[aerogear-dev] Keycloak on AeroGear

Matthias Wessendorf matzew at apache.org
Thu Jan 30 08:31:13 EST 2014


Follow up thread, on better integration:

http://lists.jboss.org/pipermail/keycloak-dev/2014-January/001164.html

Looks like we have several options...



On Wed, Jan 29, 2014 at 4:02 PM, Matthias Wessendorf <matzew at apache.org> wrote:

>
>
>
> On Wed, Jan 29, 2014 at 3:57 PM, Bruno Oliveira <bruno at abstractj.org> wrote:
>
>> Sorry, I just missed your e-mail while the syncalipse was happening.
>>
>> What I meant was something like: admin, developers, regular users and how
>> to deal with these roles. Maybe this is planned for the next steps, but at
>> some point we need to test how Keycloak could protect our endpoints and
>> deal with multiple roles.
>>
>
> yes, the 'ui part' (and the underlying endpoints) being protected by
> keycloak;
> On the next steps is also looking at different roles for this. I was never
> speaking about a specific user/role - more generically protecting the
> "Admin UI", which can be consumed by users w/ different roles
>
> -Matthias
>
>
>>
>>
>> On Sun, Jan 26, 2014 at 10:41 AM, Matthias Wessendorf <matzew at apache.org> wrote:
>>
>>> Hello Bruno,
>>>
>>>
>>> On Sun, Jan 26, 2014 at 1:20 PM, Bruno Oliveira <bruno at abstractj.org> wrote:
>>>
>>>> Any specific reason to limit the scope to admin page only? I'm thinking
>>>> about login for regular users
>>>
>>>
>>> Not sure I follow. What do you mean w/ "regular users"?
>>>
>>>
>>> Before my change everything was restricted by Keycloak (/*). I did not
>>> really change a lot there, however I just removed the URLs for
>>> 'device-registration' and 'sending':
>>>
>>> https://github.com/matzew/aerogear-unifiedpush-server/blob/keycloak/src/main/webapp/WEB-INF/web.xml#L42-L50
>>>
>>> So, currently the following is protected by Keycloak:
>>> * Admin UI (not speaking about a specific admin user)
>>> * REST APIs that are accessed by the Admin UI, like:
>>> - http://aerogear.org/docs/specs/aerogear-push-rest/PushApplication/
>>> - http://aerogear.org/docs/specs/aerogear-push-rest/Variants/
>>>
>>> Previously the 'device-registration' and 'sending' URLs were protected as
>>> well. Removing them from the 'keycloak protection' is really the only change.
>>>
>>> Greetings,
>>> Matthias
>>>
>>>
>>>
>>>> --
>>>> abstractj
>>>>
>>>>
>>>> On Sun, Jan 26, 2014 at 9:11 AM, Matthias Wessendorf <matzew at apache.org
>>>> > wrote:
>>>>
>>>>> Hello!
>>>>>
>>>>> I have a few more updates:
>>>>>
>>>>> On my branch (a fork from Bruno's branch), the URLs for the actual
>>>>> sending and the device-registration (both 'protected' via HTTP-Basic), now
>>>>> work again. I have 'limited' the scope of the Keycloak 'protection' to the
>>>>> AdminUI.
>>>>>
>>>>> Greetings,
>>>>> Matthias
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jan 24, 2014 at 6:05 PM, Matthias Wessendorf <
>>>>> matzew at apache.org> wrote:
>>>>>
>>>>>> I have updated the branch w/ their recent changes from this week's
>>>>>> alpha-1 release, and submitted a PR against abstractj's repo:
>>>>>> https://github.com/abstractj/aerogear-unifiedpush-server/pull/1
>>>>>>
>>>>>> More to come
>>>>>>
>>>>>> Greetings,
>>>>>> Matthias
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Dec 20, 2013 at 1:11 PM, Bruno Oliveira <bruno at abstractj.org> wrote:
>>>>>>
>>>>>>> Good morning peeps, yesterday I started to replace AeroGear Security
>>>>>>> on Unified Push server by Keycloak and you might be asking: "Why?".
>>>>>>> Keycloak is an SSO with some handy features like TOTP, OAuth2, user
>>>>>>> management support and I think we have too much to contribute, is the only
>>>>>>> way to have some success with security, "divide to conquer" (at least for
>>>>>>> authorization and authentication).
>>>>>>>
>>>>>>> So will ag-security be discontinued? No! Keycloak is still in Alpha
>>>>>>> and we have to test it against our projects before fully replacing
>>>>>>> ag-security, but the only way to upstream our needs is to use it.
>>>>>>>
>>>>>>> This replacement only applies to authentication/authorization
>>>>>>> features, we still have a ton of projects which Keycloak is not able to
>>>>>>> replace like: TOTP, crypto and OAuth2 on mobile, our focus.
>>>>>>>
>>>>>>> - PoC
>>>>>>>
>>>>>>> So let's talk about this replacement, any dependency on ag-security
>>>>>>> was removed from the push server and replaced by Keycloak:
>>>>>>> https://github.com/abstractj/aerogear-unifiedpush-server/tree/openshift
>>>>>>>
>>>>>>> Based on Keycloak examples, I just did copy & paste from one of the
>>>>>>> demos (https://github.com/abstractj/auth-server/tree/openshift) to
>>>>>>> create a server. Keycloak requires Resteasy 3.0.4, for this reason I had to
>>>>>>> manually replace some modules on JBoss.
>>>>>>>
>>>>>>> To test it go to: http://push-abstractj.rhcloud.com/ag-push/ you
>>>>>>> must be redirected to Keycloak, enter:
>>>>>>>
>>>>>>> username: john at doe.com
>>>>>>> password: password
>>>>>>>
>>>>>>> You must be redirected to agpush console, keep in mind that I took
>>>>>>> some shortcuts to get this demo working, so for example the create will
>>>>>>> fail because I removed everything related into the ember interface.
>>>>>>>
>>>>>>> It is also possible to enable TOTP, user registration and whatever
>>>>>>> you want.
>>>>>>>
>>>>>>> So what do you think?
>>>>>>>
>>>>>>> --
>>>>>>> abstractj
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> aerogear-dev mailing list
>>>>>>> aerogear-dev at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>  --
>>>>>> Matthias Wessendorf
>>>>>>
>>>>>> blog: http://matthiaswessendorf.wordpress.com/
>>>>>> sessions: http://www.slideshare.net/mwessendorf
>>>>>> twitter: http://twitter.com/mwessendorf
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>>
>> --
>> "The measure of a man is what he does with power" - Plato
>> -
>> @abstractj
>> -
>> Volenti Nihil Difficile
>>
>>
>
>
>
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
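
The scoping change discussed in this thread (Keycloak constraint narrowed from `/*` to the Admin UI and its REST endpoints) can be checked mechanically. The following is an added example, not code from the thread or from the Unified Push Server: it reads the `security-constraint` entries of a `web.xml` and lists which request paths the container no longer authenticates. The URL patterns, role name and paths are constructed placeholders, and `http-method` and transport guarantees are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragments: URL patterns and role name are placeholders,
# not the Unified Push Server's real values.
BEFORE = """<web-app><security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>user</role-name></auth-constraint>
</security-constraint></web-app>"""
AFTER = """<web-app><security-constraint>
  <web-resource-collection>
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/rest/applications/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>user</role-name></auth-constraint>
</security-constraint></web-app>"""
PATHS = ["/admin/index.html", "/rest/applications/42",
         "/rest/device-registration", "/rest/sending"]  # constructed

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix if present

def constraints(xml_text):
    """Return (url_pattern, roles) pairs; roles is None without <auth-constraint>."""
    out = []
    for sc in ET.fromstring(xml_text).iter():
        if local(sc.tag) != "security-constraint":
            continue
        auth = [e for e in sc if local(e.tag) == "auth-constraint"]
        roles = [e.text.strip() for e in auth[0] if local(e.tag) == "role-name"] if auth else None
        out += [(e.text.strip(), roles) for e in sc.iter() if local(e.tag) == "url-pattern"]
    return out

def rank(pattern, path):
    """Servlet match precedence: exact > longest path prefix > extension > default."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def required_roles(xml_text, path):
    """Roles the container demands for path, or None if the best match demands none."""
    hits = [(rank(p, path), r) for p, r in constraints(xml_text) if rank(p, path)]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def outside_container_auth(xml_text, paths):
    """Paths the container lets through; the application must authenticate these itself."""
    return [p for p in paths if required_roles(xml_text, p) is None]
```

Every path returned by `outside_container_auth` depends entirely on an application-level check, which in this thread is the HTTP Basic authentication on the device-registration and sending URLs.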