OSGi http service is a generic one. Hence servlet filter is the only choice
offered by Keycloak for generic http adapters. We would welcome
contribution of OSGi bundle packaging.
Keycloak contains adapters specific to a particular http servers, like
Undertow, Jetty and others. For these to work, specific adapters have been
implemented but they obviously need access to the underlying
implementation. That's where pax-web comes in - it contains server-specific
parts for undertow, jetty, tomcat, and keycloak can bind to it with its
server-specific adapter implementations. This is not possible with generic
OSGi http service though.
Re contributing Sling adapter to keycloak codebase - that depends on the
complexity of the adapter. If that would be some simple adjustments
leveraging the servlet filetr that would apply to any OSGi adapter (which
may or may not be part of the OSGi bundle packaging above), feel free to
open a PR when you have it ready. For a more complex scenario, this would
need a separate discussion. Let's see when the contribution would be ready.
Thank you for your willingness to contribute!
On Wed, Jun 13, 2018 at 4:35 PM, Grzegorz Grzybek <gr.grzybek(a)gmail.com>
wrote:
Hello
First, let me introduce myself (I've subscribed to keycloak-dev list
just recently). I'm Grzegorz Grzybek and I'm contributing to both
Apache Karaf (and JBoss Fuse) and ops4j PAX-WEB project.
"Keycloak OSGi adapter" (GA = org.keycloak:keycloak-osgi-adapter)
indeed has some Fuse specific features. Or rather pax-web specific
features.
It uses org.ops4j.pax.web.service.WebContainer OSGi service to
register "something more" than what's possible to register using plain
org.osgi.service.http.HttpService.
In fact, org.ops4j.pax.web.service.WebContainer simply extends
org.osgi.service.http.HttpService adding methods to register filters,
listeners, login configurations security constraints, etc.
So org.ops4j.pax.web.service.WebContainer allows you to directly
register what's possible with WEB-INF/web.xml elements.
I never used Felix' http service (because Karaf uses pax-web), so I'm
not sure how keycloak works with plain OSGi http service.
I think, for sling integration you should not use
org.keycloak:keycloak-osgi-adapter, but
org.keycloak:keycloak-servlet-filter-adapter.
best regards
Grzegorz Grzybek
2018-06-12 21:59 GMT+02:00 Dmitry Telegin <dt(a)acutus.pro>:
>
> Hi,
>
> Together with Ioan Eugen Stan (in CC) we'll be doing a talk at
> adaptTo()'2018 conference [1] that will take place 12-13 September in
> Potsdam, Germany. It's an event dedicated to Apache Sling and
> everything around it. The talk will be titled "Modern authentication in
> Sling with OpenID Connect and Keycloak".
>
> As you might guess, we're going to present Sling + Keycloak integration
> which I hope we'll manage to implement by the time of the conference :)
> that said, we welcome any thoughts that might help us with that.
>
> Now for technical details, Sling is an OSGi-based content-oriented web
> framework that runs on top of Apache Felix and uses Felix HTTP Service.
> I've examined Keycloak OSGi adapter and found its name a bit confusing;
> seems like it's only suitable for JBoss Fuse, depending on Pax Web
> (correct me if I'm wrong).
>
> Right now I see two scenarios, the first is to take current OSGi
> adapter and adapt it (sorry for tautology) to Felix HTTP Service; the
> second is to use the existing servlet filter adapter. I'd say I would
> prefer the second variant, as it's more straightforward. Felix and
> Sling have a proven and well-documented support for servlet filters,
> however, we'll have to solve the problems of packaging for OSGi, filter
> registration, configuration and more deep integration with Sling's
> security framework.
>
> Also please let us know if you consider our (future) code worth being
> contributed to Keycloak codebase. Most likely, the deliverables will
> include 1) servlet filter adapter packaged as OSGi bundle, 2) the Sling
> adapter proper.
>
> Cheers and hope to hear from you,
> Dmitry
>
> [1]
https://adapt.to/2018/en/schedule/modern-authentication-in-sling-wi
> th-openid-connect-and-keycloak.html
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev