[Hawkular-dev] Should Keycloak integration be optional?

[John Sanda]

> On Jan 23, 2015, at 12:54 PM, Juraci Paixão Kröhling <jpkroehling at redhat.com> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> As I mentioned on the previous email, one of the questions during the
> demo was if it would be possible to have the Keycloak integration as
> an optional part.
> 
> In the backend part, it's not hard to disable Keycloak as the
> authentication mechanism, as it's just JAAS. That would require,
> though, a second JAAS implementation to replace it.
> 
> In the frontend part, however, it's a bit more complicated. The setup
> right now is that the web console is treated as an HTML5 single-page
> app. This means that the web console is one application and the
> backend is a different one, and they propagate the authentication by
> using the tokens: the web console gets a token from the Keycloak
> JavaScript adapter once the user logs in and sends it along with each
> request to the backend. The backend (Keycloak Wildfly Adapter) reads
> this token and retrieves the user data from the Keycloak server,
> allowing the request to execute or not.
> 
> This means that either:
> 
> 1) web console and REST API (and possibly other wars) become one, so
> that the HTML5 single-page app can be served only after the user logs
> in (classic Java EE application)
> 
> 2) the backend JAAS adapter would need to support also some sort of
> token exchange, with the frontend abstracting the Keycloak adapter to
> work with one auth mechanism or another, possibly auto identifying
> what is the backend's auth mechanism.
> 
> 3) ??
> 
> I don't think that the first option is a real one. Having small wars,
> each taking care of one concern, is a goal on the project.
> 
> So, would an effort in making Keycloak an optional part be worth it?
> Should I pursue it?
> 

I am not sure about for production use, but for development I like the idea of being able to flip a switch to turn it on/off. I also agree that option 1 is undesirable.