[keycloak-dev] Current state of OSGi in Keycloak; Keycloak at adaptTo()'2018 conference & more

Hynek Mlnarik hmlnarik at redhat.com
Thu Jun 14 03:37:19 EDT 2018


OSGi http service is a generic one. Hence servlet filter is the only choice
offered by Keycloak for generic http adapters. We would welcome
contribution of OSGi bundle packaging.

Keycloak contains adapters specific to particular http servers, like
Undertow, Jetty and others. For these to work, specific adapters have been
implemented but they obviously need access to the underlying
implementation. That's where pax-web comes in - it contains server-specific
parts for undertow, jetty, tomcat, and keycloak can bind to it with its
server-specific adapter implementations. This is not possible with generic
OSGi http service though.

Re contributing Sling adapter to keycloak codebase - that depends on the
complexity of the adapter. If that would be some simple adjustments
leveraging the servlet filter that would apply to any OSGi adapter (which
may or may not be part of the OSGi bundle packaging above), feel free to
open a PR when you have it ready. For a more complex scenario, this would
need a separate discussion. Let's see when the contribution would be ready.

Thank you for your willingness to contribute!


On Wed, Jun 13, 2018 at 4:35 PM, Grzegorz Grzybek <gr.grzybek at gmail.com>
wrote:

> Hello
>
> First, let me introduce myself (I've subscribed to keycloak-dev list
> just recently). I'm Grzegorz Grzybek and I'm contributing to both
> Apache Karaf (and JBoss Fuse) and ops4j PAX-WEB project.
>
> "Keycloak OSGi adapter" (GA = org.keycloak:keycloak-osgi-adapter)
> indeed has some Fuse specific features. Or rather pax-web specific
> features.
> It uses org.ops4j.pax.web.service.WebContainer OSGi service to
> register "something more" than what's possible to register using plain
> org.osgi.service.http.HttpService.
>
> In fact, org.ops4j.pax.web.service.WebContainer simply extends
> org.osgi.service.http.HttpService adding methods to register filters,
> listeners, login configurations, security constraints, etc.
> So org.ops4j.pax.web.service.WebContainer allows you to directly
> register what's possible with WEB-INF/web.xml elements.
>
> I never used Felix' http service (because Karaf uses pax-web), so I'm
> not sure how keycloak works with plain OSGi http service.
>
> I think, for sling integration you should not use
> org.keycloak:keycloak-osgi-adapter, but
> org.keycloak:keycloak-servlet-filter-adapter.
>
> best regards
> Grzegorz Grzybek
>
> 2018-06-12 21:59 GMT+02:00 Dmitry Telegin <dt at acutus.pro>:
> >
> > Hi,
> >
> > Together with Ioan Eugen Stan (in CC) we'll be doing a talk at
> > adaptTo()'2018 conference [1] that will take place 12-13 September in
> > Potsdam, Germany. It's an event dedicated to Apache Sling and
> > everything around it. The talk will be titled "Modern authentication in
> > Sling with OpenID Connect and Keycloak".
> >
> > As you might guess, we're going to present Sling + Keycloak integration
> > which I hope we'll manage to implement by the time of the conference :)
> > that said, we welcome any thoughts that might help us with that.
> >
> > Now for technical details, Sling is an OSGi-based content-oriented web
> > framework that runs on top of Apache Felix and uses Felix HTTP Service.
> > I've examined Keycloak OSGi adapter and found its name a bit confusing;
> > seems like it's only suitable for JBoss Fuse, depending on Pax Web
> > (correct me if I'm wrong).
> >
> > Right now I see two scenarios, the first is to take current OSGi
> > adapter and adapt it (sorry for tautology) to Felix HTTP Service; the
> > second is to use the existing servlet filter adapter. I'd say I would
> > prefer the second variant, as it's more straightforward. Felix and
> > Sling have a proven and well-documented support for servlet filters,
> > however, we'll have to solve the problems of packaging for OSGi, filter
> > registration, configuration and more deep integration with Sling's
> > security framework.
> >
> > Also please let us know if you consider our (future) code worth being
> > contributed to Keycloak codebase. Most likely, the deliverables will
> > include 1) servlet filter adapter packaged as OSGi bundle, 2) the Sling
> > adapter proper.
> >
> > Cheers and hope to hear from you,
> > Dmitry
> >
> > [1] https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-openid-connect-and-keycloak.html
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev



-- 

--Hynek

