[keycloak-dev] Adapters

Bill Burke bburke at redhat.com
Mon Sep 15 11:17:35 EDT 2014


Much of what you want is already the reality, but there are some caveats you 
must know about:

* Adapters need specific integration with each app server as they need 
to extract and set role mappings prior to the servlet container's roles 
allowed checks.  This can't be done in a filter.

* Being able to propagate the Subject between component layers 
(Servlet->EJB) requires specific app server integration.

* A keycloak logout invokes on adapter's admin url to invalidate the 
HTTP session.  The HTTP session invalidation is app server specific.

* I don't believe you can obtain client cert information from the 
servlet API, which will become important when we add client-cert support.

Wildfly and JBossWeb have different integration SPIs for security, but 
most of the adapter code lives in a common library whose only dependency 
is Apache HTTP Client.  The core adapter library has a tiny HTTP message 
and HTTP session management facade to bridge between the two different containers.

On 9/15/2014 10:38 AM, Stian Thorgersen wrote:
> I think it would make sense to provide a plain Java adapter, as well as a plain Servlet adapter. Further this should be the base for all other adapters.
>
>    +--------+ +---------+  +-----------+     +---------+
>    | Tomcat | |JBoss AS |  |PicketLink |     | WildFly |
>    | Jetty  | |JBoss EAP|  |           |     |         |
>    | ...    | |         |  |           |     |         |
>    +----+---+ +---+-----+  +---+-------+     +----+----+
>         |         |            |                  |
>         |     +---v-----+      |             +----v----+
>         +----->Servlet  <------+             | Undertow|
>               |         |                    |         |
>               +----+----+                    +----+----+
>                    |       +---------+            |
>                    +------->Java     <------------+
>                            |         |
>                            +---------+
>
> The Java adapter should have minimum dependencies (maybe only http-client?).
>
> Don't get too hung up with the syntax (I knocked this together in 2 min), but the general idea would be something like:
>
>          InputStream is = new FileInputStream("keycloak.json");
>
>          KeycloakOAuthClient client = KeycloakClient.createOAuth(is);
>
>          // get login url
>          URL loginUrl = client.createLoginUrl(redirectUri);
>
>          // exchange code to token
>          AccessTokenResponse response = client.getToken(code, clientCredentials);
>
>          // refresh token
>          client.refreshToken(response.getToken());
>
> We have most of the code, but what we don't have is a public Java API.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
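The plain-Java adapter sketched in the quoted message (createLoginUrl, getToken, a keycloak.json config), written out as an added example that is not Keycloak's code. It assumes JDK 17 (java.net.http.HttpClient and records), that the caller has already read the endpoints and client credentials out of keycloak.json, and it adds the OAuth state parameter the sketch omitted so that a callback can be bound to the session that started the login.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.stream.Collectors;

/** Plain-Java core of the proposed adapter stack: JDK classes only, no servlet API, no container SPI.
 *  Endpoints and credentials would come from keycloak.json; reading that file is left to the caller (assumed). */
public record PlainKeycloakOAuthClient(String authEndpoint, String tokenEndpoint,
                                       String clientId, String clientSecret) {
    /** Encodes parameters as application/x-www-form-urlencoded. */
    static String form(Map<String, String> params) {
        return params.entrySet().stream()
            .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                    + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));
    }

    /** Unguessable state: store it in the HTTP session and reject any callback whose state does not match. */
    public static String newState() {
        byte[] b = new byte[32];
        new SecureRandom().nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** The sketch's createLoginUrl, with state added so the callback can be tied to this session. */
    public String createLoginUrl(String redirectUri, String state) {
        return authEndpoint + "?" + form(Map.of("response_type", "code", "client_id", clientId,
                "redirect_uri", redirectUri, "state", state));
    }

    /** The sketch's getToken: exchange the code for tokens; call only after the state check passed.
     *  Confidential client, so client_secret travels in the POST body over TLS, never in a browser-visible URL. */
    public String getToken(String code, String redirectUri) throws IOException, InterruptedException {
        String body = form(Map.of("grant_type", "authorization_code", "code", code, "redirect_uri", redirectUri,
                "client_id", clientId, "client_secret", clientSecret));
        HttpRequest req = HttpRequest.newBuilder(URI.create(tokenEndpoint))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(body)).build();
        HttpResponse<String> resp = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) throw new IOException("token endpoint returned HTTP " + resp.statusCode());
        return resp.body(); // JSON with access_token, refresh_token, expires_in; parse with any JSON library
    }
}
```

The refresh call from the sketch is the same POST with grant_type=refresh_token and the refresh_token field instead of code, so it can reuse form() and the same request shape.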

