Re: [keycloak-dev] Aerogear UPS + Keycloak cartridge combined together POC

On 2/5/2014 8:35 AM, Karel Piwko wrote: > On Tue, 04 Feb 2014 13:51:37 -0500 > Bill Burke <bburke(a)redhat.com&gt; wrote: > >> >> >> On 2/4/2014 12:13 PM, Karel Piwko wrote: >>> Hey, >>> >>> I've combined Aerogear UPS and Keycloak cartridges together. You can check >>> the results at: >>> >>> https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password) >>> https://keycloak-mobileqa.rhcloud.com/ (admin/password) >>> >>> For keycloak, I have used original cart [1]: >>> >>> $ rhc app create -g small --no-git keycloak >>> https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metada... >>> >>> For UPS, I have modified matzew's one stored in my repo [2] and modified >>> UPS [3]: > > Given your comments, I'll modify setup to have (primarily) single cart > option. Should I keep two carts setup? It at least seems as a good QE test > case ;-) > > Note, I will either have to wait for WF8 Final (due to Hibernate bug in > CR1) or base cart on AS7. > >>> >>> $ rhc app create -g small --no-git agpushkeycloak mysql-5.1 >>> 'http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-origin-cartridge-aerogear-push&commit=a45f93afaa275de082f9da749bce13fb33acdb75' >>> >>> There are some gotchas though: >>> >>> * keycloak.json - I'm not sure how this will be addressed by WF subsystem. >>> We still need a way how to pass keycloak.json to UPS cartridge, which is >>> AS7 and we can't ask user to modify standalone.xml anyway. However, we >>> could make a hook on OpenShift - user will add keycloak.json to git repo >>> and it will automagically put at right location. Could we have a hook in >>> Keycloak to load keycloak.json from external location? Or should we >>> rather do some war exploding magic? >> >> I need to go through Stan's work. I want to be able to configure the >> subsystem from the keycloak admin console without having to create a >> keycloak.json file. I just don't know yet if the subsystem will work on >> AS7. > > > This will work for app and Keycloak being deployed on a single server. It > does not solve SaaS scenario - keycloak admin console can configure > subsystem of current WF(AS) only. Keycloak would need to manage subsystem > of a remote WF - I doubt this would ever be possible with AS7 on OpenShift > and I think security concerns of such setup are not even allowing this on > WF8. > You can make authenticated HTTP requests to the WF/AS7 admin interface. Maybe Openshift is disallowing this, but its certainly not the case with WF. My understanding is that the new WF admin console will be a pure HTML 5 application making CORS requests to the admin REST interface of WF. What I'm saying is, this will work in the SaaS scenario if Openshift has not turned off the AS7/WF admin interface.

>> >> >>> * AS7-3227 I worked this around by doing parameter injection for >>> SecurityContext in UPS. Nasty. Can we make newer RESTEasy part of >>> Keycloak package for AS7? Any better option? >> >> This is an UPS issue right? Keycloak WAR bundles is own Resteasy and >> excludes built in one. > > Well, it is either keycloak packaging issue or documentation issue (or > problem here in Brno in between chair and keyboard). I've added > keycloak-as7-adapter-dist to AS7. Keycloak WAR was added to different > cartridge. So, AS7 (UPS) is still using old RESTEasy 2.x. This will be fixed > if newer RESTEasy is packaged inside of keycloak-as7-adapter-dist instead of > Keycloak WAR. IIRC this was setup pre alpha-1. There are two things: * The keycloak auth-server.war which is the authentication server * The adapter zip which installs "client" modules and used only for WF/AS7 instances that want to interact with a Keycloak auth server. The adapter does not have a dependency on Resteasy, only on Apache HTTP Client 4.1.x (or higher). The auth-server does have a dependency on Resteasy.