[keycloak-dev] Adapters
Bill Burke
bburke at redhat.com
Mon Sep 15 11:17:35 EDT 2014
Much of what you want is already the reality, but there are some caveats you
must know about:
* Adapters need specific integration with each app server as they need
to extract and set role mappings prior to the servlet container's roles
allowed checks. This can't be done in a filter.
* Being able to propagate the Subject between component layers
(Servlet->EJB) requires specific app server integration.
* A keycloak logout invokes on adapter's admin url to invalidate the
HTTP session. The HTTP session invalidation is app server specific.
* I don't believe you can obtain client cert information from the
servlet API, which will become important when we add client-cert support
Wildfly and JBossWeb have different integration SPIs for security, but
most of the adapter code lives in a common library whose only dependency
is Apache HTTP Client. The core adapter library has a tiny Http message
and http session mgmt facade to bridge between the two different containers.
On 9/15/2014 10:38 AM, Stian Thorgersen wrote:
> I think it would make sense to provide a plain Java adapter, as well as a plain Servlet adapter. Further this should be the base for all other adapters.
>
> +--------+  +---------+  +-----------+  +---------+
> | Tomcat |  |JBoss AS |  |PicketLink |  | WildFly |
> | Jetty  |  |JBoss EAP|  |           |  |         |
> | ...    |  |         |  |           |  |         |
> +----+---+  +---+-----+  +---+-------+  +----+----+
>      |          |            |               |
>      |      +---v-----+      |          +----v----+
>      +------>Servlet  <------+          | Undertow|
>             |         |                 |         |
>             +----+----+                 +----+----+
>                  |      +---------+          |
>                  +------>Java     <----------+
>                         |         |
>                         +---------+
>
> The Java adapter should have minimum dependencies (maybe only http-client?).
>
> Don't get too hung up on the syntax (I knocked this together in 2 min), but the general idea would be something like:
>
> InputStream is = new FileInputStream("keycloak.json");
>
> KeycloakOAuthClient client = KeycloakClient.createOAuth(is);
>
> // get login url
> URL loginUrl = client.createLoginUrl(redirectUri);
>
> // exchange code to token
> AccessTokenResponse response = client.getToken(code, clientCredentials);
>
> // refresh token
> client.refreshToken(response.getToken());
>
> We have most of the code, but what we don't have is a public Java API.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
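As an added illustration of the "plain Java adapter with minimal dependencies" idea in the quoted sketch, here is a JDK-only authorization-code client. It is not Keycloak's code or API: the class and method names are hypothetical, the authorization and token endpoints are assumed to be supplied by the caller (in Keycloak they would come from keycloak.json), and it includes the `state` check a real adapter needs so that a callback cannot be forged or replayed by a third party.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Hypothetical dependency-free OAuth2 authorization-code client (Java 11+).
 * Not Keycloak's API; endpoint URLs are assumed to be read from configuration by the caller.
 */
public final class PlainOAuthClient {
    private final String authEndpoint;   // assumed: realm authorization endpoint
    private final String tokenEndpoint;  // assumed: realm token endpoint
    private final String clientId;
    private final String clientSecret;
    private final SecureRandom random = new SecureRandom();

    public PlainOAuthClient(String authEndpoint, String tokenEndpoint, String clientId, String clientSecret) {
        this.authEndpoint = authEndpoint;
        this.tokenEndpoint = tokenEndpoint;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    /** Unguessable state; the caller stores it in the HTTP session and compares it on callback. */
    public String newState() {
        byte[] b = new byte[24];
        random.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Builds the browser redirect to the authorization endpoint. */
    public String createLoginUrl(String redirectUri, String state) {
        Map<String, String> q = new LinkedHashMap<>();
        q.put("response_type", "code");
        q.put("client_id", clientId);
        q.put("redirect_uri", redirectUri);
        q.put("state", state);
        return authEndpoint + "?" + formEncode(q);
    }

    /** Exchanges the callback code for tokens; refuses the callback if state does not match. */
    public String getToken(String code, String redirectUri, String expectedState, String receivedState)
            throws IOException {
        if (expectedState == null || !expectedState.equals(receivedState)) {
            throw new IllegalStateException("state mismatch: callback not issued for this session");
        }
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "authorization_code");
        form.put("code", code);
        form.put("redirect_uri", redirectUri);
        return post(form);
    }

    /** Uses the refresh token to obtain a new access token. */
    public String refreshToken(String refreshToken) throws IOException {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "refresh_token");
        form.put("refresh_token", refreshToken);
        return post(form);
    }

    /** POSTs a form to the token endpoint; client credentials travel in the Authorization header. */
    private String post(Map<String, String> form) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(tokenEndpoint).openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String basic = Base64.getEncoder()
                .encodeToString((clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8));
        c.setRequestProperty("Authorization", "Basic " + basic);
        byte[] body = formEncode(form).getBytes(StandardCharsets.UTF_8);
        try (OutputStream out = c.getOutputStream()) {
            out.write(body);
        }
        int status = c.getResponseCode();
        InputStream in = status < 400 ? c.getInputStream() : c.getErrorStream();
        String text = in == null ? "" : new String(in.readAllBytes(), StandardCharsets.UTF_8);
        if (status != 200) {
            throw new IOException("token endpoint returned " + status + ": " + text);
        }
        return text; // raw JSON token response; parse with whatever JSON library the adapter already has
    }

    private static String formEncode(Map<String, String> kv) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : kv.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }
}
```

Everything container-specific that the reply lists (setting role mappings before the container's roles-allowed check, Subject propagation, session invalidation on logout) sits outside a class like this; what the class shows is the layer that can stay portable, and that the `state` comparison belongs in that portable layer rather than in each container integration.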