04-NGINX-DevPortal-Test.md

File metadata and controls

224 lines (187 loc) · 7.04 KB

How To Set Up NGINX ACM/DevPortal OIDC for Keycloak Integration

Take the following steps to set up NGINX ACM/DevPortal OIDC and test it for Keycloak integration.

1. Prerequisites

  • Set up Keycloak

    Use an application name and callback/logout URLs that differ from the ones you already created to test your containerized NGINX Plus, as in the following example:

    | Category | Example |
    | --- | --- |
    | Application Name | nginx-devportal-app |
    | Valid Redirect URIs (for Login) | http://nginx.devportal.keycloak.test/_codexch |
    | Valid Redirect URIs (for Logout) | http://nginx.devportal.keycloak.test/_logout |
  • Edit the hosts file on your laptop if you want to test your app locally:

    $ sudo vi /etc/hosts
    127.0.0.1 nginx.devportal.keycloak.test # Note : The provided IP address should be of the host where you installed the Dev Portal packages.
    # Also make sure your controller and Dev Portal /etc/hosts files have similar entries.

2. Install NGINX API Connectivity Manager

3. Set Up NGINX Dev Portal

Configure a Dev Portal either by following the NGINX Management Suite docs (How To Set Up an NGINX Dev Portal) or by calling the APIs in the following steps:

Note:

Download the example Postman collection to test the following steps more easily.

  • Open the Postman collection and edit the ACM password and variables:

  • Create an infra > workspace:

    POST https://{{ctrl_ip}}/api/acm/v1/infrastructure/workspaces

    Body:

    {
      "name": "{{infraworkspacename}}"
    }
  • Create a proxy > workspace:

    POST https://{{ctrl_ip}}/api/acm/v1/services/workspaces

    Body:

    {
      "name": "{{proxyworkspacename}}"
    }
  • Create an environment of Dev Portal:

    POST https://{{ctrl_ip}}/api/acm/v1/infrastructure/workspaces/{{infraworkspacename}}/environments

    Request Body:

    {
      "name": "{{environmentname}}",
      "functions": ["DEVPORTAL"],
      "proxies": [
        {
          "proxyClusterName": "{{devPinstanceGroupName}}",
          "hostnames": ["{{devPenvironmentHostname}}"],
          "runtime": "PORTAL-PROXY",
          "policies": {
            "oidc-authz": [
              {
                "action": {
                  "authFlowType": "AUTHCODE",
                  "jwksURI": "https://{{idpDomain}}/certs",
                  "tokenEndpoint": "https://{{idpDomain}}/token",
                  "userInfoEndpoint": "https://{{idpDomain}}/userinfo",
                  "authorizationEndpoint": "https://{{idpDomain}}/auth",
                  "logOffEndpoint": "https://{{idpDomain}}/logout",
                  "logOutParams": [],
                  "TokenParams": [],
                  "uris": {
                    "loginURI": "/login",
                    "logoutURI": "/logout",
                    "redirectURI": "/_codexch",
                    "userInfoURI": "/userinfo"
                  }
                },
                "data": [
                  {
                    "clientID": "{{clientId}}",
                    "clientSecret": "{{clientSecret}}",
                    "scopes": "openid+profile+email+offline_access"
                  }
                ]
              }
            ]
          }
        }
      ]
    }
  • Get an environment of Dev Portal:

    GET https://{{ctrl_ip}}/api/acm/v1/infrastructure/workspaces/{{infraworkspacename}}/environments

    Response:

    {
        :
        curl -k https://<CTRL-FQDN>/install/nginx-agent > install.sh && sudo sh install.sh -g devp-group && sudo systemctl start nginx-agent
        :
    }
    
  • SSH into the instance of Dev Portal, and run the following commands:

    curl -k https://<CTRL-FQDN>/install/nginx-agent > install.sh && sudo sh install.sh -g devp-group && sudo systemctl start nginx-agent
    
  • Option 1. Upsert an environment of Dev Portal for non-PKCE:

    PUT https://{{ctrl_ip}}/api/acm/v1/infrastructure/workspaces/{{infraworkspacename}}/environments/{{environmentname}}

    Request Body:

    {
      "name": "{{environmentname}}",
      "type": "NON-PROD",
      "functions": ["DEVPORTAL"],
      "proxies": [
        {
          "proxyClusterName": "{{devPinstanceGroupName}}",
          "hostnames": ["{{devPenvironmentHostname}}"],
          "runtime": "PORTAL-PROXY",
          "listeners": [
            {
              "ipv6": false,
              "isTLSEnabled": false,
              "port": 80,
              "transportProtocol": "HTTP"
            }
          ],
          "policies": {
            "oidc-authz": [
              {
                "action": {
                  "authFlowType": "AUTHCODE",
                  "jwksURI": "https://{{idpDomain}}/certs",
                  "tokenEndpoint": "https://{{idpDomain}}/token",
                  "userInfoEndpoint": "https://{{idpDomain}}/userinfo",
                  "authorizationEndpoint": "https://{{idpDomain}}/auth",
                  "logOffEndpoint": "https://{{idpDomain}}/logout",
                  "logOutParams": [],
                  "TokenParams": [],
                  "uris": {
                    "loginURI": "/login",
                    "logoutURI": "/logout",
                    "redirectURI": "/_codexch",
                    "userInfoURI": "/userinfo"
                  }
                },
                "data": [
                  {
                    "appName": "nginx-devportal-app",
                    "clientID": "{{clientId}}",
                    "clientSecret": "{{clientSecret}}",
                    "scopes": "openid+profile+email+offline_access",
                    "source": "ACM"
                  }
                ]
              }
            ]
          }
        }
      ]
    }
  • Option 2. Upsert an environment of Dev Portal for PKCE:

    PUT https://{{ctrl_ip}}/api/acm/v1/infrastructure/workspaces/{{infraworkspacename}}/environments/{{environmentname}}

    Body:

    {
           :
      "authFlowType": "PKCE",
           :
      "clientSecret": "",
           :
    }
    
  • Delete an environment of Dev Portal:

    DELETE https://{{ctrl_ip}}/api/acm/v1/infrastructure/workspaces/{{infraworkspacename}}/environments/{{environmentname}}
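
Putting the environment calls above together, as an added example that is not part of this guide or of NGINX ACM: a small Python helper that builds the Option 1 / Option 2 request body from the Postman variable names used here and reviews it against the Keycloak client's Valid Redirect URIs before it is sent. The idp_domain value and the check_policy() rules are this example's own assumptions, not an ACM or Keycloak API.

```python
"""Added example, not code from the guide or NGINX ACM: build the Dev Portal
environment body from this guide's Postman variable names and review it against
the Keycloak client. check_policy() is this example's own logic, not an ACM API."""

def build_environment(name, cluster, hostname, idp_domain, client_id,
                      client_secret="", pkce=False):
    """Return the PUT body for .../environments/{name} with one oidc-authz policy."""
    action = {
        "authFlowType": "PKCE" if pkce else "AUTHCODE",
        "jwksURI": f"https://{idp_domain}/certs",
        "tokenEndpoint": f"https://{idp_domain}/token",
        "userInfoEndpoint": f"https://{idp_domain}/userinfo",
        "authorizationEndpoint": f"https://{idp_domain}/auth",
        "logOffEndpoint": f"https://{idp_domain}/logout",
        "logOutParams": [], "TokenParams": [],
        "uris": {"loginURI": "/login", "logoutURI": "/logout",
                 "redirectURI": "/_codexch", "userInfoURI": "/userinfo"},
    }
    # Option 2 of the guide: the PKCE flow sends no shared secret, so it is left empty.
    data = {"appName": "nginx-devportal-app", "clientID": client_id,
            "clientSecret": "" if pkce else client_secret,
            "scopes": "openid+profile+email+offline_access", "source": "ACM"}
    # Listener exactly as in Option 1 of the guide: plain HTTP on port 80 (test setup).
    listener = {"ipv6": False, "isTLSEnabled": False, "port": 80,
                "transportProtocol": "HTTP"}
    return {"name": name, "type": "NON-PROD", "functions": ["DEVPORTAL"],
            "proxies": [{"proxyClusterName": cluster, "hostnames": [hostname],
                         "runtime": "PORTAL-PROXY", "listeners": [listener],
                         "policies": {"oidc-authz": [{"action": action, "data": [data]}]}}]}

def check_policy(body, keycloak_redirect_uris):
    """Return findings where the body disagrees with the Keycloak client or weakens the flow."""
    findings = []
    proxy = body["proxies"][0]
    policy = proxy["policies"]["oidc-authz"][0]
    action, data = policy["action"], policy["data"][0]
    scheme = "https" if proxy["listeners"][0]["isTLSEnabled"] else "http"
    # The callback NGINX advertises must be registered verbatim as a Keycloak Valid Redirect URI.
    callback = f"{scheme}://{proxy['hostnames'][0]}{action['uris']['redirectURI']}"
    if callback not in keycloak_redirect_uris:
        findings.append(f"callback {callback} is not a Keycloak Valid Redirect URI")
    if action["authFlowType"] == "PKCE" and data["clientSecret"]:
        findings.append("PKCE flow should not carry a client secret")
    if action["authFlowType"] == "AUTHCODE" and not data["clientSecret"]:
        findings.append("AUTHCODE flow needs the Keycloak client secret")
    if scheme == "http":
        findings.append("listener is plain HTTP: code and session cookie cross the wire in the clear")
    return findings
```

Run check_policy() on the body before the PUT; an empty list means the hostname, callback path and flow type line up with what Keycloak was registered with, and the HTTP finding disappears once the listener is switched to TLS.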

4. Test Dev Portal OIDC with Keycloak

  • Open a web browser and access the Dev Portal's FQDN, such as http://nginx.devportal.keycloak.test.

  • Try Login and Logout.

  • Repeat the two steps above after switching the IdP client to the PKCE option and updating the Dev Portal via the NGINX ACM API.