This is something that we need to figure out and find a proper solution for. It should be
very easy for any JBoss project/product to both embed Keycloak and to use a centralized
Keycloak for SSO.
There are quite a few issues that need resolving to achieve this properly:
* Do we support embedding Keycloak in other containers than WildFly/EAP?
* Do we provide a slimmed down version of Keycloak for embedding? An embedded Keycloak
should be for securing the project's console in a simple deployment, not for an SSO
solution.
* How do we handle bootstrapping? Applications need to configure themselves, including
realm keys and application secrets. What happens if realm keys, application URLs, etc.
change?
* How do we provide a simple mechanism to link to a centralized Keycloak server?
* How do we make sure multiple projects can share the same Keycloak realm? Roles, for
example, are a problem here if multiple projects use realm level roles (Keycloak itself
does!)
* How to enable SSL for a project? Keycloak is not secure without SSL! That's one of
the downsides to bearer auth.
Those issues (and probably a whole bunch more) should all be solved consistently for all
JBoss projects.
----- Original Message -----
From: "Juraci Paixão Kröhling" <juraci(a)kroehling.de>
To: keycloak-user(a)lists.jboss.org
Sent: Monday, 2 February, 2015 1:26:43 PM
Subject: [keycloak-user] Best practices for building appliances
All,
In our project, we plan to have a distribution where we ship our
application with a Wildfly bundled, a la Keycloak Appliance.
My main concern is shipping our distribution with a default pair of
realm keys or with a pre-filled database. I know it's possible to
import a realm on the first boot and KC will generate the required
keys if they are missing from the imported JSON template, but as we
are shipping our own WAR, we would need to get the public key into our
application's keycloak.json (or subsystem) before it gets deployed.
I wonder if this is a common situation and what would be the best
practices for such a case. I think Stian mentioned before that a future
version of KC would allow auto registration of applications, but until
that is available, I'd be interested in hearing your experiences about it.
Another situation is for a contributor of the project or for users who
would want to build from the source: what would be the best practice
for generating new keys at each build? If there's no easy solution for
that now, I'd be interested in building a "keycloak-cli" utility that
would generate realm and application JSON files, possibly with a Maven
plugin wrapper to make it easier to consume from Maven projects. Would
something like that be interesting for the project?
Best,
Juca.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
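Both Stian's bootstrapping bullet (realm keys and application secrets that the application must already know) and Juraci's question about generating fresh keys at build time instead of shipping a default pair come down to one thing: the realm import file and the adapter's keycloak.json must be derived from the same keypair in one step. The following is an added example of such a build-time generator, not code from Keycloak or from Juraci's project. It assumes the Keycloak 1.x realm import field names (`privateKey`, `publicKey`, `sslRequired`, `applications[].secret`, `redirectUris`) and adapter field names (`realm-public-key`, `auth-server-url`, `ssl-required`, `resource`, `credentials.secret`); the realm, application name, URLs and file paths are constructed placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"os"
)

// RealmExport is the subset of a Keycloak 1.x realm import file this generator fills.
// Field names are assumed from the 1.x format; verify them against your version.
type RealmExport struct {
	Realm        string        `json:"realm"`
	Enabled      bool          `json:"enabled"`
	SslRequired  string        `json:"sslRequired"`
	PrivateKey   string        `json:"privateKey"` // base64 of PKCS#8 DER
	PublicKey    string        `json:"publicKey"`  // base64 of SubjectPublicKeyInfo DER
	Applications []Application `json:"applications"`
}

// Application is one registered application inside the realm import.
type Application struct {
	Name         string   `json:"name"`
	Enabled      bool     `json:"enabled"`
	Secret       string   `json:"secret"`
	RedirectUris []string `json:"redirectUris"`
}

// AdapterConfig is the keycloak.json packaged into the WAR (1.x adapter format, assumed).
type AdapterConfig struct {
	Realm          string            `json:"realm"`
	RealmPublicKey string            `json:"realm-public-key"`
	AuthServerURL  string            `json:"auth-server-url"`
	SslRequired    string            `json:"ssl-required"`
	Resource       string            `json:"resource"`
	Credentials    map[string]string `json:"credentials"`
}

// Bundle pairs the realm import with the adapter config derived from the same keypair.
type Bundle struct {
	Realm   RealmExport
	Adapter AdapterConfig
}

// Generate creates a fresh 2048-bit RSA realm keypair and a random application secret
// and derives both files from them, so the public key and secret in keycloak.json
// cannot drift from the realm that gets imported on first boot.
func Generate(realm, app, authServerURL string, redirectUris []string) (Bundle, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Bundle{}, err
	}
	privDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return Bundle{}, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return Bundle{}, err
	}
	secretBytes := make([]byte, 32)
	if _, err := rand.Read(secretBytes); err != nil {
		return Bundle{}, err
	}
	secret := hex.EncodeToString(secretBytes)
	pub := base64.StdEncoding.EncodeToString(pubDER)
	// "external" = TLS required for all non-loopback traffic; bearer tokens are
	// replayable if they ever travel in the clear.
	return Bundle{
		Realm: RealmExport{Realm: realm, Enabled: true, SslRequired: "external",
			PrivateKey: base64.StdEncoding.EncodeToString(privDER), PublicKey: pub,
			Applications: []Application{{Name: app, Enabled: true, Secret: secret, RedirectUris: redirectUris}}},
		Adapter: AdapterConfig{Realm: realm, RealmPublicKey: pub, AuthServerURL: authServerURL,
			SslRequired: "external", Resource: app, Credentials: map[string]string{"secret": secret}},
	}, nil
}

// ParseRealmPublicKey decodes the base64 DER key the way an adapter must before it can
// verify token signatures; a failure here means the WAR would fail at deploy time.
func ParseRealmPublicKey(b64 string) (*rsa.PublicKey, error) {
	der, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	pk, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, err
	}
	rsaKey, ok := pk.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("realm key is not RSA")
	}
	return rsaKey, nil
}

// Consistent is the build-time check that the adapter config matches its realm import:
// same realm name, same public key, and a registered application with the same secret.
func Consistent(b Bundle) bool {
	if b.Adapter.RealmPublicKey != b.Realm.PublicKey || b.Adapter.Realm != b.Realm.Realm {
		return false
	}
	for _, a := range b.Realm.Applications {
		if a.Name == b.Adapter.Resource && a.Secret == b.Adapter.Credentials["secret"] {
			return true
		}
	}
	return false
}

func main() {
	// Constructed placeholder names and URLs.
	b, err := Generate("myproject", "myproject-console", "https://localhost:8443/auth",
		[]string{"https://localhost:8443/console/*"})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// The realm file holds the private key: feed it to the server's first-boot import
	// and keep it out of the WAR and out of version control. Only keycloak.json is packaged.
	for path, v := range map[string]interface{}{"myproject-realm.json": b.Realm, "keycloak.json": b.Adapter} {
		data, _ := json.MarshalIndent(v, "", "  ")
		if err := os.WriteFile(path, data, 0o600); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
}
```

Run this as a build step (for example from a Maven exec plugin) and every build gets its own realm key and application secret, which removes the shared default keypair Juraci is worried about; `Consistent` is the check to run before packaging so that a hand-edited keycloak.json can never ship with a stale `realm-public-key`.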