diff --git a/tiddlers/content/labs/04/_Labs_04_Keycloak Setup.md b/tiddlers/content/labs/04/_Labs_04_Keycloak Setup.md index 0c711f2..834ea84 100644 --- a/tiddlers/content/labs/04/_Labs_04_Keycloak Setup.md +++ b/tiddlers/content/labs/04/_Labs_04_Keycloak Setup.md 
@@ -89,59 +89,4 @@ Under "Login settings", specify the Front-channel logout URL as `http://localhost:8081/logout`. - -TODO - -1. In the client settings, find the <> setting. Change it from `public` to `confidential`. Click the <> button at the bottom of the page. - -1. Click the <> tab. This is where we can get the *client secret* that was talked about in lecture 11. - -1. Back in NetBeans, comment out the code that creates the pac4j module. - -1. Add a new version of the pac4j module using the following: - - ```java - Pac4jModule pac4j = new Pac4jModule().client(routeAuthoriser, joobyCfg -> { - KeycloakOidcConfiguration config = new KeycloakOidcConfiguration(); - config.setRealm("lab7_realm"); - config.setClientId("lab7_client"); - config.setBaseUri("http://localhost:8080"); - config.setSecret("CLIENT SECRET GOES HERE"); - KeycloakOidcClient client = new KeycloakOidcClient(config); - return client; - }); - ``` - - This code is using pac4j's Keycloak OpenID Connect client to authenticate against the Keycloak server that you are running. Note that pac4j also has a generic OpenID Connect client that can talk to any OpenID Connect identity provider, however you have to do a bit more work to map the roles from the provider into something that pac4j can use. There are also clients for using Google, Facebook, and Twitter as identity providers via OpenID Connect. - - Copy the client secret from the Keycloak client settings into the `setSecret` method. - -1. Restart the service. - - Note that the routes displayed by Jooby in the NetBeans output pane include `/callback` and `/logout`. These are added by pac4j and provide the webhook endpoints that were discussed in lecture 11 --- authorisation providers like Keycloak can use these routes to send authorisation tokens to the web service, or inform the service that the tokens have been invalidated by the user logging out. - - This time we can use a web browser. 
Open the following URL: - - http://localhost:8081/api/catalogue - - Your browser will be redirected to the realm's sign in page. This page could be styled to match the style of your AJAX client (we don't have an AJAX client for this lab, but you did this in lab 3). Enter your user's details. - - Whoops --- `403/Forbidden`. We forgot to add the MANAGER role to the user. - -1. Back in Keycloak, click <> in the left pane. Click the <> button on the right. - -1. Enter `MANAGER` as the role name. We want it to match the role that we are using in the roles that were added to the operations earlier. - -1. Click the <> button in the left pane again. Click the <> buton. - -1. Open the user by clicking the ID link. - -1. Click the <> tab. - - Add the `MANAGER` role to the assigned roles for this user. - - You need to logout the user's sessions to force the service to sign the user in again to get the updated profile. Do this via the <> tab. Click the <> button. - -1. Reload the `/api/catalogue` URL in the web browser. This time it should work. - -We can now provide all user and role data for our web service via Keycloak (or any other OIDC provider). \ No newline at end of file + Click <> to save your client details. \ No newline at end of file diff --git a/tiddlers/content/labs/04/_Labs_04_Protocol snooping.md b/tiddlers/content/labs/04/_Labs_04_Protocol snooping.md new file mode 100644 index 0000000..8628b7d --- /dev/null +++ b/tiddlers/content/labs/04/_Labs_04_Protocol snooping.md 
@@ -0,0 +1,5 @@ +Next, we can perform some investigation of what's happening at the network level when SSO is being used. To do this, run two instances of `tcpflow` in separate Terminal tabs/windows, one listening on port `8081` for the Web service, and one monitoring port `8080` for the Keycloak interactions. Observe what happens in each while you are interacting with the site via your browser. + +In the tcpflow output, you should be able to identify where auth and access tokens are being communicated. You can decode and view the contents of these using the https://jwt.io Web site. Try this and see how much information is contained within these tokens. Discuss the security implications of this, with respect to whether such traffic would be travelling over the broader Internet, or just within a company's IT infrastructure. + +Try to figure out what's going on with the OIDC protocol (reverse-engineering), in particular examining the flow of the various tokens. What does the application need to do in order to obtain the `access_token` and `id_token` values? \ No newline at end of file diff --git a/tiddlers/content/labs/04/_Labs_04_Protocol snooping.md.meta b/tiddlers/content/labs/04/_Labs_04_Protocol snooping.md.meta new file mode 100644 index 0000000..1fd5c75 --- /dev/null +++ b/tiddlers/content/labs/04/_Labs_04_Protocol snooping.md.meta @@ -0,0 +1,4 @@ +section: 6 +tags: lab lab04 +title: /Labs/04/Protocol snooping +type: text/x-markdown \ No newline at end of file diff --git a/tiddlers/content/labs/04/_Labs_04_Using Keycloak.md b/tiddlers/content/labs/04/_Labs_04_Using Keycloak.md new file mode 100644 index 0000000..52b6f44 --- /dev/null +++ b/tiddlers/content/labs/04/_Labs_04_Using Keycloak.md 
@@ -0,0 +1,29 @@ +Next you will be modifying the `OIDCServer` class in your NetBeans project to use Keycloak. + +1. Switch to NetBeans. + +1. Check that your basic authentication service is not running (stop it if necessary). + +1. Open the `service.OIDCServer` class definition. + +1. Find the code that sets the various properties of the auth provider (e.g. the `config.setRealm()` call). + +1. Update those settings to match your Keycloak configuration. For the client secret, you can find this in Keycloak under the `COMP210` client details, under Credentials (click the Copy to Clipboard button). + +1. Start the service by right-clicking the `OIDCServer` class and choosing Run File. + + Note that the routes displayed by Jooby in the NetBeans output pane include `/callback` and `/logout`. These are added by the pac4j security framework and provide *webhook endpoints*---authorisation providers like Keycloak can use these routes to send authorisation tokens to the web service, or inform the service that the tokens have been invalidated by the user logging out. + + This time we can use a web browser. Open the following URL: + + http://localhost:8081/ + + Your browser will be redirected to the realm's sign in page. Log in as `doris`. + + Whoops --- `403/Forbidden`. We forgot to add the MANAGER role to the user. + +1. Back in Keycloak, go into the user settings and add the MANAGER and EMPLOYEE roles to the Doris, and just the EMPLOYEE role to Boris. Then re-check the behaviour of the system. + + Note that you will need to logout the user's sessions to force the service to sign the user in again to get the updated profile. Do this via the <> tab for the user, and click <>. + +1. Revisit the restricted pages in your Web browser. This time it should work. \ No newline at end of file diff --git a/tiddlers/content/labs/04/_Labs_04_Using Keycloak.md.meta b/tiddlers/content/labs/04/_Labs_04_Using Keycloak.md.meta new file mode 100644 index 0000000..38fb6a2 --- /dev/null 
+++ b/tiddlers/content/labs/04/_Labs_04_Using Keycloak.md.meta @@ -0,0 +1,4 @@ +section: 5 +tags: lab lab04 +title: /Labs/04/Using Keycloak +type: text/x-markdown \ No newline at end of file
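Review bot: the replacement line `Click <> to save your client details.` in the Keycloak Setup hunk drops the step the removed block carried where the client's access type is switched from `public` to `confidential` before the client secret is read from the Credentials tab, yet the new Using Keycloak page still sends students to the `COMP210` client's Credentials tab for that secret; if the switch now lives in the lines above this hunk that is fine, otherwise keep a sentence for it before the save step. Also the `<>` in the added line is empty, so the button the student must click is not named; the same empty `<>` placeholders appear throughout the removed text, so check that the button widget syntax survives rendering.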
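Review bot: the Protocol snooping page does not say which of the two `tcpflow` captures will show the `access_token` and `id_token`; pac4j's Keycloak client defaults to the authorization code flow, so the browser traffic on port `8081` carries only the authorization code to `/callback` plus the session cookie, while the token response appears in the service-to-Keycloak exchange on port `8080`, and pointing students at the right capture would save a lot of guessing. It is also worth stating that the capture works only because the lab runs both services over plain HTTP, since that is exactly where the "broader Internet versus company infrastructure" discussion should land (TLS between browser, service and Keycloak), and the phrase "auth and access tokens" should name what is meant (authorization code, `id_token`, `access_token`) so it matches the last paragraph.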
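Review bot: step 5 of the Using Keycloak page has the student paste the client secret straight into `service.OIDCServer` (the removed Keycloak Setup code showed it as a `config.setSecret("...")` literal), which puts a credential into the project source and, for anyone committing the lab, into version control; suggest one sentence that the secret should be loaded from a config file or environment variable kept out of the repository, or at least that it must be regenerated in Keycloak if it is ever committed. Minor: "add the MANAGER and EMPLOYEE roles to the Doris" should read "to Doris", and the `<>` tab and button placeholders in the logout-sessions step are empty, so the tab and button are unnamed.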