How to access encryption endpoint for Pivotal Spring Cloud Service config server - spring-cloud

I am using Pivotal Cloud Foundry with Spring Cloud Services 1.0.0. I am wondering what the proper way to access the /encryption endpoint is on our Config Server service instance? I get an OAuth "Full authentication required" error when trying to access the endpoint, but I am not sure what credentials I should authenticate with. I don't even know if the encryption endpoint is set up; there is nothing in the documentation to suggest it is or isn't available.

You either need to look at the logs during startup to capture the generated password OR you need to provide a password in your startup configs.
Add this to your bootstrap.yml:
security:
  user:
    password: yourPasswordHere
Or add this to your bootstrap.properties:
security.user.password: yourPasswordHere
You can log in with user/yourPasswordHere to authenticate once your application has been deployed.

Related

No Login Page shown with Keycloak and Quarkus

I have a keycloak Server running on my localhost with port 8081.
I'm trying to connect my Quarkus application with it to secure REST-Endpoints.
However I'm not able to Login to my Keycloak server.
I annotated a /test endpoint with @RolesAllowed("user"). Since then I can't access the endpoint, but I get an empty page with a 401 Unauthorized error in the web console.
What I want is that I get redirected to the Keycloak default page so I can authorize myself. Any ideas why that is not happening?
Here is my application.properties Keycloak configuration:
quarkus.oidc.auth-server-url=http://localhost:8081/realms/TestRealm
quarkus.oidc.client-id=testclient
quarkus.oidc.credentials.secret=MYSECRET
quarkus.oidc.tls.verification=none
quarkus.keycloak.policy-enforcer.enable=false
logging.level.org.keycloak=DEBUG
resteasy.role.based.security=true
quarkus.http.cors=true
quarkus.http.port=8080
When I set policy enforcer to true I can't access any endpoint.
TestRealm has a Resource configured with a /test endpoint.
In the Quarkus documentation for Keycloak they said that you don't need to set up your own Keycloak server in dev mode since Quarkus comes with one. Might that be the problem? Is my Quarkus application not connecting to my Keycloak server? And if so, how can I force Quarkus in dev mode to use my Keycloak server?
EDIT: I figured out that I have access to my endpoint if I send the request with the Bearer token, so I guess Quarkus is accessing my Keycloak instance.
Still, why don't I get forwarded to the default Keycloak login page when trying to access my Rest endpoint via my browser? Am I missing any configuration?
For anyone with the same issue I fixed it by adding:
quarkus.oidc.auth-mechanism=keycloak
quarkus.oidc.application-type=web-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
to the config.

How does quarkus support basic authentication with keycloak as identity provider?

I want to secure a rest service with basic authentication. The credentials should be used to obtain an access token from a keycloak instance for that client and check the allowed roles on the service.
The Quarkus security architecture guide states that at least one extension installed that provides a username/password based IdentityProvider is required. It refers to JPA IdentityProvider and JDBC IdentityProvider only. But I want to authenticate against Keycloak.
I have successfully setup a web app and a rest service with quarkus-oidc. It authenticates the user and provides access to the rest service via access token.
I also used properties files with basic authentication successfully.
My keycloak myclient setup has Direct Access Grants Enabled with Access Type set to confidential.
My configuration in application.properties:
quarkus.oidc.enabled=true
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/myrealm
quarkus.oidc.client-id=myclient
quarkus.oidc.credentials.secret=secret
quarkus.http.auth.basic=true
Is this a valid combination?
When I debug into HttpAuthenticator constructor the only mechanism found is OidcAuthenticationMechanism, I'd expect BasicAuthenticationMechanism to be present.

Logging in with a Keycloak service account from a WildFly secure deployment

I am running a web application packaged as WAR inside WildFly, with authentication configured via a secure deployment managed by the Keycloak adapter subsystem.
The corresponding client in Keycloak is configured with a service account. Now, I'd like to send requests to Keycloak (and possibly other services) using the service account and associated roles.
What is the best way to obtain a token for authentication "as the service", i.e. using the service account?
Is there a way to access the client secret specified in the secure deployment definition from the runtime context of my WAR?
Am I doing things wrong? What is the optimal approach here?
Note that I still need to be able to authenticate requests from the web inbound to the service with Keycloak.

How to provide custom authentication/authorization manager in Wildfly

I have a backend REST service providing authentication and authorization. How can I configure my Wildfly server or the deployed application so that the REST calls are made to verify any user credentials and retrieve user roles over REST? The application itself can access the REST service.
I try to authenticate the user by calling javax.servlet.http.HttpServletRequest.login(username, password).
http://www.mastertheboss.com/jboss-server/jboss-security/creating-a-custom-jboss-login-module
Try creating a custom login module.

Secure Connector API endpoint not in VCAP_SERVICES?

I have created an API via basic secure connector (SOAP). The API works but I am wondering why I can't retrieve the endpoint URL from VCAP_SERVICES. Anything I miss here?
Are you using the secure connector portion of the Cloud Integration service in Bluemix? You might want to try the Secure Gateway service, which is newer and is basically just the secure connector as a standalone service without the rest of Cloud Integration.
"Reaching enterprise backend with Bluemix Secure Gateway via console" explains how to set up a Secure Gateway instance. When you create a destination, that creates an integration.ibmcloud.com URL that your app can then use to connect to your destination via the gateway. The gateway is a proxy, preserving the interface, so the cloud host URL has the same API as the destination host.