<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Feb 4, 2014 at 6:34 PM, Karel Piwko <span dir="ltr"><<a href="mailto:kpiwko@redhat.com" target="_blank">kpiwko@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="im">On Tue, 4 Feb 2014 18:21:10 +0100<br>
Matthias Wessendorf <<a href="mailto:matzew@apache.org">matzew@apache.org</a>> wrote:<br>
<br>
> oh, this was a cross-post :-) (adding keycloak)<br>
><br>
><br>
> On Tue, Feb 4, 2014 at 6:20 PM, Matthias Wessendorf <<a href="mailto:matzew@apache.org">matzew@apache.org</a>> wrote:<br>
><br>
> ><br>
> ><br>
> ><br>
> > On Tue, Feb 4, 2014 at 6:13 PM, Karel Piwko <<a href="mailto:kpiwko@redhat.com">kpiwko@redhat.com</a>> wrote:<br>
> ><br>
> >> Hey,<br>
> >><br>
> >> I've combined Aerogear UPS and Keycloak cartridges together. You can<br>
> >> check the<br>
> >> results at:<br>
> >><br>
> >> <a href="https://agpushkeycloak-mobileqa.rhcloud.com/" target="_blank">https://agpushkeycloak-mobileqa.rhcloud.com/</a> (admin/password)<br>
> >> <a href="https://keycloak-mobileqa.rhcloud.com/" target="_blank">https://keycloak-mobileqa.rhcloud.com/</a> (admin/password)<br>
> >><br>
> >><br>
> > I think it would be awesome if the keycloak bits would be included into<br>
> > the UPS bits, to have something OOTB, instead of pointing to a different<br>
> > server (CORS)<br>
<br>
</div>I've added Keycloak AS7 modules to the UPS cart but not the admin console. I believe<br>
that Keycloak is SaaS, so usage with two different carts reflects reality better.<br>
Configuring the Keycloak cart once and letting all other carts use it seems the right<br>
way to me.<br>
<div class="im"><br></div></blockquote><div><br></div><div><span style="font-family:arial,sans-serif;font-size:13px">there are IMO pros and cons in both ways </span><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class="im">
> ><br>
> ><br>
> >> For keycloak, I have used original cart [1]:<br>
> >><br>
> >> $ rhc app create -g small --no-git keycloak<br>
> >><br>
> >> <a href="https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metadata/manifest.yml" target="_blank">https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metadata/manifest.yml</a><br>
> >><br>
> >> For UPS, I have modified matzew's one stored in my repo [2] and modified<br>
> >> UPS<br>
> >> [3]:<br>
> >><br>
> >> $ rhc app create -g small --no-git agpushkeycloak mysql-5.1<br>
> >> '<br>
> >> <a href="http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-origin-cartridge-aerogear-push&commit=a45f93afaa275de082f9da749bce13fb33acdb75" target="_blank">http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-origin-cartridge-aerogear-push&commit=a45f93afaa275de082f9da749bce13fb33acdb75</a><br>
> >> '<br>
> >><br>
> >> There are some gotchas though:<br>
> >><br>
> >> * keycloak.json - I'm not sure how this will be addressed by the WF subsystem.<br>
> ><br>
> ><br>
> > the public-key needs to be, as far as I can see, included inside of the<br>
> > standalone.xml (keycloak subsystem section).<br>
> > Which is a somewhat similar issue; I think, if I get it right, that means<br>
> > as you plan to support more and more 'realms', you keep editing the<br>
> > standalone.xml.<br>
<br>
</div>That is a great improvement w.r.t. the current situation but does not handle OpenShift<br>
cart scenarios.<br>
<div><div class="h5"><br>
> ><br>
> ><br>
> >> We still need a way to pass keycloak.json to the UPS cartridge, which is AS7,<br>
> >> and we can't ask the user to modify standalone.xml anyway. However, we could make<br>
> >> a hook on OpenShift - the user will add keycloak.json to the git repo and it will<br>
> >> automagically be put at the right location. Could we have a hook in Keycloak to<br>
> >> load keycloak.json from an external location? Or should we rather do some war<br>
> >> exploding magic?<br>
> >> * AS7-3227: I worked around this by doing parameter injection for<br>
> >> SecurityContext in UPS. Nasty. Can we make a newer RESTEasy part of the<br>
> >> Keycloak package for AS7? Any better option?<br>
> >> * Ember in UPS is firing AJAX requests to REST endpoints on the same domain.<br>
> >> However, as it goes through the Keycloak Auth Server, this is considered a CORS<br>
> >> request. I had to configure a Web Origin for the UPS application. This is<br>
> >> confusing to me; the Origin header should be transparent for Keycloak as I'm<br>
> >> firing requests to the same domain. Note this does not happen in Firefox,<br>
> >> which identifies the same domain and avoids the Origin header. I need some<br>
> >> insight here from more skilled people.<br>
> >><br>
> ><br>
> > hmmmmm .... sounds 'good' :-)<br>
:-)<br>
> ><br>
> ><br>
> >> * I wasn't able to keep the http->https rewriting valve with Keycloak to<br>
> >> avoid UPS usage via the http protocol. I'll go deeper into that.<br>
> >><br>
> ><br>
> > https is enforced on our UPS cartridge<br>
</div></div>I had to remove this enforcement. I'm just trying to put it back.<br>
<div><div class="h5">> ><br>
> ><br>
> >> * Changes to Web Origin in the Keycloak admin UI are not reflected for already<br>
> >> logged-in users. They need to log out first.<br>
> >> * Missing logout button in UPS. Related to the previous point.<br>
> >><br>
> >> Let me know if you want me to convert some of these points to JIRAs in<br>
> >> AGPUSH<br>
> >> or KEYCLOAK projects. Also, let me please know if I should have configured<br>
> >> something differently.<br>
> >><br>
> >> Thanks,<br>
> >><br>
> >> Karel<br>
> >><br>
> >> [1] <a href="https://github.com/stianst/openshift-keycloak-cartridge" target="_blank">https://github.com/stianst/openshift-keycloak-cartridge</a><br>
> >> [2]<br>
> >><br>
> >> <a href="https://github.com/kpiwko/openshift-origin-cartridge-aerogear-push/tree/keycloak" target="_blank">https://github.com/kpiwko/openshift-origin-cartridge-aerogear-push/tree/keycloak</a><br>
> >> [3]<br>
> >><br>
> >> <a href="https://github.com/kpiwko/aerogear-unifiedpush-server/tree/keycloak-openshift" target="_blank">https://github.com/kpiwko/aerogear-unifiedpush-server/tree/keycloak-openshift</a><br>
> >><br>
> >> More detailed steps:<br>
> >><br>
> >> 1/ Create Keycloak cart<br>
> >> 2/ Add AeroGear-UnifiedPush realm with roles admin, user<br>
> >> 3/ Add ag-push app with scopes admin, user, allow Web Origin for UPS cart<br>
> >> location<br>
> >> 4/ Get keycloak.json<br>
> >> 5/ Enable CORS in keycloak.json, modify password<br>
> >> 6/ Add keycloak.json to<br>
> >> aerogear-unifiedpush-server/src/main/webapp/WEB-INF<br>
> >> 7/ Package UPS via 'mvn clean package'<br>
> >> 8/ Put war into<br>
> >><br>
> >> openshift-origin-cartridge-aerogear-push/versions/0.9.0/standalone/deployments<br>
> >> 9/ Push that online<br>
> >> 10/ Create UPS cart using reflector cartridge (use commit sha1 if not<br>
> >> using<br>
> >> master), enable mysql-5.1 gear as well<br>
> >> 11/ Create a user with roles admin/user in the AeroGear-UnifiedPush realm<br>
> >> 12/ Enjoy UPS secured by Keycloak. Have a big cup of coffee.<br>
> >><br>
> >><br>
> >> _______________________________________________<br>
> >> aerogear-dev mailing list<br>
> >> <a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
> >> <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
> >><br>
> ><br>
> ><br>
> ><br>
> > --<br>
> > Matthias Wessendorf<br>
> ><br>
> > blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
> > sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
> > twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a><br>
> ><br>
><br>
><br>
><br>
<br>
</div></div>_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div></div>
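Added example for the Web Origin / same-domain AJAX point raised in the thread above (this is not code from the thread, from Keycloak or from the UPS project): whether a request is cross-origin is decided by comparing the Origin header with the scheme, host and port the request was actually sent to, not by the mere presence of an Origin header, and a browser that omits Origin on same-origin XHR simply produces a non-CORS request. A server that treats every Origin header as a CORS request is what forces a Web Origin entry even for same-domain calls. The hostnames, the Web Origin list and all function names below are constructed for the illustration and are not Keycloak's adapter API.

```python
# Added example, not part of the thread: decide same-origin vs cross-origin for a
# request carrying an Origin header, against a configured Web Origin list.
# Hostnames and the origin list below are constructed placeholders.
from urllib.parse import urlsplit

# Default ports per scheme: an explicit default port is the same origin as no port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(scheme, host, port=None):
    """Canonical 'scheme://host[:port]' form used for every comparison below."""
    scheme = scheme.lower()
    host = host.lower()
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def parse_origin_header(value):
    """Parse an Origin header; None when absent, empty, opaque ('null') or malformed."""
    if value is None:
        return None
    value = value.strip()
    if not value or value.lower() == "null":
        return None
    parts = urlsplit(value)
    if parts.scheme.lower() not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    return normalize_origin(parts.scheme, parts.hostname, port)


def target_origin(scheme, host_header):
    """Origin the request was actually sent to: connection scheme plus Host header."""
    parts = urlsplit(f"//{host_header.strip()}")
    return normalize_origin(scheme, parts.hostname, parts.port)


def classify_request(scheme, host_header, origin_header, web_origins):
    """
    'no-origin'            - no usable Origin header (a browser that omits it on
                             same-origin XHR); a plain same-site request, no CORS
    'same-origin'          - Origin equals the target origin; no CORS handling needed
    'cross-origin-allowed' - Origin differs but is in the configured Web Origin list
    'cross-origin-denied'  - Origin differs and is not configured
    """
    origin = parse_origin_header(origin_header)
    if origin is None:
        return "no-origin"
    if origin == target_origin(scheme, host_header):
        return "same-origin"
    allowed = {parse_origin_header(o) for o in web_origins} - {None}
    return "cross-origin-allowed" if origin in allowed else "cross-origin-denied"


def cors_response_headers(scheme, host_header, origin_header, web_origins):
    """Response headers to add: echo only an Origin on the allow list, never '*'."""
    kind = classify_request(scheme, host_header, origin_header, web_origins)
    if kind != "cross-origin-allowed":
        return {}
    return {
        "Access-Control-Allow-Origin": parse_origin_header(origin_header),
        "Vary": "Origin",
    }


# Constructed sample requests modelled on the thread (placeholder hostnames).
UPS_HOST = "ups.example.test"
WEB_ORIGINS = ["https://ups.example.test", "https://admin.example.test"]
SAMPLE_REQUESTS = [
    # Ember UI on the UPS host sends an XHR with Origin equal to the page origin
    ("https", UPS_HOST, "https://ups.example.test", "same-origin"),
    # Same call from a browser that omits Origin on same-origin XHR
    ("https", UPS_HOST, None, "no-origin"),
    # Explicit default port in the Host header is still the same origin
    ("https", "ups.example.test:443", "https://ups.example.test", "same-origin"),
    # Page loaded over plain http calling the https endpoint: scheme differs
    ("https", UPS_HOST, "http://ups.example.test", "cross-origin-denied"),
    # Separate admin console host that is listed in Web Origins
    ("https", UPS_HOST, "https://admin.example.test", "cross-origin-allowed"),
    # Unrelated site not in the list
    ("https", UPS_HOST, "https://other.example.test", "cross-origin-denied"),
]


def run_samples():
    """Return (origin, classification, expected) for each constructed request."""
    return [(o, classify_request(s, h, o, WEB_ORIGINS), e) for s, h, o, e in SAMPLE_REQUESTS]


def all_samples_ok():
    return all(got == expected for _, got, expected in run_samples())


if __name__ == "__main__":
    for origin, got, expected in run_samples():
        print(f"{str(origin):32} -> {got:22} (expected {expected})")
```

Echoing only an origin from the configured list (never `*`) together with `Vary: Origin` is the defensive choice for an API that accepts tokens; an unknown origin gets no CORS headers at all, so the browser blocks the response, while a same-origin or Origin-less request is served without any CORS processing.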