[keycloak-dev] Aerogear UPS + Keycloak cartridge combined together POC

Wed Feb 5 09:23:06 EST 2014

On 2/5/2014 8:35 AM, Karel Piwko wrote:
> On Tue, 04 Feb 2014 13:51:37 -0500
> Bill Burke <bburke at redhat.com> wrote:
>
>>
>>
>> On 2/4/2014 12:13 PM, Karel Piwko wrote:
>>> Hey,
>>>
>>> I've combined Aerogear UPS and Keycloak cartridges together. You can check
>>> the results at:
>>>
>>> https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
>>> https://keycloak-mobileqa.rhcloud.com/ (admin/password)
>>>
>>> For keycloak, I have used original cart [1]:
>>>
>>> $ rhc app create -g small --no-git keycloak
>>> https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metadata/manifest.yml
>>>
>>> For UPS, I have modified matzew's one stored in my repo [2] and modified UPS
>>> [3]:
>
> Given your comments, I'll modify setup to have (primarily) single cart option.
> Should I keep two carts setup? It at least seems as a good QE test case ;-)
>
> Note, I will either have to wait for WF8 Final (due to Hibernate bug in CR1) or
> base cart on AS7.
>
>>>
>>> $ rhc app create -g small --no-git agpushkeycloak mysql-5.1
>>> 'http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-origin-cartridge-aerogear-push&commit=a45f93afaa275de082f9da749bce13fb33acdb75'
>>>
>>> There are some gotchas though:
>>>
>>> * keycloak.json - I'm not sure how this will be addressed by WF subsystem.
>>> We still need a way how to pass keycloak.json to UPS cartridge, which is AS7
>>>     and we can't ask user to modify standalone.xml anyway. However, we could
>>> make a hook on OpenShift - user will add keycloak.json to git repo and it
>>> will automagically put at right location. Could we have a hook in Keycloak
>>> to load keycloak.json from external location? Or should we rather do some
>>> war exploding magic?
>>
>> I need to go through Stan's work.  I want to be able to configure the
>> subsystem from the keycloak admin console without having to create a
>> keycloak.json file.  I just don't know yet if the subsystem will work on
>> AS7.
>
>
> This will work for app and Keycloak being deployed on a single server. It does
> not solve SaaS scenario - keycloak admin console can configure subsystem of
> current WF(AS) only. Keycloak would need to manage subsystem of a remote WF - I
> doubt this would ever be possible with AS7 on OpenShift and I think security
> concerns of such setup are not even allowing this on WF8.
>

You can make authenticated HTTP requests to the WF/AS7 admin interface. 
  Maybe Openshift is disallowing this, but its certainly not the case 
with WF.  My understanding is that the new WF admin console will be a 
pure HTML 5 application making CORS requests to the admin REST interface 
of WF.

What I'm saying is, this will work in the SaaS scenario if Openshift has 
not turned off the AS7/WF admin interface.

>>
>>
>>> * AS7-3227 I worked this around by doing parameter injection for
>>>     SecurityContext in UPS. Nasty. Can we make newer RESTEasy part of
>>> Keycloak package for AS7? Any better option?
>>
>> This is an UPS issue right?  Keycloak WAR bundles is own Resteasy and
>> excludes built in one.
>
> Well, it is either keycloak packaging issue or documentation issue (or problem
> here in Brno in between chair and keyboard). I've added
> keycloak-as7-adapter-dist to AS7. Keycloak WAR was added to different
> cartridge. So, AS7 (UPS) is still using old RESTEasy 2.x. This will be fixed
> if newer RESTEasy is packaged inside of keycloak-as7-adapter-dist instead of
> Keycloak WAR. IIRC this was setup pre alpha-1.

There are two things:

* The keycloak auth-server.war which is the authentication server
* The adapter zip which installs "client" modules and used only for 
WF/AS7 instances that want to interact with a Keycloak auth server.

The adapter does not have a dependency on Resteasy, only on Apache HTTP 
Client 4.1.x (or higher).  The auth-server does have a dependency on 
Resteasy.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com