[keycloak-dev] Aerogear UPS + Keycloak cartridge combined together POC
bburke at redhat.com
Tue Feb 4 13:51:37 EST 2014
On 2/4/2014 12:13 PM, Karel Piwko wrote:
> I've combined Aerogear UPS and Keycloak cartridges together. You can check the
> results at:
> https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
> https://keycloak-mobileqa.rhcloud.com/ (admin/password)
> For keycloak, I have used original cart :
> $ rhc app create -g small --no-git keycloak
> For UPS, I have modified matzew's one stored in my repo  and modified UPS
> $ rhc app create -g small --no-git agpushkeycloak mysql-5.1
> There are some gotchas though:
> * keycloak.json - I'm not sure how this will be addressed by WF subsystem. We
> still need a way how to pass keycloak.json to UPS cartridge, which is AS7
> and we can't ask user to modify standalone.xml anyway. However, we could make
> a hook on OpenShift - user will add keycloak.json to git repo and it will
> automagically put at right location. Could we have a hook in Keycloak to
> load keycloak.json from external location? Or should we rather do some war
> exploding magic?
I need to go through Stan's work. I want to be able to configure the
subsystem from the keycloak admin console without having to create a
keycloak.json file. I just don't know yet if the subsystem will work on
> * AS7-3227 I worked this around by doing parameter injection for
> SecurityContext in UPS. Nasty. Can we make newer RESTEasy part of Keycloak
> package for AS7? Any better option?
This is an UPS issue right? Keycloak WAR bundles is own Resteasy and
excludes built in one.
> * Ember in UPS is firing AJAX request to REST Endpoints on the same domain.
> However, as it goes through Keycloak Auth Server, this is considered CORS
> request. I had to configure Web Origin for UPS application. This is
> confusing to me, Origin header should be transparent for Keycloak as I'm
> firing request to the same domain. Note this does not happen in Firefox,
> which identifies same domain and avoids Origin header. I need some insight
> here from more skilled people.
JIRA for this one. I've only tested/experimented with CORS on Firefox.
> * I wasn't able to keep http->https rewriting valve with Keycloak to avoid UPS
> usage via http protocol. I'll go deeper into that.
> * Changes to Web Origin in Keycloak admin UI are not reflected to already logged
> users. They need to log out first.
We can't fix this. But it will be mitigated when we add refresh tokens.
We'll have a short token lifespan that needs to be refreshed. The
refresh will pick up the changes.
> More detailed steps:
> 1/ Create Keycloak cart
> 2/ Add AeroGear-UnifiedPush realm with roles admin, user
> 3/ Add ag-push app with scopes admin, user, allow Web Origin for UPS cart
Couldn't the cartridge come with a pre-configured keycloak database? We
also have a realm import option, but we haven't documented the json
format yet. Also there's the admin REST interface you could use to
create the realm/application/roles etc.
> 4/ Get keycloak.json
> 5/ Enable CORS in keycloak.json, modify password
> 6/ Add keycloak.json to aerogear-unifiedpush-server/src/main/webapp/WEB-INF
> 7/ Package UPS via 'mvn clean package'
> 8/ Put war into
This may be able to be done from the keycloak console.
> 9/ Push that online
> 10/ Create UPS cart using reflector cartridge (use commit sha1 if not using
> master), enable mysql-5.1 gear as well
> 11/ Create an user with roles admin/user in AeroGear-UnifiedPush realm
> 12/ Enjoy UPS secured by Keycloak. Have a big cup of coffee.
JBoss, a division of Red Hat
More information about the keycloak-dev