sso.adoc

Use an SSO server to secure microservices

Keycloak is an open source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code.

Users authenticate with Keycloak rather than with individual applications. This means that your applications don't have to deal with login forms, authenticating users, or storing users. Once logged in to Keycloak, users don't have to log in again to access a different application.

This also applies to logout. Keycloak provides single sign-out, which means users only have to log out once to be logged out of all applications that use Keycloak.

Create a project for the SSO

$ oc new-project sso

Deploy a custom Keycloak instance

$ git clone https://github.com/redhat-helloworld-msa/sso
$ cd sso/
$ oc new-build --binary --name keycloak
$ oc start-build keycloak --from-dir=. --follow
$ oc new-app keycloak
$ oc expose svc/keycloak

(Optional) Enable the readiness probe

$ oc set probe dc/keycloak --readiness --get-url=http://:8080/auth

Tell microservices where to find the Keycloak server

$ oc project helloworld-msa
$ oc env dc/hola     KEYCLOAK_AUTH_SERVER_URL=http://keycloak-sso.rhel-cdk.10.1.2.2.xip.io/auth
$ oc env dc/aloha    KEYCLOAK_AUTH_SERVER_URL=http://keycloak-sso.rhel-cdk.10.1.2.2.xip.io/auth
$ oc env dc/ola      KEYCLOAK_AUTH_SERVER_URL=http://keycloak-sso.rhel-cdk.10.1.2.2.xip.io/auth
$ oc env dc/bonjour  KEYCLOAK_AUTH_SERVER_URL=http://keycloak-sso.rhel-cdk.10.1.2.2.xip.io/auth
$ oc env dc/frontend ENABLE_SSO=true KEYCLOAK_AUTH_SERVER_URL=http://keycloak-sso.rhel-cdk.10.1.2.2.xip.io/auth
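
A check that the settings above landed consistently on every service, as an added example that is not part of the original repository. It assumes the variables have been collected into `<dc-name> <VAR>=<value>` lines (for instance from `oc env dc/<name> --list`, with the service name prefixed); the function name, the finding labels and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the SSO environment settings applied in the steps above.
# Input: one "<dc-name> <VAR>=<value>" line per variable (assumed format, built
# by prefixing each service's variable listing with the service name).
SERVICES="hola aloha ola bonjour frontend"

audit_sso_env() {
  printf '%s\n' "$1" | awk -v services="$SERVICES" '
    {
      eq = index($2, "=")            # split VAR=value at the first "="
      if (eq == 0) next
      key = substr($2, 1, eq - 1); val = substr($2, eq + 1)
      if (key == "KEYCLOAK_AUTH_SERVER_URL") url[$1] = val
      if (key == "ENABLE_SSO") sso[$1] = val
    }
    END {
      n = split(services, svc, " ")
      for (i = 1; i <= n; i++) {
        s = svc[i]
        if (!(s in url)) { print "MISSING " s ": KEYCLOAK_AUTH_SERVER_URL not set"; continue }
        # Logins are redirected to this URL, so plain http is worth flagging.
        if (url[s] !~ /^https:\/\//) print "PLAINTEXT " s ": " url[s]
        # Every service must point at the same Keycloak server.
        if (ref == "") ref = url[s]
        else if (url[s] != ref) print "MISMATCH " s ": " url[s] " differs from " ref
      }
      if (sso["frontend"] != "true") print "DISABLED frontend: ENABLE_SSO is not true"
    }'
}

# Constructed sample: bonjour was skipped and ola points at a different host.
SAMPLE='hola KEYCLOAK_AUTH_SERVER_URL=http://keycloak-sso.rhel-cdk.10.1.2.2.xip.io/auth
aloha KEYCLOAK_AUTH_SERVER_URL=http://keycloak-sso.rhel-cdk.10.1.2.2.xip.io/auth
ola KEYCLOAK_AUTH_SERVER_URL=https://keycloak.example.test/auth
frontend ENABLE_SSO=true
frontend KEYCLOAK_AUTH_SERVER_URL=http://keycloak-sso.rhel-cdk.10.1.2.2.xip.io/auth'

audit_sso_env "$SAMPLE"
```

An empty result means all five services are configured, agree on one HTTPS Keycloak URL, and the frontend has SSO switched on.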