Add a guide for securing a wildfly application using Okta #2097
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fjuma
reviewed
Feb 21, 2024
| layout: post | ||
| title: 'Securing WildFly Applications Using Okta on OpenShift' | ||
| date: 2024-02-14 | ||
| tags: oidc OpenShift auth0 |
fjuma
reviewed
Feb 21, 2024
| --- | ||
| layout: post | ||
| title: 'Securing WildFly Applications Using Okta on OpenShift' | ||
| date: 2024-02-14 |
There was a problem hiding this comment.
Please adjust to today's date.
PrarthonaPaul
force-pushed
the
develop
branch
2 times, most recently
from
f3c6cba to
de5429c
Compare
fjuma
reviewed
Feb 21, 2024
There was a problem hiding this comment.
Thanks very much for the updates @PrarthonaPaul!
These are all very minor comments, looks great!
|
|
||
| == Example application | ||
|
|
||
| We will use a simple web application in this guide that consists of a single https://github.com/PrarthonaPaul/elytron-examples/blob/simple-webapp-okta/simple-webapp-okta/src/main/java/org/wildfly/security/examples/SecuredServlet.java[servlet]. We will use the https://github.com/wildfly-security-incubator/elytron-examples/tree/main/simple-webapp-okta[simple-webapp-okta] application in this repository. |
There was a problem hiding this comment.
Should update the elytron-examples URL to wildfly-security-incubator
| * Last name: *Smith* | ||
| * Email: *[email protected]* | ||
| * User Name: *[email protected]* | ||
| * From the dropdown list for _Password_, choose _Set by admin_ and set a password that fits the password requirements. |
There was a problem hiding this comment.
Password -> Password
Set by admin -> Set by admin
(I think bold stands out a bit more)
| * Email: *[email protected]* | ||
| * User Name: *[email protected]* | ||
| * From the dropdown list for _Password_, choose _Set by admin_ and set a password that fits the password requirements. | ||
| * Uncheck _User must change password on first login_ and hit `Save`. For more information about how to add a user manually https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-add-users.htm[click here]. |
There was a problem hiding this comment.
Same here, bold instead of italic would be good for:
User must change password on first login
Applications
simple-webapp-okta
Assignments
| * Name: *IDTClaim* | ||
| * Include in token type: *ID Token* and keep it at always. | ||
| * Value type: *Expression* | ||
| * Value: *appuser.userName* and hit `Save`. |
There was a problem hiding this comment.
Might be good to add a quick sentence here that says you'll be using this claim to get the username of the logged in user.
| replicas: 1 | ||
| env: | ||
| - name: OIDC_PROVIDER_URL | ||
| value: <okta_URL> <1> |
| Now we can access our application using the *Application Url* from the previous section. | ||
| Click on "Access Secured Servlet". | ||
|
|
||
| Now you will be redirected to the login page for Okta. Login using Alice. You will be prompted for the username. Although we set the username to be *[email protected]*, we can just input alice here. You will be presented with three options for loggin in. Choose `Password` and enter the password you selected for Alice. |
There was a problem hiding this comment.
Would be good to make Alice bold
There was a problem hiding this comment.
Should it be "Alice" or "alice"?
There was a problem hiding this comment.
fixed!
Should be alice as in the first part the email
|
|
||
| Now you will be redirected to the login page for Okta. Login using Alice. You will be prompted for the username. Although we set the username to be *[email protected]*, we can just input alice here. You will be presented with three options for loggin in. Choose `Password` and enter the password you selected for Alice. | ||
|
|
||
| Once you have entered the correct password, you will be prompted to perform 2 factor authentication using the Okta Verify mobile application. You can go ahead and follow the instructions to set it up and once you complete the 2 factor authentication, you will be redirected to the secured page. |
| Once you have entered the correct password, you will be prompted to perform 2 factor authentication using the Okta Verify mobile application. You can go ahead and follow the instructions to set it up and once you complete the 2 factor authentication, you will be redirected to the secured page. | ||
|
|
||
| == Summary | ||
| This guide demonstrates how to use an OpenID provider other than Keycloak to secure an application deployed to WildFly. There are other OpenID providers that can be used to secure WildFly applications as well. And while the specific terms may be slightly different, the overall process should be similar. Please refer to documentations by your OpenID provider for more information. |
There was a problem hiding this comment.
s/There are other OpenID providers that can be used to secure WildFly applications as well/ Other OpenID providers can be used to secure WildFly applications as well
|
|
||
| == Resources | ||
| * https://help.okta.com/oie/en-us/content/topics/identity-engine/oie-index.htm[Okta Documentation] | ||
| * https://docs.wildfly.org/30/wildscribe/subsystem/elytron-oidc-client/index.html[Elytron-oidc-client subsystem] |
| == Resources | ||
| * https://help.okta.com/oie/en-us/content/topics/identity-engine/oie-index.htm[Okta Documentation] | ||
| * https://docs.wildfly.org/30/wildscribe/subsystem/elytron-oidc-client/index.html[Elytron-oidc-client subsystem] | ||
| * https://docs.wildfly.org/30/Admin_Guide.html#Elytron_OIDC_Client[elytron-oidc-client docs] |
PrarthonaPaul
force-pushed
the
develop
branch
2 times, most recently
from
82b5996 to
a645256
Compare
|
Hi @fjuma |
fjuma
reviewed
Feb 21, 2024
|
|
||
| == Example application | ||
|
|
||
| We will use a simple web application in this guide that consists of a single https://github.com/wildfly-security-incubator/elytron-examples/blob/simple-webapp-okta/simple-webapp-okta/src/main/java/org/wildfly/security/examples/SecuredServlet.java[servlet]. We will use the https://github.com/wildfly-security-incubator/elytron-examples/tree/main/simple-webapp-okta[simple-webapp-okta] application in this repository. |
There was a problem hiding this comment.
The servlet link doesn't work, I think it should be:
fjuma
reviewed
Feb 21, 2024
| === Behind the scenes | ||
| While our application is building, let’s take a closer look at our application. | ||
|
|
||
| Examine the https://github.com/wildfly-security-incubator/elytron-examples/blob/simple-webapp-okta/simple-webapp-okta/pom.xml[pom.xml] file. Notice that it contains an openshift profile. A profile in Maven lets you create a set of configuration values to customize your application build for different environments. The openshift profile in this example defines a configuration that will be used by the WildFly Helm Chart when provisioning the WildFly server on OpenShift. |
There was a problem hiding this comment.
The pom.xml link doesn't work
fjuma
reviewed
Feb 21, 2024
| <2> *elytron-oidc-client* automatically adds the native OIDC client subsystem to our WildFly installation. | ||
|
|
||
|
|
||
| Now examine the https://github.com/wildfly-security-incubator/elytron-examples/blob/simple-webapp-okta/simple-webapp-okta/src/main/webapp/WEB-INF/web.xml[web.xml] file. |
There was a problem hiding this comment.
This link also doesn't seem to work
There was a problem hiding this comment.
I have updated the links to include the correct branch!
Tanks for noticing it.
PrarthonaPaul
force-pushed
the
develop
branch
from
a645256 to
40bd656
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue: wildfly/wildfly.org#508
Uses wildfly-security-incubator/elytron-examples#199
https://prarthonapaul.github.io/wildfly-elytron/blog/securing-wildfly-apps-okta-openshift/