[aerogear-dev] Keycloak integration ideas

Stian Thorgersen stian at redhat.com
Wed Jan 22 09:14:14 EST 2014



----- Original Message -----
> From: "Lucas Holmquist" <lholmqui at redhat.com>
> To: "AeroGear Developer Mailing List" <aerogear-dev at lists.jboss.org>
> Sent: Wednesday, 22 January, 2014 1:38:30 PM
> Subject: Re: [aerogear-dev] Keycloak integration ideas
> 
> 
> On Jan 22, 2014, at 6:53 AM, Matthias Wessendorf < matzew at apache.org > wrote:
> 
> 
> 
> 
> Hello Stian,
> 
> 
> On Wed, Jan 22, 2014 at 12:40 PM, Stian Thorgersen < stian at redhat.com >
> wrote:
> 
> 
> It's great to see interest in the Keycloak project :)
> 
> We've been quite busy with getting the alpha out the door (hopefully it'll be
> released tomorrow) hence the lack of response. Also, I don't think Bill
> follows aerogear-dev.
> 
> Would be good to start discussions on these items, maybe as separate posts to
> keycloak-dev?
> 
> sure, that would work for me
> 
> 
> 
> A few thoughts from me:
> 
> * We've got a quick and dirty OpenShift cartridge (
> https://github.com/keycloak/openshift-keycloak-cartridge ) - it's based on
> the WildFly cartridge by Corey Daley. Seems to work pretty well and took me
> about an hour to do the mods. I was considering if it was possible to do the
> Keycloak and UPS cartridges as add-ons to the WildFly cartridge (same as
> postgresql and mysql cartridges). That way you can mix and match whatever
> combo you want. A specific cartridge may provide a better integrated
> experience though. Maybe we can ping someone in the OpenShift team to find
> out the correct approach?
> 
> sounds reasonable. Farah was kindly helping us w/ our Push Cartridge
> (containing Unified- and SimplePush Servers + MySQL).
> There are thoughts on integrating the UPS (e.g. the user management) w/
> Keycloak. Something like that makes a perfect 'mix' for adding the Keycloak
> bits into our cartridge. Sure we could 're-lable' it. Is that something that
> sounds good ?
> 
> 
> 
> * Mobile SDKs - There's not much effort yet on supporting mobiles. Maybe you
> could help us with creating Keycloak SDKs, with most of the code reusable in
> AeroGear and LiveOak?
> 
> Absolutely, for that I think it would be good to start a thread on
> keycloak-dev regarding 'requirements' / desired functionality. Ideally these
> SDKs are leveraging AeroGear's mobile client SDKs.
> 
> 
> * JS - None in Keycloak, but I've started one in LiveOak. Again, could we do
> a Keycloak JS lib that could be reused by AeroGear and LiveOak?
> 
> +1 and that would be needed pretty much once the UnifiedPushServer is
> integrating w/ Keycloak :-)
> 
> what is the target for having the "implicit" auth flow, since this is needed
> for JS clients.
> 
> I have a OAuth2 client in aerogear.js, currently tested against googles
> OAuth2 stuff, but it is written to spec

JS clients can use authorization code flow as well. Currently Keycloak requires a client id and secret to exchange the code for a token, but I think for public clients it should allow these to not have a password. As it's pointless having a password in a public client. To my understanding the authorization code flow is safer even without a confidential password.

I think a JS client should support both flows, and Keycloak should probably also support both flows.

I have loads of unanswered questions with regards how to best support JS clients. At the moment there's no JS lib for Keycloak, but I've done one for LiveOak (https://github.com/liveoak-io/liveoak/blob/master/clients/javascript/src/main/javascript/auth/client.js), the plan was to re-spin that for Keycloak for the next release.

