Hey,
I am looking into implementing keycloak integration with our application.
The application:
* java-based providing a rest interface using RestEasy
* deployed to wildfly as a war archive
* contains a web.xml detailing the security constraints, eg. runs over https only
* has used BASIC authentication
* has provided the swagger-ui interface for documentation and debugging of the REST operations
Switching to keycloak has meant:
* adding configuration to the keycloak xml element in wildfly's standalone.xml file
* separation of the main application and its swagger documentation into 2 separate wars. This was to ensure
** the main application uses a bearer-only client implementation (no login page)
** the swagger page uses a public client implementation (login page displays and redirects back to the swagger api)
Since the application is going to be released and distributed, the keycloak server-auth-url cannot be assumed anywhere in the configuration. The use of the wildfly xml configuration has meant that instructions can be provided to end-users to configure their own keycloak installations and specify the correct auth url appropriately. However, I am now faced with a problem.
The swagger webpage redirects correctly to the keycloak login page, authenticates correctly and displays accordingly. However, its internal urls, eg. swagger.json, cannot be loaded from wildfly since these urls are not provided with the page's token. How do I provide the token from the main page to the swagger.json (so as to load the REST API documentation) and to each REST API operation when I want to "try it out"?
As the swagger page is javascript, the keycloak adapter is available for use and I have prototyped using this. Yet the Keycloak object constructor requires a minimum of config, either directly or from a keycloak.json file. This config mandates the specifying of a keycloak server-auth-url, which is not appropriate to our situation. Therefore, is it possible to extract the token used to successfully login from the keycloak login page from the metadata available in the loaded swagger page?
I have found that 'state' and 'code' are being passed as parameters to the logged-in swagger page. However, it seems this page is refreshed and the request that includes these parameters is replaced with the original url, so it is impossible to glean them from the window.location.
In summary:
* Can the token or auth url be passed from the login page provided either to the javascript adapter or made available directly as a global variable?
* Can the javascript adapter keycloak instance be initialised without needing to specify a server-auth-url with the expectation that the init method would simply call 'check-sso' and extract a token?
* Is there even a way to serve a keycloak.json file, free-standing, in a wildfly instance that could at least be configured by end-users on installation of our application?
If someone is able to shed light on any part of this rather protracted problem, I would be most grateful.
Thanks and regards
Paul
--
Paul Richardson
* p.g.richardson(a)phantomjinx.co.uk
* p.g.richardson(a)redhat.com
* pgrichardson(a)linux.com
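An added illustration of the wiring the question is about (example code, not from the post or from the Keycloak or swagger-ui projects): the swagger war loads the Keycloak JS adapter from a relative keycloak.json, lets the adapter finish the code/state exchange itself, and passes the resulting bearer token to every request swagger-ui makes through its requestInterceptor. It assumes, hypothetically, that keycloak.json is served beside the swagger page (so the installer edits that one file instead of any hard-coded auth-server-url), and that the keycloak.js version in use returns native promises from init() and updateToken().

```javascript
// Added example, not code from the original post. Assumptions (hypothetical):
// the swagger war serves its adapter config at the relative path "keycloak.json"
// (so no auth-server-url is hard-coded in JavaScript; the installer edits that
// one file), and keycloak.js returns native promises from init()/updateToken().

// Returns a swagger-ui requestInterceptor that adds the current access token to
// every request swagger-ui makes, including the fetch of swagger.json itself and
// each "try it out" call. getToken returns the token string, or null when absent.
function makeBearerInterceptor(getToken) {
  return function (req) {
    const token = getToken();
    if (token) {
      req.headers = Object.assign({}, req.headers, { Authorization: 'Bearer ' + token });
    }
    return req;
  };
}

// Builds the options handed to SwaggerUIBundle. The spec URL stays relative so the
// bearer-only API war is reached wherever the end-user deployed it.
function buildSwaggerOptions(keycloak, specUrl, domId) {
  return {
    url: specUrl,
    dom_id: domId,
    requestInterceptor: makeBearerInterceptor(() => keycloak.token),
  };
}

// Browser bootstrap: the adapter completes the code/state exchange itself, so
// nothing has to be scraped from window.location.
function bootstrap() {
  const keycloak = new Keycloak('keycloak.json'); // relative path, per the assumption above
  return keycloak.init({ onLoad: 'login-required' }).then((authenticated) => {
    if (!authenticated) throw new Error('Keycloak login did not complete');
    SwaggerUIBundle(buildSwaggerOptions(keycloak, 'swagger.json', '#swagger-ui'));
    // Refresh the access token when fewer than 30 s remain so later "try it out"
    // calls do not fail with 401 once the short-lived token expires.
    setInterval(() => keycloak.updateToken(30).catch(() => keycloak.login()), 10000);
  });
}

// Only run in a browser where keycloak.js has been loaded; inert elsewhere.
if (typeof window !== 'undefined' && typeof Keycloak !== 'undefined') {
  bootstrap();
}
```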