Introduction
This guide explains how to install Haventec IAM in your production environment, covering:
- Best Practices to support High Availability
- Create Admin Credentials for the Master Realm
- Disable Direct Access Grants for Clients
This setup guide assumes that you'll be running Haventec IAM in Amazon Web Services with technologies such as Elastic Compute Service and Fargate.
Main Steps
- High Availability/Clustering
- Admin Credentials
- Disabling Direct Access Grants
High Availability
To enable clustering and support a High Availability solution in Haventec IAM, we need to use one of the discovery protocols by JGroups. This is because Haventec IAM uses Infinispan for caching and Infinispan utilises JGroups for discovery.
In our case we support and recommend the use of JDBC_PING.
JDBC_PING uses a database to store information about cluster nodes, which is then used for discovery. All cluster nodes must be able to access the same database. When a node starts, it queries the database for existing members, determines the coordinator and then asks the coordinator to join the cluster. It also inserts information about itself into the table so that other nodes can subsequently find it. You can read more about it here.
Environment Variables
To enable JDBC_PING, provide the following environment variables to the Docker image at startup:
JGROUPS_DISCOVERY_PROTOCOL=JDBC_PING
JGROUPS_DISCOVERY_PROPERTIES=datasource_jndi_name=java:jboss/datasources/KeycloakDS
JGROUPS_TRANSPORT_STACK=tcp
Another environment variable, JGROUPS_DISCOVERY_EXTERNAL_IP, is set automatically by docker_entrypoint.sh for AWS Fargate deployments.
If you are not using AWS Fargate for the deployment, you must set JGROUPS_DISCOVERY_EXTERNAL_IP to the IP address of the node so that other nodes can discover it.
If you're running your Haventec IAM instance on AWS, add the following rules to the Security Group used by the tasks:
- An ingress rule and an egress rule on TCP port 7600 whose source/destination is the Security Group itself
Once that is configured, increase the number of ECS tasks to 2.
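The cluster port should be reachable only from other cluster members. The following script, added here as an example and not part of the Haventec IAM guide, audits a Security Group for the self-referencing TCP 7600 rules described above and flags any rule that opens that port to 0.0.0.0/0. It assumes the group is read via boto3's describe_security_groups() output (the sample group, group id and the audit helper names are constructed for illustration); the same IpPermissions structure is what authorize_security_group_ingress/egress accept when adding the missing rule.

```python
"""Audit an AWS security group for the JGroups TCP 7600 rules.

Added example, not part of the Haventec IAM guide. It inspects the structure
returned by boto3 describe_security_groups(); the sample group below is
constructed inline so the checks run offline.
"""
JGROUPS_TCP_PORT = 7600  # the port named in the guide's security-group rule


def covers_port(perm, port):
    """True if an IpPermission entry covers `port` over TCP (or all traffic)."""
    if perm.get("IpProtocol") == "-1":          # "-1" means all protocols/ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def has_self_reference(perms, group_id, port=JGROUPS_TCP_PORT):
    """True if some rule for `port` names the group itself as the peer."""
    return any(
        covers_port(p, port)
        and any(pair.get("GroupId") == group_id for pair in p.get("UserIdGroupPairs", []))
        for p in perms
    )


def public_sources(perms, port=JGROUPS_TCP_PORT):
    """CIDRs that reach `port` from anywhere; the cluster port should have none."""
    found = []
    for p in perms:
        if not covers_port(p, port):
            continue
        for r in p.get("IpRanges", []):
            if r.get("CidrIp") == "0.0.0.0/0":
                found.append(r["CidrIp"])
        for r in p.get("Ipv6Ranges", []):
            if r.get("CidrIpv6") == "::/0":
                found.append(r["CidrIpv6"])
    return found


def audit_group(sg):
    """Return the findings for one SecurityGroup entry as a dict."""
    gid = sg["GroupId"]
    return {
        "group_id": gid,
        "ingress_self_7600": has_self_reference(sg.get("IpPermissions", []), gid),
        "egress_self_7600": has_self_reference(sg.get("IpPermissionsEgress", []), gid),
        "public_7600": public_sources(sg.get("IpPermissions", [])),
    }


def self_ref_permission(group_id, port=JGROUPS_TCP_PORT):
    """IpPermissions entry for authorize_security_group_ingress/egress."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "UserIdGroupPairs": [{"GroupId": group_id}]}]


# Constructed sample: the ingress rule is correct, the egress rule is missing,
# and a stray 0.0.0.0/0 rule also covers 7600.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",   # placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 7600, "ToPort": 7600,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
        {"IpProtocol": "tcp", "FromPort": 7000, "ToPort": 8000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}

if __name__ == "__main__":
    # Against a live account you would fetch the group instead, e.g.:
    #   import boto3
    #   sg = boto3.client("ec2").describe_security_groups(GroupIds=[gid])["SecurityGroups"][0]
    print(audit_group(SAMPLE_GROUP))
```

Run against the live group before scaling the ECS service to 2 tasks: both `ingress_self_7600` and `egress_self_7600` should be True and `public_7600` should be empty.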
Admin Credentials
Once Haventec IAM is configured, we also need to provide the environment variables that create an admin user in the master realm.
Environment Variables
The following environment variables need to be provided to the Docker image at startup:
KEYCLOAK_USER=admin
KEYCLOAK_PASSWORD=admin
NOTE: We strongly recommend setting a strong value for KEYCLOAK_PASSWORD, or changing the password through the Haventec IAM admin console.
Disable Direct Access Grants
Once Haventec IAM has been configured with Haventec Authenticate and the OpenID Landing Page, we need to disable the Direct Access Grants authentication flow. This disables the password grant_type, so users can no longer retrieve an access_token (JWT) using their username and password.
The Direct Access Grant flow is aimed towards REST clients that want to obtain a token on behalf of a user.
Configuration per Client:
When creating a client, disable the Direct Access Grants option. This stops that client from accepting password as a grant_type when issuing access tokens, and so disables the Direct Access Grants flow for that client.
Finally, once the flow is disabled for your client, running the following command should return the error shown below:
curl \
  -d 'client_id={client-id}' \
  -d 'client_secret=d8......e5' \
  -d 'username={username}' \
  -d 'password={password}' \
  -d 'grant_type=password' \
  'http://{haventec-iam-location}/auth/realms/{realm}/protocol/openid-connect/token' \
  | python -m json.tool
{
"error": "unauthorized_client",
"error_description": "Client not allowed for direct access grants"
}
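The curl check above covers one client at a time. The script below, added here as an example and not code from the Haventec IAM guide, does the same check programmatically and also scans a list of client definitions for any that still have the flag enabled. It assumes the token endpoint path shown in the guide and a Keycloak-style client representation with a directAccessGrantsEnabled field (Haventec IAM is Keycloak-based, as the KEYCLOAK_USER variables above suggest); the host, realm, client and response values are placeholders or constructed samples, so the logic runs offline.

```python
"""Verify that a Haventec IAM client rejects grant_type=password.

Added example, not from the Haventec IAM guide. Assumptions: the token
endpoint path is the one shown in the guide, and client definitions use the
Keycloak representation with a `directAccessGrantsEnabled` flag. Sample
responses and clients below are constructed, not captured from a deployment.
"""
import json
import urllib.error
import urllib.parse
import urllib.request


def token_request_body(client_id, client_secret, username, password):
    """Form body for the grant_type=password request shown in the guide."""
    return urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "grant_type": "password",
    }).encode()


def classify_token_response(status, body):
    """Map a token-endpoint reply to 'disabled', 'enabled' or 'other'.

    'disabled' is the expected outcome once Direct Access Grants is off;
    'enabled' means the client still issues tokens from a username/password.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return "other"
    if status == 200 and "access_token" in data:
        return "enabled"
    if status in (400, 401) and data.get("error") == "unauthorized_client":
        return "disabled"
    return "other"


def probe_password_grant(base_url, realm, client_id, client_secret, username, password):
    """Send the guide's check against a live instance and classify the reply."""
    url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
    body = token_request_body(client_id, client_secret, username, password)
    req = urllib.request.Request(url, data=body)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as e:
        return classify_token_response(e.code, e.read())


def clients_with_direct_grants(clients):
    """clientIds from a Keycloak-style client list that still allow the password grant."""
    return sorted(c["clientId"] for c in clients if c.get("directAccessGrantsEnabled"))


# Constructed sample data (not captured from a real deployment).
SAMPLE_ERROR_BODY = (b'{"error": "unauthorized_client", '
                     b'"error_description": "Client not allowed for direct access grants"}')
SAMPLE_TOKEN_BODY = b'{"access_token": "eyJ.placeholder.token", "token_type": "Bearer"}'
SAMPLE_CLIENTS = [
    {"clientId": "authenticate-web", "directAccessGrantsEnabled": False},
    {"clientId": "legacy-rest", "directAccessGrantsEnabled": True},
    {"clientId": "account", "publicClient": True},
]

if __name__ == "__main__":
    # Live use, with the guide's placeholders filled in:
    #   probe_password_grant("http://{haventec-iam-location}", "{realm}",
    #                        "{client-id}", "d8......e5", "{username}", "{password}")
    print(classify_token_response(400, SAMPLE_ERROR_BODY))   # disabled
    print(clients_with_direct_grants(SAMPLE_CLIENTS))         # ['legacy-rest']
```

A result of "disabled" corresponds to the unauthorized_client error shown above; "enabled" means the client still needs the Direct Access Grants option switched off.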