LiveOak Security

Auth

Powered by Keycloak

Auth resource

  • Starts embedded Keycloak instance during bootstrap
  • Keycloak running on Undertow server (localhost:8383 by default)
  • Creates "admin" realm and "default" realm including users, roles, application

Javascript SDK

  • Handles client-side of OAuth2 flow between HTML5 user application (client) and Keycloak (server)
  • sources in clients/javascript/src/main/javascript/auth/client.js

Example of JS code in HTML5 page

    <script src="/client/liveoak.js" type="text/javascript"></script>

    <script type="text/javascript">
        // clientSecret is delivered to every browser that loads this page, so it is effectively public
        var liveOak = LiveOak({
            auth: {
                clientId: 'test-app',
                clientSecret: 'password',
                onload: 'check-sso',
                success: authSuccess,
                error: authError
            }
        });

        liveOak.auth.init();
    </script>

  • Signed JWT access token available in "window.oauth.init"
  • Requests to LiveOak sent with Javascript SDK will contain header: Authorization: Bearer <access token>

Auth Example

Sources at https://github.com/liveoak-io/liveoak-examples/tree/master/auth

Request processing in LiveOak

SecurityContext

  • Part of LiveOak SPI. Accessible from RequestContext
  • Contract between authentication and authorization

SecurityContext interface

    import java.util.Set;

    public interface SecurityContext {
        String getSubject();          // identity of the caller; null when anonymous
        boolean isAuthenticated();    // false for guest (unauthenticated) requests
        Set<String> getRoles();       // roles granted to the subject
        boolean hasRole(String role); // convenience check against getRoles()
        String getRealm();            // Keycloak realm the subject belongs to
        long lastVerified();          // timestamp of the last credential verification
    }


Authz

Powered by Policies

Authz resource

delegates decision to one or more policies

Policies are invoked over REST (async)

A policy can include/exclude specific resources

Configuration example

    "policies": [
        {
            "policyName": "URIPolicy",
            "policyResourceEndpoint": "uriPolicy/authzCheck"
        },
        {
            "policyName": "ACLPolicy",
            "policyResourceEndpoint": "aclPolicy/authzCheck",
            "includedResourcePrefixes": [ "/storage" ]
        }
    ]


Policy Decisions

Accept

Reject

Ignore

Accepted if at least one accept and no rejects

Policies implementation

  • URIPolicy
    • Implementation based on Drools
    • Authorizes based on the request itself (URI, request parameters, request body)
  • ACLPolicy
    • Authorizes based on ACL properties attached to the resource

TodoMVC example

Sources at https://github.com/liveoak-io/liveoak-examples/tree/master/todomvc

  • Administrators can do anything
  • Normal "users" can CRUD just their own stuff
  • Guests can do nothing
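The following block is an added example (not LiveOak's own code) that models the authz resource as the slides describe it: the configuration above, each policy invoked asynchronously (a Promise stands in for the REST call to its policyResourceEndpoint), a policy with includedResourcePrefixes skipped for resources outside those prefixes, and the combination rule "accepted if at least one accept and no rejects", including the case where every policy answers Ignore. The two policy endpoints are constructed stand-ins: the URI policy decides from the request alone, and the ACL policy mirrors the TodoMVC rules (administrators can do anything, users only their own items, guests nothing). The request shape, the owner attribute, the exact matching of prefixes and the choice to fail closed on an unreachable endpoint are assumptions, not LiveOak behaviour documented on this page.

```javascript
// Added example, not LiveOak's code. Models policy selection by resource
// prefix, async invocation, and the ACCEPT/REJECT/IGNORE combination rule.
// Assumptions (not from the page): request shape { method, resourcePath,
// securityContext, resourceOwner }, the sample policies, fail-closed on errors.
const ACCEPT = 'ACCEPT';
const REJECT = 'REJECT';
const IGNORE = 'IGNORE';

// The configuration example from the page, as a JS object.
const authzConfig = {
  policies: [
    { policyName: 'URIPolicy', policyResourceEndpoint: 'uriPolicy/authzCheck' },
    {
      policyName: 'ACLPolicy',
      policyResourceEndpoint: 'aclPolicy/authzCheck',
      includedResourcePrefixes: ['/storage'],
    },
  ],
};

// Segment-aware prefix match: "/storage" covers "/storage" and
// "/storage/todos/1" but not "/storage-backup" (assumed semantics).
function policyApplies(policy, resourcePath) {
  const prefixes = policy.includedResourcePrefixes;
  if (!prefixes || prefixes.length === 0) return true; // no filter: applies everywhere
  return prefixes.some((prefix) => {
    const p = prefix.endsWith('/') ? prefix.slice(0, -1) : prefix;
    return resourcePath === p || resourcePath.startsWith(p + '/');
  });
}

// The combination rule from the slide: no REJECT, and at least one ACCEPT.
// All-IGNORE therefore means denied, not allowed.
function combine(decisions) {
  if (decisions.includes(REJECT)) return false;
  return decisions.includes(ACCEPT);
}

// Constructed stand-ins for the two policy endpoints.
const policyEndpoints = {
  // Decides from the request alone: static app pages are readable by anyone.
  'uriPolicy/authzCheck': async (req) =>
    (req.method === 'GET' && req.resourcePath.startsWith('/app/')) ? ACCEPT : IGNORE,
  // TodoMVC rules: guests nothing, admins anything, users their own items.
  'aclPolicy/authzCheck': async (req) => {
    const sc = req.securityContext;
    if (!sc.isAuthenticated()) return REJECT;
    if (sc.hasRole('admin')) return ACCEPT;
    return req.resourceOwner === sc.getSubject() ? ACCEPT : REJECT;
  },
};

// The authz resource: select applicable policies, ask them all, combine.
async function authorize(config, request, endpoints) {
  const applicable = config.policies.filter((p) => policyApplies(p, request.resourcePath));
  const decisions = await Promise.all(applicable.map(async (p) => {
    const invoke = endpoints[p.policyResourceEndpoint];
    if (!invoke) return REJECT; // unreachable policy: fail closed (assumption)
    try {
      return await invoke(request);
    } catch (e) {
      return REJECT;
    }
  }));
  return combine(decisions);
}

// Minimal SecurityContext stand-in for building sample requests.
function contextFor(subject, roles) {
  const granted = new Set(roles);
  return {
    getSubject: () => subject,
    isAuthenticated: () => subject !== null,
    getRoles: () => new Set(granted),
    hasRole: (role) => granted.has(role),
  };
}
```

Note the two quiet denials: an authenticated user requesting a resource outside every policy's scope gets only Ignore answers and is refused, and a resource under /storage is refused for guests because the ACL policy rejects even when the URI policy stays silent. When writing uri-policy-config.json and acl-policy-config.json, make sure every resource that should be reachable has at least one policy that can answer Accept for it.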

MAD - needed steps

  1. Configure the auth resource (Keycloak) by either:
    • Configuring the realm with predefined users, roles and application in keycloak-config.json
    • Logging in to the Keycloak admin console and creating the realm and all the necessary objects in it
  2. Configure policies and endpoints in authz-config.json (which resource should be subject to which policies)
  3. Configure policy rules in uri-policy-config.json and/or acl-policy-config.json
  4. Integrate your HTML5 application with the Javascript SDK