[keycloak-dev] Need advice on bootstrapping Keycloak

Stan Silvert ssilvert at redhat.com
Fri Jul 25 14:01:04 EDT 2014


On 7/25/2014 8:34 AM, Stian Thorgersen wrote:
> ----- Original Message -----
>> From: "Stan Silvert" <ssilvert at redhat.com>
>> To: keycloak-dev at lists.jboss.org, "Juraci Paixão Kröhling" <jpkroehling at redhat.com>
>> Sent: Friday, 18 July, 2014 2:29:54 PM
>> Subject: [keycloak-dev] Need advice on bootstrapping Keycloak
>>
>> Hi guys,
>>
>> My overall goal is to unite JBoss user-facing products via Keycloak
>> SSO.  The first major task is to make it as easy as possible to use
>> Keycloak with the WildFly web console.  I have this working, but it
>> takes quite a bit of setup.
>>
>> Ideally, there should be a simple switch in WildFly that says, "Use
>> Keycloak for web console", and it all just works.
>>
>> So I'm looking for ideas on how to automate these setup tasks:
>> * Deploy Keycloak auth server and keycloak-ds.xml
> Is the plan eventually to deploy Keycloak as an extension instead of a WAR? I reckon that would solve a fair amount of issues. Could even go as far as creating KeycloakDS with a persistent H2 db from within the subsystem if it's not available?
Interesting idea.  What issues are you thinking this will solve?
>
>> * Seed the database with an initial realm, user, roles, and two applications
> What about defining a bootstrap-realm.json file. We already have mechanisms in place for importing a file at startup, which is only imported if the realm doesn't already exist.
How does the mechanism work?  I don't see the doco for it.  This might 
solve much of my problem.  But I need to let it generate new keys for 
the realm.  It should also generate a new secret for each application.  
Otherwise, everyone's installation would be the same.

Can I get a callback to know when the import is complete?  After all 
that is done, I need to create the subsystem definitions for the 
applications.  So I have to query Keycloak to find out what the 
installation parameters are.  Is all that doable?
>
>> * Create keycloak.json files or populate keycloak subsystem for the two
>> apps.
> Would be cool if you had an option to automatically create Keycloak subsystem definitions for apps as they're created in KC. Could have some sort of co-located option or something.
Actually, you don't even need the co-located option.  It could issue a 
CLI command to any server that has a Keycloak subsystem.  Not only that, 
you could even deploy the WAR from Keycloak Admin if you wanted to.  But 
I don't think you want Keycloak to be in the business of managing 
deployments.

This is where true integration with our other tools comes in. Keycloak 
manages security.  Web Console and JON manage deployments. All three 
should work together.  So when I want to deploy something, I should be 
able to do all this from an integrated UI:
* Scan the WAR to find out its roles.
* Auto-populate Keycloak with the application and role definitions.
* Auto-populate Keycloak with the application's Redirect URI, Base URL, etc.
* Create the Keycloak subsystem entries
* Decide which WildFly instances the app will be deployed to.
* Upload and deploy the WAR
>
>> Thanks in advance,
>>
>> Stan
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
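
The concern raised in the reply above (a shared bootstrap realm file would give every installation the same realm keys and application secrets) can be checked and handled before import. The following is an added example, not code from the thread or from Keycloak. The field names (privateKey, publicKey, applications, secret), the realm and application names, and the idea that the importer generates realm keys when none are supplied are all assumptions made for illustration.

```python
import copy
import json
import secrets

# Constructed bootstrap template. Field names are assumed, modeled on a
# realm JSON export; all values are placeholders made up for this example.
TEMPLATE = json.loads("""
{
  "realm": "wildfly-console",
  "enabled": true,
  "privateKey": "CONSTRUCTED-SHARED-PRIVATE-KEY",
  "publicKey": "CONSTRUCTED-SHARED-PUBLIC-KEY",
  "applications": [
    {"name": "web-console", "secret": "changeme"},
    {"name": "http-endpoint", "secret": "changeme"}
  ]
}
""")

KEY_FIELDS = ("privateKey", "publicKey")

def shared_material(realm):
    """List every field that would be identical on each installation."""
    found = [f for f in KEY_FIELDS if realm.get(f)]
    found += [f"applications[{a['name']}].secret"
              for a in realm.get("applications", []) if a.get("secret")]
    return found

def personalize(template, token_bytes=32):
    """Return a per-installation copy: realm keys removed so the importer
    has to generate them (assumed behaviour), fresh secret per application."""
    realm = copy.deepcopy(template)
    for field in KEY_FIELDS:
        realm.pop(field, None)
    for app in realm.get("applications", []):
        app["secret"] = secrets.token_urlsafe(token_bytes)
    return realm

def installation_params(realm):
    """Values an installer needs afterwards to write each application's
    adapter configuration (hypothetical shape)."""
    return {a["name"]: {"realm": realm["realm"], "secret": a["secret"]}
            for a in realm.get("applications", [])}

if __name__ == "__main__":
    print("shared in template:", shared_material(TEMPLATE))
    install = personalize(TEMPLATE)
    print(json.dumps(installation_params(install), indent=2))
```

Running shared_material against a template as a packaging check catches key material or secrets that were committed by accident.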


