I am attempting to use the JBOSS EAP Client adapter as a Relying Party to the CA Single Sign-On OpenID Connect Provider.
I have followed instructions found at Configure CA Single Sign-On as OpenID Connect Provider - CA Single Sign-On - 12.7 - CA Technologies Documentation to configure the provider side.
I used a URL similar to https://fed.mydomain.com/affwebservices/realms/JDBCRealm/protocol/openid-connect/auth for the authentication URL.
I deselected Use Secure Authentication URL and changed the authentication URL to match the structure of the Keycloak client redirection.
I had to add a servlet mapping in the "/app/CA/secure-proxy/Tomcat/webapps/affwebservices/WEB-INF/web.xml" file to comply with the inflexibility of the Keycloak/Red Hat OpenID Connect Client adapter:
<servlet-mapping>
    <servlet-name>openidconnect-authorize</servlet-name>
    <url-pattern>/realms/JDBCRealm/protocol/openid-connect/auth/*</url-pattern>
</servlet-mapping>
I believe that this creates a virtual path.
I created a realm that uses the Resource Filter /affwebservices/realms/JDBCRealm/protocol/openid-connect/ to protect the various endpoint URLs that the Keycloak client redirects to, such as:
.../realms/JDBCRealm/protocol/openid-connect/auth/
.../realms/JDBCRealm/protocol/openid-connect/token/
.../realms/JDBCRealm/protocol/openid-connect/userinfo/
.../realms/JDBCRealm/protocol/openid-connect/logout/
.../realms/JDBCRealm/protocol/openid-connect/certs/
I created a client using the CA SSO Administrative UI disabling user Consent and specifying the Application Type: Confidential and Authentication Type: Basic. The Redirect URI specified is the exact same URI that the user begins with when they start a session.
I referenced the instructions found at Chapter 2. OpenID Connect - Red Hat Customer Portal under "Securing WARs via Adapter Subsystem" to configure the client side.
The client builds the redirection URI from the <realm> and <auth-server-url> parameters under the urn:jboss:domain:keycloak:1.1 subsystem in the standalone.xml for the JBOSS instance. The <resource> parameter is taken from the client ID produced when creating the client from the Provider side using the CA SSO Administrative UI.
The resulting redirect uri looks like https://fed.mydomain.com/affwebservices/realms/JDBCRealm/protocol/openid-connect/auth
This configuration does not work yet. When I access the client, I am redirected, but it looks like a GET rather than a POST (I have X'd out the redirect URI). I am redirected back to the redirect_uri, but I am not prompted for a username and password:
GET /affwebservices/realms/JDBCRealm/protocol/openid-connect/auth?response_type=code&client_id=0003804e-57aa-1a90-b5eb-9ae8ac147b7f&redirect_uri=https%3A%2F%2FXXX.XX.XX.XX%3A8443%2Fbot%2F&state=73d26f4f-5e88-478c-bb04-c0b1926353ac&login=true&scope=openid HTTP/1.1
Should the OpenID Connect Authorization Provider using BASIC authentication be able to respond to a GET? How do I test my Provider independent of the client?
Thanks
Doyle
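The request line quoted in the post can be checked on its own, without either the EAP adapter or the CA SSO server, which is a useful first step when a redirect loop gives no login prompt. The following is an added example and not code from the post, from Red Hat, or from CA: it reconstructs the authorization endpoint the way the Keycloak adapter derives it from <auth-server-url> and <realm>, parses the GET shown above, and checks it against the requirements of OpenID Connect Core for the authorization code flow (an authorization endpoint must accept both GET and POST; response_type, client_id, redirect_uri and a scope containing "openid" are required; redirect_uri must match a registered value exactly; state should be present as CSRF protection). The sample request line is constructed from the post, the X'd-out host is the poster's own placeholder, and the registered redirect URIs passed to the checker are assumptions for the sake of the example.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed sample: the authorization request quoted in the post.
# The host inside redirect_uri is the poster's own X'd-out placeholder.
SAMPLE_REQUEST_LINE = (
    "GET /affwebservices/realms/JDBCRealm/protocol/openid-connect/auth"
    "?response_type=code&client_id=0003804e-57aa-1a90-b5eb-9ae8ac147b7f"
    "&redirect_uri=https%3A%2F%2FXXX.XX.XX.XX%3A8443%2Fbot%2F"
    "&state=73d26f4f-5e88-478c-bb04-c0b1926353ac&login=true&scope=openid HTTP/1.1"
)


def keycloak_auth_endpoint(auth_server_url: str, realm: str) -> str:
    """Authorization endpoint as the Keycloak/EAP adapter derives it from
    <auth-server-url> and <realm>: {auth-server-url}/realms/{realm}/protocol/openid-connect/auth."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/auth"


def build_auth_request(endpoint: str, client_id: str, redirect_uri: str,
                       state: str, scope: str = "openid") -> str:
    """Build a code-flow authorization URL that can be opened in a browser or
    fetched with curl to exercise the provider without the client adapter."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # urlencode percent-encodes this value
        "state": state,
        "scope": scope,
    }
    return f"{endpoint}?{urlencode(params)}"


def parse_request_line(line: str):
    """Split an HTTP request line into (method, path, decoded query parameters)."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    # parse_qs percent-decodes values; take the first value of each parameter
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return method, parts.path, params


def check_auth_request(method: str, params: dict, registered_redirect_uris) -> list:
    """Return a list of problems with an authorization request (empty list = OK).

    Checks follow OpenID Connect Core 1.0, section 3.1.2.1 (authorization request)
    and the exact-match rule for redirect_uri."""
    problems = []
    # The authorization endpoint MUST support both GET and POST, so a GET
    # from the adapter is not by itself a fault.
    if method not in ("GET", "POST"):
        problems.append(f"method {method} is not GET or POST")
    for required in ("response_type", "client_id", "redirect_uri", "scope"):
        if required not in params:
            problems.append(f"missing required parameter {required}")
    if params.get("response_type") != "code":
        problems.append("response_type must be 'code' for the authorization code flow")
    if "openid" not in params.get("scope", "").split():
        problems.append("scope must include 'openid'")
    if params.get("redirect_uri") not in registered_redirect_uris:
        problems.append("redirect_uri does not exactly match a registered redirect URI")
    if not params.get("state"):
        problems.append("state is missing (needed to tie the callback to the session)")
    return problems


if __name__ == "__main__":
    method, path, params = parse_request_line(SAMPLE_REQUEST_LINE)
    # Assumed registered value: what the client was created with in the CA SSO UI.
    registered = ["https://XXX.XX.XX.XX:8443/bot/"]
    for p in check_auth_request(method, params, registered) or ["request looks well-formed"]:
        print(p)
    print(build_auth_request(
        keycloak_auth_endpoint("https://fed.mydomain.com/affwebservices", "JDBCRealm"),
        params["client_id"], registered[0], "test-state-placeholder"))
```

Running the script against the quoted request reports it as well-formed, which narrows the problem to the provider side (the protected-resource realm, the client's authentication type, or the mapping of the virtual /auth path) rather than to what the adapter sends; the URL printed last is the one to paste into a browser or curl to exercise the provider on its own. A trailing-slash mismatch between the registered and requested redirect_uri is the single most common reason a provider bounces a request without ever showing a login page, so the checker deliberately applies exact matching.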