[aerogear-dev] Keycloak on AeroGear

Karel Piwko kpiwko at redhat.com
Tue Jan 7 07:13:44 EST 2014


That should not be that difficult; the only steps needed are updating RESTEasy (in
AS/EAP, not sure what version is in WF) and deploying more than a single WAR to
the server along with UPS. Pretty similar to the steps used in the keycloak examples:

https://github.com/kpiwko/keycloak/commit/2c93f787b60c0ec1f437983c83b79aff4a593f90

That said, it might make our OpenShift cartridge setup more complicated but
again that's not something users (read: consumers) should hit.

Karel

On Tue, 7 Jan 2014 12:33:54 +0100
Matthias Wessendorf <matzew at apache.org> wrote:

> Something that also comes to mind is: If the UPS relies on KeyCloak, it's
> one more complex component that is required for the installation process.
> Meaning: At least a running server instance of Keycloak is required. Not
> sure if that helps in simplifying things :-)
> 
> 
> On Fri, Jan 3, 2014 at 1:52 PM, Matthias Wessendorf <matzew at apache.org> wrote:
> 
> > Hello,
> >
> > it's nice to see an effort for integrating keycloak. Especially the User
> > Management part is something which sounds very promising. For instance I
> > like how a request against "http://push-abstractj.rhcloud.com/ag-push"
> > redirects me to the Keycloak server and after a successful login back to the
> > AdminUI. Sweet!
> >
> > I understand this is an early PoC, but the user login bits already look
> > good!
> >
> >
> > A few things I noticed:
> >
> > * After login, I get a list of PushApplications, but I can't click into
> > them to see details (I assume this is due to your changes to the ember
> > interface - which is perfectly fine)
> > * Sending Push Notifications (e.g. using the CURL command) does not work
> > (used the PushAppID/MasterSecret from the HTTP REST response on AdminUI
> > overview page ;-))
> > I assume this is because the endpoint for sending is also protected by the
> > SSO/Keycloak facility, hence the HTTP Basic auth is not triggered there
> > (guess).
> >
> > Since the HTTP Basic is also used when a device tries to register against
> > a variant, I am guessing the same issue is present there as well.
> >
> > Perhaps the HTTP-Basic for SENDING and DEVICE-REGISTRATION could be done
> > w/ something else, e.g. OAuth2
> >
> >
> >
> > Greetings,
> > Matthias
> >
> >
> >
> >
> >
> > On Fri, Dec 20, 2013 at 1:11 PM, Bruno Oliveira <bruno at abstractj.org> wrote:
> >
> >> Good morning peeps, yesterday I started to replace AeroGear Security on
> >> Unified Push server by Keycloak and you might be asking: “Why?”. Keycloak
> >> is a SSO with some handy features like TOTP, OAuth2, user management
> >> support and I think we have too much to contribute, is the only way to have
> >> some success with security, “divide to conquer” (at least for authorization
> >> and authentication).
> >>
> >> So will ag-security be discontinued? No! Keycloak is still in Alpha and
> >> we have to test it against our projects before fully replacing ag-security,
> >> but the only way to upstream our needs is to use it.
> >>
> >> This replacement only applies to authentication/authorization features,
> >> we still have a ton of projects which Keycloak is not able to replace like:
> >> TOTP, crypto and OAuth2 on mobile, our focus.
> >>
> >> - PoC
> >>
> >> So let’s talk about this replacement, any dependency on ag-security was
> >> removed from the push server and replaced by Keycloak:
> >> https://github.com/abstractj/aerogear-unifiedpush-server/tree/openshift
> >>
> >> Based on Keycloak examples, I just did copy & paste from one of the demos
> >> (https://github.com/abstractj/auth-server/tree/openshift) to create a
> >> server. Keycloak requires Resteasy 3.0.4, for this reason I had to manually
> >> replace some modules on JBoss.
> >>
> >> To test it go to: http://push-abstractj.rhcloud.com/ag-push/ you must be
> >> redirected to Keycloak, enter:
> >>
> >> username: john at doe.com
> >> password: password
> >>
> >> You must be redirected to agpush console, keep in mind that I took some
> >> shortcuts to get this demo working, so for example the create will fail
> >> because I removed everything related into the ember interface.
> >>
> >> It is also possible to enable TOTP, user’s registration and whatever you
> >> want.
> >>
> >> So what do you think?
> >>
> >> --
> >> abstractj
> >>
> >
> >
> >
> >
> > --
> > Matthias Wessendorf
> >
> > blog: http://matthiaswessendorf.wordpress.com/
> > sessions: http://www.slideshare.net/mwessendorf
> > twitter: http://twitter.com/mwessendorf
> >
> 
> 
> 


