From: "Bruno Oliveira" <bruno(a)abstractj.org>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 25 November, 2014 2:35:58 PM
Subject: Re: [keycloak-dev] Programatic configuration
Double checking to see if my understanding is correct. On UPS realm we
have 2 applications:
"applications": [
    {
        "name": "unified-push-server",
        "enabled": true,
        "bearerOnly": true
    },
    {
        "name": "unified-push-server-js",
        "enabled": true,
        "publicClient": true,
        "baseUrl": "/ag-push",
        "redirectUris": [
            "http://localhost:8080/ag-push/*"
        ]
    }
]
The only resource which needs to be modified dynamically is
unified-push-server-js. So, making use of servlet listeners like Bill
did in the past for UPS, we have:
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.representations.adapters.config.AdapterConfig;

// sce is the ServletContextEvent handed to ServletContextListener.contextInitialized
AdapterDeploymentContext deploymentContext = (AdapterDeploymentContext)
        sce.getServletContext().getAttribute(AdapterDeploymentContext.class.getName());
AdapterConfig config = new AdapterConfig();
config.setRealm("aerogear");
// Dynamically replaced
config.setRealmKey("MIGfMA0GCSqGSIb3DQEBAQUAA");
// Dynamically replaced
config.setAuthServerUrl("http://mydomain.com:8081/auth");
config.setResource("unified-push-server-js");
config.setSslRequired("external");
config.setPublicClient(true);
// Replaces the deployment built from keycloak.json with this configuration
deploymentContext.updateDeployment(config);
In this way we can remove unified-push-server-js from ups-realm.json,
right? One thing not totally clear is about Keycloak.js. Currently we
have something like:
Keycloak kc = new Keycloak('config/keycloak.json')
With the change mentioned above, is the JSON file still required? Or
not necessary?
I don't see any point in having all of that, just use the keycloak.json with a system
property for the auth-server url. The realm keys are automatically downloaded so no need
to specify those.
On 2014-11-25, Bill Burke wrote:
>
>
> On 11/25/2014 7:50 AM, Stian Thorgersen wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Bruno Oliveira" <bruno(a)abstractj.org>
> >> To: "Stian Thorgersen" <stian(a)redhat.com>
> >> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> >> Sent: Tuesday, 25 November, 2014 1:29:24 PM
> >> Subject: Re: [keycloak-dev] Programatic configuration
> >>
> >> On 2014-11-25, Stian Thorgersen wrote:
> >>>
> >>>
> >>> ----- Original Message -----
> >>>> From: "Bruno Oliveira" <bruno(a)abstractj.org>
> >>>> To: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> >>>> Sent: Tuesday, 25 November, 2014 12:22:22 PM
> >>>> Subject: [keycloak-dev] Programatic configuration
> >>>>
> >>>> Good morning, we've been discussing the following workflow on
> >>>> AeroGear:
> >>>>
> >>>> First time
> >>>>
> >>>> 1. Developer creates a UPS instance on OpenShift
> >>>> 2. Visit https://myups-abstractj.rhcloud.com/ag-push
> >>>> 3. The application automagically redirects to the configuration
> >>>> page with the options default or Custom — where default makes use
> >>>> of the embedded Keycloak on UPS and with custom our developer would
> >>>> be able to specify another Keycloak instance
> >>>> (http://andresgalante.com/configuration/)
> >>>> 4. App changes the keycloak.json/ups-realm.json file based on the
> >>>> URL provided.
> >>>>
> >>>> Second time
> >>>>
> >>>> 1. Visit https://myups-abstractj.rhcloud.com/ag-push
> >>>> 2. The application checks if some configuration already exists
> >>>> (default or custom)
> >>>> 3. Redirect users to UPS login page or Keycloak login page. It
> >>>> pretty much depends.
> >>>>
> >>>> I would like to programmatically change (via Java) `ups-realm.json`,
> >>>> `keycloak.json` and `admin-ui-keycloak.json`. See
> >>>> https://github.com/abstractj/aerogear-unifiedpush-server/commit/e8fc8461f...
> >>>>
> >>>> Possible alternatives off the top of my head:
> >>>>
> >>>> 1. Read/manipulate JSON files from the database and provide
> >>>> `keycloak.json` and `admin-ui-keycloak.json` as a resource like
> >>>> Keycloak team did for JavaScript
> >>>> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
> >>>> 2. Dynamically generate `keycloak.json` and `admin-ui-keycloak.json`
> >>>> files to a shared place on WildFly.
> >>>>
> >>>> Do you have a better idea?
> >>>
> >>> Is it only the auth-server url you're changing? keycloak.json
> >>> supports system properties so you can use for example
> >>> { "auth-server" : "${keycloak.url}" }. If you do that you don't
> >>> have to rewrite the file at all.
> >>
> >> Yes! That's gorgeous! Am I supposed to define it during the bootstrap?
> >> For ups-realm.json file, I'm considering to make use of
> >> AdapterDeploymentContext like we did in the past, because the redirect
> >> url must dynamically change
> >> https://github.com/abstractj/aerogear-unifiedpush-server/commit/e8fc8461f...
> >
> > How would AdapterDeploymentContext work for a remote KC server?
> >
> > In the past I had an idea of adding support for server aliases, so you
> > could for example do "http://${ups}/ag-push" as the redirect-uri in KC.
> > Then we could provide some easy way to manage server-aliases, even
> > allowing it to resolve to one or more urls.
> >
>
> The idea was that the UPS mgmt console would allow you to specify a
> remote keycloak URL. It would store this URL, then update the
> AdapterDeploymentContext at runtime.
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
PGP: 0x84DC9914
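As an added example (not code from this thread, from UPS or from Keycloak), a servlet listener that does what Bill describes: takes an operator-supplied remote auth-server URL, validates it, and rebuilds the unified-push-server-js deployment through AdapterDeploymentContext. It assumes the Keycloak 1.x adapter packages shown in the imports and a hypothetical `ups.keycloak.url` system property standing in for the value the management console would persist; it is deliberately stricter than the snippet in the thread, because the realm keys are downloaded from whatever URL ends up configured, so that URL decides which issuer's tokens the adapter accepts.

```java
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.representations.adapters.config.AdapterConfig;

// Rebuilds the unified-push-server-js deployment at startup from an operator-supplied
// auth-server URL. That URL decides whose realm keys the adapter trusts, so check it first.
public class RemoteKeycloakConfigListener implements ServletContextListener {
    // Hypothetical property standing in for the value the UPS console would persist.
    static final String URL_PROPERTY = "ups.keycloak.url";

    // Returns the normalised auth-server URL, or throws if it is unacceptable.
    static String validateAuthServerUrl(String raw) {
        URI uri;
        try {
            uri = new URI(raw).normalize();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("auth-server url is not a valid URI", e);
        }
        String scheme = uri.getScheme(), host = uri.getHost();
        if (scheme == null || host == null) {
            throw new IllegalArgumentException("auth-server url must be absolute with a host");
        }
        boolean loopback = host.equals("localhost") || host.equals("127.0.0.1");
        if (!"https".equals(scheme) && !("http".equals(scheme) && loopback)) {
            throw new IllegalArgumentException("auth-server url must use https (http only on loopback)");
        }
        if (uri.getUserInfo() != null || uri.getQuery() != null || uri.getFragment() != null) {
            throw new IllegalArgumentException("auth-server url must not carry credentials, query or fragment");
        }
        return uri.toString();
    }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Default is the embedded Keycloak; a remote one must pass validation.
        String url = validateAuthServerUrl(System.getProperty(URL_PROPERTY, "http://localhost:8081/auth"));
        AdapterDeploymentContext deploymentContext = (AdapterDeploymentContext)
                sce.getServletContext().getAttribute(AdapterDeploymentContext.class.getName());
        AdapterConfig config = new AdapterConfig();
        config.setRealm("aerogear");
        config.setAuthServerUrl(url); // realm keys are fetched from this server, so no setRealmKey
        config.setResource("unified-push-server-js");
        config.setSslRequired("external");
        config.setPublicClient(true);
        deploymentContext.updateDeployment(config);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```

Register the listener in web.xml (or with @WebListener) so it runs after the Keycloak adapter has placed the AdapterDeploymentContext in the servlet context; a rejected URL fails deployment rather than silently falling back.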