On Jan 23, 2015, at 12:54 PM, Juraci Paixão Kröhling
<jpkroehling(a)redhat.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
As I mentioned on the previous email, one of the questions during the
demo was if it would be possible to have the Keycloak integration as
an optional part.
In the backend part, it's not hard to disable Keycloak as the
authentication mechanism, as it's just JAAS. That would require,
though, a second JAAS implementation to replace it.
In the frontend part, however, it's a bit more complicated. The setup
right now is that the web console is treated as an HTML5 single-page
app. This means that the web console is one application and the
backend is a different one, and they propagate the authentication by
using the tokens: the web console gets a token from the Keycloak
JavaScript adapter once the user logs in and sends it along with each
request to the backend. The backend (Keycloak Wildfly Adapter) reads
this token and retrieves the user data from the Keycloak server,
allowing the request to execute or not.
This means that either:
1) web console and REST API (and possibly other wars) become one, so
that the HTML5 single-page app can be served only after the user logs
in (classic Java EE application)
2) the backend JAAS adapter would need to support also some sort of
token exchange, with the frontend abstracting the Keycloak adapter to
work with one auth mechanism or another, possibly auto identifying
what is the backend's auth mechanism.
3) ??
I don't think that the first option is a real one. Having small wars,
each taking care of one concern, is a goal on the project.
So, would an effort in making Keycloak an optional part be worth it?
Should I pursue it?
I am not sure about for production use, but for development I like the idea of being able
to flip a switch to turn it on/off. I also agree that option 1 is undesirable.