6:33 a.m.
Hello,
I'm securing a REST bearer-only application using keycloak.
Is there any way to change keycloak.json adapter config file on the fly so
that it can take effect without restarting the container?
Will just editing keycloak.json work? I guess not.
What i want to do is complete an administrative task that will provide the
information needed for keycloak.json such as 'resource', edit keycloak.json
and then make this configuration effective for the REST api.
Best regards
Orestis
7:59 a.m.
If your client is JBoss/Wildfly, then you can call the JBoss CLI and
edit the config.
http://keycloak.github.io/docs/userguide/html/ch08.html#d4e918
Otherwise, you'll have to implement this yourself using a config
resolver. I think you can adapt the multitenancy support:
http://keycloak.github.io/docs/userguide/html/ch08.html#multi_tenancy
On 7/6/2015 7:33 AM, Orestis Tsakiridis wrote:
Hello,
I'm securing a REST bearer-only application using keycloak.
Is there any way to change keycloak.json adapter config file on the fly
so that it can take effect without restarting the container?
Will just editing keycloak.json work? I guess not.
What i want to do is complete an administrative task that will provide
the information needed for keycloak.json such as 'resource', edit
keycloak.json and then make this configuration effective for the REST api.
Best regards
Orestis
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8:09 a.m.
On 7/6/2015 8:59 AM, Bill Burke wrote:
If your client is JBoss/Wildfly, then you can call the JBoss CLI and
edit the config.
http://keycloak.github.io/docs/userguide/html/ch08.html#d4e918
For this solution
you will also need to redeploy the application. So
after you make changes to the secure-deployment you use CLI to redeploy:
/deployment=myapp.war/:redeploy
You don't have to restart the whole container though.
Otherwise, you'll have to implement this yourself using a config
resolver. I think you can adapt the multitenancy support:
http://keycloak.github.io/docs/userguide/html/ch08.html#multi_tenancy
On 7/6/2015 7:33 AM, Orestis Tsakiridis wrote:
> Hello,
>
> I'm securing a REST bearer-only application using keycloak.
>
> Is there any way to change keycloak.json adapter config file on the fly
> so that it can take effect without restarting the container?
>
> Will just editing keycloak.json work? I guess not.
>
> What i want to do is complete an administrative task that will provide
> the information needed for keycloak.json such as 'resource', edit
> keycloak.json and then make this configuration effective for the REST api.
>
>
> Best regards
>
> Orestis
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
8:52 a.m.
Well, the keycloak.json config is just a means to configure
a KeycloakDeployment from an AdapterConfig object. Specifically for the the
Spring adapter, the AdapterDeploymentContextBean would have to be aware
that the deployment changed. There would be a minimal amount of code needed
to support that and we can modify AdapterDeploymentContextBean to be more
flexible.
Just so I understand what you're asking for: you want to be able to update
a KeycloakDeployment on-the-fly, correct? Also, you're aware that a
keycloak.json can be configured at startup via either environment variables
on command like properties, correct? You have to change at runtime?
I think the AdapterDeploymentContextBean should be as flexible as possible,
however I have a small concern about the security of allowing certain
properties to be swapped at runtime (e.g. the realm-public-key and
the auth-server-url).
Best,
Scott
On Mon, Jul 6, 2015 at 7:33 AM, Orestis Tsakiridis <
orestis.tsakiridis(a)telestax.com> wrote:
Hello,
I'm securing a REST bearer-only application using keycloak.
Is there any way to change keycloak.json adapter config file on the fly so
that it can take effect without restarting the container?
Will just editing keycloak.json work? I guess not.
What i want to do is complete an administrative task that will provide the
information needed for keycloak.json such as 'resource', edit keycloak.json
and then make this configuration effective for the REST api.
Best regards
Orestis
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:54 a.m.
Sorry, just re-read the whole thread. Which adapter are you using?
