Securing Applications and Services

Configuring Realm, Roles, Groups and Users

Before proceeding with the next sections, we need to configure the realm, roles, and users in our Red Hat Single Sign-On instance.

  • Open a browser window and log in to the Red Hat Single Sign-On administration console.

  • Create the demo realm: click Add realm, provide the realm name, and click Create.

  • Create the staff group: click on Groups, then click New.

  • Set staff as the group name and click Save.

  • Create the subgroup Personal staff: click Groups, select the staff group, and click New.

  • Set Personal staff as the subgroup name and click Save.

  • Create the role vet: click Roles, then Add Role.

  • Set the role name and click Save.

  • Repeat the steps to create a role named assistant.

  • Create the user angel: click Users, then Add user.

  • Set the username and click Save.

  • Open the Credentials tab and set a password for the user. Make sure Temporary is set to OFF before setting the password.

  • Open the Role Mappings tab and assign the vet role to the user.

  • Open the Groups tab and assign angel to the Personal staff group by clicking the group and the Join button.

  • Repeat the steps to create a user named elisabeth. Assign the assistant role and include the user in the Personal staff group.

Red Hat Single Sign-On allows defining one or more default groups, where any new user is automatically added. This makes it easier to assign multiple users to the same group without repeating the process. The option is available by clicking Groups, then Default Groups.
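The click-through steps above can be captured as a Keycloak realm-import document, which is how an engineer would reproduce the demo realm without the console. The following added example (written for this page, not taken from the tutorial or from Red Hat) builds that document in Python and audits it for the details the later exercises depend on: passwords that are not temporary, roles that actually exist, and both users sitting in the Personal staff subgroup. The field names are assumed from the Keycloak realm representation used for import, and the passwords are constructed placeholders.

```python
"""Realm, groups, roles and users from the steps above as an importable realm document."""
import json

ROLES = ["vet", "assistant"]
USERS = {"angel": "vet", "elisabeth": "assistant"}  # username -> realm role, as in the steps
STAFF_SUBGROUP = "/staff/Personal staff"


def build_realm(passwords: dict) -> dict:
    """Assemble the demo realm: roles, the staff group with its subgroup, and both users."""
    users = []
    for username, role in USERS.items():
        users.append({
            "username": username,
            "enabled": True,
            # Temporary OFF: the user is not forced to change the password at first login.
            "credentials": [{"type": "password", "value": passwords[username], "temporary": False}],
            "realmRoles": [role],
            "groups": [STAFF_SUBGROUP],
        })
    return {
        "realm": "demo",
        "enabled": True,
        "roles": {"realm": [{"name": r} for r in ROLES]},
        "groups": [{
            "name": "staff", "path": "/staff",
            "subGroups": [{"name": "Personal staff", "path": STAFF_SUBGROUP}],
        }],
        "users": users,
    }


def group_paths(groups) -> set:
    """Flatten the group tree into the set of full group paths."""
    paths = set()
    for g in groups:
        paths.add(g["path"])
        paths |= group_paths(g.get("subGroups", []))
    return paths


def audit_realm(realm: dict) -> list:
    """Return the mistakes that would break the later exercises (empty list when clean)."""
    problems = []
    defined_roles = {r["name"] for r in realm["roles"]["realm"]}
    paths = group_paths(realm["groups"])
    for u in realm["users"]:
        name = u["username"]
        creds = [c for c in u.get("credentials", []) if c.get("type") == "password"]
        if not creds:
            problems.append(f"{name}: no password set")
        if any(c.get("temporary", True) for c in creds):
            problems.append(f"{name}: password is temporary, first login will force a reset")
        for role in u.get("realmRoles", []):
            if role not in defined_roles:
                problems.append(f"{name}: role {role} is not defined in the realm")
        if STAFF_SUBGROUP not in u.get("groups", []):
            problems.append(f"{name}: not a member of {STAFF_SUBGROUP}")
        for g in u.get("groups", []):
            if g not in paths:
                problems.append(f"{name}: group {g} does not exist")
    return problems


if __name__ == "__main__":
    # Constructed passwords; in a real import they come from a secret store, not source code.
    realm = build_realm({"angel": "angel-demo-pw", "elisabeth": "elisabeth-demo-pw"})
    print(json.dumps(realm, indent=2))
    print("audit:", audit_realm(realm) or "ok")
```

The generated JSON is the same shape the console produces under Export, so it can be imported when adding a realm; the audit is the part worth keeping, because a password left Temporary ON or a role typo is exactly what turns the later login tests into confusing failures.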

Securing Quarkus Applications with OIDC

The sample application used in this section is the Quarkus Petclinic project.

For this tutorial, we will work with a version modified specifically for the exercises. The repository for this modified version is https://github.com/aolle/quarkus-petclinic.

To get started, clone the repository and switch to the rh-sso-base-7.6 branch:

git clone -b rh-sso-base-7.6 https://github.com/aolle/quarkus-petclinic.git

The application is prepared for deployment on Red Hat OpenShift. It includes the Quarkus OpenShift extension (k8s with s2i) to automatically generate the OpenShift resources and deploy the application.

Test the application by following these steps:

  • Log into your Red Hat OpenShift cluster.

  • Switch to the sso project if you are not already using it.

  • Deploy the application by executing the ocp-deploy.sh script or, alternatively, by running:

./mvnw install -Dquarkus.kubernetes.deploy=true

During the build, you may encounter an SSLHandshakeException/ValidatorException caused by a self-signed certificate. To resolve this, add -Dquarkus.kubernetes-client.trust-certs=true to the build command.

  • Open a browser window and visit the application URL.

Make a note of the application URL, as it will be required later during the security configuration.

Before securing the application, configure a new client in the Red Hat Single Sign-On demo realm:

  • Open the Red Hat Single Sign-On administration console.

  • Select the demo realm and click Clients. Click Create.

  • Set quarkus-petclinic as the Client ID and click Save.

  • On the quarkus-petclinic client configuration page:

    • Change Access Type from public to confidential.

    • Enable Authorization Enabled.

    • Set Valid Redirect URIs to include the root context of your application, e.g., http://domain.example.com/*.

    • Click Save.


At this point, we have:

  • The demo realm with the quarkus-petclinic client.

  • Two roles: vet and assistant.

  • Two users: angel (role vet) and elisabeth (role assistant).

Authorization rules for our application:

  • Any user in the demo realm, like elisabeth, can browse the application except the VETERINARIANS resource.

  • Only users with the vet role can access the /vets.html resource.

  • Any other user outside the realm will be denied access.


Configuring Client Authorization

  • Open the Red Hat Single Sign-On administration console, select the quarkus-petclinic client, then browse to the Authorization tab and click Resources.

  • Click Create Permission for the Default Resource.

  • Click Create Policy… and select Group.

  • Set Default Group Policy as the Name. Select staff from the Groups list, ensure Logic is Positive, and check Extend to Children. Click Save.

  • Back on the Add Resource Permission page, set Default Resource Permission as Name, select Default Resource as Resources. The recently created policy should be applied automatically. Click Save.

  • Create a new resource:

  • Set Vets Resource as the Name and Display Name, and /vets.html as the URI. Click Save.

  • Browse to the Authorization tab and click Policies. Click Create Policy… and select Role.

  • Set Vet Role Policy as Name, select vet in Realm Roles, check Required, and click Save.

  • Browse to the Authorization tab, click Resources, then click Create Permission for the Vets Resource.

  • Set Vets Resource Permission as Name and apply the Vet Role Policy. Click Save.

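To see how the two policies just created combine into the authorization rules stated earlier, here is an added example (written for this page, not part of the Petclinic project or of Red Hat Single Sign-On) that models the resources, policies and permissions above in Python and evaluates them for the tutorial's users. It assumes that the enforcer applies the most specific resource URI matching the request path, that a permission grants only when all of its policies grant, and that a path with no matching permission is denied; the identities, including the extra outsider accounts, are constructed.

```python
"""Offline model of the Default Resource / Vets Resource authorization configured above."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Identity:
    """What the enforcer learns from the access token: realm roles and full group paths."""
    username: str
    realm_roles: frozenset = frozenset()
    groups: frozenset = frozenset()  # e.g. "/staff/Personal staff"


@dataclass
class GroupPolicy:
    """Grants when the user is in the group; with Extend to Children any subgroup counts."""
    name: str
    group_path: str
    extend_to_children: bool = True

    def evaluate(self, ident: Identity) -> bool:
        prefix = self.group_path.rstrip("/") + "/"
        return any(
            g == self.group_path or (self.extend_to_children and g.startswith(prefix))
            for g in ident.groups
        )


@dataclass
class RolePolicy:
    """Role policy: a missing Required role denies; otherwise any selected role held grants."""
    name: str
    roles: dict  # role name -> Required flag

    def evaluate(self, ident: Identity) -> bool:
        granted = False
        for role, required in self.roles.items():
            held = role in ident.realm_roles
            if required and not held:
                return False
            granted = granted or held
        return granted


@dataclass
class Resource:
    name: str
    uri: str  # pattern as typed in the console, e.g. "/*" or "/vets.html"


@dataclass
class Permission:
    name: str
    resource: str
    policies: list

    def evaluate(self, ident: Identity) -> bool:
        return all(p.evaluate(ident) for p in self.policies)  # unanimous over policies


def build_authorization(extend_to_children: bool = True):
    """The resources, policies and permissions created in the steps above."""
    resources = [Resource("Default Resource", "/*"), Resource("Vets Resource", "/vets.html")]
    staff = GroupPolicy("Default Group Policy", "/staff", extend_to_children)
    vet = RolePolicy("Vet Role Policy", {"vet": True})
    permissions = [
        Permission("Default Resource Permission", "Default Resource", [staff]),
        Permission("Vets Resource Permission", "Vets Resource", [vet]),
    ]
    return resources, permissions


def decide(ident: Identity, path: str, extend_to_children: bool = True) -> bool:
    """Enforcer decision for one request path: True = granted, False = denied."""
    resources, permissions = build_authorization(extend_to_children)
    matches = [r for r in resources if fnmatchcase(path, r.uri)]
    if not matches:
        return False
    # Most specific match wins: an exact URI beats a wildcard pattern.
    best = max(matches, key=lambda r: (r.uri == path, len(r.uri.rstrip("*"))))
    applicable = [p for p in permissions if p.resource == best.name]
    return bool(applicable) and all(p.evaluate(ident) for p in applicable)


# Constructed identities: the two tutorial users plus two realm users outside the staff group.
ELISABETH = Identity("elisabeth", frozenset({"assistant"}), frozenset({"/staff/Personal staff"}))
ANGEL = Identity("angel", frozenset({"vet"}), frozenset({"/staff/Personal staff"}))
OUTSIDER = Identity("outsider")                       # authenticated, no roles, no groups
LOCUM = Identity("locum", frozenset({"vet"}))          # holds vet but is not in staff

if __name__ == "__main__":
    for who in (ELISABETH, ANGEL, OUTSIDER, LOCUM):
        for path in ("/owners.html", "/vets.html"):
            verdict = "granted" if decide(who, path) else "denied"
            print(f"{who.username:10} {path:13} -> {verdict}")
    print("elisabeth without Extend to Children:",
          decide(ELISABETH, "/owners.html", extend_to_children=False))
```

Two things the run makes visible. Both tutorial users live in the Personal staff subgroup, not in staff itself, so with Extend to Children unchecked the group policy denies them everywhere; that checkbox is doing real work. And because the Vets Resource carries only the Vet Role Policy, a realm user who holds vet but is outside staff (the constructed locum) still reaches /vets.html under this model, which is worth keeping in mind if the vet role is ever assigned more widely than the staff group.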

Configuring the Application

  • In the Red Hat Single Sign-On administration console, select the quarkus-petclinic client and click the Credentials tab. Write down the Secret value — it will be required later.

  • Create a ConfigMap with the SSO_HOST environment variable:

oc create configmap quarkus-petclinic-config --from-literal=SSO_HOST={YOUR_SSO_HOST} -n sso

  • Create a Secret with the OIDC client credentials:

oc create secret generic quarkus-petclinic-secret --from-literal=SSO_CLIENT_SECRET={YOUR_SSO_CLIENT_SECRET} -n sso

  • Update application.properties with the following configuration:

quarkus.openshift.env.secrets=quarkus-petclinic-secret
quarkus.openshift.env.configmaps=quarkus-petclinic-config

quarkus.oidc.auth-server-url=https://${SSO_HOST:localhost:8080}/auth/realms/demo
quarkus.oidc.client-id=quarkus-petclinic
quarkus.oidc.credentials.secret=${SSO_CLIENT_SECRET:secret}
quarkus.oidc.tls.verification=none
quarkus.oidc.roles.source=accesstoken

quarkus.oidc.application-type=web-app
quarkus.oidc.webapp.auth-server-url=${quarkus.oidc.auth-server-url}
quarkus.oidc.webapp.client-id=${quarkus.oidc.client-id}
quarkus.oidc.webapp.credentials.secret=${quarkus.oidc.credentials.secret}
quarkus.oidc.webapp.roles.source=${quarkus.oidc.roles.source}

quarkus.keycloak.policy-enforcer.enable=true

  • Redeploy and test application access:

    • Open a new incognito browser session and browse to the application root. You will be redirected to the Red Hat Single Sign-On login page. Anonymous access is forbidden.

    • Log in as elisabeth. Access to /vets.html will be denied.

    • Close the browser, open a new incognito session, and log in as angel.

    • Access to /vets.html will be granted, as angel has the vet role.
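The application.properties above pulls SSO_HOST and SSO_CLIENT_SECRET in from the ConfigMap and Secret, and every placeholder carries a fallback after its first colon, so ${SSO_HOST:localhost:8080} defaults to localhost:8080, not to localhost. The following added example, not part of the Petclinic project, resolves those placeholders the way the injected environment would and then flags what a reviewer should not let past the lab: quarkus.oidc.tls.verification=none disables certificate checking of the SSO server, and a pod whose Secret was never created silently falls back to the client secret `secret`. The OIDC property lines are the tutorial's; the environment dictionaries are constructed, and the expansion rules are a simplified model of Quarkus configuration expansion rather than its real implementation.

```python
"""Resolve ${NAME:default} placeholders from the tutorial's application.properties and review the result."""
import re

# The OIDC lines of the tutorial's application.properties (copied, not constructed).
APPLICATION_PROPERTIES = """\
quarkus.oidc.auth-server-url=https://${SSO_HOST:localhost:8080}/auth/realms/demo
quarkus.oidc.client-id=quarkus-petclinic
quarkus.oidc.credentials.secret=${SSO_CLIENT_SECRET:secret}
quarkus.oidc.tls.verification=none
quarkus.oidc.roles.source=accesstoken
quarkus.oidc.application-type=web-app
quarkus.oidc.webapp.auth-server-url=${quarkus.oidc.auth-server-url}
quarkus.oidc.webapp.client-id=${quarkus.oidc.client-id}
quarkus.oidc.webapp.credentials.secret=${quarkus.oidc.credentials.secret}
quarkus.keycloak.policy-enforcer.enable=true
"""

PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")


def parse_properties(text: str) -> dict:
    """Minimal .properties parser: key=value per line, '#' comments, blank lines ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve(props: dict, env: dict) -> dict:
    """Expand placeholders: NAME is looked up in env, then in the other properties,
    then the default after the FIRST ':' is used. A reference cycle raises."""
    def expand(value: str, seen: frozenset) -> str:
        def repl(match):
            name, has_default, default = match.group(1).partition(":")
            if name in seen:
                raise ValueError(f"circular reference through {name}")
            if name in env:
                return env[name]
            if name in props:
                return expand(props[name], seen | {name})
            if has_default:
                return default
            raise KeyError(f"no value or default for {name}")
        return PLACEHOLDER.sub(repl, value)
    return {key: expand(value, frozenset()) for key, value in props.items()}


def review(resolved: dict) -> list:
    """Findings a practitioner would raise before this configuration leaves the lab."""
    findings = []
    if resolved.get("quarkus.oidc.tls.verification") == "none":
        findings.append("TLS certificate verification to the SSO server is disabled")
    if resolved.get("quarkus.oidc.credentials.secret") == "secret":
        findings.append("client secret fell back to the built-in default 'secret'")
    if resolved.get("quarkus.oidc.auth-server-url", "").startswith("https://localhost"):
        findings.append("SSO_HOST not injected; auth-server-url points at localhost")
    return findings


def check(env: dict):
    """Resolve the tutorial properties against one environment and review them."""
    resolved = resolve(parse_properties(APPLICATION_PROPERTIES), env)
    return resolved, review(resolved)


# Constructed environments: what the pod sees with and without the ConfigMap and Secret mounted.
ENV_WITH_INJECTION = {"SSO_HOST": "sso.apps.example.com", "SSO_CLIENT_SECRET": "c0ffee-not-a-real-secret"}
ENV_MISSING = {}

if __name__ == "__main__":
    for label, env in (("injected", ENV_WITH_INJECTION), ("missing", ENV_MISSING)):
        resolved, findings = check(env)
        print(label, resolved["quarkus.oidc.webapp.auth-server-url"])
        for finding in findings:
            print("  -", finding)
```

With the ConfigMap and Secret present the only finding left is the disabled TLS verification, which is acceptable against a lab instance with a self-signed certificate but should be replaced by a trusted CA before the same properties reach a real environment. With them missing, the application still starts, pointed at localhost with the secret `secret`, which is the kind of silent fallback that is easier to catch in a check like this than in a browser.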

A fully working OIDC Petclinic Quarkus application is available on the rh-sso-oidc-7.6 branch of the repository.