Hey, I am looking into implementing keycloak integration with our application. The application: * java-based providing a rest interface using RestEasy * deployed to wildfly as a war archive * contains a web.xml detailing the security constraints, eg. runs over https only * has used BASIC authentication * has provided the swagger-ui interface for documentation and debugging of the REST operations Switching to keycloak has meant: * adding configuration to the keycloak xml element in wildfly's standalone.xml file * separation of the main application and its swagger documentation into 2 separate wars. This was to ensure ** the main application uses a bearer-only client implementation (no login page) ** the swagger page uses a public client implementation (login page displays and redirects back to the swagger api) Since the application is going to be released and distributed, the keycloak server-auth-url cannot be assumed anywhere in the configuration. The use of the wildfly xml configuration has meant that instructions can be provided to end-users to configure their own keycloak installations and specify the correct auth url appropriately. However, I am now faced with a problem. The swagger webpage redirects correctly to the keycloak login page, authenticates correctly and displays accordingly. However, its internal urls, eg. swagger.json, cannot be loaded from wildfly since these urls are not provided with the page's token. How do I provide the token from the main page to the swagger.json (so as to load the REST API documentation) and to each REST API operation when I want to "try it out"? As the swagger page is javascript, the keycloak adapter is available for use and I have prototyped using this. Yet the Keycloak object constructor requires a minimum of config, either directly or from a keycloak.json file. This config mandates the specifying of a keycloak server-auth-url, which is not appropriate to our situation. Therefore, is it possible to extract the token used to successfully login from the keycloak login page from the metadata available in the loaded swagger page? I have found that 'state' and 'code' are being passed as parameters to the logged-in swagger page. However, it seems this page is refreshed and the request that includes these parameters is replaced with the original url so impossible to glean them from the window.location. In summary: * Can the token or auth url be passed from the login page provided either to the javascript adapter or made available directly as a global variable? * Can the javascript adapter keycloak instance be initialised without needing to specify a server-auth-url with the expectation that the init method would simple call 'check-sso' and extract a token? * Is there even a way to serve a keycloak.json file, free-standing, in a wildfly instance that could at least be configured by end-users on installation of our application? If someone is able to shed light on any part of this rather protracted problem, I would be most grateful. Thanks and regards Paul -- Paul Richardson * p.g.richardson(a)phantomjinx.co.uk * p.g.richardson(a)redhat.com * pgrichardson(a)linux.com