On Mon, Jul 6, 2015 at 9:52 AM, Scott Rossillo <srossillo(a)smartling.com>
wrote:
Well, the keycloak.json config is just a means to configure
a KeycloakDeployment from an AdapterConfig object. Specifically for the the
Spring adapter, the AdapterDeploymentContextBean would have to be aware
that the deployment changed. There would be a minimal amount of code needed
to support that and we can modify AdapterDeploymentContextBean to be more
flexible.
Just so I understand what you're asking for: you want to be able to update
a KeycloakDeployment on-the-fly, correct? Also, you're aware that a
keycloak.json can be configured at startup via either environment variables
on command like properties, correct? You have to change at runtime?
I think the AdapterDeploymentContextBean should be as flexible as
possible, however I have a small concern about the security of allowing
certain properties to be swapped at runtime (e.g. the realm-public-key and
the auth-server-url).
Best,
Scott
On Mon, Jul 6, 2015 at 7:33 AM, Orestis Tsakiridis <
orestis.tsakiridis(a)telestax.com> wrote:
> Hello,
>
> I'm securing a REST bearer-only application using keycloak.
>
> Is there any way to change keycloak.json adapter config file on the fly
> so that it can take effect without restarting the container?
>
> Will just editing keycloak.json work? I guess not.
>
> What i want to do is complete an administrative task that will provide
> the information needed for keycloak.json such as 'resource', edit
> keycloak.json and then make this configuration effective for the REST api.
>
>
> Best regards
>
> Orestis
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
9:41 a.m.
Thanks all for your responses!
I'm using the JBoss/Wildfly adapter.
So, my case can be reduced to the following:
I have a java REST bearer-only web application (no Spring context here)
that is protected using keycloak1.json
I need to switch on the fly (at runtime, without container restart or
re-deploying) to another keycloak2.json adapter config.
It seems that the multitenancy solution suggested by Bill should work.
Best regards
Orestis
On Mon, Jul 6, 2015 at 4:54 PM, Scott Rossillo <srossillo(a)smartling.com>
wrote:
Sorry, just re-read the whole thread. Which adapter are you using?
On Mon, Jul 6, 2015 at 9:52 AM, Scott Rossillo <srossillo(a)smartling.com>
wrote:
> Well, the keycloak.json config is just a means to configure
> a KeycloakDeployment from an AdapterConfig object. Specifically for the the
> Spring adapter, the AdapterDeploymentContextBean would have to be aware
> that the deployment changed. There would be a minimal amount of code needed
> to support that and we can modify AdapterDeploymentContextBean to be more
> flexible.
>
> Just so I understand what you're asking for: you want to be able to
> update a KeycloakDeployment on-the-fly, correct? Also, you're aware that a
> keycloak.json can be configured at startup via either environment variables
> on command like properties, correct? You have to change at runtime?
>
> I think the AdapterDeploymentContextBean should be as flexible as
> possible, however I have a small concern about the security of allowing
> certain properties to be swapped at runtime (e.g. the realm-public-key and
> the auth-server-url).
>
> Best,
> Scott
>
>
> On Mon, Jul 6, 2015 at 7:33 AM, Orestis Tsakiridis <
> orestis.tsakiridis(a)telestax.com> wrote:
>
>> Hello,
>>
>> I'm securing a REST bearer-only application using keycloak.
>>
>> Is there any way to change keycloak.json adapter config file on the fly
>> so that it can take effect without restarting the container?
>>
>> Will just editing keycloak.json work? I guess not.
>>
>> What i want to do is complete an administrative task that will provide
>> the information needed for keycloak.json such as 'resource', edit
>> keycloak.json and then make this configuration effective for the REST api.
>>
>>
>> Best regards
>>
>> Orestis
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
3447
days inactive
3447
days old
5 comments
4 participants
participants (4)
-
Bill Burke -
Orestis Tsakiridis -
Scott Rossillo -
Stan Silvert