Cloud Enablement / CLOUD-3209

[7.2.x-openjdk11] SSO_SECRET parameter should be required if configuring RH-SSO integration

    Details

      Description

      Today, when a user is configuring the RH-SSO integration with the EAP base images, if the SSO_SECRET parameter is not set, the keycloak subsystem will be created with an empty credential:

      <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
         <realm name="bsig">
            <!-- ##KEYCLOAK_PUBLIC_KEY## -->
            <auth-server-url>https://sso-cicd.192.168.99.100.nip.io/auth</auth-server-url>
            <register-node-at-startup>true</register-node-at-startup>
            <register-node-period>600</register-node-period>
            <ssl-required>external</ssl-required>
            <disable-trust-manager>true</disable-trust-manager>
            <!-- ##KEYCLOAK_TRUSTSTORE## -->
            <allow-any-hostname>false</allow-any-hostname>
         </realm>
         <secure-deployment name="ROOT.war">
            <realm>bsig</realm>
            <resource>root</resource>
            <auth-server-url>https://sso-cicd.192.168.99.100.nip.io/auth</auth-server-url>
            <enable-basic-auth>true</enable-basic-auth>
            <credential name="secret" />
            <enable-cors>false</enable-cors>
            <bearer-only>false</bearer-only>
            <principal-attribute>preferred_username</principal-attribute>
         </secure-deployment>
      </subsystem>
      <!-- ##KEYCLOAK_SAML_SUBSYSTEM## -->
      

      This will cause WARN messages like this:

      16:15:58,005 WARN  [org.keycloak.adapters.authentication.ClientIdAndSecretCredentialsProvider] (pool-25-thread-1) Client 'root' doesn't have secret available
      16:15:58,013 ERROR [org.keycloak.adapters.NodesRegistrationManagement] (pool-25-thread-1) failed to register node to keycloak
      16:15:58,013 ERROR [org.keycloak.adapters.NodesRegistrationManagement] (pool-25-thread-1) status from server: 400
      16:15:58,013 ERROR [org.keycloak.adapters.NodesRegistrationManagement] (pool-25-thread-1)    {"error":"unauthorized_client","error_description":"INVALID_CREDENTIALS: Invalid client credentials"}
      

      The integration will fail and the application will not authenticate against RH-SSO.

      We recommend logging an error message during the subsystem configuration alerting the user to set the SSO_SECRET parameter before creating a client with an empty credential.
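      The check described above, written as an added POSIX shell example (not the EAP image's own launch scripts). It assumes, as a hypothetical, that SSO_URL is the variable that triggers the RH-SSO configuration and that SSO_SECRET carries the client secret; it refuses to emit a <credential> element while the secret is empty, XML-escapes the secret it does emit, and includes a grep that detects an already-generated configuration carrying the empty credential shown in the description.

```shell
#!/bin/sh
# Added example, not code from the EAP image scripts.
# Assumptions (hypothetical): SSO_URL enables the RH-SSO integration,
# SSO_SECRET is the client secret written into <credential name="secret">.

# Escape the characters that would break the XML element if the secret
# contains them.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Exit status: 0 = integration requested and secret present,
#              1 = integration requested but SSO_SECRET empty (error logged),
#              2 = integration not requested (SSO_URL unset).
check_sso_secret() {
  if [ -z "${SSO_URL}" ]; then
    return 2
  fi
  if [ -z "${SSO_SECRET}" ]; then
    echo "ERROR: SSO_URL is set but SSO_SECRET is empty; the keycloak client would be registered with an empty credential and node registration would fail with 'unauthorized_client'. Set SSO_SECRET to the client secret from the RH-SSO realm." >&2
    return 1
  fi
  return 0
}

# Render the <credential> element only after the secret is known to be non-empty.
# Propagates the status of check_sso_secret so the caller can abort configuration.
render_credential() {
  check_sso_secret || return $?
  printf '<credential name="secret">%s</credential>\n' "$(xml_escape "${SSO_SECRET}")"
}

# Post-hoc check on a generated standalone-openshift.xml (read from stdin):
# succeeds if the keycloak subsystem carries an empty secret credential,
# i.e. the <credential name="secret" /> form quoted in this issue.
has_empty_credential() {
  grep -Eq '<credential name="secret"[[:space:]]*/>|<credential name="secret">[[:space:]]*</credential>'
}
```

      Usage: source the file in the launch script and call render_credential where the secure-deployment block is assembled; a non-zero return means the secret is missing and the subsystem should not be written. The grep can be run against an existing server configuration (for example, `has_empty_credential < standalone-openshift.xml`) to find deployments that were already generated with the empty credential.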

                People

                • Assignee: Ricardo Zanini Fernandes (zanini)
                • Reporter: Ricardo Zanini Fernandes (zanini)
                • Involved: Ken Wills