" => undefined,
        "provider" => "keycloak",
        "provider-url" => undefined,
        "proxy-url" => undefined,
        "public-client" => false,
        "public-key-cache-ttl" => undefined,
        "realm" => undefined,
        "realm-public-key" => undefined,
        "redirect-rewrite-rule" => undefined,
        "register-node-at-startup" => false,
        "register-node-period" => undefined,
        "resource" => undefined,
        "socket-timeout-millis" => undefined,
        "ssl-required" => "external",
        "token-minimum-time-to-live" => undefined,
        "token-signature-algorithm" => "RS256",
        "token-store" => undefined,
        "truststore" => undefined,
        "truststore-password" => undefined,
        "turn-off-change-session-id-on-login" => false,
        "use-resource-role-mappings" => false,
        "verify-token-audience" => false
    }
}

# Error trying to set secret attribute
[standalone@localhost:10090 /] /subsystem=elytron-oidc-client/secure-deployment=mywar.war/credential=creds:write-attribute(name=secret, value="somesecret")
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.IllegalArgumentException",
    "rolled-back" => true
}

Stephen Sill II

Feb 21, 2022, 12:31:31 PM
to WildFly
So interestingly, even though it throws an exception, the credentials are actually set in the .xml file.

Is the intent that the oidc client will allow secure-deployment definitions for .wars that are packaged inside .ear files? If it's not, I'm going to have to restructure my application to deploy an ear and a .war.

If I add a secure deployment for "mywar.war" and mywar.war is in myear.ear, it throws this:
UT005023: Exception handling request to /favicon.ico: java.lang.IllegalArgumentException: ELY23003: Either provider-url or auth-server-url needs to be configured

If I restructure so that myear.ear does not contain mywar.war and instead deploy the ear and then the war, the secure-deployment seems to take effect.

I feel like secure-deployments should see sub-deployments by their name.

Stephen Sill II

Feb 23, 2022, 10:17:29 AM
to WildFly
So after repackaging my app to have an ear and a separate war, I've gotten things to work with an oidc.json inside the war. However, I'd really really like to configure a secure-deployment instead, since my process of deploying on kubernetes scripts all the wildfly configuration using a configmap and secrets.

Is this a bug, or is it a flaw in the way I'm trying to set the credentials?

/subsystem=elytron-oidc-client/provider=keycloak:add(provider-url="MYKEYCLOAKPROVIDERURL", enable-cors=true, always-refresh-token=true)
{"outcome" => "success"}

/subsystem=elytron-oidc-client/secure-deployment=mywar.war:add(client-id="myclientid", provider=keycloak, public-client=false)
{"outcome" => "success"}

/subsystem=elytron-oidc-client/secure-deployment=mywar.war/credential=secret:add()
{"outcome" => "success"}

/subsystem=elytron-oidc-client/secure-deployment=mywar.war/credential=secret:write-attribute(name=secret,value="myS00perSecret!")

Stephen Sill II

Feb 23, 2022, 1:26:36 PM
to WildFly
OK, so I ended up just working around this by using a deployment overlay that lays in an oidc.json that's built during container deploy using environment settings from the kubernetes configmap and secrets.

Hopefully this helps someone else that comes across this.

Farah Juma

Feb 23, 2022, 6:01:56 PM
to WildFly
There's a known issue with configuring a provider:


The workaround for now is to either configure the provider-url directly in the secure-deployment configuration or to include the configuration directly in the deployment via an oidc.json file instead of using subsystem configuration.

To set a credential in the subsystem configuration, a command like the following can be used:

/subsystem=elytron-oidc-client/secure-deployment=NAME/credential=secret:add(secret="...")

If you're still hitting issues, feel free to create an ELY issue with a reproducer if possible.
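An added example (not code from the thread or from WildFly) of scripting the workaround above from a container entrypoint: a POSIX shell helper renders the jboss-cli commands with provider-url set directly on the secure-deployment (no provider= reference) and the credential added as credential=secret with the value supplied in the add() call itself. The OIDC_* variables, the secret mount path and JBOSS_HOME are assumptions.

```shell
#!/bin/sh
# Added example: render and apply the elytron-oidc-client secure-deployment
# configuration from Kubernetes-provided values. OIDC_*, the secret file path
# and JBOSS_HOME are assumed names, not WildFly defaults.
set -eu

# Escape backslashes and double quotes so the value survives CLI string quoting.
cli_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Emit the jboss-cli script to stdout.
# Arguments: deployment name, client-id, provider URL, client secret.
# provider-url goes on the secure-deployment itself (the workaround), and the
# credential resource is named "secret" with its value given at add time.
render_oidc_cli() {
    dep=$(cli_escape "$1"); cid=$(cli_escape "$2")
    url=$(cli_escape "$3"); sec=$(cli_escape "$4")
    printf 'batch\n'
    printf '/subsystem=elytron-oidc-client/secure-deployment=%s:add(client-id="%s", provider-url="%s", public-client=false, ssl-required="external")\n' "$dep" "$cid" "$url"
    printf '/subsystem=elytron-oidc-client/secure-deployment=%s/credential=secret:add(secret="%s")\n' "$dep" "$sec"
    printf 'run-batch\n'
}

# Read the client secret from a mounted secret file rather than an environment
# variable (keeps it out of the pod spec and process listings), write the script
# with owner-only permissions, run it against the live server, then remove it.
apply_oidc_config() {
    secret=$(cat "${OIDC_SECRET_FILE:-/run/secrets/oidc/client-secret}")
    umask 077
    tmp=$(mktemp)
    render_oidc_cli "$OIDC_DEPLOYMENT" "$OIDC_CLIENT_ID" "$OIDC_PROVIDER_URL" "$secret" > "$tmp"
    "${JBOSS_HOME:-/opt/jboss/wildfly}/bin/jboss-cli.sh" --connect --file="$tmp"
    rm -f "$tmp"
}
```

The secret still ends up in standalone.xml in clear text, as noted earlier in the thread, so the container filesystem and any config dumps need the same protection as the Kubernetes secret itself.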