[aerogear-dev] Aerogear UPS + Keycloak cartridge combined together POC

Hey, I've combined Aerogear UPS and Keycloak cartridges together. You can check the results at: https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password) https://keycloak-mobileqa.rhcloud.com/ (admin/password) For keycloak, I have used original cart [1]: $ rhc app create -g small --no-git keycloak https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metada... For UPS, I have modified matzew's one stored in my repo [2] and modified UPS [3]: $ rhc app create -g small --no-git agpushkeycloak mysql-5.1 'http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-origin-cartridge-aerogear-push&commit=a45f93afaa275de082f9da749bce13fb33acdb75' There are some gotchas though: * keycloak.json - I'm not sure how this will be addressed by WF subsystem. We still need a way how to pass keycloak.json to UPS cartridge, which is AS7 and we can't ask user to modify standalone.xml anyway. However, we could make a hook on OpenShift - user will add keycloak.json to git repo and it will automagically put at right location. Could we have a hook in Keycloak to load keycloak.json from external location? Or should we rather do some war exploding magic? * AS7-3227 I worked this around by doing parameter injection for SecurityContext in UPS. Nasty. Can we make newer RESTEasy part of Keycloak package for AS7? Any better option? * Ember in UPS is firing AJAX request to REST Endpoints on the same domain. However, as it goes through Keycloak Auth Server, this is considered CORS request. I had to configure Web Origin for UPS application. This is confusing to me, Origin header should be transparent for Keycloak as I'm firing request to the same domain. Note this does not happen in Firefox, which identifies same domain and avoids Origin header. I need some insight here from more skilled people. * I wasn't able to keep http->https rewriting valve with Keycloak to avoid UPS usage via http protocol. I'll go deeper into that. * Changes to Web Origin in Keycloak admin UI are not reflected to already logged users. They need to log out first. * Missing logout button in UPS. Related to previous point. Let me know if you want me to convert some of these points to JIRAs in AGPUSH or KEYCLOAK projects. Also, let me please now if I should have configured something differently. Thanks, Karel [1] https://github.com/stianst/openshift-keycloak-cartridge [2] https://github.com/kpiwko/openshift-origin-cartridge-aerogear-push/tree/k... [3] https://github.com/kpiwko/aerogear-unifiedpush-server/tree/keycloak-opens... More detailed steps: 1/ Create Keycloak cart 2/ Add AeroGear-UnifiedPush realm with roles admin, user 3/ Add ag-push app with scopes admin, user, allow Web Origin for UPS cart location 4/ Get keycloak.json 5/ Enable CORS in keycloak.json, modify password 6/ Add keycloak.json to aerogear-unifiedpush-server/src/main/webapp/WEB-INF 7/ Package UPS via 'mvn clean package' 8/ Put war into openshift-origin-cartridge-aerogear-push/versions/0.9.0/standalone/deployments 9/ Push that online 10/ Create UPS cart using reflector cartridge (use commit sha1 if not using master), enable mysql-5.1 gear as well 11/ Create an user with roles admin/user in AeroGear-UnifiedPush realm 12/ Enjoy UPS secured by Keycloak. Have a big cup of coffee.