Re: [keycloak-dev] [aerogear-dev] Aerogear UPS + Keycloak cartridge combined together POC
by Matthias Wessendorf
oh, this was a cross-post :-) (adding keycloak)
On Tue, Feb 4, 2014 at 6:20 PM, Matthias Wessendorf <matzew(a)apache.org> wrote:
>
>
>
> On Tue, Feb 4, 2014 at 6:13 PM, Karel Piwko <kpiwko(a)redhat.com> wrote:
>
>> Hey,
>>
>> I've combined Aerogear UPS and Keycloak cartridges together. You can check the
>> results at:
>>
>> https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
>> https://keycloak-mobileqa.rhcloud.com/ (admin/password)
>>
>>
> I think it would be awesome if the keycloak bits would be included into
> the UPS bits, to have something OOTB, instead of pointing to a different
> server (CORS)
>
>
>> For keycloak, I have used original cart [1]:
>>
>> $ rhc app create -g small --no-git keycloak
>>
>> https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metada...
>>
>> For UPS, I have modified matzew's one stored in my repo [2] and modified UPS
>> [3]:
>>
>> $ rhc app create -g small --no-git agpushkeycloak mysql-5.1
>> 'http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-o...'
>>
>> There are some gotchas though:
>>
>> * keycloak.json - I'm not sure how this will be addressed by WF subsystem.
>
>
> the public-key needs to be, as far as I can see, included inside of the
> standalone.xml (keycloak subsystem section).
> Which is somewhat a similar issue; I think, if I get it right, that means
> as you plan to support more and more 'realms', you keep editing the
> standalone xml.
>
>
>> We still need a way how to pass keycloak.json to UPS cartridge, which is AS7
>> and we can't ask user to modify standalone.xml anyway. However, we could make
>> a hook on OpenShift - user will add keycloak.json to git repo and it will
>> automagically be put at the right location. Could we have a hook in Keycloak to
>> load keycloak.json from external location? Or should we rather do some war
>> exploding magic?
>> * AS7-3227 I worked this around by doing parameter injection for
>> SecurityContext in UPS. Nasty. Can we make newer RESTEasy part of Keycloak
>> package for AS7? Any better option?
>> * Ember in UPS is firing AJAX request to REST Endpoints on the same domain.
>> However, as it goes through Keycloak Auth Server, this is considered CORS
>> request. I had to configure Web Origin for UPS application. This is
>> confusing to me, Origin header should be transparent for Keycloak as I'm
>> firing request to the same domain. Note this does not happen in Firefox,
>> which identifies same domain and avoids Origin header. I need some insight
>> here from more skilled people.
>>
>
> hmmmmm .... sounds 'good' :-)
>
>
>> * I wasn't able to keep http->https rewriting valve with Keycloak to avoid UPS
>> usage via http protocol. I'll go deeper into that.
>>
>
> https is enforced on our UPS cartridge
>
>
>> * Changes to Web Origin in Keycloak admin UI are not reflected to already logged
>> users. They need to log out first.
>> * Missing logout button in UPS. Related to previous point.
>>
>> Let me know if you want me to convert some of these points to JIRAs in AGPUSH
>> or KEYCLOAK projects. Also, let me please know if I should have configured
>> something differently.
>>
>> Thanks,
>>
>> Karel
>>
>> [1] https://github.com/stianst/openshift-keycloak-cartridge
>> [2] https://github.com/kpiwko/openshift-origin-cartridge-aerogear-push/tree/k...
>> [3] https://github.com/kpiwko/aerogear-unifiedpush-server/tree/keycloak-opens...
>>
>> More detailed steps:
>>
>> 1/ Create Keycloak cart
>> 2/ Add AeroGear-UnifiedPush realm with roles admin, user
>> 3/ Add ag-push app with scopes admin, user, allow Web Origin for UPS cart
>> location
>> 4/ Get keycloak.json
>> 5/ Enable CORS in keycloak.json, modify password
>> 6/ Add keycloak.json to aerogear-unifiedpush-server/src/main/webapp/WEB-INF
>> 7/ Package UPS via 'mvn clean package'
>> 8/ Put war into
>> openshift-origin-cartridge-aerogear-push/versions/0.9.0/standalone/deployments
>> 9/ Push that online
>> 10/ Create UPS cart using reflector cartridge (use commit sha1 if not using
>> master), enable mysql-5.1 gear as well
>> 11/ Create a user with roles admin/user in AeroGear-UnifiedPush realm
>> 12/ Enjoy UPS secured by Keycloak. Have a big cup of coffee.
>>
>>
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>
>
>
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
>
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
10 years, 10 months
The "powered" link
by Viliam Rockai
Hi All,
In the log-in form, at bottom right, we got a "powered by KC" link.
What's the purpose of such link? Any objections against removing it?
Viliam
10 years, 10 months
theme thought
by Bill Burke
You'd probably want to support multiple concurrent themes for different
languages (french, spanish, english, etc...). I'm just not sure how the
user-agent's language would be discovered. Some do it by hostname i.e.
www.google.es or by a URL pattern example.com/en-US/...
Just something to think about.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 10 months
Aerogear UPS + Keycloak cartridge combined together POC
by Karel Piwko
Hey,
I've combined Aerogear UPS and Keycloak cartridges together. You can check the
results at:
https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
https://keycloak-mobileqa.rhcloud.com/ (admin/password)
For keycloak, I have used original cart [1]:
$ rhc app create -g small --no-git keycloak
https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metada...
For UPS, I have modified matzew's one stored in my repo [2] and modified UPS
[3]:
$ rhc app create -g small --no-git agpushkeycloak mysql-5.1
'http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-o...'
There are some gotchas though:
* keycloak.json - I'm not sure how this will be addressed by WF subsystem. We
still need a way how to pass keycloak.json to UPS cartridge, which is AS7
and we can't ask user to modify standalone.xml anyway. However, we could make
a hook on OpenShift - user will add keycloak.json to git repo and it will
automagically be put at the right location. Could we have a hook in Keycloak to
load keycloak.json from external location? Or should we rather do some war
exploding magic?
* AS7-3227 I worked this around by doing parameter injection for
SecurityContext in UPS. Nasty. Can we make newer RESTEasy part of Keycloak
package for AS7? Any better option?
* Ember in UPS is firing AJAX request to REST Endpoints on the same domain.
However, as it goes through Keycloak Auth Server, this is considered CORS
request. I had to configure Web Origin for UPS application. This is
confusing to me, Origin header should be transparent for Keycloak as I'm
firing request to the same domain. Note this does not happen in Firefox,
which identifies same domain and avoids Origin header. I need some insight
here from more skilled people.
* I wasn't able to keep http->https rewriting valve with Keycloak to avoid UPS
usage via http protocol. I'll go deeper into that.
* Changes to Web Origin in Keycloak admin UI are not reflected to already logged
users. They need to log out first.
* Missing logout button in UPS. Related to previous point.
Let me know if you want me to convert some of these points to JIRAs in AGPUSH
or KEYCLOAK projects. Also, let me please know if I should have configured
something differently.
Thanks,
Karel
[1] https://github.com/stianst/openshift-keycloak-cartridge
[2] https://github.com/kpiwko/openshift-origin-cartridge-aerogear-push/tree/k...
[3] https://github.com/kpiwko/aerogear-unifiedpush-server/tree/keycloak-opens...
More detailed steps:
1/ Create Keycloak cart
2/ Add AeroGear-UnifiedPush realm with roles admin, user
3/ Add ag-push app with scopes admin, user, allow Web Origin for UPS cart
location
4/ Get keycloak.json
5/ Enable CORS in keycloak.json, modify password
6/ Add keycloak.json to aerogear-unifiedpush-server/src/main/webapp/WEB-INF
7/ Package UPS via 'mvn clean package'
8/ Put war into
openshift-origin-cartridge-aerogear-push/versions/0.9.0/standalone/deployments
9/ Push that online
10/ Create UPS cart using reflector cartridge (use commit sha1 if not using
master), enable mysql-5.1 gear as well
11/ Create a user with roles admin/user in AeroGear-UnifiedPush realm
12/ Enjoy UPS secured by Keycloak. Have a big cup of coffee.
10 years, 10 months
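The Web Origin gotcha in the message above, as an added example that is not part of the original post and is not Keycloak or UPS code: a request can carry an Origin header and still be same-origin, so a check that treats "Origin present" as "CORS" rejects the application's own AJAX calls unless its own origin is listed. The function names, the `example.test` hosts and the naive check itself are assumptions made for illustration.

```javascript
// Added illustration; not Keycloak adapter code. All names are hypothetical.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Normalise an origin to scheme://host:port; null for "null", junk or non-web schemes.
function normalizeOrigin(value) {
  if (!value || value === "null") return null;
  let u;
  try { u = new URL(value); } catch (e) { return null; }
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return `${u.protocol}//${u.hostname}:${u.port || DEFAULT_PORTS[u.protocol]}`;
}

// Assumed naive check: any request carrying Origin is treated as CORS and must
// match the Web Origin allowlist, even when it comes from the app's own pages.
function naiveClassify(originHeader, webOrigins) {
  if (originHeader === undefined) return { kind: "no-origin", allowed: true };
  const origin = normalizeOrigin(originHeader);
  const allowed = origin !== null && webOrigins.map(normalizeOrigin).includes(origin);
  return { kind: "cross-origin", allowed };
}

// Origin-aware check. selfOrigin is the externally visible origin of the app
// (behind a TLS-terminating proxy this is the https URL, not the backend's).
// "allowed" is only the CORS decision; authentication still applies afterwards.
function classifyRequest(originHeader, selfOrigin, webOrigins) {
  const none = {};
  if (originHeader === undefined) return { kind: "no-origin", allowed: true, corsHeaders: none };
  const origin = normalizeOrigin(originHeader);
  if (origin === null) return { kind: "invalid-origin", allowed: false, corsHeaders: none };
  if (origin === normalizeOrigin(selfOrigin)) {
    return { kind: "same-origin", allowed: true, corsHeaders: none };
  }
  const allowed = webOrigins.map(normalizeOrigin).includes(origin);
  // Echo only an allowlisted origin, never "*", and vary caches on Origin.
  const corsHeaders = allowed
    ? { "Access-Control-Allow-Origin": originHeader, "Vary": "Origin" } : none;
  return { kind: "cross-origin", allowed, corsHeaders };
}

// Constructed requests against a constructed deployment.
const SELF = "https://ups.example.test";
function demo() {
  return {
    naiveSameOriginPost: naiveClassify(SELF, []),
    awareSameOriginPost: classifyRequest(SELF + ":443", SELF, []),
    downgradedScheme: classifyRequest("http://ups.example.test", SELF, []),
    listedPartner: classifyRequest("https://console.example.test", SELF, ["https://console.example.test"]),
  };
}
console.log(demo());
```

The `downgradedScheme` case shows why the http->https point in the same message matters here: the plain-http page is a different origin from the https one and is refused unless it is listed explicitly.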
composite roles in
by Bill Burke
I still need to do a screencast (and eventually do some documentation).
I'm waiting on that as I want to see how our UI might change for the
next release. I had to change a bit in the import realm json
representation to support composites.
I'm going to take a look at Stan's Wildfly subsystem work next and see
if it can be improved at all, or if it's ready to go.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 10 months
postgres and mysql
by Bill Burke
A user was reporting postgres issues. Does anybody want to test out
keycloak with postgres and mysql and write install docs on it? It's on
my todo list, but hoping somebody will take it on. Boring work, but
hey, doing screencasts is even more boring ;)
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 10 months
JIRA
by Stian Thorgersen
I've had a scan through JIRA to clean up some old issues. There are two issues I think we can close, but I'm not 100% sure:
- https://issues.jboss.org/browse/KEYCLOAK-54
- https://issues.jboss.org/browse/KEYCLOAK-187
Now that we have our first release out and started getting users it would be good to improve our JIRA usage a bit. JIRA issues are helpful to create a road-map, so all bug fixes and new features should have a JIRA issue.
10 years, 10 months