On 2/4/2014 12:13 PM, Karel Piwko wrote:
Hey,
I've combined Aerogear UPS and Keycloak cartridges together. You can check the
results at:
https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
https://keycloak-mobileqa.rhcloud.com/ (admin/password)
For keycloak, I have used original cart [1]:
$ rhc app create -g small --no-git keycloak
https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metada...
For UPS, I have modified matzew's one stored in my repo [2] and modified UPS
[3]:
$ rhc app create -g small --no-git agpushkeycloak mysql-5.1
'http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-origin-cartridge-aerogear-push&commit=a45f93afaa275de082f9da749bce13fb33acdb75'
There are some gotchas though:
* keycloak.json - I'm not sure how this will be addressed by the WF subsystem. We
still need a way to pass keycloak.json to the UPS cartridge, which is AS7,
and we can't ask the user to modify standalone.xml anyway. However, we could make
a hook on OpenShift - the user will add keycloak.json to the git repo and it will
automagically be put at the right location. Could we have a hook in Keycloak to
load keycloak.json from an external location? Or should we rather do some war
exploding magic?
I need to go through Stan's work. I want to be able to configure the
subsystem from the keycloak admin console without having to create a
keycloak.json file. I just don't know yet if the subsystem will work on
AS7.
* AS7-3227 - I worked around this by doing parameter injection for
SecurityContext in UPS. Nasty. Can we make a newer RESTEasy part of the Keycloak
package for AS7? Any better option?
This is a UPS issue, right? The Keycloak WAR bundles its own RESTEasy and
excludes the built-in one.
* Ember in UPS is firing AJAX requests to REST endpoints on the same domain.
However, as it goes through the Keycloak Auth Server, this is considered a CORS
request. I had to configure Web Origin for the UPS application. This is
confusing to me; the Origin header should be transparent for Keycloak as I'm
firing requests to the same domain. Note this does not happen in Firefox,
which identifies the same domain and avoids the Origin header. I need some insight
here from more skilled people.
JIRA for this one. I've only tested/experimented with CORS on Firefox.
* I wasn't able to keep the http->https rewriting valve with Keycloak to avoid UPS
usage via the http protocol. I'll go deeper into that.
* Changes to Web Origin in the Keycloak admin UI are not reflected for already
logged-in users. They need to log out first.
We can't fix this. But it will be mitigated when we add refresh tokens.
We'll have a short token lifespan that needs to be refreshed. The
refresh will pick up the changes.
More detailed steps:
1/ Create Keycloak cart
2/ Add AeroGear-UnifiedPush realm with roles admin, user
3/ Add ag-push app with scopes admin, user, allow Web Origin for UPS cart location
Couldn't the cartridge come with a pre-configured keycloak database? We
also have a realm import option, but we haven't documented the json
format yet. Also there's the admin REST interface you could use to
create the realm/application/roles etc.
4/ Get keycloak.json
5/ Enable CORS in keycloak.json, modify password
6/ Add keycloak.json to aerogear-unifiedpush-server/src/main/webapp/WEB-INF
7/ Package UPS via 'mvn clean package'
8/ Put war into openshift-origin-cartridge-aerogear-push/versions/0.9.0/standalone/deployments
This may be able to be done from the keycloak console.
9/ Push that online
10/ Create UPS cart using the reflector cartridge (use the commit sha1 if not using
master), enable the mysql-5.1 gear as well
11/ Create a user with roles admin/user in the AeroGear-UnifiedPush realm
12/ Enjoy UPS secured by Keycloak. Have a big cup of coffee. :)
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
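As an added illustration (not code from Keycloak, UPS, or either poster), the origin classification that the CORS gotcha in the thread hinges on: an Origin header that is absent, or equal to the request's own origin, marks a same-origin request and should not be subjected to the Web Origin check at all; only genuinely cross-origin requests are matched against the configured allow list. The app URL is taken from the thread; the allow list is constructed.

```python
"""Added illustration (not Keycloak or UPS code): how an adapter-side
Origin check should separate same-origin requests from CORS requests.
Assumption (not from the thread): the Web Origin allow list below is
what the admin enters for the ag-push application in Keycloak."""
from urllib.parse import urlsplit

APP_URL = "https://agpushkeycloak-mobileqa.rhcloud.com"  # from the thread
# Constructed allow list standing in for the application's Web Origins.
ALLOWED_WEB_ORIGINS = {"https://agpushkeycloak-mobileqa.rhcloud.com"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(url):
    """Reduce a URL or Origin value to scheme://host:port for comparison.
    Default ports are made explicit so 'https://x' equals 'https://x:443'.
    Returns None for values with no usable host (e.g. the literal 'null')."""
    parts = urlsplit(url)
    if not parts.scheme or parts.hostname is None:
        return None
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return "%s://%s:%s" % (parts.scheme.lower(), parts.hostname.lower(), port)


def classify_request(origin_header, request_url=APP_URL,
                     allowed=ALLOWED_WEB_ORIGINS):
    """Return 'same-origin', 'cors-allowed' or 'cors-denied'.

    Firefox (as described in the thread) omits Origin on same-domain XHR;
    other browsers may send it anyway. Both cases are same-origin and must
    not be treated as CORS, which is the confusion Karel ran into."""
    if origin_header is None:
        return "same-origin"
    origin = normalize_origin(origin_header)
    if origin is None:
        return "cors-denied"          # opaque or malformed origin
    if origin == normalize_origin(request_url):
        return "same-origin"          # Origin present but matches our own
    if origin in {normalize_origin(a) for a in allowed}:
        return "cors-allowed"         # listed under Web Origins
    return "cors-denied"


if __name__ == "__main__":
    for hdr in (None, APP_URL, APP_URL + ":443",
                "https://keycloak-mobileqa.rhcloud.com", "null"):
        print(hdr, "->", classify_request(hdr))
```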