[keycloak-dev] Aerogear UPS + Keycloak cartridge combined together POC

Bill Burke bburke at redhat.com
Tue Feb 4 13:51:37 EST 2014

On 2/4/2014 12:13 PM, Karel Piwko wrote:
> Hey,
> I've combined Aerogear UPS and Keycloak cartridges together. You can check the
> results at:
> https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
> https://keycloak-mobileqa.rhcloud.com/ (admin/password)
> For keycloak, I have used original cart [1]:
> $ rhc app create -g small --no-git keycloak
> https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metadata/manifest.yml
> For UPS, I have modified matzew's one stored in my repo [2] and modified UPS
> [3]:
> $ rhc app create -g small --no-git agpushkeycloak mysql-5.1
> 'http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-origin-cartridge-aerogear-push&commit=a45f93afaa275de082f9da749bce13fb33acdb75'
> There are some gotchas though:
> * keycloak.json - I'm not sure how this will be addressed by WF subsystem. We
>    still need a way how to pass keycloak.json to UPS cartridge, which is AS7
>    and we can't ask user to modify standalone.xml anyway. However, we could make
>    a hook on OpenShift - user will add keycloak.json to git repo and it will
>    automagically put at right location. Could we have a hook in Keycloak to
>    load keycloak.json from external location? Or should we rather do some war
>    exploding magic?

I need to go through Stan's work.  I want to be able to configure the 
subsystem from the keycloak admin console without having to create a 
keycloak.json file.  I just don't know yet if the subsystem will work on 

> * AS7-3227 I worked this around by doing parameter injection for
>    SecurityContext in UPS. Nasty. Can we make newer RESTEasy part of Keycloak
>    package for AS7? Any better option?

This is an UPS issue right?  Keycloak WAR bundles is own Resteasy and 
excludes built in one.

> * Ember in UPS is firing AJAX request to REST Endpoints on the same domain.
>    However, as it goes through Keycloak Auth Server, this is considered CORS
>    request. I had to configure Web Origin for UPS application. This is
>    confusing to me, Origin header should be transparent for Keycloak as I'm
>    firing request to the same domain. Note this does not happen in Firefox,
>    which identifies same domain and avoids Origin header. I need some insight
>    here from more skilled people.

JIRA for this one.  I've only tested/experimented with CORS on Firefox.

> * I wasn't able to keep http->https rewriting valve with Keycloak to avoid UPS
>    usage via http protocol. I'll go deeper into that.
> * Changes to Web Origin in Keycloak admin UI are not reflected to already logged
>    users. They need to log out first.

We can't fix this.  But it will be mitigated when we add refresh tokens. 
  We'll have a short token lifespan that needs to be refreshed.  The 
refresh will pick up the changes.

> More detailed steps:
> 1/ Create Keycloak cart
> 2/ Add AeroGear-UnifiedPush realm with roles admin, user
> 3/ Add ag-push app with scopes admin, user, allow Web Origin for UPS cart
> location

Couldn't the cartridge come with a pre-configured keycloak database?  We 
also have a realm import option, but we haven't documented the json 
format yet.  Also there's the admin REST interface you could use to 
create the realm/application/roles etc.

> 4/ Get keycloak.json
> 5/ Enable CORS in keycloak.json, modify password
> 6/ Add keycloak.json to aerogear-unifiedpush-server/src/main/webapp/WEB-INF
> 7/ Package UPS via 'mvn clean package'
> 8/ Put war into
> openshift-origin-cartridge-aerogear-push/versions/0.9.0/standalone/deployments

This may be able to be done from the keycloak console.

> 9/ Push that online
> 10/ Create UPS cart using reflector cartridge (use commit sha1 if not using
> master), enable mysql-5.1 gear as well
> 11/ Create an user with roles admin/user in AeroGear-UnifiedPush realm
> 12/ Enjoy UPS secured by Keycloak. Have a big cup of coffee.


Bill Burke
JBoss, a division of Red Hat

More information about the keycloak-dev mailing list