This repository has been archived by the owner on May 29, 2024. It is now read-only.

Mission: Secured HTTP API

Zach Rhoads edited this page Jul 7, 2017 · 30 revisions

Secured HTTP API

A user of a collection of REST services holds credentials that, together with a client ID and client secret, can be exchanged for a token granting access to the services. The returned token conforms to the MicroProfile MP-0005 JWT RBAC proposal, for which Keycloak is the reference implementation.

User Problem

A REST service should be secured using Red Hat Single Sign-On (RH SSO) and accessible with JWT-formatted bearer tokens that authorize user access on a per-resource basis. Both a web-based UI and a client of the services obtain a token by authenticating to the RH SSO server using what OAuth2 calls the Resource Owner Password Credentials Grant.

Concepts and Architectural Patterns

  • OAuth2

  • Single Sign-on

  • JWT bearer tokens


The redhat-sso server needs to be deployed following the instructions in any of the secured REST application sso project subfolders. The deployment includes a master realm with a user "alice" whose password is the value password, a client with a client secret, and role mappings sufficient to access the desired endpoints. The services are deployed with the RH SSO adapter configured to accept only appropriately signed bearer tokens issued by the RH SSO server.

Use Case

Web-based UI

A user navigates to the index.html page of the secured booster. On this page, a user can:

  • Submit a GET request to the secured booster with their current token (if they have one).

  • Link to log in to the RH SSO server and obtain a token (for use in accessing the secured booster)

  • Link to log out of the RH SSO server.

Client Application

Using a command-line Java client, a user makes a POST request, which must be over HTTPS, to the RH SSO server token endpoint (SSO_AUTH_SERVER_URL) and supplies the following form fields in the body using application/x-www-form-urlencoded encoding:

  • username

  • password

  • client_id

  • client_secret

  • grant_type=password

A JSON Web Token (JWT) bearer access token is returned. The token carries an expiration (exp) beyond which it must be refreshed or replaced; the token lifetime is configured in the RH SSO server. The user then makes requests to the REST services with an "Authorization: Bearer <token>" header. The service authenticates and authorizes the request by validating the token (signature, issuer and expiry) and checking the roles it carries.
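The exchange and the checks described above, as an added example in Python (this is not the booster's Java client nor the RH SSO adapter). It builds the Resource Owner Password Credentials request body, then shows the validation a resource server performs on the bearer token and how that maps to the 200/401/403 results listed under Acceptance Criteria. RH SSO signs tokens with RS256 using the realm key pair; a constructed HS256 key stands in here so the block runs offline. The issuer URL, the Keycloak-style token endpoint path, REALM_SIGNING_KEY, mint_token, validate_token and authorize are all assumptions made for this example.

```python
"""ROPC token request plus bearer-token validation (added example, not project code).

Stand-in: a constructed HS256 key replaces the realm's RS256 key pair so the
block runs offline. Names below (ISSUER, REALM_SIGNING_KEY, ...) are assumed.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

REALM_SIGNING_KEY = b"constructed-demo-key"             # constructed; RH SSO uses an RSA key
ISSUER = "https://sso.example.com/auth/realms/master"   # assumed realm URL
TOKEN_PATH = "/protocol/openid-connect/token"           # Keycloak-style token endpoint path


def ropc_token_request(username, password, client_id, client_secret):
    """Body for POST {SSO_AUTH_SERVER_URL}/protocol/openid-connect/token
    (application/x-www-form-urlencoded, RFC 6749 section 4.3.2)."""
    return urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def mint_token(sub, roles, ttl, now=None):
    """Sign a token shaped like an RH SSO access token (roles under realm_access)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": sub, "iat": now, "exp": now + ttl,
               "realm_access": {"roles": list(roles)}}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(REALM_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token, now=None):
    """Return the claims if algorithm, signature, issuer and expiry all check out;
    raise ValueError otherwise. This is the work the RH SSO adapter does before
    the service code ever sees the request."""
    now = int(time.time()) if now is None else now
    try:
        h_seg, p_seg, s_seg = token.split(".")
        header = json.loads(_b64url_decode(h_seg))
        claims = json.loads(_b64url_decode(p_seg))
        sig = _b64url_decode(s_seg)
    except ValueError as exc:                      # covers binascii.Error and JSONDecodeError
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":               # pin the algorithm; never accept alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(REALM_SIGNING_KEY, f"{h_seg}.{p_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):     # verify before trusting any claim
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def authorize(authorization_header, required_role, now=None):
    """HTTP status the secured endpoint should answer with for this request."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401                                 # no usable credentials: unauthenticated
    try:
        claims = validate_token(authorization_header[len("Bearer "):], now)
    except ValueError:
        return 401                                 # token present but not acceptable
    roles = claims.get("realm_access", {}).get("roles", [])
    return 200 if required_role in roles else 403  # authenticated, but not permitted
```

The form body goes over HTTPS only: it carries the user's password and the client secret in the clear at the HTTP layer. The authorize function shows why a forged or expired token yields 401 rather than 403: the request is not authenticated at all until the signature and expiry check pass, and only then do the role claims decide between 200 and 403.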

Acceptance Criteria

The redhat-sso server needs to be deployed following the instructions in any of the secured REST application sso subproject folders. This project includes a Java client that is used to access the secured applications.

  • a 200 return code with a JSON payload indicates success

  • a 401 return code is returned for unauthenticated access (no token, or a token that fails validation)

  • a 403 return code is returned for unauthorized access (a valid token whose roles do not permit the resource)

More specifically:

java -jar target/sso-client.jar -app <APP>

where <APP> is one of the following: secured-springboot-rest, secured-swarm-rest, secured-vertx-rest

A greeting with the name "World!" is returned as a JSON object containing an id and content: {"id": 1, "content": "Hello, World!", …​} The id value should increment by 1 on each request.

200 - OK with the JSON payload

java -jar target/sso-client.jar -app <APP> --from myname

A greeting with the name myname is returned as a JSON object containing an id and content: {"id": 1, "content": "Hello, myname!", …​} The id value should increment by 1 on each request.

200 - OK with the JSON payload

java -jar target/sso-client.jar -app <APP> --user admin --password admin

A valid user with insufficient permissions (authenticated, but lacking the required role) is rejected with a forbidden exception.

403 - Forbidden

java -jar target/sso-client.jar -app <APP> --user bad

An invalid user (one for whom no valid token can be obtained) is rejected with a 'not authorized' exception.

401 - Unauthorized

Vert.x-specific Acceptance Criteria

java -jar target/sso-client.jar --app secured-vertx-rest …​ produces a 200 result with the expected JSON payload.

Swarm-specific Acceptance Criteria

java -jar target/sso-client.jar --app secured-swarm-rest …​ produces a 200 result with the expected JSON payload.

Spring Boot-specific Acceptance Criteria

java -jar target/sso-client.jar --app secured-springboot-rest …​ produces a 200 result with the expected JSON payload.

Integration Requirements




Coordination Owner

Scott Stark


WildFly Swarm

Spring Boot