Identity & Access Management

Hosting Authentication Portal in Docker for WSO2-IS 6.0.0

Vivekvinushanth Christopher, published in Authenticate. 3 min read, Feb 8, 2023


We needed to host the authentication endpoint externally rather than in the default way, where it is hosted together with the WSO2 Identity Server. This feature has been available since WSO2 Identity Server 5.10 but has not received the attention it deserves. Once everything fell into place, we refreshed our knowledge and tried hosting it in Docker, since the industry is heading cloud-native.

Note: You can refer to https://is.docs.wso2.com/en/6.0.0/references/extend/host-authentication-endpoint-on-a-different-server to try hosting the authentication portal in a locally hosted Tomcat.

We consider this in two sections:

  1. Externalizing the portal, which mainly concerns hosting it in Docker
  2. Removing the authentication portal from IS

Externalize the Authentication Portal

  1. Download and install WSO2 IS 6.0.0
  2. Download Docker to your machine if you don't have it installed already
  3. Update the deployment.toml of WSO2 IS, which resides inside the repository/conf folder, changing the host configuration of IS (a sample is attached in a later step)

4. Move a copy of IS 6.0.0 to a new workspace and unzip it. Then update wso2carbon.jks and client-truststore.jks by creating new ones. Once that is done, zip it again so that the Dockerfile can work on it. Here we have added a DNS SAN for host.docker.internal (mapped to 127.0.0.1), which will serve as the host of the Identity Server.

keytool -genkey -keystore wso2carbon.jks -dname "CN=localhost, OU=WSO2, O=WSO2, L=Mountain View, ST=CA, C=US" -keypass wso2carbon -storepass wso2carbon -keyalg RSA -alias wso2carbon -ext SAN=dns:localhost,dns:host.docker.internal
  • then export the public key
keytool -export -alias wso2carbon -keystore wso2carbon.jks -file publickey.pem
  • and import the key into the client truststore
keytool -import -alias wso2 -file publickey.pem -keystore client-truststore.jks -storepass wso2carbon

You can follow this blog for the details of key creation.

5. Now you can build the Docker image from the shared Dockerfile using the command

docker build -t extauthportal60 .

and also ensure that you keep the copy.sh file in the same folder as the Dockerfile. This file copies the necessary jars and makes the necessary modifications to the authentication portal web app.

copy.sh

6. Run the built image using

docker run --add-host=host.docker.internal:host-gateway --user root -p 8085:8080 extauthportal60
  • We change the host to host.docker.internal because the container and the IS are both running on the local machine. Inside the container, localhost:9443 refers to the container itself, whereas the Identity Server is hosted outside the Docker container in which the authentication portal runs. The --add-host part is specifically needed on Linux; on a Mac you can run it without it. On Linux, do not forget to add the host to the /etc/hosts file as well:
127.0.0.1 host.docker.internal

7. Now, on the IS side:

  • Add these configurations to deployment.toml:
[authentication.endpoints]
login_url="http://localhost:8085/authenticationendpoint/login.do"
retry_url="http://localhost:8085/authenticationendpoint/retry.do"
request_missing_claims_url="http://localhost:8085/authenticationendpoint/claims.do"
[oauth.endpoints]
oauth2_consent_page="http://localhost:8085/authenticationendpoint/oauth2_authz.do"
oauth2_error_page="http://localhost:8085/authenticationendpoint/oauth2_error.do"
oidc_consent_page="http://localhost:8085/authenticationendpoint/oauth2_consent.do"
oidc_logout_consent_page="http://localhost:8085/authenticationendpoint/oauth2_logout_consent.do"
oidc_logout_page="http://localhost:8085/authenticationendpoint/oauth2_logout.do"
[saml.endpoints]
logout="http://localhost:8085/authenticationendpoint/samlsso_logout.do"
notification="http://localhost:8085/authenticationendpoint/samlsso_notification.do"
[passive_sts.endpoints]
retry="http://localhost:8085/authenticationendpoint/retry.do"
  • Update the host in the same file:
[server]
hostname = "host.docker.internal"
node_ip = "127.0.0.1"
base_path = "https://host.docker.internal:9443"
  • Also ensure that you have mapped the hostname to 127.0.0.1
  • You might need to add CORS configuration as well:
[cors]
allow_generic_http_requests = true
allow_any_origin = false
allowed_origins = [
"http://localhost:8080","https://localhost:9443", "http://localhost:8085", "https://host.docker.internal:9443"
]
allow_subdomains = true
supported_methods = [
"GET",
"POST",
"HEAD",
"OPTIONS"
]
support_any_header = true
supported_headers = []
exposed_headers = []
supports_credentials = true
max_age = 3600
tag_requests = false
  • And since we might need to modify system applications such as myAccount and console, make them writable:
[system_applications]
read_only_apps = []

Now start the server and try to log in to the console, and ensure that you are taken to localhost:8085, where the Tomcat inside the Docker container is running.
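Before restarting the server, it is worth checking that the deployment.toml fragments above agree with each other: every portal page must point at the same external origin, the server hostname must match base_path, and the portal origin must be in the CORS allow list. The following script is an added example, not code from the post or from WSO2 IS. It parses only the small TOML subset these fragments use (so it needs no third-party library), rejects the typographic quotes that copying from a web page tends to introduce, and runs the consistency checks over two constructed samples built from the post's own values. The hostname and CORS matching rules are this example's assumptions about a sane setup, not rules taken from the WSO2 documentation; it also flags plain http portal origins on non-loopback hosts, because the post's http://localhost:8085 URLs only make sense while the browser and the portal share the loopback interface.

```python
"""Pre-flight check for the deployment.toml fragments that point WSO2 IS at an
external authentication portal. Added example, not part of the post or of WSO2 IS;
it parses only the TOML subset these fragments use, so no extra library is needed.
SAMPLE_GOOD mirrors the post's fragments; SAMPLE_BAD drops one page and one origin."""
import re
from urllib.parse import urlsplit

# Keys the post redirects to the external portal, grouped by TOML table.
PORTAL_ENDPOINT_KEYS = {
    "authentication.endpoints": ["login_url", "retry_url", "request_missing_claims_url"],
    "oauth.endpoints": ["oauth2_consent_page", "oauth2_error_page", "oidc_consent_page",
                        "oidc_logout_consent_page", "oidc_logout_page"],
    "saml.endpoints": ["logout", "notification"], "passive_sts.endpoints": ["retry"]}

def _parse_value(v):
    # Booleans, single-line string arrays, or a quoted string.
    if v in ("true", "false"):
        return v == "true"
    if v.startswith("["):
        return [s.strip().strip('"') for s in v[1:-1].split(",") if s.strip()]
    return v.strip('"')

def parse_toml_subset(text):
    """Parse tables, key = value pairs and (multi-line) arrays into nested dicts."""
    data, table, buf, key = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if "\u201c" in line or "\u201d" in line:  # typographic quotes pasted from a web page
            raise ValueError(f"curly quotes in {line!r}; use straight quotes")
        if buf is not None:  # inside a multi-line array
            buf.append(line)
            if line.endswith("]"):
                data.setdefault(table, {})[key], buf = _parse_value(" ".join(buf)), None
            continue
        if not line or line.startswith("#"):
            continue
        if re.fullmatch(r"\[[\w.]+\]", line):
            table = line[1:-1]
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value.startswith("[") and not value.endswith("]"):
            buf = [value]
            continue
        data.setdefault(table, {})[key] = _parse_value(value)
    return data

def check_external_portal(cfg):
    """Return a list of findings; an empty list means the fragments agree with each other."""
    findings, origins = [], set()
    for table, keys in PORTAL_ENDPOINT_KEYS.items():
        for k in keys:
            url = cfg.get(table, {}).get(k)
            if url is None:
                findings.append(f"{table}.{k} missing: IS would keep using its built-in page")
                continue
            u = urlsplit(url)
            origins.add(f"{u.scheme}://{u.netloc}")
            if not u.path.startswith("/authenticationendpoint/"):
                findings.append(f"{table}.{k} does not point at the authenticationendpoint web app")
    for o in origins:  # plain http is tolerable only while browser and portal share loopback
        if o.startswith("http://") and urlsplit(o).hostname not in ("localhost", "127.0.0.1"):
            findings.append(f"{o}: login pages would travel over plain http off-loopback")
    server = cfg.get("server", {})
    if urlsplit(server.get("base_path", "")).hostname != server.get("hostname"):
        findings.append("server.base_path host does not match server.hostname")
    cors = cfg.get("cors", {})
    if cors.get("allow_any_origin"):
        findings.append("cors.allow_any_origin = true opens CORS to every origin")
    for o in sorted(origins - set(cors.get("allowed_origins", []))):
        findings.append(f"cors.allowed_origins lacks the portal origin {o}")
    return findings

SAMPLE_GOOD = """[authentication.endpoints]
login_url = "http://localhost:8085/authenticationendpoint/login.do"
retry_url = "http://localhost:8085/authenticationendpoint/retry.do"
request_missing_claims_url = "http://localhost:8085/authenticationendpoint/claims.do"
[oauth.endpoints]
oauth2_consent_page = "http://localhost:8085/authenticationendpoint/oauth2_authz.do"
oauth2_error_page = "http://localhost:8085/authenticationendpoint/oauth2_error.do"
oidc_consent_page = "http://localhost:8085/authenticationendpoint/oauth2_consent.do"
oidc_logout_consent_page = "http://localhost:8085/authenticationendpoint/oauth2_logout_consent.do"
oidc_logout_page = "http://localhost:8085/authenticationendpoint/oauth2_logout.do"
[saml.endpoints]
logout = "http://localhost:8085/authenticationendpoint/samlsso_logout.do"
notification = "http://localhost:8085/authenticationendpoint/samlsso_notification.do"
[passive_sts.endpoints]
retry = "http://localhost:8085/authenticationendpoint/retry.do"
[server]
hostname = "host.docker.internal"
base_path = "https://host.docker.internal:9443"
[cors]
allow_any_origin = false
allowed_origins = [
"http://localhost:8080", "https://localhost:9443", "http://localhost:8085", "https://host.docker.internal:9443"
]
"""
SAMPLE_BAD = SAMPLE_GOOD.replace('oidc_logout_page = "http://localhost:8085/'
    'authenticationendpoint/oauth2_logout.do"\n', "").replace('"http://localhost:8085", ', "")

if __name__ == "__main__":
    print(check_external_portal(parse_toml_subset(SAMPLE_BAD)) or "no findings")
```

Run it against your own file with `check_external_portal(parse_toml_subset(open("repository/conf/deployment.toml").read()))`; the parser only understands the plain tables, strings, booleans and string arrays shown in this post, so a deployment.toml with inline tables or other TOML features should be fed through a full TOML parser instead.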

Removing the authentication portal from IS

So far we have run the auth portal in an external environment, but we haven't removed the one inside IS. To make the effort complete and clean, let's remove it. Removing it carelessly will cause server startup issues, so to prevent this it is recommended to remove the authentication endpoint from both of the following places:

<IS_HOME>/repository/deployment/server/webapps/authenticationendpoint

<IS_HOME>/repository/resources/conf/templates/repository/deployment/server/webapps/authenticationendpoint

Now start the Identity Server and try to log in to the locally hosted console

https://host.docker.internal:9443/console

and you will see that you are redirected to the externally hosted authentication portal running in Docker on localhost, i.e.:

https://localhost:8085/authenticationendpoint/login.do?…

NOTE: If the console or myAccount page keeps reloading in a loop when the login page loads, change the browser setting to block only cross-site tracking cookies instead of the default option, "cross-site tracking cookies and isolate other cross-site cookies".
