CORS and Keycloak
by Bill Burke
Based on our Hangout conversation, I'm trying to figure out what we need
to do for CORS.
First, we absolutely need to allow CORS requests to Keycloak hosted
resources: specifically the token service and the admin REST api.
The question is, do we manage CORS for applications? How does this
information get transmitted? What support do we need to add? Here's my
take:
* Keycloak application adapters (i.e. the Tomcat Valve, or the Undertow
Handler) can be set up to handle CORS requests.
* Allowed origins can be specified within the adapter's config file.
Additionally we could:
* Store allowed origins per application within the Keycloak realm database
* Have a Keycloak REST API to obtain allowed origins for an application
* Optionally store allowed origins in the signed access token.
The Keycloak application adapter then has 3 options to authorize a CORS
invocation:
1) Its config file
2) a REST call to the Keycloak server
3) From the access token.
#3 could get quite problematic as the access token could get quite large.
#3 does fit in nicely with Keycloak's concept of a Scope though.
Do I understand everything correctly as it pertains to CORS? Did I
cover everything? Does what I'm saying make sense?
CORS could be another nice core feature we support. So our main
marketing would say Keycloak is
a) A social broker
b) SSO/SLO
c) OAuth
d) CORS
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 6 months
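An added example, not part of the original message and not Keycloak adapter code: a sketch of the origin check an adapter could run, taking the allowlist from its config file (option 1) or from an access token (option 3). The class name, method names and sample origins are hypothetical, and the token's signature is assumed to be verified before its origins are passed in.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class CorsOriginCheck {

    // Returns the CORS response headers for a request, or an empty map when the
    // origin is not on the allowlist (the browser then blocks the cross-origin read).
    static Map<String, String> corsHeaders(String origin, boolean preflight, Set<String> allowed) {
        Map<String, String> out = new LinkedHashMap<>();
        // No Origin header: not a CORS request. "null": opaque origin, never trusted.
        if (origin == null || origin.equals("null")) return out;
        // Exact match only; prefix, suffix or regex matching admits look-alike hosts.
        if (!allowed.contains(origin)) return out;
        out.put("Access-Control-Allow-Origin", origin); // echo the matched entry, never "*"
        out.put("Vary", "Origin");                      // stop caches reusing it across origins
        if (preflight) {
            out.put("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
            out.put("Access-Control-Allow-Headers", "Authorization, Content-Type");
        }
        return out;
    }

    // Option 1, falling back to option 3. A preflight OPTIONS request carries no
    // Authorization header, so token origins exist only on the actual request;
    // preflights can be answered from the config list alone.
    static Set<String> allowedOrigins(Set<String> configOrigins, Set<String> verifiedTokenOrigins) {
        return !configOrigins.isEmpty() ? configOrigins : verifiedTokenOrigins;
    }

    public static void main(String[] args) {
        Set<String> config = Set.of();                         // constructed: no origins in config
        Set<String> token = Set.of("https://app.example.com"); // constructed token value
        Set<String> allowed = allowedOrigins(config, token);
        String[] origins = {
            "https://app.example.com",            // on the allowlist
            "https://app.example.com.other.test", // look-alike host, must be rejected
            "null"                                // opaque origin, must be rejected
        };
        for (String o : origins) {
            System.out.println(o + " -> " + corsHeaders(o, false, allowed));
        }
    }
}
```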
admin bootstrapping part II
by Bill Burke
When you first log in to the admin console, you will now be forced to
update the admin password.
The Admin UI now uses the token service to login and obtain an access
code, but it does not use the token service to obtain an access token.
It does the last step itself. Again, this is to avoid having to pass
credentials to the token service and avoid setting the Admin Console
credentials.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 6 months
Update password action needs something...
by Bill Burke
I was playing around with setting up a user that required a password.
The login and password update pages are so similar that I didn't realize
I was on the update page and entered in username and password again.
Maybe have some sort of eye-catching icon/image to the right of the form
to call attention to the fact you are on a different page? "Action
Required"
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 6 months
username instead of full name
by Bill Burke
FYI:
The admin UI main screen, I am changing the account menu on top right
corner to display the username instead of the full name. Keycloak will
be distributed with a pre-configured admin user, which will not have an
actual person's name associated with it.
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 6 months
Last changes
by Gabriel Cardoso
Hi,
I've just made a pull request introducing a style for Breadcrumbs and User Roles.
Bill, I started to fix some minor details from my document. Do you want me to keep fixing them? I guess I won't mess up the code and only a few will need your developer skills ;)
Gabriel
--
Gabriel Cardoso
GateIn Portal | User Experience Designer
10 years, 6 months
Roles component
by Gabriel Cardoso
Hi,
I did an implementation for the roles selector: http://ejsclient-cardosogabriel.rhcloud.com/roles.html
Bill, I could not put the project up today due to maven problems, so I'm not sure if it is exactly this what you need. Can you give me some help with the set up tomorrow?
Gabriel
--
Gabriel Cardoso
GateIn Portal | User Experience Designer
10 years, 6 months
Simple way to run Keycloak server during development
by Stian Thorgersen
First build a clean copy of the project
# mvn clean install
Then start the server with:
# mvn -pl testsuite/integration exec:java -Pkeycloak-server
If you're working on the admin console or forms* you can add -Dresources when starting the server, this will serve html, css and images directly from the filesystem so you don't need to rebuild/restart the server to see changes:
# mvn -pl testsuite/integration exec:java -Pkeycloak-server -Dresources
* Note: for forms this will only work for css and images as the templates are loaded from the classpath
10 years, 6 months
Reduce number of DB updates
by Marek Posolda
Hi,
I think that one of the easiest ways to improve performance could be to
remove anti-pattern of calling model update after invoke of each setter
operation. Basically some objects like RealmAdapter, UserAdapter,
RoleAdapter are always updating model after each setter due to code like
this:
    @Override
    public void setSocial(boolean social) {
        realm.setSocial(social);
        updateRealm();
    }
On the other hand, some others like ApplicationAdapter don't use this
and instead have a public method available on the model like: public void
updateApplication().
Can't we use same pattern like ApplicationAdapter also for all other
model objects? Only downgrade is that code would need to be updated and
calls to updateXXX need to be added, but I think that's better approach
than DB update per setter.
If you agree, I can create JIRA and contribute PR?
Marek
10 years, 6 months