[keycloak-dev] [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2

Stian Thorgersen stian at redhat.com
Mon Jan 19 02:42:31 EST 2015



----- Original Message -----
> From: "Stan Silvert" <ssilvert at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 16 January, 2015 5:41:59 PM
> Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2
> 
> On 1/16/2015 10:17 AM, Stian Thorgersen wrote:
> >
> > ----- Original Message -----
> >> From: "Stan Silvert" <ssilvert at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Friday, 16 January, 2015 3:20:18 PM
> >> Subject: Re: [keycloak-user] Location of User Federation Provider jar in
> >> Keycloak 1.1 Beta-2
> >>
> >> On 1/16/2015 9:07 AM, Stian Thorgersen wrote:
> >>> Currently, I'm not overly happy with releasing 1.1.0.Final and it's down
> >>> to
> >>> this issue. I should have raised it before, but it completely slipped my
> >>> mind :(
> >> We did talk about this at great length before.   I tried and tried to
> >> preserve the "drop it in the file system" approach.  It just plain won't
> >> work for domains.
> > I know we did, but I like changing my mind ;)
> >
> >>> IMO we need:
> >>>
> >>> 1. A usable way to deploy a provider without using the CLI GUI
> >>> 2. Ideally be able to deploy a provider with an offline server
> >> We have 5 ways to add a provider:
> >> 1. CLI
> >> 2. CLI GUI
> >> 3. CLI script
> >> 4. Explode the WAR in the subsystem and drop it in WEB-INF/lib
> >> 5. Use the war dist and do it the old way.
> > 1-3. If the CLI was easy to use that would work, except we also need to be
> > able to do it offline.
> We can ship a script that makes this task a little easier as you suggest
> below.
> 
> As for offline, I don't understand what the problem is.  You mentioned
> docker, which I haven't looked at much.  Why can't you have an image
> that was created from an overlaid Keycloak server?

There are two ways to create a Docker image; the most common is to use a Dockerfile that installs and configures things. Copying a file is a simple one-liner, while starting the server, waiting for it to be in a certain state and invoking the CLI is a whole different thing. You also don't want to do this really as it adds entries to the log files, initiates the db, all that kind of stuff that shouldn't be in the "base" image.

Then there's another issue and that is providers that are used by Keycloak during startup. For example to replace the db with something custom the user first has to start the server with one of the built-in adapters. I could see this ending up in a situation where the server doesn't start with the current provider and a user wants to add a custom one, but can't as they can't start the server.

> >   I don't really like the deployment overlays as it all feels a bit magical
> >   and black boxed.
> Don't you think it's better than telling them to hack our WAR?

Adding a JAR to a folder is simple. Deployment overlays just don't give the user the feeling of being in control IMO. Maybe that's just me not understanding the feature.

> > 4.   I hate this - the user shouldn't have to explode the WAR and also it's
> > in a really strange place for a user to find
> I hate it too.  I almost wish I hadn't implemented exploded mode.  I
> re-verified that it is working, btw.
> > 5.   That's not an option for the appliance
> You still could do it with the appliance if you wanted.

I'm not sure what you're saying here, are you suggesting a user dl the appliance and the war dist as well?

> 
> But the idea of the appliance is that you shouldn't need to change it
> except through a UI.  That's where the overlay method will really shine,
> especially when we can get provider management into our own UI.  At that
> point, copying jars to a file system will look extremely primitive in
> comparison.

I don't agree with that. The idea of the appliance is that it should work OOTB and it should be easy to do any changes you need. Even if we had a very sleek way of uploading providers through the admin console, we'd still not to be able to do it from the command-line.

