[Hawkular-dev] Should Keycloak integration be optional?

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 As I mentioned on the previous email, one of the questions during the demo was if it would be possible to have the Keycloak integration as an optional part. In the backend part, it's not hard to disable Keycloak as the authentication mechanism, as it's just JAAS. That would require, though, a second JAAS implementation to replace it. In the frontend part, however, it's a bit more complicated. The setup right now is that the web console is treated as an HTML5 single-page app. This means that the web console is one application and the backend is a different one, and they propagate the authentication by using the tokens: the web console gets a token from the Keycloak JavaScript adapter once the user logs in and sends it along with each request to the backend. The backend (Keycloak Wildfly Adapter) reads this token and retrieves the user data from the Keycloak server, allowing the request to execute or not. This means that either: 1) web console and REST API (and possibly other wars) become one, so that the HTML5 single-page app can be served only after the user logs in (classic Java EE application) 2) the backend JAAS adapter would need to support also some sort of token exchange, with the frontend abstracting the Keycloak adapter to work with one auth mechanism or another, possibly auto identifying what is the backend's auth mechanism. 3) ?? I don't think that the first option is a real one. Having small wars, each taking care of one concern, is a goal on the project. So, would an effort in making Keycloak an optional part be worth it? Should I pursue it? - - Juca.