[aerogear-dev] Keycloak on AeroGear

Bruno Oliveira bruno at abstractj.org
Wed Jan 29 09:57:53 EST 2014


Sorry, I just missed your e-mail while the syncalipse was happening.

What I meant was something like: admin, developers, regular users and how
to deal with these roles. Maybe this is planned for the next steps, but at
some point we need to test how Keycloak could protect our endpoints and
deal with multiple roles.


On Sun, Jan 26, 2014 at 10:41 AM, Matthias Wessendorf <matzew at apache.org> wrote:

> Hello Bruno,
>
>
> On Sun, Jan 26, 2014 at 1:20 PM, Bruno Oliveira <bruno at abstractj.org> wrote:
>
>> Any specific reason to limit the scope to admin page only? I'm thinking
>> about login for regular users
>
>
> Not sure I follow. What do you mean w/ "regular users"?
>
>
> Before my change everything was restricted by Keycloak (/*). I did not
> really change there a lot, however I just removed the URLs for
> 'device-registration' and 'sending':
>
> https://github.com/matzew/aerogear-unifiedpush-server/blob/keycloak/src/main/webapp/WEB-INF/web.xml#L42-L50
>
> So, currently the following is protected by Keycloak:
> * Admin UI (not speaking about a specific admin user)
> * REST APIs that are accessed by the Admin UI, like:
> - http://aerogear.org/docs/specs/aerogear-push-rest/PushApplication/
> - http://aerogear.org/docs/specs/aerogear-push-rest/Variants/
>
> Previously the 'device-registration' and 'sending' URLs were protected as
> well. Removing them from the 'keycloak protection' is really the only change.
>
> Greetings,
> Matthias
>
>
>
>> --
>> abstractj
>>
>>
>> On Sun, Jan 26, 2014 at 9:11 AM, Matthias Wessendorf <matzew at apache.org> wrote:
>>
>>> Hello!
>>>
>>> I have a few more updates:
>>>
>>> On my branch (a fork from Bruno's branch), the URLs for the actual
>>> sending and the device-registration (both 'protected' via HTTP-Basic), now
>>> work again. I have 'limited' the scope of the Keycloak 'protection' to the
>>> AdminUI.
>>>
>>> Greetings,
>>> Matthias
>>>
>>>
>>>
>>> On Fri, Jan 24, 2014 at 6:05 PM, Matthias Wessendorf <matzew at apache.org> wrote:
>>>
>>>> I have updated the branch w/ their recent changes from this week's
>>>> alpha-1 release, and submitted a PR against abstractj's repo:
>>>> https://github.com/abstractj/aerogear-unifiedpush-server/pull/1
>>>>
>>>> More to come
>>>>
>>>> Greetings,
>>>> Matthias
>>>>
>>>>
>>>>
>>>> On Fri, Dec 20, 2013 at 1:11 PM, Bruno Oliveira <bruno at abstractj.org> wrote:
>>>>
>>>>> Good morning peeps, yesterday I started to replace AeroGear Security
>>>>> on Unified Push server by Keycloak and you might be asking: "Why?".
>>>>> Keycloak is an SSO with some handy features like TOTP, OAuth2, user
>>>>> management support and I think we have too much to contribute, it is the only
>>>>> way to have some success with security, "divide to conquer" (at least for
>>>>> authorization and authentication).
>>>>>
>>>>> So will ag-security be discontinued? No! Keycloak is still in Alpha
>>>>> and we have to test it against our projects before fully replacing
>>>>> ag-security, but the only way to upstream our needs is to use it.
>>>>>
>>>>> This replacement only applies to authentication/authorization
>>>>> features, we still have a ton of projects which Keycloak is not able to
>>>>> replace like: TOTP, crypto and OAuth2 on mobile, our focus.
>>>>>
>>>>> - PoC
>>>>>
>>>>> So let's talk about this replacement, any dependency on ag-security
>>>>> was removed from the push server and replaced by Keycloak:
>>>>> https://github.com/abstractj/aerogear-unifiedpush-server/tree/openshift
>>>>>
>>>>> Based on Keycloak examples, I just did copy & paste from one of the
>>>>> demos (https://github.com/abstractj/auth-server/tree/openshift) to
>>>>> create a server. Keycloak requires Resteasy 3.0.4, for this reason I had to
>>>>> manually replace some modules on JBoss.
>>>>>
>>>>> To test it go to: http://push-abstractj.rhcloud.com/ag-push/ you must
>>>>> be redirected to Keycloak, enter:
>>>>>
>>>>> username: john at doe.com
>>>>> password: password
>>>>>
>>>>> You must be redirected to agpush console, keep in mind that I took
>>>>> some shortcuts to get this demo working, so for example the create will
>>>>> fail because I removed everything related into the ember interface.
>>>>>
>>>>> It is also possible to enable TOTP, user's registration and whatever you
>>>>> want.
>>>>>
>>>>> So what do you think?
>>>>>
>>>>> --
>>>>> abstractj
>>>>>
>>>>> _______________________________________________
>>>>> aerogear-dev mailing list
>>>>> aerogear-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>>
>>>>
>>>>
>>>>
>>>>  --
>>>> Matthias Wessendorf
>>>>
>>>> blog: http://matthiaswessendorf.wordpress.com/
>>>> sessions: http://www.slideshare.net/mwessendorf
>>>> twitter: http://twitter.com/mwessendorf
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
>



-- 

-- 
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
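
The scoping discussed in this thread, sketched as an added example that is not taken from either branch: a `web.xml` fragment using standard Servlet security constraints, where the most specific matching `url-pattern` decides which constraint applies. The `*-placeholder` paths, the realm name and the role names `admin` and `developer` are assumptions, and `KEYCLOAK` as the `auth-method` assumes the Keycloak adapter is installed in the container.

```xml
<!-- Added example: paths, realm and role names are placeholders,
     not the project's actual web.xml. -->

<!-- Default rule: everything requires a Keycloak login with one of two roles. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin-ui-and-rest</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>developer</role-name>
  </auth-constraint>
</security-constraint>

<!-- Narrower rule: a longer path prefix wins over /*, so this
     sub-tree is limited to the admin role only. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin-only</web-resource-name>
    <url-pattern>/rest/admin-only-placeholder/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- No auth-constraint: the container lets these requests through without
     a Keycloak login. The endpoints must then authenticate callers in
     application code (HTTP Basic in this thread). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>device-and-sender</web-resource-name>
    <url-pattern>/rest/device-registration-placeholder/*</url-pattern>
    <url-pattern>/rest/sending-placeholder/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<login-config>
  <auth-method>KEYCLOAK</auth-method>
  <realm-name>placeholder-realm</realm-name>
</login-config>

<security-role><role-name>admin</role-name></security-role>
<security-role><role-name>developer</role-name></security-role>
```

Every resource under an exempted pattern skips the container check entirely, so those patterns should be as narrow as the endpoints allow and each handler behind them should reject requests that fail its own authentication.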