Notes on KEYCLOAK-795: Move Auth Server into KC subsystem
by Stan Silvert
I've sent a PR for this:
https://github.com/keycloak/keycloak/pull/811
It's a pretty big change in the way the Auth Server is started when the
KeyCloak subsystem is used. The WAR is no longer dropped into the
standalone/deployments directory. This is especially helpful for
domain deployments, but it makes standalone cleaner as well. It will
also be important for Feature Pack installation.
The main difference you will see right away with this PR is that the
appliance dist now uses the subsystem to launch the Auth Server.
Here are some notes about how everything turned out. Next, I'll update
the documentation if there is no major rework that needs to be done
after the PR is reviewed.
* The WAR for the auth server now lives in
modules/.../keycloak-wildfly-subsystem/main/auth-server. By
default, it is unexploded. If you want it to be exploded you can
unzip it into that same directory and set the "auth-server-exploded"
property in module.xml.
* A new Auth Server is declared in standalone.xml/domain.xml. You can
have more than one Auth Server in the same WildFly instance:
    <subsystem xmlns="urn:jboss:domain:keycloak:1.0">
        <auth-server name="main-auth-server">
            <enabled>true</enabled>
            <web-context>auth</web-context>
        </auth-server>
    </subsystem>
* The "enabled" attribute can be toggled at runtime to make the auth
server undeploy/redeploy.
* If you have more than one auth-server, the web-context must be unique.
* In a domain environment, all specified Auth Server deployments are
propagated to all servers using that profile. The same is true for
overlays uploaded through the new CLI operations.
* There are two new CLI operations that act on an auth-server. They
are "add-provider" and "update-server-config". Currently, you can
only execute these operations in the latest version of CLI GUI. We
should discuss if we need to add support in plain CLI. The long
term goal would be to add this functionality to the Keycloak Admin
Console.
* "add-provider" adds a provider jar to an auth-server
* "update-server-config" overlays the keycloak-server.json for an
auth-server.
* If a keycloak-server.json file is found in standalone/configuration
directory, all auth-server instances will still use it regardless of
any update-server-config operations.
* EAP6 does not yet support all this. We should discuss whether or
not this functionality should be backported.
Keycloak integration with Red Hat Directory server
by Snhp
Hi Team,
I tried connecting to Red Hat Directory Server from the Keycloak admin console (Users > Federation), and when I click "test connection" the connection is successful:
ldap://xx:xx:xx:xx/
But I tried the same configuration to connect to the Red Hat IdM server through the PicketLink API identityconfigurationmanagement class... It doesn't work...
Can someone share some examples
Sent from my iPhone
Support both Jackson and Jackson 2
by Stian Thorgersen
Currently we only support Jackson, while WildFly now uses Jackson 2. This is OK for the auth-server itself, but could be more problematic for applications (see https://issues.jboss.org/browse/KEYCLOAK-811).
The main reason we can't use Jackson 2 is that they have changed the package for annotations (@JsonProperty). I propose we get rid of all @JsonProperty and instead make sure all fields are named correctly and that we set the LowerCaseWithUnderscoresStrategy on the ObjectMapper. This should also make it possible to use the Java classes with other JSON libraries.
For example:
@JsonProperty("access_token")
protected String token;
@JsonProperty("jti")
protected String id;
Becomes:
protected String accessToken;
protected String jti;
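As an added example (not Keycloak's code, nor anything from this thread), here is the proposal above carried out with Jackson 2: a hypothetical token response class with camelCase fields and no annotations, one ObjectMapper configured with the lower-case-with-underscores strategy (which Jackson 2.12+ exposes as PropertyNamingStrategies.SNAKE_CASE, assumed here), and a round-trip check that the wire names came out as intended. The class name and all values are constructed.

```java
import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.PropertyAccessor;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.PropertyNamingStrategies;

public class NamingStrategyDemo {

    // Hypothetical token response: camelCase fields, no @JsonProperty.
    // The naming strategy below maps each field to its OAuth2 wire name.
    public static class AccessTokenResponse {
        protected String accessToken;  // -> "access_token"
        protected long expiresIn;      // -> "expires_in"
        protected String refreshToken; // -> "refresh_token"
        protected String tokenType;    // -> "token_type"
        protected String jti;          // -> "jti" (already the wire name)
    }

    // One mapper configured once: snake_case names (Jackson 2.12+ name for
    // the LowerCaseWithUnderscores strategy), and field visibility so the
    // protected fields above need no getters or setters.
    static ObjectMapper mapper() {
        return new ObjectMapper()
                .setPropertyNamingStrategy(PropertyNamingStrategies.SNAKE_CASE)
                .setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = mapper();

        AccessTokenResponse out = new AccessTokenResponse();
        out.accessToken = "constructed.sample.token"; // constructed values
        out.expiresIn = 300;
        out.refreshToken = "constructed-refresh";
        out.tokenType = "bearer";
        out.jti = "c0ffee";

        String json = mapper.writeValueAsString(out);
        System.out.println(json);

        // Without annotations the wire contract lives in the Java field
        // names, so check it explicitly: renaming a field would silently
        // change the JSON key that clients depend on.
        if (!json.contains("\"access_token\"") || !json.contains("\"jti\"")) {
            throw new IllegalStateException("wire names changed: " + json);
        }

        AccessTokenResponse in = mapper.readValue(json, AccessTokenResponse.class);
        if (!out.accessToken.equals(in.accessToken) || out.expiresIn != in.expiresIn) {
            throw new IllegalStateException("round trip lost data");
        }
    }
}
```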
Next steps
by Stian Thorgersen
Just to clarify, the next steps are the BRMS and Fuse adapters. I assume we're aiming at securing the management consoles and services as well as end-user applications.
For Fuse this would include:
* Hawtio console
* Fuse CLI
* Camel?
* ActiveMQ?
Once Fuse is completed we could also look at securing Fabric8.
I've made some notes here https://docs.google.com/document/d/1rnoM7ityp7u_QVcVb4amY1o-9xojGQsS3wkTs...
As I'm away on PTO Friday and the following week Marek will look at Fuse adapter, while I'll help out if it makes sense.
Need your help community
by Bill Burke
If you're using Keycloak and you like it, help us out by writing a blog
about it. Anything would be great. A few sentences saying that you're
using Keycloak and like it. Or, if you're ambitious, give us something
more detailed on how you are deploying keycloak in your company. I
would love to read some user stories just to get insight on how people
are using us! Let me know if anybody does this and I'll link you from
my blog.
Thanks,
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
AS 7.1.1 still not working
by Marek Posolda
Right now, to have KC working on AS 7.1.1 we need to:
1) Comment "exclude-subsystems" element from
standalone/deployments/auth-server.war/WEB-INF/jboss-deployment-structure.xml
2) Comment "webservices" subsystem and extension in
standalone/configuration/standalone.xml
Should we just document this workaround or can we do something better?
Marek
Re: [keycloak-dev] Keycloak Integration
by Corinne Krych
Hello
We don’t currently offer integration with well-known HTTP libs. We'd be interested in providing an adapter for Alamofire (a Swift version of AFNetworking, very much in progress). Here’s a ticket to track it [1].
Actually, to integrate with the HTTP layer you need to have an AuthzModule protocol [2], and to provide a seamless integration of OAuth2 within your HTTP layer you should do something like [3] using a request extension.
Do not hesitate to share with us if you decide to do other adapters.
++
Corinne
—————
iOS AeroGear dev
[1] https://issues.jboss.org/browse/AGIOS-300
[2] https://github.com/aerogear/aerogear-ios-http/blob/master/AeroGearHttp/Ht...
[3] https://github.com/Alamofire/Alamofire/blob/master/Source/Alamofire.swift...
On 30 Oct 2014, at 11:50, Kaustubh Kabra <kaustubh.kabra(a)xtremumsolutions.com> wrote:
> Hi there,
>
> I went through the libraries provided by Corinne in the previous mail but have a few questions for implementation on Android and iOS:
>
> 1. Support for existing third-party libraries?
> As of now, we are using ASIHTTPS (https://github.com/pokeb/asi-http-request) or AFNetworking (https://github.com/AFNetworking/AFNetworking) for iOS and Volley for Android. Rather than replacing them with AeroGear libraries, considering the overall stability of HTTP requests, can we augment those libraries to support Keycloak OAuth2?
>
> 2. OAuth implementation possibilities:
> http://stackoverflow.com/questions/17400398/token-authentication-with-volley
> https://github.com/keybuk/asi-http-request-oauth
> Can we use/tweak the approach mentioned in the above answers/library to work with the Keycloak implementation?
>
> Thanks in advance!
>
> On Fri, Sep 26, 2014 at 11:43 AM, Sagar Zond <sagar.zond(a)xtremumsolutions.com> wrote:
> Please go through the following libs; we can use these to integrate with the OAuth server.
>
> regards
> Sagar Zond
>
> ---------- Forwarded message ----------
> From: Corinne Krych <corinnekrych(a)gmail.com>
> Date: Thu, Sep 25, 2014 at 9:06 PM
> Subject: Re: [keycloak-dev] Keycloak Integration
> To: "keycloak-user(a)lists.jboss.org" <keycloak-dev(a)lists.jboss.org>
> Cc: Sagar Zond <sagar.zond(a)xtremumsolutions.com>, Shashank Singh <shashank.singh(a)xtremumsolutions.com>, Bill Burke <bburke(a)redhat.com>
>
>
> Hello Sagar,
>
> For Keycloak OAuth2, AeroGear provides an SDK; we have both Obj-C and Swift, although the latest features go in the Swift version.
>
> 1. AeroGear-iOS 1.6 targets obj-c code [1] with its associated test repo [2], [2bis]
>
> 2. AeroGear 2.0 is modularized and based on Swift:
> aerogear-ios-http [3]
> aerogear-ios-oauth2 [4]
> Here you can find a simple access/refresh/revoke example:
> aerogear-ios-cookbook [5]
> aerogear-backend-cookbook [6]
> Note that 2.0 is on its way and should be released early October.
> The http module (aerogear-ios-http coupled with aerogear-ios-oauth2) takes care of implicitly refreshing tokens for you.
>
> Some blog posts [7]. I’m actually going to write an updated blog post for the Swift version.
> Some links to go through... Feedback welcome.
>
> ++
> Corinne
> iOS AeroGear
> [1] https://github.com/aerogear/aerogear-ios
> [2] https://github.com/aerogear/aerogear-ios-cookbook/tree/master/ProductInve...
> [2bis] https://github.com/aerogear/aerogear-integration-tests-server#oauth2-with...
> [3] https://github.com/aerogear/aerogear-ios-http
> [4] https://github.com/aerogear/aerogear-ios-oauth2
> [5] https://github.com/aerogear/aerogear-ios-cookbook/tree/swift/ProductInven...
> [6] https://github.com/corinnekrych/aerogear-backend-cookbook/tree/master/Pro...
> [7] http://corinnekrych.blogspot.fr/search/label/OAuth2
>
> On 25 Sep 2014, at 15:32, Bill Burke <bburke(a)redhat.com> wrote:
>
> > Sagar, I'm moving this to keycloak-dev list. See comments inline
> >
> > On 9/25/2014 6:53 AM, Sagar Zond wrote:
> >> Hi,
> >>
> >> We are planning to use Keycloak as the OAuth authorization server for our
> >> API platform. Our understanding of Keycloak and OAuth is not very clear,
> >> so we need your help to properly utilize Keycloak features.
> >>
> >> Just to introduce ourselves, we are a start-up firm creating products
> >> for the health care domain. In our architecture we will have multiple REST
> >> API servers and multiple types of clients like mobile, web and publicly
> >> exposed APIs. Keycloak can be used as the authentication and authorization
> >> server. We have already gone through most of the Keycloak tutorials.
> >>
> >> Here are a few points for which we need answers:
> >>
> >> 1. The API platform will be registered as an application server on Keycloak and
> >> clients (mobile app, web app or other app) will be authorized by
> >> Keycloak as per the defined roles. Is this a proper use case of Keycloak?
> >>
> >
> > You'll have to elaborate. I don't know exactly what you are saying.
> > Your REST API server would be registered as a Keycloak "Application".
> > You can define roles per "Application" or at the Realm level (global roles).
> >
> >> 2. How do we integrate OAuth into a mobile app? Where can we write token
> >> refresh logic?
> >>
> >
> > You can start off by defining a public "OAuth Client" per mobile app.
> > You can use the direct grant REST API to obtain a token, or, use mobile
> > redirects to login through the mobile's browser. I believe the Aerogear
> > project is doing some work around Keycloak IOS and Android clients, but
> > you'd have to ping them.
> >
> >> 3. How can we add more fields in the session? E.g. if we want to add more
> >> tokens in the header which may contain some extra application-specific
> >> encrypted data.
> >>
> >
> > Not sure what you mean. We don't have a nice way of adding claims to
> > the token at the moment.
> >
> >> 4. We are currently using OpenDS LDAP for authentication and we already
> >> have a number of registered users who are currently using the API. So we need
> >> Keycloak to be configured for OpenDS; please suggest how to
> >> integrate OpenDS with Keycloak.
> >>
> >
> > We have LDAP integration:
> >
> > http://docs.jboss.org/keycloak/docs/1.0.1.Final/userguide/html/user_feder...
> >
> >
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
>
> --
> Regards,
> Sagar Zond
>
KC Auth Server Subsystem questions
by Bill Burke
* What are the benefits of it? Specifically. I'll need to state this
in the release blog.
* Where is the documentation for it? Benefits, how to configure,
manage? How to add new providers? Modify keycloak-server.json, etc...
This can't be released or brought into the appliance until it is
documented thoroughly.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com