Melloware edited this page Sep 15, 2023 · 5 revisions

OIDC - KEYCLOAK


Description

An example OIDC integration using Keycloak can be found in the oidc-auth branch.

Using

This code base modifies the demo to use Keycloak to protect the web pages.

The main dashboard page is not protected, but all of the other links in the menu are. Clicking on any of them will redirect you to Keycloak's login screen.

You can log in with bob:bob or alice:alice and you will see in the console output that you were logged in.

You will also see a Logout link appear at the top right of the screen.

Clicking it will automatically log you out and redirect you back to the main page.

You can see the various settings for OIDC in the application.properties file.

You can learn more about OIDC at - OIDC OIDC

Properties

##### OIDC KEYCLOAK ######

# Uses the dev services Keycloak and hard codes a port
quarkus.keycloak.devservices.port=51521

# Default client id in the Docker image
quarkus.oidc.client-id=my-jsf-app
quarkus.oidc.application-type=web-app

# In Quarkus 3.3.2 this fixes issue with bad cookie name causing 401 if you cancel Keycloak login page
# https://github.com/quarkusio/quarkus/issues/35947
# According to the devs, in 3.4 this setting is the default
# so it won't be needed in here
quarkus.oidc.authentication.fail-on-missing-state-param=false

# Restore the original path after login redirect
quarkus.oidc.authentication.restore-path-after-redirect=true

# Sets up some time offsets to help prevent
# token expiration during executions like Ajax, etc.
# Things might work fine without them
quarkus.oidc.token.refresh-token-time-skew=3M
quarkus.oidc.authentication.java-script-auto-redirect=false
quarkus.oidc.authentication.session-age-extension=15M
quarkus.oidc.token.lifespan-grace=120

# Need to split up the tokens because all 3 - ID, access, and refresh -
# are too big for the browser
quarkus.oidc.token-state-manager.split-tokens=true

# Automatically refresh expired tokens
quarkus.oidc.token.refresh-expired=true

# Calls Keycloak's logout process to log out the user
# This is a virtual link and doesn't exist in your code,
# it just starts the logout process
# You just need to call it from your JSF
quarkus.oidc.logout.path=/secure/logout

# Where should we be redirected after logout
quarkus.oidc.logout.post-logout-path=/index.xhtml

###### OIDC END #####

##### SECURITY START ######
# Turns off denying of REST endpoints that
# aren't annotated with @PermitAll or @Authenticated
# This is useful if you have REST endpoints in your web-app
quarkus.security.jaxrs.deny-unannotated-endpoints=false

# Setup authenticated path for anything under /secure
quarkus.http.auth.permission.authenticated.paths=/secure/*
quarkus.http.auth.permission.authenticated.policy=authenticated
##### SECURITY END ######
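
How the two SECURITY settings above interact for a REST endpoint in the same web-app, as an added example that is not code from the oidc-auth branch. The package, class name and `/api/status` paths are hypothetical; the annotations and `SecurityIdentity` are the standard Quarkus and Jakarta ones.

```java
package org.example.demo; // hypothetical package

import io.quarkus.security.Authenticated;
import io.quarkus.security.identity.SecurityIdentity;
import jakarta.annotation.security.PermitAll;
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;

// Hypothetical resource that lives outside /secure/*, so the
// quarkus.http.auth.permission.authenticated policy does not cover it.
@Path("/api/status")
@Produces(MediaType.TEXT_PLAIN)
public class StatusResource {

    @Inject
    SecurityIdentity identity;

    // Unannotated: reachable anonymously only because
    // quarkus.security.jaxrs.deny-unannotated-endpoints=false.
    // With that property set to true this method would be denied.
    @GET
    @Path("/ping")
    public String ping() {
        return "pong";
    }

    // Same public behaviour, but stated explicitly, so it keeps working
    // if deny-unannotated-endpoints is later switched to true.
    @GET
    @Path("/version")
    @PermitAll
    public String version() {
        return "demo";
    }

    // Requires a logged-in user even though the path is not under /secure/*.
    // The name returned is the principal of the OIDC session, e.g. alice or bob.
    @GET
    @Path("/whoami")
    @Authenticated
    public String whoami() {
        return identity.getPrincipal().getName();
    }
}
```

Moving a resource under `/secure/` would instead rely on the path policy in application.properties, with no annotation needed on the methods.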