> 
> 
> 
> 
> 
> 
> 
> If you have any issues/questions at all post to keycloak-dev and I'm sure me
> and Bill will fight to see how gets to answer first ;)
> 
> yay!
> 
> Cheers!
> Matthias
> 
> 
> 
> 
> ----- Original Message -----
> > From: "Matthias Wessendorf" < matzew at apache.org >
> > To: "AeroGear Developer Mailing List" < aerogear-dev at lists.jboss.org >
> > Sent: Wednesday, 22 January, 2014 7:41:10 AM
> > Subject: Re: [aerogear-dev] Keycloak integration ideas
> > 
> > 
> > 
> > 
> > On Tue, Jan 21, 2014 at 11:10 PM, Jay Balunas < jbalunas at redhat.com >
> > wrote:
> > 
> > 
> > 
> > 
> > On Jan 19, 2014, at 10:18 AM, Matthias Wessendorf < matzew at apache.org >
> > wrote:
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > On Fri, Jan 17, 2014 at 10:04 PM, Jay Balunas < jbalunas at redhat.com >
> > wrote:
> > 
> > 
> > 
> > Hi All,
> > 
> > Sorry all - book mode ;-)
> > 
> > We've had a couple of threads around keycloak integration (thanks
> > Abstractj)
> > and working together with them (both in our dev list and theirs). I had a
> > meeting (dinner really) with Bill and talked about some possibilities and
> > we're both excited to see what can happen.
> > 
> > I wanted to capture some of those thoughts here (as well as some that
> > already
> > started before), have some discussions, and more importantly talk about
> > next
> > steps (jira's) to get some of this in the pipeline. I'm sure this is not
> > exhaustive either, so please add your own thoughts, brainstorming etc...
> > (for example Cordova plugin perhaps?)
> > 
> > *In no particular order
> > 
> > A) AeroGear security integration
> > ** Abstractj already posted and implemented some of these changes
> > **
> > http://aerogear-dev.1069024.n5.nabble.com/aerogear-dev-Keycloak-on-AeroGear-td5663.html
> > ** What's left here? Is it plug-able? Does it need to be?
> > 
> > The work started by Bruno looks promising. I like that for the login to the
> > UPS Admin UI is being forwarded to the Keycloak server.
> > As mentioned on the referenced thread, there is a bit of more work needed
> > for
> > the "protection" of the SEND (and likely device registration) URLs.
> > 
> > 
> > 
> > 
> > 
> > B) Crypto key management
> > ** Server-side encryption key management for client crypto
> > ** Abstractj had some discussions here
> > *** http://lists.jboss.org/pipermail/keycloak-dev/2013-December/000915.html
> > *** Where does that stand?
> > ** Do we need our own impl as well?
> > 
> > C) UnifiedPush server integration
> > ** User management, Auth*
> > ** Do we have our own basic impl for quickstart experience?
> > ** See below for possible combined cartridge options
> > 
> > yep, the UPS come in mind and as mentioned in A) Bruno was already actively
> > starting this shortly before XMAS.
> > 
> > 
> > 
> > 
> > 
> > D) Cross-project examples, tutorials, docs, etc...
> > ** TBD
> > 
> > Sure, combined docs/tutorials/examples are a good item once we do have a
> > bit
> > more :-) Not sure it makes much sense now, but I can be wrong
> > 
> > Completely agree now is not the time. Just wanted to bring it up for
> > discussion.
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > KeyCloak has some things they need as well, that we could work together on.
> > I'm sure the KeyCloak team could add more here :-)
> > 
> > Z) Device support
> > ** We need it, they need, and others need it
> > ** Bill would like us to help them (and us at the same time) with this.
> > 
> > yeah - that would be an extremely good fit for our Push efforts.
> > 
> > We'll need someone to setup a mtg, or discuss on the topic. Any takers?
> > 
> > I can reach out to them, via mailing list, to see what they are up to,
> > regarding "Device support". Not 100% sure which email list is the 'right'
> > choice (cross-postings are IMO a PITA :))
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > Y) OpenShift Cartridge for KeyCloak
> > ** I know this is already on their roadmap
> > ** The work Farah and others has already done, could be very helpful to
> > them
> > ** We should also discuss the possibility of a joint cartridge
> > *** Could be really compelling, especially if you add in device, client
> > key,
> > and push support with native SDKs & examples
> > *** Would also want separate cartridges as well imo
> > 
> > yeah, I see various options here:
> > * 'standalone' Keycloak cartridge (on their roadmap already); Would be nice
> > to get Farah involved here as well
> > * combined cartridge (E.g. Push + Keycloak). If we do actually fully
> > integrate Keycloak into the Push work, IMO this is a required option, to
> > simply include the Keycloak offerings into our Push Cartridge
> > 
> > Agreed, and I'd like to hear from the keycloak team on this as well. If
> > they
> > have plans for pairing their cartridge with others.
> > 
> > On their list they are currently talking about standalone ones, but later,
> > we
> > might be able to integrate w/ their server piece.
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > X) Client SDK support
> > ** We have client SDKs & could help with their dev (either as part of
> > AeroGear or KeyCloak perhaps)
> > ** Primarily for iOS & Android, but would also want see where JS & Cordova
> > fit.
> > 
> > Yes, another good integration item, would be interesting to know their
> > 'requirements'. I think our OAuth2 related work, would be something that's
> > interesting for them as well
> > 
> > +1
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > You start putting all of this together and there is a great set of
> > functionality that really compliments each other well. After we discuss for
> > a while, I'd like to find owners for the various items to help make
> > progress
> > on these. Abstractj is awesome, but not sure he can do it all ;-)
> > 
> > yes, great work by Bruno w/ getting actively started on this
> > 
> > +1
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > -Jay
> > 
> > PS: I'll post an email to the keycloak-dev list as well pointing to this
> > thread on our list.
> > 
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> > 
> > 
> > 
> > --
> > Matthias Wessendorf
> > 
> > blog: http://matthiaswessendorf.wordpress.com/
> > sessions: http://www.slideshare.net/mwessendorf
> > twitter: http://twitter.com/mwessendorf
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> > 
> > 
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> > 
> > 
> > 
> > --
> > Matthias Wessendorf
> > 
> > blog: http://matthiaswessendorf.wordpress.com/
> > sessions: http://www.slideshare.net/mwessendorf
> > twitter: http://twitter.com/mwessendorf
> > 
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
> 
> 
> 
> --
> Matthias Wessendorf
> 
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
> 
> 
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev


More information about the aerogear-dev mailing list