[keycloak-dev] [aerogear-dev] Aerogear UPS + Keycloak cartridge combined together POC
matzew at apache.org
Tue Feb 4 12:21:10 EST 2014
oh, this was a cross-post :-) (adding keycloak)
On Tue, Feb 4, 2014 at 6:20 PM, Matthias Wessendorf <matzew at apache.org> wrote:
> On Tue, Feb 4, 2014 at 6:13 PM, Karel Piwko <kpiwko at redhat.com> wrote:
>> I've combined Aerogear UPS and Keycloak cartridges together. You can check the
>> results at:
>> https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
>> https://keycloak-mobileqa.rhcloud.com/ (admin/password)
> I think it would be awesome if the keycloak bits were included in the UPS
> bits, to have something OOTB, instead of pointing to a different server (CORS)
>> For keycloak, I have used the original cart:
>> $ rhc app create -g small --no-git keycloak
>> For UPS, I have modified matzew's one stored in my repo and modified:
>> $ rhc app create -g small --no-git agpushkeycloak mysql-5.1
>> There are some gotchas though:
>> * keycloak.json - I'm not sure how this will be addressed by WF subsystem.
> the public-key needs to be, as far as I can see, included inside of the
> standalone.xml (keycloak subsystem section).
> Which is somewhat a similar issue; I think, if I get it right, that means
> as you plan to support more and more 'realms', you keep editing the
> standalone xml.
>> still need a way to pass keycloak.json to UPS cartridge, which is
>> and we can't ask user to modify standalone.xml anyway. However, we could make
>> a hook on OpenShift - user will add keycloak.json to git repo and it will
>> automagically be put at the right location. Could we have a hook in Keycloak to
>> load keycloak.json from an external location? Or should we rather do some
>> exploding magic?
>> * AS7-3227 I worked around this by doing parameter injection for
>> SecurityContext in UPS. Nasty. Can we make a newer RESTEasy part of the
>> package for AS7? Any better option?
>> * Ember in UPS is firing AJAX request to REST Endpoints on the same
>> However, as it goes through Keycloak Auth Server, this is considered
>> request. I had to configure Web Origin for UPS application. This is
>> confusing to me, Origin header should be transparent for Keycloak as I'm
>> firing request to the same domain. Note this does not happen in Firefox,
>> which identifies same domain and avoids Origin header. I need some
>> here from more skilled people.
> hmmmmm .... sounds 'good' :-)
>> * I wasn't able to keep the http->https rewriting valve with Keycloak to
>> avoid UPS usage via the http protocol. I'll go deeper into that.
> https is enforced on our UPS cartridge
>> * Changes to Web Origin in Keycloak admin UI are not reflected to already
>> users. They need to log out first.
>> * Missing logout button in UPS. Related to previous point.
>> Let me know if you want me to convert some of these points to JIRAs in
>> or KEYCLOAK projects. Also, please let me know if I should have configured
>> something differently.
>>  https://github.com/stianst/openshift-keycloak-cartridge
>> More detailed steps:
>> 1/ Create Keycloak cart
>> 2/ Add AeroGear-UnifiedPush realm with roles admin, user
>> 3/ Add ag-push app with scopes admin, user, allow Web Origin for UPS cart
>> 4/ Get keycloak.json
>> 5/ Enable CORS in keycloak.json, modify password
>> 6/ Add keycloak.json to
>> 7/ Package UPS via 'mvn clean package'
>> 8/ Put war into
>> 9/ Push that online
>> 10/ Create UPS cart using reflector cartridge (use commit sha1 if not
>> master), enable mysql-5.1 gear as well
>> 11/ Create a user with roles admin/user in the AeroGear-UnifiedPush realm
>> 12/ Enjoy UPS secured by Keycloak. Have a big cup of coffee.
>> aerogear-dev mailing list
>> aerogear-dev at lists.jboss.org
> Matthias Wessendorf
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
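The Origin-header gotcha Karel describes (the UPS Ember UI calling REST endpoints on its own domain, yet being treated as a cross-origin request until the UPS URL was added as a Web Origin) comes down to how the server classifies a request that carries an Origin header. Firefox, as the thread notes, omitted the header on same-origin requests; other browsers (Chrome, for one) send it on same-origin XHR POSTs, so "Origin header present" is not the same as "cross-origin request". The block below is an added example written for this page, not code from the thread, from UPS or from Keycloak, and the function names, the sample requests and the allow-list are my own constructions; it shows the classification a REST endpoint should make, with exact-match origin comparison, default-port normalisation and the literal "null" origin handled.

```javascript
// Added example for this page; not code from the thread, from UPS or from
// Keycloak, and the function names are hypothetical. It classifies a request by
// its Origin header: absent (Firefox's same-origin case), equal to the server's
// own origin (what other browsers send on same-origin XHR POSTs), on the
// configured Web Origin allow-list, or anything else.

// Reduce a URL or origin string to scheme://host[:port] with the scheme's
// default port dropped and scheme/host lower-cased. Returns null for anything
// unparsable, which includes the literal "null" origin sent by sandboxed frames
// and file:// pages, and for non-http(s) schemes.
function normalizeOrigin(value) {
  let u;
  try {
    u = new URL(value);
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  const scheme = u.protocol.slice(0, -1);
  const host = u.hostname.toLowerCase();
  // u.port is '' when the URL uses the scheme's default port (80 / 443).
  return u.port ? `${scheme}://${host}:${u.port}` : `${scheme}://${host}`;
}

// Classify one request. serverOrigin is the origin the app itself is served
// from, webOrigins is the configured allow-list (exact matches only), headers
// is a plain object keyed by lower-cased header name.
// Returns { kind, corsHeaders } where kind is one of:
//   'no-origin'            no Origin header: an ordinary same-site request
//   'same-origin'          Origin equals the server's own origin
//   'cross-origin-allowed' Origin is on the allow-list; echo corsHeaders back
//   'cross-origin-denied'  everything else, including unparsable/"null" origins
function classifyRequest(serverOrigin, webOrigins, headers) {
  const self = normalizeOrigin(serverOrigin);
  if (!('origin' in headers)) {
    return { kind: 'no-origin', corsHeaders: {} };
  }
  const origin = normalizeOrigin(headers.origin);
  if (origin === null) {
    return { kind: 'cross-origin-denied', corsHeaders: {} };
  }
  if (origin === self) {
    // Same origin: the browser does not enforce CORS here, no headers needed,
    // and the app's own URL does not have to be on the Web Origin list.
    return { kind: 'same-origin', corsHeaders: {} };
  }
  // Exact-match set: "https://a.example" must not match
  // "https://a.example.evil.test", which a prefix or substring test would allow.
  const allowed = new Set(webOrigins.map(normalizeOrigin).filter((o) => o !== null));
  if (allowed.has(origin)) {
    return {
      kind: 'cross-origin-allowed',
      corsHeaders: {
        // Echo the specific origin, not "*": "*" is rejected by browsers when
        // the request carries credentials (cookies, Authorization header).
        'Access-Control-Allow-Origin': origin,
        'Access-Control-Allow-Credentials': 'true',
        // Tell caches the response body/headers depend on the requesting origin.
        'Vary': 'Origin',
      },
    };
  }
  return { kind: 'cross-origin-denied', corsHeaders: {} };
}

// Constructed sample requests mirroring the two gears in the thread: the UPS UI
// calling its own REST endpoints, and a cross-origin call from the Keycloak gear.
const UPS = 'https://agpushkeycloak-mobileqa.rhcloud.com';
const KC = 'https://keycloak-mobileqa.rhcloud.com';

function demo() {
  return {
    noOriginHeader: classifyRequest(UPS, [KC], {}).kind,
    sameOrigin: classifyRequest(UPS, [KC], { origin: UPS }).kind,
    sameOriginExplicitPort: classifyRequest(UPS, [KC], { origin: UPS + ':443' }).kind,
    keycloakGear: classifyRequest(UPS, [KC], { origin: KC }).kind,
    lookalikeHost: classifyRequest(UPS, [KC], { origin: KC + '.evil.test' }).kind,
    nullOrigin: classifyRequest(UPS, [KC], { origin: 'null' }).kind,
  };
}

console.log(demo());
```

The practical consequence for the setup in the thread: if the endpoint compares the Origin header against the allow-list without first comparing it against its own origin, the UPS UI works in Firefox and fails in browsers that send Origin on same-origin requests, which is exactly the asymmetry Karel saw. Adding the UPS URL as a Web Origin papers over it; checking for same-origin first removes the need.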