[keycloak-dev] [aerogear-dev] Aerogear UPS + Keycloak cartridge combined together POC

Matthias Wessendorf matzew at apache.org
Tue Feb 4 12:21:10 EST 2014 

oh, this was a cross-post :-) (adding keycloak)


On Tue, Feb 4, 2014 at 6:20 PM, Matthias Wessendorf <matzew at apache.org>wrote:

>
>
>
> On Tue, Feb 4, 2014 at 6:13 PM, Karel Piwko <kpiwko at redhat.com> wrote:
>
>> Hey,
>>
>> I've combined Aerogear UPS and Keycloak cartridges together. You can
>> check the
>> results at:
>>
>> https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
>> https://keycloak-mobileqa.rhcloud.com/ (admin/password)
>>
>>
> I think it would be awesome if the keycloak bits would be included into
> the UPS bits, to have something OOTB, instead of pointing to a different
> server (CORS)
>
>
>> For keycloak, I have used original cart [1]:
>>
>> $ rhc app create -g small --no-git keycloak
>>
>> https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metadata/manifest.yml
>>
>> For UPS, I have modified matzew's one stored in my repo [2] and modified
>> UPS
>> [3]:
>>
>> $ rhc app create -g small --no-git agpushkeycloak mysql-5.1
>> '
>> http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-origin-cartridge-aerogear-push&commit=a45f93afaa275de082f9da749bce13fb33acdb75
>> '
>>
>> There are some gotchas though:
>>
>> * keycloak.json - I'm not sure how this will be addressed by WF subsystem.
>
>
> the public-key needs to be, as far as I can see, included inside of the
> standalone.xml (keycloak subsystem section).
> Which is somewhat a similar issue; I think, if I get it right, that means
> as you plan to support more and more 'realms', you keep editing the
> standalone xml.
>
>
>> We
>>   still need a way how to pass keycloak.json to UPS cartridge, which is
>> AS7
>>   and we can't ask user to modify standalone.xml anyway. However, we
>> could make
>>   a hook on OpenShift - user will add keycloak.json to git repo and it
>> will
>>   automagically put at right location. Could we have a hook in Keycloak to
>>   load keycloak.json from external location? Or should we rather do some
>> war
>>   exploding magic?
>> * AS7-3227 I worked this around by doing parameter injection for
>>   SecurityContext in UPS. Nasty. Can we make newer RESTEasy part of
>> Keycloak
>>   package for AS7? Any better option?
>> * Ember in UPS is firing AJAX request to REST Endpoints on the same
>> domain.
>>   However, as it goes through Keycloak Auth Server, this is considered
>> CORS
>>   request. I had to configure Web Origin for UPS application. This is
>>   confusing to me, Origin header should be transparent for Keycloak as I'm
>>   firing request to the same domain. Note this does not happen in Firefox,
>>   which identifies same domain and avoids Origin header. I need some
>> insight
>>   here from more skilled people.
>>
>
> hmmmmm .... sounds 'good' :-)
>
>
>> * I wasn't able to keep http->https rewriting valve with Keycloak to
>> avoid UPS
>>   usage via http protocol. I'll go deeper into that.
>>
>
> https is enforced on our UPS cartridge
>
>
>> * Changes to Web Origin in Keycloak admin UI are not reflected to already
>> logged
>>   users. They need to log out first.
>> * Missing logout button in UPS. Related to previous point.
>>
>> Let me know if you want me to convert some of these points to JIRAs in
>> AGPUSH
>> or KEYCLOAK projects. Also, let me please now if I should have configured
>> something differently.
>>
>> Thanks,
>>
>> Karel
>>
>> [1] https://github.com/stianst/openshift-keycloak-cartridge
>> [2]
>>
>> https://github.com/kpiwko/openshift-origin-cartridge-aerogear-push/tree/keycloak
>> [3]
>>
>> https://github.com/kpiwko/aerogear-unifiedpush-server/tree/keycloak-openshift
>>
>> More detailed steps:
>>
>> 1/ Create Keycloak cart
>> 2/ Add AeroGear-UnifiedPush realm with roles admin, user
>> 3/ Add ag-push app with scopes admin, user, allow Web Origin for UPS cart
>> location
>> 4/ Get keycloak.json
>> 5/ Enable CORS in keycloak.json, modify password
>> 6/ Add keycloak.json to
>> aerogear-unifiedpush-server/src/main/webapp/WEB-INF
>> 7/ Package UPS via 'mvn clean package'
>> 8/ Put war into
>>
>> openshift-origin-cartridge-aerogear-push/versions/0.9.0/standalone/deployments
>> 9/ Push that online
>> 10/ Create UPS cart using reflector cartridge (use commit sha1 if not
>> using
>> master), enable mysql-5.1 gear as well
>> 11/ Create an user with roles admin/user in AeroGear-UnifiedPush realm
>> 12/ Enjoy UPS secured by Keycloak. Have a big cup of coffee.
>>
>>
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>
>
>
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140204/7ebc93e2/attachment.html

More information about the keycloak-dev mailing list