[keycloak-user] Connecting Wildfly Adapter with Javascript

phantomjinx p.g.richardson at phantomjinx.co.uk
Mon Mar 6 17:41:05 EST 2017


Hey,

I am looking into implementing keycloak integration with our application.

The application:
* java-based providing a rest interface using RestEasy
* deployed to wildfly as a war archive
* contains a web.xml detailing the security constraints, eg. runs over https only
* has used BASIC authentication
* has provided the swagger-ui interface for documentation and debugging of the REST operations

Switching to keycloak has meant:
* adding configuration to the keycloak xml element in wildfly's standalone.xml file
* separation of the main application and its swagger documentation into 2 separate wars. This was to ensure
 ** the main application uses a bearer-only client implementation (no login page)
 ** the swagger page uses a public client implementation (login page displays and redirects back to the swagger api)

Since the application is going to be released and distributed, the keycloak server-auth-url cannot
be assumed anywhere in the configuration. The use of the wildfly xml configuration has meant that
instructions can be provided to end-users to configure their own keycloak installations and specify
the correct auth url appropriately. However, I am now faced with a problem.

The swagger webpage redirects correctly to the keycloak login page, authenticates correctly and
displays accordingly. However, its internal urls, eg. swagger.json, cannot be loaded from wildfly
since these urls are not provided with the page's token. How do I provide the token from the main
page to the swagger.json (so as to load the REST API documentation) and to each REST API operation
when I want to "try it out"?

As the swagger page is javascript, the keycloak adapter is available for use and I have prototyped
using this. Yet the Keycloak object constructor requires a minimum of config, either directly or
from a keycloak.json file. This config mandates the specifying of a keycloak server-auth-url, which
is not appropriate to our situation. Therefore, is it possible to extract the token used to
successfully login from the keycloak login page from the metadata available in the loaded swagger page?

I have found that 'state' and 'code' are being passed as parameters to the logged-in swagger page.
However, it seems this page is refreshed and the request that includes these parameters is replaced
with the original url, so it is impossible to glean them from the window.location.

In summary:
* Can the token or auth url be passed from the login page provided either to the javascript adapter
or made available directly as a global variable?
* Can the javascript adapter keycloak instance be initialised without needing to specify a
server-auth-url, with the expectation that the init method would simply call 'check-sso' and extract
a token?
* Is there even a way to serve a keycloak.json file, free-standing, in a wildfly instance that could
at least be configured by end-users on installation of our application?

If someone is able to shed light on any part of this rather protracted problem, I would be most
grateful.

Thanks and regards

Paul

-- 
Paul Richardson

  * p.g.richardson at phantomjinx.co.uk
  * p.g.richardson at redhat.com
  * pgrichardson at linux.com
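The pattern the question is after, as an added example that is not code from the original post or from the Keycloak project: the swagger page keeps one keycloak-js instance and stamps its bearer token onto every request it makes (swagger.json and each "try it out" call), refreshing the token first when it is close to expiry. It assumes keycloak-js is loaded as the global `Keycloak`, that the war serves an end-user-editable keycloak.json next to the page, and that the swagger-ui build in use accepts a `requestInterceptor` option.

```javascript
// Added example (not from the original post). Assumptions: keycloak-js is the
// global `Keycloak`, keycloak.json is served next to this page and edited by
// the end user at install time, and swagger-ui accepts `requestInterceptor`.

// keycloak-js returned a promise-like object (.success/.error) in the 2017-era
// adapter and a real Promise in later releases; accept either.
function toPromise(p) {
  if (p && typeof p.then === 'function') return p;
  return new Promise((resolve, reject) => p.success(resolve).error(reject));
}

// Attach the current access token to a swagger-ui request object.
// `keycloak` is a keycloak-js instance (or a stand-in exposing `token` and
// `updateToken(minValidity)`). Returns the same request with the header set.
async function authorizeRequest(keycloak, request, minValiditySeconds) {
  // Refresh first if the token expires within minValiditySeconds (default 30).
  await toPromise(keycloak.updateToken(minValiditySeconds || 30));
  if (!keycloak.token) {
    throw new Error('no access token; user is not authenticated');
  }
  request.headers = Object.assign({}, request.headers, {
    Authorization: 'Bearer ' + keycloak.token,
  });
  return request;
}

// Browser wiring: log in through the public client (redirects to the login
// page and back), then start swagger-ui with the interceptor. Constructors are
// passed in so this file also loads outside a browser.
async function startSwaggerUi(Keycloak, SwaggerUIBundle) {
  const keycloak = new Keycloak('keycloak.json'); // path to the served config
  await toPromise(keycloak.init({ onLoad: 'login-required' }));
  return SwaggerUIBundle({
    url: 'swagger.json',
    dom_id: '#swagger-ui',
    requestInterceptor: (req) => authorizeRequest(keycloak, req),
  });
}

if (typeof window !== 'undefined' && window.Keycloak && window.SwaggerUIBundle) {
  startSwaggerUi(window.Keycloak, window.SwaggerUIBundle).catch(console.error);
}
```

Because the token lives only in the adapter and is refreshed before each call, swagger.json and the "try it out" requests reach the bearer-only war with a valid Authorization header without the page ever exposing the token in the URL.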