> >
> > Maybe what we could do for now is to create add-provider.sh/bat scripts
> > that make it easier to do without any knowledge of CLI.
> >
> > Can we not use modules as Bill suggests? We could make the keycloak
> > subsystem depend on a keycloak-providers module and users would register
> > their provider modules there.
> >
> >> Why are these not sufficient?
> >>> ----- Original Message -----
> >>>> From: "Stan Silvert" <ssilvert at redhat.com>
> >>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>> Cc: keycloak-user at lists.jboss.org
> >>>> Sent: Friday, 16 January, 2015 2:13:24 PM
> >>>> Subject: Re: [keycloak-user] Location of User Federation Provider jar in
> >>>> Keycloak 1.1 Beta-2
> >>>>
> >>>> On 1/16/2015 2:19 AM, Stian Thorgersen wrote:
> >>>>> ----- Original Message -----
> >>>>>> From: "Stan Silvert" <ssilvert at redhat.com>
> >>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>>>> Cc: keycloak-user at lists.jboss.org
> >>>>>> Sent: Thursday, 15 January, 2015 9:23:48 PM
> >>>>>> Subject: Re: [keycloak-user] Location of User Federation Provider jar
> >>>>>> in
> >>>>>> Keycloak 1.1 Beta-2
> >>>>>>
> >>>>>> On 1/15/2015 9:29 AM, Stian Thorgersen wrote:
> >>>>>>> How is a provider added using the CLI? I can't find any examples on
> >>>>>>> that.
> >>>>>> In the doc there is a step-by-step example of how to do it.  See
> >>>>>> section
> >>>>>> 3.4.2.2.
> >>>>>> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350
> >>>>> That example uses the CLI GUI, we need one that uses plain CLI
> >>>> Plain CLI is harder in this case.  CLI GUI lets you browse for the file
> >>>> you need.   Overall, plain CLI is a lot more error prone.
> >>>>
> >>>> If you do this once in CLI GUI then you will generate the CLI command
> >>>> that you can cut and paste into plain CLI or a script.  But if you want,
> >>>> I can include an example of that command.
> >>>>> There's also another issue with this approach, which I didn't stress
> >>>>> enough
> >>>>> last time around, it requires the server to be running to add
> >>>>> providers.
> >>>>> That makes it much harder to for example create a Docker cartridge that
> >>>>> includes some custom providers.
> >>>> Perhaps we just need to document the fact that you can still explode the
> >>>> WAR and do it the old way?
> >>>>>>> Also, there are still several references in the docs and examples
> >>>>>>> that
> >>>>>>> use
> >>>>>>> the old approach of copying to WEB-INF/lib.
> >>>>>>>
> >>>>>>> ----- Original Message -----
> >>>>>>>> From: "Stan Silvert" <ssilvert at redhat.com>
> >>>>>>>> To: keycloak-user at lists.jboss.org
> >>>>>>>> Sent: Thursday, 15 January, 2015 2:09:56 PM
> >>>>>>>> Subject: Re: [keycloak-user] Location of User Federation Provider
> >>>>>>>> jar
> >>>>>>>> in
> >>>>>>>> Keycloak 1.1 Beta-2
> >>>>>>>>
> >>>>>>>> Providers are now uploaded using WildFly CLI or CLI GUI.
> >>>>>>>>
> >>>>>>>> See
> >>>>>>>> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350
> >>>>>>>>
> >>>>>>>> On 1/15/2015 6:46 AM, prab rrrr wrote:
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Hi,
> >>>>>>>>
> >>>>>>>> I created a custom User Federation Provider and deployed it as per
> >>>>>>>> the
> >>>>>>>> documentation. It worked in earlier versions (1.1 Beta-1) but it
> >>>>>>>> appears
> >>>>>>>> that the location of Keycloak war in Wildfly has changed in 1.1
> >>>>>>>> Beta-2
> >>>>>>>> version and it is no longer inflated. Can someone suggest where
> >>>>>>>> exactly
> >>>>>>>> I
> >>>>>>>> have to place the Federation provider jar in 1.1 Beta-2 version?
> >>>>>>>>
> >>>>>>>> Thanks,
> >>>>>>>> Raghu
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> _______________________________________________
> >>>>>>>> keycloak-user mailing list keycloak-user at lists.jboss.org
> >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>>>>>>
> >>
> 
> 