From: "Lucas Holmquist" <lholmqui(a)redhat.com>
To: "AeroGear Developer Mailing List" <aerogear-dev(a)lists.jboss.org>
Sent: Wednesday, 22 January, 2014 1:38:30 PM
Subject: Re: [aerogear-dev] Keycloak integration ideas
On Jan 22, 2014, at 6:53 AM, Matthias Wessendorf < matzew(a)apache.org > wrote:
Hello Stian,
On Wed, Jan 22, 2014 at 12:40 PM, Stian Thorgersen < stian(a)redhat.com >
wrote:
It's great to see interest in the Keycloak project :)
We've been quite busy with getting the alpha out the door (hopefully it'll be
released tomorrow) hence the lack of response. Also, I don't think Bill
follows aerogear-dev.
Would be good to start discussions on these items, maybe as separate posts to
keycloak-dev?
sure, that would work for me
A few thoughts from me:
* We've got a quick and dirty OpenShift cartridge (
https://github.com/keycloak/openshift-keycloak-cartridge ) - it's based on
the WildFly cartridge by Corey Daley. Seems to work pretty well and took me
about an hour to do the mods. I was considering if it was possible to do the
Keycloak and UPS cartridges as add-ons to the WildFly cartridge (same as
postgresql and mysql cartridges). That way you can mix and match whatever
combo you want. A specific cartridge may provide a better integrated
experience though. Maybe we can ping someone in the OpenShift team to find
out the correct approach?
sounds reasonable. Farah was kindly helping us w/ our Push Cartridge
(containing Unified- and SimplePush Servers + MySQL).
There are thoughts on integrating the UPS (e.g. the user management) w/
Keycloak. Something like that makes a perfect 'mix' for adding the Keycloak
bits into our cartridge. Sure we could 're-label' it. Is that something that
sounds good?
* Mobile SDKs - There's not much effort yet on supporting mobiles. Maybe you
could help us with creating Keycloak SDKs, with most of the code reusable in
AeroGear and LiveOak?
Absolutely, for that I think it would be good to start a thread on
keycloak-dev regarding 'requirements' / desired functionality. Ideally these
SDKs are leveraging AeroGear's mobile client SDKs.
* JS - None in Keycloak, but I've started one in LiveOak. Again, could we do
a Keycloak JS lib that could be reused by AeroGear and LiveOak?
+1 and that would be needed pretty much once the UnifiedPushServer is
integrating w/ Keycloak :-)
what is the target for having the "implicit" auth flow, since this is needed
for JS clients.
I have an OAuth2 client in aerogear.js, currently tested against Google's
OAuth2 stuff, but it is written to spec
JS clients can use authorization code flow as well. Currently Keycloak requires a client
id and secret to exchange the code for a token, but I think for public clients it should
allow these to not have a password. As it's pointless having a password in a public
client. To my understanding the authorization code flow is safer even without a
confidential password.
I think a JS client should support both flows, and Keycloak should probably also support
both flows.
I have loads of unanswered questions with regards how to best support JS clients. At the
moment there's no JS lib for Keycloak, but I've done one for LiveOak
(
If you have any issues/questions at all post to keycloak-dev and I'm sure me
and Bill will fight to see who gets to answer first ;)
yay!
Cheers!
Matthias
----- Original Message -----
> From: "Matthias Wessendorf" < matzew(a)apache.org >
> To: "AeroGear Developer Mailing List" < aerogear-dev(a)lists.jboss.org >
> Sent: Wednesday, 22 January, 2014 7:41:10 AM
> Subject: Re: [aerogear-dev] Keycloak integration ideas
>
> On Tue, Jan 21, 2014 at 11:10 PM, Jay Balunas < jbalunas(a)redhat.com >
> wrote:
>
> On Jan 19, 2014, at 10:18 AM, Matthias Wessendorf < matzew(a)apache.org >
> wrote:
>
> On Fri, Jan 17, 2014 at 10:04 PM, Jay Balunas < jbalunas(a)redhat.com >
> wrote:
>
> Hi All,
>
> Sorry all - book mode ;-)
>
> We've had a couple of threads around keycloak integration (thanks
> Abstractj)
> and working together with them (both in our dev list and theirs). I had a
> meeting (dinner really) with Bill and talked about some possibilities and
> we're both excited to see what can happen.
