<div dir="ltr">On the first screens I designed for UPS there was a first step before login to decide whether to use Keycloak or not:<div><br></div><div><a href="https://rawgit.com/andresgalante/UPS/master/keycloack-setup.html">https://rawgit.com/andresgalante/UPS/master/keycloack-setup.html</a><br></div><div><a href="https://rawgit.com/andresgalante/UPS/master/login.html">https://rawgit.com/andresgalante/UPS/master/login.html</a><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jan 11, 2016 at 9:50 AM, Lukas Fryc <span dir="ltr">&lt;<a href="mailto:lfryc@redhat.com" target="_blank">lfryc@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Bruno, <div><div><br></div><div>are there any plans or thoughts to allow association of the UPS with a Keycloak instance via web UI?</div></div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Fri, Jan 8, 2016 at 2:53 PM, Bruno Oliveira <span dir="ltr">&lt;<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>&gt;</span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><div><p style="margin:0px 0px 1.2em!important">Good morning, today I had a conversation with Matthias about the decoupling of UPS from Keycloak[1]. Also, during the week, I had a brainstorm on some ideas with Stian to figure out the best way to achieve this.</p>
<h2 style="margin:1.3em 0px 1em;padding:0px;font-weight:bold;font-size:1.4em;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(238,238,238)">Motivation</h2>
<p style="margin:0px 0px 1.2em!important">The reason why we want to decouple UPS from Keycloak is that today it is not possible to have UPS and Keycloak in a separate infrastructure. Currently we bundle it. Keycloak is still and will always be our default security solution.</p>
<p style="margin:0px 0px 1.2em!important">There are no intentions or future plans to make use of another security provider.</p>
<h2 style="margin:1.3em 0px 1em;padding:0px;font-weight:bold;font-size:1.4em;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(238,238,238)">Action items</h2>
<p style="margin:0px 0px 1.2em!important">During these conversations I identified some action items for myself which I would like to share. Also, I’m going to start to file Jiras under the AGPUSH-1047 umbrella.</p>
<h3 style="margin:1.3em 0px 1em;padding:0px;font-weight:bold;font-size:1.3em">1. Create a client cli script using Aesh to link UPS with Keycloak</h3>
<p style="margin:0px 0px 1.2em!important">The script would ask for the admin’s username/password or an initial registration token. After that, the script would make use of the dynamic client registration service to create the required clients in Keycloak.</p>
<h3 style="margin:1.3em 0px 1em;padding:0px;font-weight:bold;font-size:1.3em">2. Themes</h3>
<p style="margin:0px 0px 1.2em!important">For theme definition we have 2 scenarios:</p>
<ul style="margin:1.2em 0px;padding-left:2em">
<li style="margin:0.5em 0px"><p style="margin:0px 0px 1.2em!important;margin:0.5em 0px!important">Already existent server in use</p>
<p style="margin:0px 0px 1.2em!important;margin:0.5em 0px!important">Nothing will be changed. It’s already an agreement that the current theme should be neutral and not changed.</p>
</li>
<li style="margin:0.5em 0px"><p style="margin:0px 0px 1.2em!important;margin:0.5em 0px!important">Brand new instance of Keycloak with UPS theme</p>
<p style="margin:0px 0px 1.2em!important;margin:0.5em 0px!important">For scenarios where people want the custom theme from UPS, people can just deploy it, exactly as described here (<a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html#d4e2340" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html#d4e2340</a>)</p>
</li>
</ul>
<h3 style="margin:1.3em 0px 1em;padding:0px;font-weight:bold;font-size:1.3em">3. Creation of roles for clients</h3>
<p style="margin:0px 0px 1.2em!important">For the very first draft I’m planning to just import ups-realm.json (manual process) and see how it goes.</p>
<p style="margin:0px 0px 1.2em!important">The ideal is to extend the client registration service on Keycloak to allow creating roles for a client. For now, let’s just start simple — this can be tricky and require more discussion/time.</p>
<h3 style="margin:1.3em 0px 1em;padding:0px;font-weight:bold;font-size:1.3em">4. Creation of roles for users</h3>
<p style="margin:0px 0px 1.2em!important">Same as item 3, for now assume that a user exists with the “admin” role. The ideal is the creation of a <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">super user to access UPS</code>. For now, users can manually register/import users that can access UPS through the KC admin console.</p>
<h3 style="margin:1.3em 0px 1em;padding:0px;font-weight:bold;font-size:1.3em">5. UPS realm</h3>
<p style="margin:0px 0px 1.2em!important">Discussing with Matthias we came up with 2 scenarios:</p>
<ul style="margin:1.2em 0px;padding-left:2em">
<li style="margin:0.5em 0px">Make use of an already existent realm in use</li>
</ul>
<p style="margin:0px 0px 1.2em!important">In this scenario, people want to make use of UPS, but don’t want to have a new realm dedicated to it. We’re going to make use of the dynamic client registration against the realm specified.</p>
<ul style="margin:1.2em 0px;padding-left:2em">
<li style="margin:0.5em 0px">Brand new instance of Keycloak with UPS theme</li>
</ul>
<p style="margin:0px 0px 1.2em!important">For people willing to have a separate <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">realm</code> not mixed up with <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">master</code>. In this scenario we provide <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">ups-realm.json</code> as part of the documentation or for demo purposes and make use of the dynamic client registration process.</p>
<p style="margin:0px 0px 1.2em!important">Note: We can probably benefit from item 1 to import the <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">json</code> file if necessary.</p>
<h3 style="margin:1.3em 0px 1em;padding:0px;font-weight:bold;font-size:1.3em">6. Multiple UPS instances with a single instance of KC</h3>
<p style="margin:0px 0px 1.2em!important">It would require extending the client registration service and some work on KC. Depending on the time, it can be done. But for now we’re going to assume that the relationship will be 1:1, in other words, one instance of UPS and one instance of KC.</p>
<p style="margin:0px 0px 1.2em!important">For corp scenarios we would end up with:</p>
<h4 style="margin:1.3em 0px 1em;padding:0px;font-weight:bold;font-size:1.2em">Test</h4>
<ul style="margin:1.2em 0px;padding-left:2em">
<li style="margin:0.5em 0px"><a href="http://testing.ups.mybank.com" target="_blank">testing.ups.mybank.com</a></li>
<li style="margin:0.5em 0px"><a href="http://testing.keycloak.mybank.com" target="_blank">testing.keycloak.mybank.com</a></li>
</ul>
<h4 style="margin:1.3em 0px 1em;padding:0px;font-weight:bold;font-size:1.2em">Production</h4>
<ul style="margin:1.2em 0px;padding-left:2em">
<li style="margin:0.5em 0px"><a href="http://ups.mybank.com" target="_blank">ups.mybank.com</a></li>
<li style="margin:0.5em 0px"><a href="http://keycloak.mybank.com" target="_blank">keycloak.mybank.com</a></li>
</ul>
<p style="margin:0px 0px 1.2em!important">If you have any questions or feedback, I’m listening.</p>
<p style="margin:0px 0px 1.2em!important"><a href="https://issues.jboss.org/browse/AGPUSH-1047" target="_blank">https://issues.jboss.org/browse/AGPUSH-1047</a></p>
</div><span><font color="#888888">-- <br>- abstractj<br></font></span></div>
<br></div></div>_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org" target="_blank">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><span class="HOEnZb"><font color="#888888"><br></font></span></blockquote></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><div><br></div>-- <br><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Lukáš Fryč</div><div>Software Engineer</div><div><span style="font-size:12.8000001907349px">Red Hat Mobile | AeroGear.org, </span><span style="font-size:12.8000001907349px">FeedHenry.org</span></div></div></div></div></div></div></div></div>
</font></span></div>
</blockquote></div><br></div>
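Item 1 of Bruno's plan (a script that takes either admin credentials or an initial registration token and then creates the UPS clients through Keycloak's dynamic client registration service) is the part of the thread a practitioner would want to see as an exchange. The script below is an added example, not code from the thread, from UPS or from Keycloak. It assumes the Keycloak 1.x URL layout with the <code>/auth</code> prefix, the <code>default</code> client registration provider at <code>/realms/&lt;realm&gt;/clients-registrations/default</code>, the built-in <code>admin-cli</code> client on the <code>master</code> realm for the password grant, and two illustrative client ids (<code>unified-push-server-js</code> for the browser console, <code>unified-push-server</code> for the bearer-only backend); <code>FakeKeycloak</code> is a constructed stand-in so the exchange runs offline.

```python
"""Added example: link a UPS instance to a Keycloak realm by creating its
clients through Keycloak's client registration service (not project code).

Assumptions: Keycloak 1.x paths under /auth, the 'default' registration
provider, the 'admin-cli' client on the master realm, and illustrative
client ids for UPS's console and backend clients.
"""
import json
import urllib.request
from urllib.parse import urlencode


def http_transport(method, url, headers, body):
    """Real transport: send the request and return (status, raw_body)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, resp.read()


def ups_client_representations(ups_url):
    """Client representations UPS needs in the target realm (illustrative ids)."""
    return [
        {   # browser-side admin console: public client, no secret, strict redirect URIs
            "clientId": "unified-push-server-js",
            "publicClient": True,
            "redirectUris": [ups_url + "/*"],
            "webOrigins": [ups_url],
        },
        {   # server side only validates bearer tokens; it never starts a login
            "clientId": "unified-push-server",
            "bearerOnly": True,
        },
    ]


class KeycloakLinker:
    def __init__(self, base_url, realm, transport=http_transport):
        self.base_url = base_url.rstrip("/")
        self.realm = realm
        self.transport = transport

    def admin_token(self, username, password):
        """Path A: exchange admin credentials for an access token (admin-cli, master realm)."""
        url = f"{self.base_url}/auth/realms/master/protocol/openid-connect/token"
        body = urlencode({"grant_type": "password", "client_id": "admin-cli",
                          "username": username, "password": password}).encode()
        status, raw = self.transport(
            "POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status}")
        return json.loads(raw)["access_token"]

    def register_client(self, bearer_token, representation):
        """POST one client to the registration service; returns the created client."""
        url = f"{self.base_url}/auth/realms/{self.realm}/clients-registrations/default"
        headers = {"Authorization": f"Bearer {bearer_token}",
                   "Content-Type": "application/json"}
        status, raw = self.transport("POST", url, headers,
                                     json.dumps(representation).encode())
        if status != 201:
            raise RuntimeError(
                f"registration of {representation['clientId']} failed: HTTP {status}")
        return json.loads(raw)

    def link_ups(self, bearer_token, ups_url):
        """bearer_token is either an admin token (path A) or an initial access
        token (path B). Returns {clientId: registrationAccessToken}; persist
        these, they are the credential that later updates or deletes each client."""
        result = {}
        for rep in ups_client_representations(ups_url):
            created = self.register_client(bearer_token, rep)
            result[created["clientId"]] = created["registrationAccessToken"]
        return result


class FakeKeycloak:
    """Constructed stand-in: records requests, answers like the service would."""
    def __init__(self):
        self.requests = []

    def __call__(self, method, url, headers, body):
        self.requests.append((method, url, headers, body))
        if url.endswith("/protocol/openid-connect/token"):
            return 200, json.dumps({"access_token": "fake-admin-token"}).encode()
        if url.endswith("/clients-registrations/default"):
            if headers.get("Authorization") != "Bearer fake-admin-token":
                return 401, b"{}"   # missing or wrong bearer token
            rep = json.loads(body)
            rep["registrationAccessToken"] = "rat-" + rep["clientId"]
            return 201, json.dumps(rep).encode()
        return 404, b"{}"


def demo():
    """Run both steps against the fake; returns the tokens and the request log."""
    fake = FakeKeycloak()
    linker = KeycloakLinker("https://keycloak.mybank.com", "ups", transport=fake)
    token = linker.admin_token("admin", "secret")   # constructed credentials
    return linker.link_ups(token, "https://ups.mybank.com"), fake


if __name__ == "__main__":
    tokens, _ = demo()
    for client_id, rat in tokens.items():
        print(client_id, "->", rat)
```

With an initial access token, <code>admin_token</code> is skipped and the token is passed straight to <code>link_ups</code>, so the admin password never reaches the script; because an initial access token has a limited use count and lifetime, the per-client <code>registrationAccessToken</code> in each response is what the script must store for later updates, not the token it started with.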