Liberty olo with rh sso #3390

Open
wants to merge 14 commits into
base: staging

rumanaHaque

Pull request to get the blog content into staging. Please let me know of any comments and/or updates. Thanks.

Member

GraceJansen left a comment

Initial thoughts after first review

// change the "IMAGE CAPTION" to a couple words of what the image is
// // // // // // // //

Do you want to secure your Open Liberty Application deployed using Open Liberty Operator using OIDC?

Member

This feels a little sudden and out of the blue. I don't think it's needed, as the paragraph underneath provides a better introduction. I would remove this sentence.


Do you want to secure your Open Liberty Application deployed using Open Liberty Operator using OIDC?

Security is paramount in today's world, and it is important to ensure your cloud applications are protected. A common way to do that is to configure Single Sign On for your application such as GitHub, Google, Facebook or OpenID Connect (OIDC). This blog will show you step by step how to configure your Liberty application deployed in OpenShift to use a specific type of OIDC - RedHat Single SignOn (RH-SSO). Liberty application will be deployed using the Open Liberty Operator (OLO) in OpenShift, with special configuration to be able to connect to RH-SSO. Configure the RH-SSO to create a client specifically for your liberty application. Once configuration is complete, when you login to your application, you will first be re-directed to RH-SSO, and once you authenticate successfully, it will redirect you back to your application.

Member

Would be nice in this section, after the second sentence, to touch upon why single sign on is useful or why it's a common way to sign on? Why do people choose it? I.e. why would the reader want to do it and therefore want to read this blog?

Member

Before the 3rd sentence about what this blog will teach, it would also be nice to have an intro as to what RH-SSO is and why people may choose to use it or want to use it. This, combined with the suggested sentence about why SSO is good, would together provide a solid foundation/introduction as to why a reader would need or want this blog, or why they'd want to do what we're suggesting in this blog. This feels missing at the moment.

Member

I would perhaps suggest splitting this paragraph in two, at the point where we start to describe what this blog will show. The first part of the paragraph needs more introduction to some of the technologies this blog covers, which will make it longer. Then the second part would be easier to read as its own paragraph which states out exactly what we're teaching in this blog (almost like a prose version of a contents list).

@@ -0,0 +1,394 @@
---
layout: post
title: "TITLE"
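
Review bot: `title: "TITLE"` in the front matter is still the template placeholder; replace it with the post's actual title before this goes to staging.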

Member

Need to change file name, to affect date of publication.


== Set up the example application project from Social Media Guide

Before we get into the details of configuring Security, we will first set up an example app. For this example, we will have a look at the application used in the Open Liberty guide - link:/guides/social-media-login.html[Authenticating users through social media providers]

Member

Perhaps suggest changing this paragraph slightly to something like:
"Before we get into the details of configuring Security, we first need to set up an example application to apply this security to. For this example, we will use the application provided in the Open Liberty guide -..."


//https://openliberty.io/guides/social-media-login.html

However, instead of using GitHub to authenticate as shown in the guide above, we will first deploy this application, and use OIDC using RH-SSO to authenticate.

Member

I think this paragraph could perhaps be a little confusing for anyone who has not read the guide and knows that this other guide uses GitHub for SSO. I was expecting readers to simply go to the github project, clone the repo and use the app but not to read the guide's instructions, so I'm not sure if this is needed? If it is, perhaps it could be rephrased to something like:
"In the Authenticating users through social media providers guide, GitHub is used for application authentication through the Open Liberty Social Media Login feature. However, in this blog, instead of directly using social platforms to directly authenticate with our application, we will use OIDC through RH-SSO."


Since we have already deployed the guide-social-media-login app using the Open Liberty operator, we can now complete the registration for the openid client.

Use this url - https://keycloak-rh-sso.apps.<cluster-name>/auth/admin/master/console/

Member

Why? what does this URL allow us to access? Not clear, don't know why I'm doing this step.

Use this url - https://keycloak-rh-sso.apps.<cluster-name>/auth/admin/master/console/
using credentials from the secret - credential-example-keycloak

Click on Create to create a new client, with clientId as `gsmapp`. (The same value that you put in the secret created called `guide-social-media-login-olapp-sso`).
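
Review bot: The console URL in the first line of this step opens the `master` realm, and the "Click on Create" line creates the `gsmapp` client without naming a realm; state which realm the client is created in. It would also help to show how to read the username and password from the `credential-example-keycloak` secret and to say that these are the administrator credentials for the RH-SSO instance, used here only for this setup step.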

Member

Feels again like abstract instructions. Can these different paragraphs be linked more together and have more prose to explain how I get from one to the other and why?
(e.g. "Now that we have used the credentials, we can now create a new client to enable this authentication" --> not sure if that's accurate, just wanted to give an example of the sort of thing I meant by this comment).


Enter the URL for Valid Redirect URIs. In the scenario with 'oidcLogin', the URL will be https://<app-name>-<namespace>.apps.<cluster-name>/ibm/api/social-login/redirect/oidc

For my test, I put in this value
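
Review bot: In the Valid Redirect URIs step, say that the callback URL ending in `/ibm/api/social-login/redirect/oidc` should be entered in full, matching the route host of the deployed application, rather than as a wildcard pattern. RH-SSO only sends the login response to a registered redirect URI, so an exact entry keeps that response going to this application's callback and nowhere else.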

Member

First time you've used "my" and it jars with the rest of the tenses used in this article. Also, what test? what are we testing? why? This seems disjointed from the rest of the instructions.

== Running the application, and logging in using OIDC


Since all the configuration is complete, you are ready to run the application now.

Member

Could make this more engaging to audience as it's a lot of instructions they've just followed and has probably taken quite a bit of time. Maybe something more like: "Congratulations! You've now completed all the required configuration. Now, you're ready to run the application. To do this...."

image::img/blog/rh_social_media_login.png[Social Media Login,width=50%,align="center"]


Since I have already created the RH-SSO client for this application, when I click on the "Log In" button for this app, it will redirect me to the RH-SSO client, as shown below.

Member

Use of I again, doesn't work with tenses used within rest of blog. Also isn't engaging for readers.

Member

This seems to be the crux of the whole article (i.e. what we've been trying to achieve this whole time), but it feels like a throwaway side comment with the short length. I think this section should have more prose and more impact.

@GraceJansen
Member

Target to complete this now end of Feb 2024

Member

GraceJansen left a comment

Hi Rumana, tried to get through as much of this as I could today but have run out of time. Wanted to send what I've reviewed over to you so far so you can take a look at it and then I can always review more after.

posts/2023-08-23-liberty-olo-rh-sso.adoc (Outdated)


Security is paramount in today's world, and it is important to ensure your cloud applications are protected. A common way to do that is to configure Single Sign On for your application such as GitHub, Google, Facebook or OpenID Connect (OIDC). Single Sign-On (SSO) is a mechanism that allows users to authenticate themselves once and gain access to multiple applications or systems without the need to re-enter their credentials every time. This improves productivity by reducing the number of times you have to sign in. At the same time SSO reduces the reduces the number of attack surfaces because users only log in once each day and only use one set of credentials. Also, by using Oauth, you are protecting the user credentials by storing a tokem, and not the credentials in local storage, filesystem or cookies.
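
Review bot: The last two sentences of this paragraph need a fix: "SSO reduces the reduces the number" repeats a phrase, "tokem" should be "token", and "Oauth" should be "OAuth". The final sentence can also be read as saying the token is kept in local storage, the filesystem or cookies; reword it so it is clear what is stored and where. Since the post configures OIDC, which is an authentication layer on top of OAuth 2.0, the sentence should name OIDC or explain that relationship.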

Member

Would be nice to have a sentence here to introduce OIDC and why someone may want to specifically use this type of single-sign on (i.e. why we felt the need to write this blog/why it's helpful). At the moment it seems to dive into assuming people want to use this specific type of single sign on, when previously in the paragraph above it was only listed as one of the many options.


Security is paramount in today's world, and it is important to ensure your cloud applications are protected. A common way to do that is to configure Single Sign On for your application such as GitHub, Google, Facebook or OpenID Connect (OIDC). Single Sign-On (SSO) is a mechanism that allows users to authenticate themselves once and gain access to multiple applications or systems without the need to re-enter their credentials every time. This improves productivity by reducing the number of times you have to sign in. At the same time SSO reduces the reduces the number of attack surfaces because users only log in once each day and only use one set of credentials. Also, by using Oauth, you are protecting the user credentials by storing a tokem, and not the credentials in local storage, filesystem or cookies.

This blog will show you step by step how to configure your Liberty application deployed in OpenShift to use a specific type of OIDC - RedHat Single SignOn (RH-SSO). Liberty application will be deployed using the Open Liberty Operator (OLO) in OpenShift, with special configuration to be able to connect to RH-SSO. Configure the RH-SSO to create a client specifically for your liberty application. Once configuration is complete, when you login to your application, you will first be re-directed to RH-SSO, and once you authenticate successfully, it will redirect you back to your application.

Member

May be worth commenting here why we've focused on RH-SSO - i.e. this is the default SSO for any applications running on openshift, or something like that so that people know why they may use this.

Second sentence also needs to start with The - so "The Liberty application will be...."

Might be worth a short sentence here to cover why we're using the Liberty operator - i.e. "The Open Liberty Operator (OLO) is being used here to help simplify the deployment process. To find out more about OLO and the benefits it offers see our documentation...." or something like this.

This sentence doesn't make sense on its own, don't understand how it links to previous sentences - "Configure the RH-SSO to create a client specifically for your liberty application".

Build the application image using the Docker File shown above, and upload to a repository of your choice (for e.g. dockerhub or artifactory), and note the image location so that you can use it later on for deploying this application to OpenShift using the Open Liberty Operator (OLO)


Member

Can we add a sentence here to summarise that they have now successfully set up the sample application and can now move onto the next step of installing and configuring their openshift cluster for us to deploy this to? This will help to round off this section and make a clear distinction between the steps we laid out at the start of this blog.




== Installing and configuring RH-SSO (RedHat Single Sign-On) Operator in the OpenShift cluster

Member

This section is hard to read at the moment as it's very instructional and not written as a blog. We need more context and chatty prose in this section. I'll try and give some examples at the start of this section. Please could you try and copy my format for the rest of this section?

https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_installation_and_configuration_guide/operator#doc-wrapper

Install the Operator in the namespace - "rh-sso".

Member

Suggested change
Install the Operator in the namespace - "rh-sso".

rumanaHaque and others added 9 commits April 4, 2024 13:51
Co-authored-by: Grace Jansen <32962135+GraceJansen@users.noreply.github.com>
2 participants