[keycloak-dev] Programatic configuration

Bruno Oliveira bruno at abstractj.org
Tue Nov 25 14:12:25 EST 2014


I might be missing something, here is my attempt:

[standalone at localhost:9990 /] /system-property=keycloak.url:add(value="http://10.0.1.7/auth")
{"outcome" => "success"}

or

public class UpsKeycloakApplication extends KeycloakApplication {
    public UpsKeycloakApplication(@Context ServletContext context, @Context Dispatcher dispatcher) {
        super(context, dispatcher);
        System.setProperty("keycloak.url", "http://10.0.1.7/auth");
    }
}

JSON files:

- keycloak.json

{
  "realm" : "aerogear",
  "auth-server-url" : "${keycloak.url}",
  "ssl-required" : "external",
  "resource" : "unified-push-server",
  "bearer-only" : true,
  "disable-trust-manager" : true
}

- admin-ui-keycloak.json


{
    "realm" : "aerogear",
    "auth-server-url" : "${keycloak.url}",
    "ssl-required" : "external",
    "resource" : "unified-push-server-js",
    "public-client" : true
}


Exception:

17:07:38,649 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 2) JBAS014613: Operation ("deploy") failed - address: ([("deployment" => "ag-push.war")]) - failure description: {"JBAS014671: Failed services" => {"jboss.undertow.deployment.default-server.default-host./ag-push" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./ag-push: Failed to start service
    Caused by: java.lang.IllegalArgumentException: Illegal character in path at index 1: ${keycloak.url}
    Caused by: java.net.URISyntaxException: Illegal character in path at index 1: ${keycloak.url}"}}


I also tried to make use of keycloak.auth-sever available here
https://github.com/keycloak/keycloak/blob/master/integration/wildfly-subsystem/src/main/resources/org/keycloak/subsystem/extension/LocalDescriptions.properties. But got the same exception.


On 2014-11-25, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
> > From: "Bruno Oliveira" <bruno at abstractj.org>
> > To: "Bill Burke" <bburke at redhat.com>
> > Cc: keycloak-dev at lists.jboss.org
> > Sent: Tuesday, 25 November, 2014 2:35:58 PM
> > Subject: Re: [keycloak-dev] Programatic configuration
> >
> > Double checking to see if my understanding is correct. On UPS realm we
> > have 2 applications:
> >
> > "applications": [
> >         {
> >             "name": "unified-push-server",
> >             "enabled": true,
> >             "bearerOnly": true
> >         },
> >         {
> >             "name": "unified-push-server-js",
> >             "enabled": true,
> >             "publicClient": true,
> >             "baseUrl": "/ag-push",
> >             "redirectUris": [
> >                 "http://localhost:8080/ag-push/*"
> >             ]
> >         }
> >     ]
> >
> > The only resource which needs to be modified dynamically is
> > unified-push-server-js. So making
> > use of servlet listeners like Bill did in the past for UPS we have:
> >
> > AdapterDeploymentContext deploymentContext = (AdapterDeploymentContext)
> > sce.getServletContext().getAttribute(AdapterDeploymentContext.class.getName());
> > AdapterConfig config = new AdapterConfig();
> > config.setRealm("aerogear");
> > // Dynamically replaced
> > config.setRealmKey("MIGfMA0GCSqGSIb3DQEBAQUAA");
> > // Dynamically replaced
> > config.setAuthServerUrl("http://mydomain.com:8081/auth");
> > config.setResource("unified-push-server-js");
> > config.setSslRequired("external");
> > config.setPublicClient(true);
> > deploymentContext.updateDeployment(config);
> >
> > In this way we can remove unified-push-server-js from ups-realm.json,
> > right? One thing not totally clear is about Keycloak.js. Currently we
> > have something like:
> >
> > Keycloak kc = new Keycloak('config/keycloak.json')
> >
> > With the changes mentioned above, is the JSON file still required? Or
> > not necessary?
>
> I don't see any point in having all of that, just use the keycloak.json with a system property for the auth-server url. The realm keys are automatically downloaded so no need to specify those.
>
> >
> >
> > On 2014-11-25, Bill Burke wrote:
> > >
> > >
> > > On 11/25/2014 7:50 AM, Stian Thorgersen wrote:
> > > >
> > > >
> > > > ----- Original Message -----
> > > >> From: "Bruno Oliveira" <bruno at abstractj.org>
> > > >> To: "Stian Thorgersen" <stian at redhat.com>
> > > >> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > > >> Sent: Tuesday, 25 November, 2014 1:29:24 PM
> > > >> Subject: Re: [keycloak-dev] Programatic configuration
> > > >>
> > > >> On 2014-11-25, Stian Thorgersen wrote:
> > > >>>
> > > >>>
> > > >>> ----- Original Message -----
> > > >>>> From: "Bruno Oliveira" <bruno at abstractj.org>
> > > >>>> To: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > > >>>> Sent: Tuesday, 25 November, 2014 12:22:22 PM
> > > >>>> Subject: [keycloak-dev] Programatic configuration
> > > >>>>
> > > >>>> Good morning, we've been discussing the following workflow on
> > > >>>> AeroGear:
> > > >>>>
> > > >>>> First time
> > > >>>>
> > > >>>> 1. Developer creates a UPS instance on OpenShift
> > > >>>> 2. Visit https://myups-abstractj.rhcloud.com/ag-push
> > > >>>> 3. The application automagically redirects to the configuration page
> > > >>>> with the options default or Custom — where default makes use of the
> > > >>>> embedded Keycloak on UPS and custom our developer would be able to
> > > >>>> specify another Keycloak instance
> > > >>>> (http://andresgalante.com/configuration/)
> > > >>>> 4. App changes the keycloak.json/ups-realm.json file based on the URL
> > > >>>> provided.
> > > >>>>
> > > >>>> Second time
> > > >>>>
> > > >>>> 1. Visit https://myups-abstractj.rhcloud.com/ag-push
> > > >>>> 2. The application checks if some configuration already exists (default
> > > >>>> or custom)
> > > >>>> 3. Redirect users to UPS login page or Keycloak login page. It pretty
> > > >>>> much depends.
> > > >>>>
> > > >>>> I would like to programmatically change (via Java) `ups-realm.json`,
> > > >>>> `keycloak.json`
> > > >>>> and `admin-ui-keycloak.json`. See
> > > >>>> https://github.com/abstractj/aerogear-unifiedpush-server/commit/e8fc8461fea69801cc495127a88aff05a55c68cd#diff-356b0e49e775810162fd2be9110bb5f4R3
> > > >>>>
> > > >>>> Possible alternatives off the top of my head:
> > > >>>>
> > > >>>> 1. Read/manipulate JSON files from the database and provide
> > > >>>> `keycloak.json`
> > > >>>> and
> > > >>>> `admin-ui-keycloak.json` as a resource like Keycloak team did for
> > > >>>> JavaScript
> > > >>>> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/JsResource.java
> > > >>>> 2. Dynamically generate to a shared place on WildFly `keycloak.json`
> > > >>>> and
> > > >>>> `admin-ui-keycloak.json` files.
> > > >>>>
> > > >>>> Do you have a better idea?
> > > >>>
> > > >>> Is it only the auth-server url you're changing? keycloak.json supports
> > > >>> system properties so you can use for example { "auth-server" :
> > > >>> "${keycloak.url}" }. If you do that you don't have to rewrite the file
> > > >>> at
> > > >>> all.
> > > >>
> > > >> Yes! That's gorgeous! Am I supposed to define it during the bootstrap?
> > > >> For the ups-realm.json file, I'm considering making use of
> > > >> AdapterDeploymentContext like we did in the past, because the redirect
> > > >> url must dynamically change
> > > >> https://github.com/abstractj/aerogear-unifiedpush-server/commit/e8fc8461fea69801cc495127a88aff05a55c68cd#diff-b8df82f22499b0118c37e0e363c4342aR80
> > > >
> > > > How would AdapterDeploymentContext work for a remote KC server?
> > > >
> > > > In the past I had an idea of adding support for server aliases, so you
> > > > could for example do "http://${ups}/ag-push" as the redirect-uri in KC.
> > > > Then we could provide some easy way to manage server-aliases, even
> > > > allowing it to resolve to one or more urls.
> > > >
> > >
> > > The idea was that the UPS mgmt console would allow you to specify a
> > > remote keycloak URL.  It would store this URL, then update the
> > > AdapterDeploymentContext at runtime.
> > >
> > >
> > >
> > > --
> > > Bill Burke
> > > JBoss, a division of Red Hat
> > > http://bill.burkecentral.com
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914

--

abstractj
PGP: 0x84DC9914
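
An added example, not code from this post or from Keycloak: a pre-deployment check that resolves the `${keycloak.url}` placeholder from system properties and rejects the configuration with a clear message when the property is unset, rather than letting the raw placeholder reach URI parsing as in the exception above. It also reports the plain-http URL and the `disable-trust-manager` setting from the posted keycloak.json; the class name, the https-only policy and the pre-parsed map input are assumptions.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper class; requires Java 9 or later.
public class AdapterConfigCheck {
    private static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{([^}]+)\\}");

    // Replace each ${name} with the system property "name"; fail closed if it is unset.
    static String resolve(String value) {
        Matcher m = PLACEHOLDER.matcher(value);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String prop = System.getProperty(m.group(1));
            if (prop == null) throw new IllegalStateException("system property not set: " + m.group(1));
            m.appendReplacement(out, Matcher.quoteReplacement(prop));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Returns findings for already-parsed keycloak.json values.
    static List<String> check(Map<String, Object> cfg) {
        List<String> findings = new ArrayList<>();
        // URI.create throws IllegalArgumentException on syntax errors, so resolve first.
        URI url = URI.create(resolve((String) cfg.get("auth-server-url")));
        if (!"https".equalsIgnoreCase(url.getScheme())) {
            findings.add("auth-server-url is not https: " + url); // assumed policy
        }
        if (Boolean.TRUE.equals(cfg.get("disable-trust-manager"))) {
            findings.add("disable-trust-manager is true: server certificate is not verified");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed input mirroring the keycloak.json values in the post.
        Map<String, Object> cfg = Map.of(
            "auth-server-url", "${keycloak.url}", "disable-trust-manager", true);
        try {
            check(cfg);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.setProperty("keycloak.url", "http://10.0.1.7/auth");
        check(cfg).forEach(System.out::println);
    }
}
```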

