<div dir="ltr">oh, this was a cross-post :-) (adding keycloak)</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Feb 4, 2014 at 6:20 PM, Matthias Wessendorf <span dir="ltr"><<a href="mailto:matzew@apache.org" target="_blank">matzew@apache.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote"><div class="im">On Tue, Feb 4, 2014 at 6:13 PM, Karel Piwko <span dir="ltr"><<a href="mailto:kpiwko@redhat.com" target="_blank">kpiwko@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hey,<br>
<br>
I've combined Aerogear UPS and Keycloak cartridges together. You can check the<br>
results at:<br>
<br>
<a href="https://agpushkeycloak-mobileqa.rhcloud.com/" target="_blank">https://agpushkeycloak-mobileqa.rhcloud.com/</a> (admin/password)<br>
<a href="https://keycloak-mobileqa.rhcloud.com/" target="_blank">https://keycloak-mobileqa.rhcloud.com/</a> (admin/password)<br>
<br></blockquote><div><br></div></div><div>I think it would be awesome if the keycloak bits would be included into the UPS bits, to have something OOTB, instead of pointing to a different server (CORS)</div><div class="im">
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
For keycloak, I have used original cart [1]:<br>
<br>
$ rhc app create -g small --no-git keycloak<br>
<a href="https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metadata/manifest.yml" target="_blank">https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metadata/manifest.yml</a><br>
<br>
For UPS, I have modified matzew's one stored in my repo [2] and modified UPS<br>
[3]:<br>
<br>
$ rhc app create -g small --no-git agpushkeycloak mysql-5.1<br>
'<a href="http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-origin-cartridge-aerogear-push&commit=a45f93afaa275de082f9da749bce13fb33acdb75" target="_blank">http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-origin-cartridge-aerogear-push&commit=a45f93afaa275de082f9da749bce13fb33acdb75</a>'<br>
<br>
There are some gotchas though:<br>
<br>
* keycloak.json - I'm not sure how this will be addressed by WF subsystem.</blockquote><div><br></div></div><div>the public-key needs to be, as far as I can see, included inside of the standalone.xml (keycloak subsystem section).</div>
<div>Which is somewhat a similar issue; I think, if I get it right, that means as you plan to support more and more 'realms', you keep editing the standalone xml.</div><div class="im"><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
We<br>
still need a way how to pass keycloak.json to UPS cartridge, which is AS7<br>
and we can't ask user to modify standalone.xml anyway. However, we could make<br>
a hook on OpenShift - user will add keycloak.json to git repo and it will<br>
automagically put at right location. Could we have a hook in Keycloak to<br>
load keycloak.json from external location? Or should we rather do some war<br>
exploding magic?<br>
* AS7-3227 I worked this around by doing parameter injection for<br>
SecurityContext in UPS. Nasty. Can we make newer RESTEasy part of Keycloak<br>
package for AS7? Any better option?<br>
* Ember in UPS is firing AJAX request to REST Endpoints on the same domain.<br>
However, as it goes through Keycloak Auth Server, this is considered CORS<br>
request. I had to configure Web Origin for UPS application. This is<br>
confusing to me, Origin header should be transparent for Keycloak as I'm<br>
firing request to the same domain. Note this does not happen in Firefox,<br>
which identifies same domain and avoids Origin header. I need some insight<br>
here from more skilled people.<br></blockquote><div><br></div></div><div>hmmmmm .... sounds 'good' :-) </div><div class="im"><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
* I wasn't able to keep http->https rewriting valve with Keycloak to avoid UPS<br>
usage via http protocol. I'll go deeper into that.<br></blockquote><div><br></div></div><div>https is enforced on our UPS cartridge</div><div><div class="h5"><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
* Changes to Web Origin in Keycloak admin UI are not reflected to already logged<br>
users. They need to log out first.<br>
* Missing logout button in UPS. Related to previous point.<br>
<br>
Let me know if you want me to convert some of these points to JIRAs in AGPUSH<br>
or KEYCLOAK projects. Also, let me please now if I should have configured<br>
something differently.<br>
<br>
Thanks,<br>
<br>
Karel<br>
<br>
[1] <a href="https://github.com/stianst/openshift-keycloak-cartridge" target="_blank">https://github.com/stianst/openshift-keycloak-cartridge</a><br>
[2]<br>
<a href="https://github.com/kpiwko/openshift-origin-cartridge-aerogear-push/tree/keycloak" target="_blank">https://github.com/kpiwko/openshift-origin-cartridge-aerogear-push/tree/keycloak</a><br>
[3]<br>
<a href="https://github.com/kpiwko/aerogear-unifiedpush-server/tree/keycloak-openshift" target="_blank">https://github.com/kpiwko/aerogear-unifiedpush-server/tree/keycloak-openshift</a><br>
<br>
More detailed steps:<br>
<br>
1/ Create Keycloak cart<br>
2/ Add AeroGear-UnifiedPush realm with roles admin, user<br>
3/ Add ag-push app with scopes admin, user, allow Web Origin for UPS cart<br>
location<br>
4/ Get keycloak.json<br>
5/ Enable CORS in keycloak.json, modify password<br>
6/ Add keycloak.json to aerogear-unifiedpush-server/src/main/webapp/WEB-INF<br>
7/ Package UPS via 'mvn clean package'<br>
8/ Put war into<br>
openshift-origin-cartridge-aerogear-push/versions/0.9.0/standalone/deployments<br>
9/ Push that online<br>
10/ Create UPS cart using reflector cartridge (use commit sha1 if not using<br>
master), enable mysql-5.1 gear as well<br>
11/ Create an user with roles admin/user in AeroGear-UnifiedPush realm<br>
12/ Enjoy UPS secured by Keycloak. Have a big cup of coffee.<br>
<br>
<br>
_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org" target="_blank">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
</blockquote></div></div></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</font></span></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div>