[aerogear-dev] Aerogear UPS + Keycloak cartridge combined together POC

Matthias Wessendorf matzew at apache.org
Tue Feb 4 12:20:43 EST 2014


On Tue, Feb 4, 2014 at 6:13 PM, Karel Piwko <kpiwko at redhat.com> wrote:

> Hey,
>
> I've combined Aerogear UPS and Keycloak cartridges together. You can check
> the
> results at:
>
> https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
> https://keycloak-mobileqa.rhcloud.com/ (admin/password)
>
>
I think it would be awesome if the keycloak bits would be included into the
UPS bits, to have something OOTB, instead of pointing to a different server
(CORS)


> For keycloak, I have used original cart [1]:
>
> $ rhc app create -g small --no-git keycloak
>
> https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metadata/manifest.yml
>
> For UPS, I have modified matzew's one stored in my repo [2] and modified
> UPS
> [3]:
>
> $ rhc app create -g small --no-git agpushkeycloak mysql-5.1
> '
> http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-origin-cartridge-aerogear-push&commit=a45f93afaa275de082f9da749bce13fb33acdb75
> '
>
> There are some gotchas though:
>
> * keycloak.json - I'm not sure how this will be addressed by WF subsystem.


the public-key needs to be, as far as I can see, included inside of the
standalone.xml (keycloak subsystem section).
Which is somewhat a similar issue; I think, if I get it right, that means
as you plan to support more and more 'realms', you keep editing the
standalone xml.


> We
>   still need a way how to pass keycloak.json to UPS cartridge, which is AS7
>   and we can't ask user to modify standalone.xml anyway. However, we could
> make
>   a hook on OpenShift - user will add keycloak.json to git repo and it will
>   automagically put at right location. Could we have a hook in Keycloak to
>   load keycloak.json from external location? Or should we rather do some
> war
>   exploding magic?
> * AS7-3227 I worked this around by doing parameter injection for
>   SecurityContext in UPS. Nasty. Can we make newer RESTEasy part of
> Keycloak
>   package for AS7? Any better option?
> * Ember in UPS is firing AJAX request to REST Endpoints on the same domain.
>   However, as it goes through Keycloak Auth Server, this is considered CORS
>   request. I had to configure Web Origin for UPS application. This is
>   confusing to me, Origin header should be transparent for Keycloak as I'm
>   firing request to the same domain. Note this does not happen in Firefox,
>   which identifies same domain and avoids Origin header. I need some
> insight
>   here from more skilled people.
>

hmmmmm .... sounds 'good' :-)


> * I wasn't able to keep http->https rewriting valve with Keycloak to avoid
> UPS
>   usage via http protocol. I'll go deeper into that.
>

https is enforced on our UPS cartridge


> * Changes to Web Origin in Keycloak admin UI are not reflected to already
> logged
>   users. They need to log out first.
> * Missing logout button in UPS. Related to previous point.
>
> Let me know if you want me to convert some of these points to JIRAs in
> AGPUSH
> or KEYCLOAK projects. Also, let me please now if I should have configured
> something differently.
>
> Thanks,
>
> Karel
>
> [1] https://github.com/stianst/openshift-keycloak-cartridge
> [2]
>
> https://github.com/kpiwko/openshift-origin-cartridge-aerogear-push/tree/keycloak
> [3]
>
> https://github.com/kpiwko/aerogear-unifiedpush-server/tree/keycloak-openshift
>
> More detailed steps:
>
> 1/ Create Keycloak cart
> 2/ Add AeroGear-UnifiedPush realm with roles admin, user
> 3/ Add ag-push app with scopes admin, user, allow Web Origin for UPS cart
> location
> 4/ Get keycloak.json
> 5/ Enable CORS in keycloak.json, modify password
> 6/ Add keycloak.json to aerogear-unifiedpush-server/src/main/webapp/WEB-INF
> 7/ Package UPS via 'mvn clean package'
> 8/ Put war into
>
> openshift-origin-cartridge-aerogear-push/versions/0.9.0/standalone/deployments
> 9/ Push that online
> 10/ Create UPS cart using reflector cartridge (use commit sha1 if not using
> master), enable mysql-5.1 gear as well
> 11/ Create an user with roles admin/user in AeroGear-UnifiedPush realm
> 12/ Enjoy UPS secured by Keycloak. Have a big cup of coffee.
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/aerogear-dev/attachments/20140204/08ea50fa/attachment.html 


More information about the aerogear-dev mailing list