Follow up thread, on better integration:

http://lists.jboss.org/pipermail/keycloak-dev/2014-January/001164.html

Looks like we have several options...



On Wed, Jan 29, 2014 at 4:02 PM, Matthias Wessendorf <matzew@apache.org> wrote:



On Wed, Jan 29, 2014 at 3:57 PM, Bruno Oliveira <bruno@abstractj.org> wrote:
Sorry, I just missed your e-mail while the syncalipse was happening.

What I meant was something like: admin, developers, regular users, and how to deal with these roles. Maybe this is planned for the next steps, but at some point we need to test how Keycloak could protect our endpoints and deal with multiple roles.

Yes, the 'UI part' (and the underlying endpoints) being protected by Keycloak.
The next steps also include looking at different roles for this. I was never speaking about a specific user/role - more generically about protecting the "Admin UI", which can be consumed by users w/ different roles.

-Matthias
 


On Sun, Jan 26, 2014 at 10:41 AM, Matthias Wessendorf <matzew@apache.org> wrote:
Hello Bruno,


On Sun, Jan 26, 2014 at 1:20 PM, Bruno Oliveira <bruno@abstractj.org> wrote:
Any specific reason to limit the scope to admin page only? I'm thinking about login for regular users

Not sure I follow. What do you mean w/ "regular users"? 


Before my change everything was restricted by Keycloak (/*). I did not really change a lot there; I just removed the URLs for 'device-registration' and 'sending':

So, currently the following is protected by Keycloak:
* Admin UI (not speaking about a specific admin user)
* REST APIs that are accessed by the Admin UI, like:

Previously the 'device-registration' and 'sending' URLs were protected as well. Removing them from the 'Keycloak protection' is really the only change.

Greetings,
Matthias

 

abstractj


On Sun, Jan 26, 2014 at 9:11 AM, Matthias Wessendorf <matzew@apache.org> wrote:

Hello!

I have a few more updates:

On my branch (a fork from Bruno's branch), the URLs for the actual sending and the device-registration (both 'protected' via HTTP Basic) now work again. I have 'limited' the scope of the Keycloak 'protection' to the Admin UI.

Greetings,
Matthias



On Fri, Jan 24, 2014 at 6:05 PM, Matthias Wessendorf <matzew@apache.org> wrote:
I have updated the branch w/ their recent changes from this week's alpha-1 release, and submitted a PR against abstractj's repo:

More to come

Greetings,
Matthias



On Fri, Dec 20, 2013 at 1:11 PM, Bruno Oliveira <bruno@abstractj.org> wrote:
Good morning peeps, yesterday I started to replace AeroGear Security on the Unified Push server with Keycloak, and you might be asking: “Why?”. Keycloak is an SSO with some handy features like TOTP, OAuth2 and user management support, and I think we have much to contribute; it is the only way to have some success with security, “divide to conquer” (at least for authorization and authentication).

So will ag-security be discontinued? No! Keycloak is still in Alpha and we have to test it against our projects before fully replacing ag-security, but the only way to upstream our needs is to use it.

This replacement only applies to authentication/authorization features; we still have a ton of projects which Keycloak is not able to replace, like TOTP, crypto and OAuth2 on mobile, our focus.

- PoC

So let’s talk about this replacement: any dependency on ag-security was removed from the push server and replaced by Keycloak: https://github.com/abstractj/aerogear-unifiedpush-server/tree/openshift

Based on the Keycloak examples, I just copied and pasted one of the demos (https://github.com/abstractj/auth-server/tree/openshift) to create a server. Keycloak requires RESTEasy 3.0.4, so I had to manually replace some modules on JBoss.

To test it, go to: http://push-abstractj.rhcloud.com/ag-push/ . You should be redirected to Keycloak; enter:

username: john@doe.com
password: password

You should be redirected to the agpush console. Keep in mind that I took some shortcuts to get this demo working, so for example the create will fail because I removed everything related to it in the Ember interface.

It is also possible to enable TOTP, user registration and whatever you want.

So what do you think?

--
abstractj

_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev






--
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf





-- 
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
