8.3. Third-Party Client Authentication through RH-SSO

To use the different remote services provided by Red Hat JBoss BRMS or by a Realtime Decision Server, your client must be authenticated on the RH-SSO server and hold a valid token to perform the requests. To use the remote services, the authenticated user must have the following roles assigned:

  • rest-all: For using the Business Central remote services

    Note

    The user specified in the org.kie.server.controller.user property must have the rest-all role.

  • kie-server: For using the Realtime Decision Server remote services

Use the RH-SSO Administrator Console to create these roles and assign them to the users that will consume the remote services.

To achieve third-party client authentication through RH-SSO, you can choose between one of these options:

  • Basic authentication (if the application’s client supports it)
  • Token-based authentication

8.3.1. Basic Authentication

If you have enabled basic authentication in the RH-SSO client adapter configuration for both Business Central and the Realtime Decision Server, you can skip the token grant/refresh calls and call the services as shown in the examples below:

  • For the web-based remote repositories endpoint:

    curl http://admin:password@localhost:8080/business-central/rest/repositories

  • For the Realtime Decision Server:

    curl http://admin:password@localhost:8080/kie-server/services/rest/server/

8.3.2. Token-Based Authentication

If you want a more secure authentication option, you can consume the remote services of both Business Central and the Realtime Decision Server using a token granted through a new RH-SSO client.

Procedure: Obtaining and Using Token for Authorizing Remote Calls

  1. Click the Clients tab in the main admin console menu and click Create to create a new client.

    The Add Client page opens.

  2. On the Add Client page, provide the required information to create a new client for your realm. For example:

    • Client ID: kie-remote
    • Client protocol: openid-connect
  3. Click Save to save your changes.

    When you create a new client, its Access Type is public by default. Change it to confidential.

  4. Set the token lifespan in Realm Settings:

    1. On the RH-SSO admin console, click the Realm Settings tab.
    2. Click the Tokens tab.
    3. Change the value of Access Token Lifespan to 15 minutes.

      This gives you enough time to obtain a token and invoke the service before it expires.

    4. Click Save to save your changes.
  5. Once a public client for your remote clients is created, obtain the token by making an HTTP request to the RH-SSO server’s token endpoint:

    RESULT=$(curl --data "grant_type=password&client_id=kie-remote&username=admin&password=password" http://localhost:8180/auth/realms/demo/protocol/openid-connect/token)

  6. To extract the access token from the response, use the following command:

    TOKEN=$(echo "$RESULT" | sed 's/.*access_token":"//g' | sed 's/".*//g')

You can now use this token to authorize the remote calls. For example, if you want to check the internal Red Hat JBoss BRMS repositories, use the token as shown below:

curl -H "Authorization: bearer $TOKEN" http://localhost:8080/business-central/rest/repositories
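The complete token flow of steps 5 and 6 and the final authorized call, written as an added POSIX shell example; this is not code from the Red Hat documentation. It keeps the page's hosts, realm (demo) and client ID (kie-remote). The `client_secret` form parameter (used when the client's Access Type is confidential, with the secret taken from the client's Credentials tab) and the sample JSON token response are assumptions made for this example; the response is constructed, not captured from a server. Unlike the page's two-`sed` pipeline, the parsing here does not depend on `access_token` being the first field in the response, and it checks `expires_in` so a call is not attempted with a token about to expire.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation.

# Extract one top-level JSON string field (e.g. "access_token") from the token
# response, wherever it appears in the object. $1 = JSON text, $2 = field name.
json_string_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Extract one numeric field (e.g. "expires_in"). $1 = JSON text, $2 = field name.
json_number_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"
}

# Succeed only when the token still has at least $2 seconds of lifetime. The page
# sets Access Token Lifespan to 15 minutes (900 s); a remote call should fit inside it.
token_lifespan_ok() {
  lifespan=$(json_number_field "$1" expires_in)
  [ -n "$lifespan" ] && [ "$lifespan" -ge "$2" ]
}

# Build the Authorization header value for a bearer token.
bearer_header() {
  printf 'Authorization: Bearer %s' "$1"
}

# Request a token with the resource-owner password grant (step 5 of the page).
# $1 = SSO base URL, $2 = realm, $3 = username, $4 = password, [$5 = client secret].
# --data-urlencode keeps passwords containing '&' or '=' from corrupting the form body.
# Assumption: a confidential client also sends client_secret in the form body.
request_token() {
  sso_url=$1; realm=$2; user=$3; pass=$4; secret=${5:-}
  set -- --silent --show-error \
    --data-urlencode "grant_type=password" \
    --data-urlencode "client_id=kie-remote" \
    --data-urlencode "username=$user" \
    --data-urlencode "password=$pass"
  if [ -n "$secret" ]; then
    set -- "$@" --data-urlencode "client_secret=$secret"
  fi
  curl "$@" "$sso_url/auth/realms/$realm/protocol/openid-connect/token"
}

# Constructed sample response (not captured from a real RH-SSO server) used to
# exercise the parsing functions offline.
SAMPLE_RESPONSE='{"token_type":"bearer","expires_in":900,"refresh_expires_in":1800,"access_token":"eyJhbGciOi.EXAMPLE.sig","scope":"profile"}'

# End-to-end flow against a live server; call live_demo manually when RH-SSO and
# Business Central are running on the page's ports.
live_demo() {
  response=$(request_token http://localhost:8180 demo admin password) || return 1
  token=$(json_string_field "$response" access_token)
  if [ -z "$token" ]; then
    echo "no access_token in response: $response" >&2
    return 1
  fi
  if ! token_lifespan_ok "$response" 60; then
    echo "token lifetime too short, request a fresh one" >&2
    return 1
  fi
  curl --silent --show-error -H "$(bearer_header "$token")" \
    http://localhost:8080/business-central/rest/repositories
}
```

Run `live_demo` from a shell that has sourced the file; the parsing and lifespan functions work on any RH-SSO token response, so the same helpers serve the Realtime Decision Server endpoint by changing only the URL in the final `curl`.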