sso.adoc

Use a SSO server to secure microservices

Keycloak is an open source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code.

Users authenticate with Keycloak rather than individual applications. This means that your applications don’t have to deal with login forms, authenticating users, and storing users. Once logged-in to Keycloak, users don’t have to login again to access a different application.

This also applied to logout. Keycloak provides single-sign out, which means users only have to logout once to be logged-out of all applications that use Keycloak.

Create a project for the SSO

$ oc new-project sso

Deploy a custom Keycloak instance

$ git clone https://github.com/redhat-helloworld-msa/sso
$ cd sso/
$ oc new-build --binary --name keycloak
$ oc start-build keycloak --from-dir=. --follow
$ oc new-app keycloak
$ oc expose svc/keycloak

(Optional) Enable Readiness probe

$ oc set probe dc/keycloak --readiness --get-url=http://:8080/auth

Specify the OpenShift domain

$ oc set env dc/keycloak OS_SUBDOMAIN=<OPENSHIFT-DOMAIN>

#Using CDK3
$ oc set env dc/keycloak OS_SUBDOMAIN=app.$(minishift ip).nip.io

#Example: OS_SUBDOMAIN=app.192.168.64.11.nip.io
$ oc set env dc/keycloak OS_SUBDOMAIN=app.192.168.64.11.nip.io

Tell microservices where to find the Keycloak server

$ oc project helloworld-msa

# Using CDK3
$ oc set env dc KEYCLOAK_AUTH_SERVER_URL=http://keycloak-sso.`minishift ip`.nip.io/auth -l app

# Example: OS_SUBDOMAIN=192.168.64.11.nip.io
$ oc set env dc KEYCLOAK_AUTH_SERVER_URL=http://keycloak-sso.192.168.64.11.nip.io/auth -l app

$ oc set env dc/frontend ENABLE_SSO=true