Something that also comes to mind is: If the UPS relies on Keycloak, it's one more complex component that is required for the installation process. Meaning: At least a running server instance of Keycloak is required. Not sure if that helps in simplifying things :-)

On Fri, Jan 3, 2014 at 1:52 PM, Matthias Wessendorf <> wrote:

It's nice to see an effort for integrating Keycloak. Especially the User Management part is something which sounds very promising. For instance I like how a request against "" redirects me to the Keycloak server and after a successful login back to the AdminUI. Sweet!

I understand this is an early PoC, but the user login bits already look good!

A few things I noticed:

* After login, I get a list of PushApplications, but I can't click into them to see details (I assume this is due to your changes to the ember interface - which is perfectly fine)
* Sending Push Notifications (e.g. using the CURL command) does not work (used the PushAppID/MasterSecret from the HTTP REST response on AdminUI overview page ;-))
I assume this is because the endpoint for sending is also protected by the SSO/Keycloak facility, hence the HTTP Basic auth is not triggered there (guess).

Since the HTTP Basic is also used when a device tries to register against a variant, I am guessing the same issue is present there as well.

Perhaps the HTTP-Basic for SENDING and DEVICE-REGISTRATION could be done w/ something else, e.g. OAuth2


On Fri, Dec 20, 2013 at 1:11 PM, Bruno Oliveira <> wrote:
Good morning peeps, yesterday I started to replace AeroGear Security on the Unified Push server with Keycloak and you might be asking: “Why?”. Keycloak is an SSO with some handy features like TOTP, OAuth2 and user management support, and I think we have too much to contribute; it is the only way to have some success with security, “divide to conquer” (at least for authorization and authentication).

So will ag-security be discontinued? No! Keycloak is still in Alpha and we have to test it against our projects before fully replacing ag-security, but the only way to upstream our needs is to use it.

This replacement only applies to authentication/authorization features; we still have a ton of projects which Keycloak is not able to replace, like: TOTP, crypto and OAuth2 on mobile, our focus.

- PoC

So let’s talk about this replacement. Any dependency on ag-security was removed from the push server and replaced by Keycloak:

Based on Keycloak examples, I just did copy & paste from one of the demos ( to create a server. Keycloak requires Resteasy 3.0.4; for this reason I had to manually replace some modules on JBoss.

To test it go to: you must be redirected to Keycloak, enter: 

password: password

You must be redirected to the agpush console. Keep in mind that I took some shortcuts to get this demo working, so for example the create will fail because I removed everything related into the ember interface.

It is also possible to enable TOTP, user registration and whatever you want.

So what do you think?


aerogear-dev mailing list

Matthias Wessendorf