>
> I wanted to capture some of those thoughts here (as well as some that
> already
> started before), have some discussions, and more importantly talk about
> next
> steps (jira's) to get some of this in the pipeline. I'm sure this is not
> exhaustive either, so please add your own thoughts, brainstorming etc...
> (for example Cordova plugin perhaps?)
>
> *In no particular order
>
> A) AeroGear security integration
> ** Abstractj already posted and implemented some of these changes
> ** http://aerogear-dev.1069024.n5.nabble.com/aerogear-dev-Keycloak-on-AeroGe...
> ** What's left here? Is it plug-able? Does it need to be?
>
> The work started by Bruno looks promising. I like that for the login to the
> UPS Admin UI is being forwarded to the Keycloak server.
> As mentioned on the referenced thread, there is a bit of more work needed
> for
> the "protection" of the SEND (and likely device registration) URLs.
>
> B) Crypto key management
> ** Server-side encryption key management for client crypto
> ** Abstractj had some discussions here
> *** http://lists.jboss.org/pipermail/keycloak-dev/2013-December/000915.html
> *** Where does that stand?
> ** Do we need our own impl as well?
>
> C) UnifiedPush server integration
> ** User management, Auth*
> ** Do we have our own basic impl for quickstart experience?
> ** See below for possible combined cartridge options
>
> yep, the UPS come in mind and as mentioned in A) Bruno was already actively
> starting this shortly before XMAS.
>
> D) Cross-project examples, tutorials, docs, etc...
> ** TBD
>
> Sure, combined docs/tutorials/examples are a good item once we do have a
> bit
> more :-) Not sure it makes much sense now, but I can be wrong
>
> Completely agree now is not the time. Just wanted to bring it up for
> discussion.
>
> KeyCloak has some things they need as well, that we could work together on.
> I'm sure the KeyCloak team could add more here :-)
>
> Z) Device support
> ** We need it, they need, and others need it
> ** Bill would like us to help them (and us at the same time) with this.
>
> yeah - that would be an extremely good fit for our Push efforts.
>
> We'll need someone to setup a mtg, or discuss on the topic. Any takers?
>
> I can reach out to them, via mailing list, to see what they are up to,
> regarding "Device support". Not 100% sure which email list is the 'right'
> choice (cross-postings are IMO a PITA :))
>
> Y) OpenShift Cartridge for KeyCloak
> ** I know this is already on their roadmap
> ** The work Farah and others have already done, could be very helpful to
> them
> ** We should also discuss the possibility of a joint cartridge
> *** Could be really compelling, especially if you add in device, client
> key,
> and push support with native SDKs & examples
> *** Would also want separate cartridges as well imo
>
> yeah, I see various options here:
> * 'standalone' Keycloak cartridge (on their roadmap already); Would be nice
> to get Farah involved here as well
> * combined cartridge (E.g. Push + Keycloak). If we do actually fully
> integrate Keycloak into the Push work, IMO this is a required option, to
> simply include the Keycloak offerings into our Push Cartridge
>
> Agreed, and I'd like to hear from the keycloak team on this as well. If
> they
> have plans for pairing their cartridge with others.
>
> On their list they are currently talking about standalone ones, but later,
> we
> might be able to integrate w/ their server piece.
>
> X) Client SDK support
> ** We have client SDKs & could help with their dev (either as part of
> AeroGear or KeyCloak perhaps)
> ** Primarily for iOS & Android, but would also want see where JS & Cordova
> fit.
>
> Yes, another good integration item, would be interesting to know their
> 'requirements'. I think our OAuth2 related work, would be something that's
> interesting for them as well
>
> +1
>
> You start putting all of this together and there is a great set of
> functionality that really complements each other well. After we discuss for
> a while, I'd like to find owners for the various items to help make
> progress
> on these. Abstractj is awesome, but not sure he can do it all ;-)
>
> yes, great work by Bruno w/ getting actively started on this
>
> +1
>
> -Jay
>
> PS: I'll post an email to the keycloak-dev list as well pointing to this
> thread on our list.
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf