oh, this was a cross-post :-) (adding keycloak)
On Tue, Feb 4, 2014 at 6:20 PM, Matthias Wessendorf <matzew(a)apache.org> wrote:
On Tue, Feb 4, 2014 at 6:13 PM, Karel Piwko <kpiwko(a)redhat.com> wrote:
> Hey,
>
> I've combined Aerogear UPS and Keycloak cartridges together. You can check
> the results at:
>
>
> https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
> https://keycloak-mobileqa.rhcloud.com/ (admin/password)
>
I think it would be awesome if the keycloak bits would be included into
the UPS bits, to have something OOTB, instead of pointing to a different
server (CORS)
> For keycloak, I have used original cart [1]:
>
> $ rhc app create -g small --no-git keycloak https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metada...
>
> For UPS, I have modified matzew's one stored in my repo [2] and modified
> UPS [3]:
>
> $ rhc app create -g small --no-git agpushkeycloak mysql-5.1 'http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-o...'
>
> There are some gotchas though:
>
> * keycloak.json - I'm not sure how this will be addressed by WF subsystem.
The public-key needs to be, as far as I can see, included inside of the
standalone.xml (keycloak subsystem section).
Which is somewhat a similar issue; I think, if I get it right, that means
as you plan to support more and more 'realms', you keep editing the
standalone.xml.
> We still need a way to pass keycloak.json to the UPS cartridge, which is AS7,
> and we can't ask the user to modify standalone.xml anyway. However, we could
> make a hook on OpenShift - the user will add keycloak.json to the git repo and
> it will automagically be put at the right location. Could we have a hook in
> Keycloak to load keycloak.json from an external location? Or should we rather
> do some war exploding magic?
> * AS7-3227 I worked around this by doing parameter injection for
> SecurityContext in UPS. Nasty. Can we make a newer RESTEasy part of the
> Keycloak package for AS7? Any better option?
> * Ember in UPS is firing AJAX requests to REST endpoints on the same domain.
> However, as it goes through the Keycloak Auth Server, this is considered a
> CORS request. I had to configure Web Origin for the UPS application. This is
> confusing to me, the Origin header should be transparent for Keycloak as I'm
> firing the request to the same domain. Note this does not happen in Firefox,
> which identifies the same domain and avoids the Origin header. I need some
> insight here from more skilled people.
>
hmmmmm .... sounds 'good' :-)
> * I wasn't able to keep the http->https rewriting valve with Keycloak to
> avoid UPS usage via the http protocol. I'll go deeper into that.
>
https is enforced on our UPS cartridge
> * Changes to Web Origin in the Keycloak admin UI are not reflected to already
> logged-in users. They need to log out first.
> * Missing logout button in UPS. Related to previous point.
>
> Let me know if you want me to convert some of these points to JIRAs in the
> AGPUSH or KEYCLOAK projects. Also, please let me know if I should have
> configured something differently.
>
> Thanks,
>
> Karel
>
> [1] https://github.com/stianst/openshift-keycloak-cartridge
> [2] https://github.com/kpiwko/openshift-origin-cartridge-aerogear-push/tree/k...
> [3] https://github.com/kpiwko/aerogear-unifiedpush-server/tree/keycloak-opens...
>
> More detailed steps:
>
> 1/ Create Keycloak cart
> 2/ Add AeroGear-UnifiedPush realm with roles admin, user
> 3/ Add ag-push app with scopes admin, user, allow Web Origin for UPS cart
> location
> 4/ Get keycloak.json
> 5/ Enable CORS in keycloak.json, modify password
> 6/ Add keycloak.json to aerogear-unifiedpush-server/src/main/webapp/WEB-INF
> 7/ Package UPS via 'mvn clean package'
> 8/ Put war into openshift-origin-cartridge-aerogear-push/versions/0.9.0/standalone/deployments
> 9/ Push that online
> 10/ Create UPS cart using reflector cartridge (use commit sha1 if not using
> master), enable mysql-5.1 gear as well
> 11/ Create a user with roles admin/user in AeroGear-UnifiedPush realm
> 12/ Enjoy UPS secured by Keycloak. Have a big cup of coffee.
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
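The OpenShift hook Karel floats in the thread (commit keycloak.json to the app's git repo and have it land in the exploded UPS war, instead of rebuilding the war or editing standalone.xml), written out as an added example that is not code from the thread or from either cartridge. The hook location, the UPS_DEPLOYMENTS_DIR variable and the two sanity checks (refusing ssl-required=none, requiring realm-public-key) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the UPS or Keycloak cartridges: an OpenShift v2
# style action hook (assumed to live at .openshift/action_hooks/deploy) that
# installs a user-committed keycloak.json into the exploded UPS war so the
# adapter config never has to be baked into the war or into standalone.xml.

# install_keycloak_json SRC DEPLOYMENTS_DIR
#   SRC              keycloak.json committed to the app's git repo
#   DEPLOYMENTS_DIR  AS7 standalone/deployments dir holding the exploded *.war
# Prints the installed path on success; non-zero exit with a reason on stderr.
install_keycloak_json() {
    src="$1"; deployments="$2"
    [ -f "$src" ] || { echo "keycloak.json not found: $src" >&2; return 1; }
    # the cartridge forces https; refuse an adapter config that would accept
    # tokens over plain http ("ssl-required": "none")
    if grep -Eq '"ssl-required"[[:space:]]*:[[:space:]]*"none"' "$src"; then
        echo "refusing keycloak.json with ssl-required=none" >&2; return 2
    fi
    # the adapter cannot verify tokens without the realm public key
    grep -q '"realm-public-key"' "$src" || {
        echo "keycloak.json has no realm-public-key" >&2; return 3; }
    # pick the exploded war (a directory named *.war, not an archive)
    war=$(find "$deployments" -maxdepth 1 -type d -name '*.war' | head -n 1)
    [ -n "$war" ] || { echo "no exploded war in $deployments" >&2; return 4; }
    mkdir -p "$war/WEB-INF"
    cp "$src" "$war/WEB-INF/keycloak.json" || return 5
    chmod 0640 "$war/WEB-INF/keycloak.json"   # holds the client secret
    # the AS7 deployment scanner redeploys an exploded war on this marker
    touch "$deployments/$(basename "$war").dodeploy"
    echo "$war/WEB-INF/keycloak.json"
}

# Run as the hook itself (no arguments): OPENSHIFT_REPO_DIR is OpenShift's own
# variable; UPS_DEPLOYMENTS_DIR is an assumed name for the cartridge's
# standalone/deployments directory.
if [ "$#" -eq 0 ] && [ -n "$OPENSHIFT_REPO_DIR" ]; then
    install_keycloak_json "$OPENSHIFT_REPO_DIR/keycloak.json" \
        "${UPS_DEPLOYMENTS_DIR:?set to the UPS standalone/deployments dir}"
fi
```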