Hello Chris, I can suggest Keycloak [1]. It supports OIDC (an extension of OAuth2) [2], it has adapters for Apache Tomcat [3] and it is quite easy to start with. I made a little proof of concept protecting the good old /manager Tomcat application using the "Client Credentials Flow". My setup looks like this:
- Keycloak server:

  docker run --name=keycloak_for_oidc_tests -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -p 9090:8080 -e KEYCLOAK_IMPORT=/tmp/test-realm.json -v $(pwd)/test-realm-with-users.json:/tmp/test-realm.json jboss/keycloak

  You can find the test-realm.json here [4]
- Add this keycloak.json [5] to the $CATALINA_BASE/webapps/manager/WEB-INF/ folder. You can also generate it via the admin console (localhost:9090/auth)
- Unzip [6] into $CATALINA_BASE/lib
- Declare the <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/> in $CATALINA_BASE/webapps/manager/META-INF/context.xml

I will try to put all this in a little repo, maybe it can be helpful for somebody else, but with the above steps you should be done.

Maybe you want to add some debugging to your $CATALINA_BASE/conf/logging.properties to see what's happening under the hood:

  org.keycloak.level = ALL
  org.apache.catalina.realm.level = ALL
  org.apache.catalina.authenticator.level = ALL

Hope it helps,

Luis

[1] https://www.keycloak.org
[2] https://www.keycloak.org/docs/latest/securing_apps/index.html#openid-connect-2
[3] https://www.keycloak.org/docs/latest/securing_apps/index.html#_tomcat_adapter
[4] https://gist.github.com/lurodrig/6ecab404985683e6ed6cfe6c8fa8475f#file-test-realm-with-users-json
[5] https://gist.github.com/lurodrig/ac51a5cdfd3482ea20680e19b77b2558#file-keycloak-json
[6] https://downloads.jboss.org/keycloak/11.0.2/adapters/keycloak-oidc/keycloak-tomcat-adapter-dist-11.0.2.zip

On Mon., 14 Sept. 2020 at 15:38, Christopher Schultz (<ch...@christopherschultz.net>) wrote:

> All,
>
> I'm looking at implementing OAuth/OAuth2 on the server for both
> incoming and outgoing SSO with other systems. It doesn't look like
> rocket surgery, but I figure: why reinvent the wheel?
>
> Has anyone had any experiences in particular they'd like to share?
> I think I'd prefer something that was explicitly geared towards OAuth
> and not something more general like Apache CXF, unless CXF is *super
> good* at doing OAuth and also provides some other great thing that
> maybe I didn't know I needed.
>
> Thanks,
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett
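As an added example (not from Luis's proof of concept or from the Keycloak project), here is a small Python client that exercises the Client Credentials Flow described in the steps above: it posts the client's credentials to the Keycloak token endpoint and sends the resulting bearer token to the manager text API, where the KeycloakAuthenticatorValve validates it. Assumptions beyond the thread: Tomcat listens on localhost:8080, the confidential client in the imported realm is granted the manager-script role, and REALM/CLIENT_ID/CLIENT_SECRET are placeholders you replace with the values from your test-realm.json.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

KEYCLOAK_BASE = "http://localhost:9090/auth"  # port mapping from the docker run command above
TOMCAT_BASE = "http://localhost:8080"         # assumed: Tomcat on its default port

def token_request(realm, client_id, client_secret):
    """Build the client_credentials grant: (token endpoint URL, form-encoded body)."""
    url = f"{KEYCLOAK_BASE}/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return url, body

def jwt_claims(access_token):
    """Decode the JWT payload without checking the signature: the Keycloak valve
    in Tomcat does the real verification; the client only reads exp/azp."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_is_usable(claims, now=None):
    """Only send a token that has not expired; otherwise fetch a fresh one."""
    now = time.time() if now is None else now
    return claims.get("exp", 0) > now

def fetch_token(realm, client_id, client_secret):
    url, body = token_request(realm, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def list_webapps(access_token):
    """Call the manager text API; the KeycloakAuthenticatorValve validates the bearer token."""
    req = urllib.request.Request(f"{TOMCAT_BASE}/manager/text/list",
                                 headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    # Placeholder realm/client/secret: take the real values from your test-realm.json.
    token = fetch_token("REALM", "CLIENT_ID", "CLIENT_SECRET")
    claims = jwt_claims(token)
    print("issued to", claims.get("azp"), "usable:", token_is_usable(claims))
    print(list_webapps(token))
```

With the logging.properties entries from the steps above enabled, a request made with this client shows up in catalina.out as the valve's token validation, which is the quickest way to see why a bearer token is rejected.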