[keycloak-dev] Aerogear UPS + Keycloak cartridge combined together POC

Karel Piwko kpiwko at redhat.com
Wed Feb 5 08:35:04 EST 2014

On Tue, 04 Feb 2014 13:51:37 -0500
Bill Burke <bburke at redhat.com> wrote:

> On 2/4/2014 12:13 PM, Karel Piwko wrote:
> > Hey,
> >
> > I've combined Aerogear UPS and Keycloak cartridges together. You can check
> > the results at:
> >
> > https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
> > https://keycloak-mobileqa.rhcloud.com/ (admin/password)
> >
> > For keycloak, I have used original cart [1]:
> >
> > $ rhc app create -g small --no-git keycloak
> > https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metadata/manifest.yml
> >
> > For UPS, I have modified matzew's one stored in my repo [2] and modified UPS
> > [3]:

Given your comments, I'll modify setup to have (primarily) single cart option.
Should I keep two carts setup? It at least seems as a good QE test case ;-)

Note, I will either have to wait for WF8 Final (due to Hibernate bug in CR1) or
base cart on AS7.

> >
> > $ rhc app create -g small --no-git agpushkeycloak mysql-5.1
> > 'http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-origin-cartridge-aerogear-push&commit=a45f93afaa275de082f9da749bce13fb33acdb75'
> >
> > There are some gotchas though:
> >
> > * keycloak.json - I'm not sure how this will be addressed by WF subsystem.
> > We still need a way how to pass keycloak.json to UPS cartridge, which is AS7
> >    and we can't ask user to modify standalone.xml anyway. However, we could
> > make a hook on OpenShift - user will add keycloak.json to git repo and it
> > will automagically put at right location. Could we have a hook in Keycloak
> > to load keycloak.json from external location? Or should we rather do some
> > war exploding magic?
> I need to go through Stan's work.  I want to be able to configure the 
> subsystem from the keycloak admin console without having to create a 
> keycloak.json file.  I just don't know yet if the subsystem will work on 
> AS7.

This will work for app and Keycloak being deployed on a single server. It does
not solve SaaS scenario - keycloak admin console can configure subsystem of
current WF(AS) only. Keycloak would need to manage subsystem of a remote WF - I
doubt this would ever be possible with AS7 on OpenShift and I think security
concerns of such setup are not even allowing this on WF8.

> > * AS7-3227 I worked this around by doing parameter injection for
> >    SecurityContext in UPS. Nasty. Can we make newer RESTEasy part of
> > Keycloak package for AS7? Any better option?
> This is an UPS issue right?  Keycloak WAR bundles is own Resteasy and 
> excludes built in one.

Well, it is either keycloak packaging issue or documentation issue (or problem
here in Brno in between chair and keyboard). I've added
keycloak-as7-adapter-dist to AS7. Keycloak WAR was added to different
cartridge. So, AS7 (UPS) is still using old RESTEasy 2.x. This will be fixed
if newer RESTEasy is packaged inside of keycloak-as7-adapter-dist instead of
Keycloak WAR. IIRC this was setup pre alpha-1.

> > * Ember in UPS is firing AJAX request to REST Endpoints on the same domain.
> >    However, as it goes through Keycloak Auth Server, this is considered CORS
> >    request. I had to configure Web Origin for UPS application. This is
> >    confusing to me, Origin header should be transparent for Keycloak as I'm
> >    firing request to the same domain. Note this does not happen in Firefox,
> >    which identifies same domain and avoids Origin header. I need some
> > insight here from more skilled people.
> JIRA for this one.  I've only tested/experimented with CORS on Firefox.


> > * I wasn't able to keep http->https rewriting valve with Keycloak to avoid
> > UPS usage via http protocol. I'll go deeper into that.
> > * Changes to Web Origin in Keycloak admin UI are not reflected to already
> > logged users. They need to log out first.
> We can't fix this.  But it will be mitigated when we add refresh tokens. 
>   We'll have a short token lifespan that needs to be refreshed.  The 
> refresh will pick up the changes.

Sounds good.

> > More detailed steps:
> >
> > 1/ Create Keycloak cart
> > 2/ Add AeroGear-UnifiedPush realm with roles admin, user
> > 3/ Add ag-push app with scopes admin, user, allow Web Origin for UPS cart
> > location
> Couldn't the cartridge come with a pre-configured keycloak database?  We 
> also have a realm import option, but we haven't documented the json 
> format yet.  Also there's the admin REST interface you could use to 
> create the realm/application/roles etc.

If I'm able to get public key via admin REST interface, it should be possible
to preconfigure that. Setup will be complicated but possible with
Keycloak subsystem. Having realm import json format documentation will
definitely help here.

> > 4/ Get keycloak.json
> > 5/ Enable CORS in keycloak.json, modify password
> > 6/ Add keycloak.json to aerogear-unifiedpush-server/src/main/webapp/WEB-INF
> > 7/ Package UPS via 'mvn clean package'
> > 8/ Put war into
> > openshift-origin-cartridge-aerogear-push/versions/0.9.0/standalone/deployments
> This may be able to be done from the keycloak console.

Right, but not in SaaS scenario, only if app and Keycloak run on same instance.

> > 9/ Push that online
> > 10/ Create UPS cart using reflector cartridge (use commit sha1 if not using
> > master), enable mysql-5.1 gear as well
> > 11/ Create an user with roles admin/user in AeroGear-UnifiedPush realm
> > 12/ Enjoy UPS secured by Keycloak. Have a big cup of coffee.
> >
> :)

More information about the keycloak-dev mailing list