Keycloak on OpenShift

Captions
Hello, today I'll show you how to run Keycloak on OpenShift, as well as how to deploy a Node.js based service and an HTML5 application and secure these with Keycloak running on OpenShift. The first thing we'll do is log in with oc. Then we'll create a new project. For simplicity we're going to run Keycloak, the service and the application in the same project, but obviously it's best practice to use separate projects for your different applications. Once we've created the project we need to import the template for Keycloak. We do this by importing the template from the GitHub repository. There we are, we are now ready to get started.

To deploy Keycloak we now go into our Keycloak project and we browse the catalog. We now have Keycloak available to deploy. We don't need to change any of these properties, they will all be set to the default. Let's set a more meaningful and easy to use administration username and password before we go ahead and create Keycloak. Now we can go to the project overview and we can wait for the pod to spin up; this just takes a little while. While waiting you can drink beer like I'm doing now, or make yourself a cup of tea if you're doing this during office hours. There we go, now we have Keycloak up and running and we can open Keycloak up in the browser. At the moment we're using self-signed certificates and obviously the browser doesn't trust these automatically, so we'll have to ignore this warning and carry on. Right, so let's go to the administration console and we'll log in with the username and password that we previously passed into the OpenShift template when creating Keycloak.

OK, so we're now going to create some clients in Keycloak for our application and our service. We're going to start by creating the client for the service. As this is a service it doesn't need to be able to log in, so we'll select the access type bearer-only. This means that the client won't be able to obtain tokens, only verify tokens. Then we need to create a client for the application. Our goal is just a demo, but for best practice you should set the valid redirect URIs to the exact URIs for the application, as well as the web origins. For now we'll just set them to star, and we'll go back and configure them to the correct URLs when we know these.

OK, so now we can move on to deploying our service. We'll first have a little look at the actual service, starting with the source. This is a very simple Node.js based application that has been secured by the Keycloak Node.js adapter. We can see that we have a keycloak.json configuration file. In this configuration file we specify the realm and we specify the client ID, but we have the auth server URL being injected from an environment variable. We can quickly look at the application as well to see how it secures itself with Keycloak, and it's relatively simple to do. OK, so let's go ahead and deploy this to OpenShift. What we'll do is use the Node.js source-to-image template and select the advanced options. I'll give it a name, "service", and then we need to pass in the URL for our GitHub repository, and since I have multiple applications in the same repository for simplicity for the demonstration I need to pass in the context directory as well. I also want to enable a secure route, because with token based security you should always use secure routes, and I'm going to redirect all insecure traffic to the secure route. The next thing I'm going to have to do is pass in the environment variable for the Keycloak URL which we looked at before, and I can easily get this from the administration console; here it will display the URL. Since I opened Keycloak already I know where this is, and that is it, I'm now ready to create my Node.js service. So I can continue to the project overview and we can see now that source-to-image is doing its magic and it's building the image for us. That's time for us to take a sip of our beer, or during office hours obviously a cup of tea.

And there we go, we now have our service with the route, and we can open the service on this route. Again the browser is complaining about the self-signed certificate. So the service is listening on a URL called service and it has a few different endpoints. It has a public endpoint which you don't need to be authenticated to invoke, so we can now see the message "public"; it's a very simple service and that's all it returns. We can also do that for protected and for admin. There we go, so for admin access is denied, so obviously we need a token to be able to invoke this endpoint of the service.

The next thing we're going to do is deploy a very simple application, an HTML5 application, that then invokes this service. To deploy an HTML application to OpenShift you need to have a web container for it. We're going to use PHP, because the nice thing about PHP is that it also allows us to inject some environment variables into our application to configure it. So we can look at our index.php file and we can see a few things here. First of all it has a JavaScript variable called serviceUrl which is injected from an environment variable; this allows us to pass the URL of the service that we just deployed into this HTML application. We can also see that it's injecting the Keycloak URL and it's loading the Keycloak JavaScript library directly from Keycloak rather than copying it into the application. Finally we also have the Keycloak configuration file, which in this case is PHP, to allow us to inject environment variables into the configuration. We can see that we've hard-coded the realm name, master, and we've also hard-coded the client ID, but we allow it to inject the Keycloak URL from an environment variable. We can see again how easy it is to secure applications with the Keycloak adapters, in this case obviously the JavaScript adapter, the client-side JavaScript adapter. All you have to do is create a new Keycloak object and then you can initialize this to load it. In this case we're saying check-sso to make the application automatically log in if you're already logged in.

OK, so let's move on to deploying this application. As I said we will use PHP, and of course again the source-to-image approach. We also want to go for the advanced options this time around as well. We'll just call it "app", and we have the application in the same repository but under a different context directory. Again we want to enable a secure route and we want to redirect insecure traffic. Now we want to declare the service URL; as we have the service open we can easily copy and paste the URL for it. We can also find this URL of course in the OpenShift console under the services. Then we want to put in the Keycloak URL, and again we can copy that directly from the Keycloak admin console as we know the URL from there. Now we can create this application and let's see, there we go, that's currently being built and again we'll take a sip of our beer, or tea in some cases. This is taking a little bit longer because I haven't loaded anything into this OpenShift instance; I had a completely clean OpenShift instance, so it has to download the images. Right, again it's complaining about the self-signed certificate and we'll ignore this. I can see that I was already logged in; that was because I was already logged into the administration console. So let's log out, and now you can see that I'm no longer logged in and I can log in, and I'm redirected to Keycloak and I can now log in with my admin password that I created before. Now I'm able to invoke the public endpoint and I'm also able to invoke the admin endpoint, however I'm not able to invoke the secured endpoint, and that's because the secured endpoint is being secured with a different role than the admin endpoint. So we can go back to Keycloak and we'll refresh this page because we're already logged in, and we will create this role, the user role, and then we also need to give the user this role as well. So we're going to find the user, we'll go to role mappings and we'll select the user role and add it to the user. So now if I refresh the page it will then re-authenticate the application and will now have both the admin and the user roles, so now we can invoke secured as well as admin as well as public.

Now while we are at it we can see how easy it is to add additional features to your application. So imagine that we want to have a "Remember Me" option. All we need to do is go to the admin console and then we can say remember me, and let's allow users to self register, and maybe we also want to add an identity provider. So let's say we want to add log in with GitHub. All we need to do is to go and create, sorry, we need to create a client in GitHub so that we're allowed to log in, and then we pass in the client ID and the client secret. I'm not going to show this in this particular demo, so I'll just pass in some fictitious values and I'll say OK. So now let's go back to our application and log out and try to log in again, and now we can see that we have the remember me option and we have the register option, and we are also able to log in with GitHub. As new users log in they won't actually get this user role that we created, or the admin role, because by default the users will not get any roles. So we can go into the admin console, we can go to the default roles and we can say that all new users should get the user role. So now we log out again, we log in and then we'll register a new user, and we're now logged in; we can see that we are the user. I'm now able to invoke the public, I'm able to invoke the secured, but I won't be able to invoke the admin endpoint, and at the same time this user won't have access to the admin console of course. That's it, thanks for watching, goodbye.
Info
Channel: Stian Thorgersen
Views: 3,737
Rating: 5 out of 5
Keywords: keycloak, openshift, node.js, html5, security, openid-connect, oauth2
Id: 9zUWqbK3BqI
Length: 16min 15sec (975 seconds)
Published: Thu May 31 2018