<div dir="ltr">Hi Bill, <div><br></div><div>Sorry for missing your ping as this is something that we definitely need. I was going down the keycloak.js path (since we use AngularJS as our UI layer) but doing it on the server side is so much more elegant.<div>
<br></div><div>Picking the realm name from the URI is the way to go. Maybe we have it as a query parameter rather than within the path as then it is less invasive for the war application.</div><div><br></div><div>I don't understand the keycloak code base enough to comment on how we can deploy the new <span style="font-family:arial,sans-serif;font-size:13px">AdapterDeploymentContext but what if this feature is plugged into the current </span><span style="font-family:arial,sans-serif;font-size:13px">AdapterDeploymentContext and this is a feature of the core product? </span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Also with regard to getting realm information from the server using a </span><font face="arial, sans-serif">shared client secret, or public clients, another way to do this might be to provide an alternate way to pick the keycloak.json file by storing it outside the war in the file system and then based on the realm name in the uri, pick the corresponding keycloak.json file and run the </font><span style="font-family:arial,sans-serif;font-size:13px">KeycloakDeployment. We can name the the files as keycloak-{realmname}.json </span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Note we can keep the current functionality where it can pick it from within the war but if the file is missing, currently its throwing an exception. Maybe before we throw the exception, we also check the file system as well.</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Then maybe we don't need to load this on request but can have a directory scanner and whenever a new file is added or removed, it will automatically pick it up. Sort of how the JBoss/Wildfly deployment scanner works. On each request of course it will need to pick the correct realm to perform the authentication.</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">This might be more elegant but once again I don't know enough of the core keycloak code to comment if doing this is more complex than the other option.</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Obviously these changes will not go into 1.0 release but a subsequent release (hopefully the first beta release after 1.0 :) </span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Therefore it might be good to give some thought and get this right. For me this and the multi-lingual are the two key items that we need to tick off to be able to use this in a multi tenancy environment.</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><font face="arial, sans-serif">Keen to know your thoughts. </font></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br>
</span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Cheers</span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Travis</span></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br>
</span></div><div><br></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Sep 4, 2014 at 11:15 PM, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Travis, I did do most of the work for this. I think I pinged you to see<br>
if you still wanted the feature, but never followed through. I'm sorry.<br>
<br>
All this would require a shared client secret, or public clients. It<br>
would require you to extract the realm name somehow based on the current<br>
HTTP request. Probably a URI pattern.<br>
<br>
There is an AdapterDeploymentContext class. This class has a method:<br>
<br>
KeycloakDeployment resolveDeployment(HttpFacade)<br>
<br>
This method get's called every request. You would extend this class and<br>
override resolveDeployment and create (and then cache) your<br>
KeycloakDeployment based on the incoming HTTP request.<br>
<br>
The only problem is that the current code has no way for you to plug in<br>
a new implementation of the AdapterDeploymentContext.<br>
<div class=""><br>
On 9/4/2014 2:36 AM, Travis De Silva wrote:<br>
> Hi Stian,<br>
><br>
> You proposed solution would not cover the use case where we can create<br>
> tenants at runtime as the realm config in the keycloak.json would be<br>
> hard coded into the war.<br>
><br>
> I had discussed this identical use case a while ago on this forum and<br>
> Bill was planning to refactor the adapters to support this use case.<br>
> Unfortunately he got caught up in other tasks and was not able to<br>
> proceed on this.<br>
><br>
> The discussion thread is here<br>
> <a href="http://lists.jboss.org/pipermail/keycloak-user/2014-March/000062.html" target="_blank">http://lists.jboss.org/pipermail/keycloak-user/2014-March/000062.html</a><br>
><br>
> Basically what I believe Bill suggested which would meet this use case<br>
> is to:<br>
><br>
</div>> 1. Have a shared secret between clients for all realms.<br>
> 2. The adapter would just extract the realm name from the request,<br>
<div class="">> invoke on the keycloak server to get the public information about<br>
> the realm (i.e. public key) and then cache the information locally.<br>
><br>
> The key bit here is extracting the realm name from the request and then<br>
> pulling the realm info from the keycloak server.<br>
><br>
> I had a look at the keycloak source code and I believe the magic happens<br>
> in the KeycloakServletExtension class under the<br>
> org.keycloak.adapters.undertow package for my use case (since I deploy<br>
> it on wildfly)<br>
><br>
> What I have got stumped is that this class gets loaded when my war is<br>
> deployed and I am wondering how I can do it per request (if the info is<br>
> not already cached locally)<br>
><br>
> Maybe with the imminent release of 1.0 (btw congrats for the great work<br>
> to everyone in the team and for Bill and your leadership), maybe we<br>
> should start thinking about this multi tenancy use case to be included<br>
> in future releases.<br>
><br>
> I believe that SaaS models are going to be popular and having this<br>
> feature added will make keycloak a major player in this space.<br>
><br>
> Cheers<br>
> Travis<br>
><br>
><br>
><br>
><br>
</div>> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</font></span></blockquote></div><br></div>