[keycloak-dev] [aerogear-dev] Aerogear UPS + Keycloak cartridge combined together POC

Matthias Wessendorf matzew at apache.org
Tue Feb 4 12:38:03 EST 2014


On Tue, Feb 4, 2014 at 6:34 PM, Karel Piwko <kpiwko at redhat.com> wrote:

> On Tue, 4 Feb 2014 18:21:10 +0100
> Matthias Wessendorf <matzew at apache.org> wrote:
>
> > oh, this was a cross-post :-) (adding keycloak)
> >
> >
> > On Tue, Feb 4, 2014 at 6:20 PM, Matthias Wessendorf <matzew at apache.org
> >wrote:
> >
> > >
> > >
> > >
> > > On Tue, Feb 4, 2014 at 6:13 PM, Karel Piwko <kpiwko at redhat.com> wrote:
> > >
> > >> Hey,
> > >>
> > >> I've combined Aerogear UPS and Keycloak cartridges together. You can
> > >> check the
> > >> results at:
> > >>
> > >> https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
> > >> https://keycloak-mobileqa.rhcloud.com/ (admin/password)
> > >>
> > >>
> > > I think it would be awesome if the keycloak bits would be included into
> > > the UPS bits, to have something OOTB, instead of pointing to a
> different
> > > server (CORS)
>
> I've added Keycloak AS7 modules to the UPS cart but not the admin console. I
> believe that Keycloak is SaaS, so usage with two different carts reflects
> reality better. Configuring the Keycloak cart once and letting all other
> carts use it seems the right way to me.
>
>
there are IMO pros and cons to both ways



> > >
> > >
> > >> For keycloak, I have used original cart [1]:
> > >>
> > >> $ rhc app create -g small --no-git keycloak
> > >>
> > >>
> https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metadata/manifest.yml
> > >>
> > >> For UPS, I have modified matzew's one stored in my repo [2] and
> modified
> > >> UPS
> > >> [3]:
> > >>
> > >> $ rhc app create -g small --no-git agpushkeycloak mysql-5.1
> > >> '
> > >>
> http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-origin-cartridge-aerogear-push&commit=a45f93afaa275de082f9da749bce13fb33acdb75
> > >> '
> > >>
> > >> There are some gotchas though:
> > >>
> > >> * keycloak.json - I'm not sure how this will be addressed by WF
> subsystem.
> > >
> > >
> > > the public-key needs to be, as far as I can see, included inside of the
> > > standalone.xml (keycloak subsystem section).
> > > Which is somewhat a similar issue; I think, if I get it right, that
> means
> > > as you plan to support more and more 'realms', you keep editing the
> > > standalone xml.
>
> That is a great improvement w.r.t. the current situation but does not
> handle OpenShift cart scenarios.
>
> > >
> > >
> > >> We
> > >>   still need a way how to pass keycloak.json to UPS cartridge, which
> is
> > >> AS7
> > >>   and we can't ask user to modify standalone.xml anyway. However, we
> > >> could make
> > >>   a hook on OpenShift - user will add keycloak.json to git repo and it
> > >> will
> > >>   automagically be put at the right location. Could we have a hook in
> Keycloak to
> > >>   load keycloak.json from external location? Or should we rather do
> some
> > >> war
> > >>   exploding magic?
> > >> * AS7-3227 I worked this around by doing parameter injection for
> > >>   SecurityContext in UPS. Nasty. Can we make newer RESTEasy part of
> > >> Keycloak
> > >>   package for AS7? Any better option?
> > >> * Ember in UPS is firing AJAX request to REST Endpoints on the same
> > >> domain.
> > >>   However, as it goes through Keycloak Auth Server, this is considered
> > >> CORS
> > >>   request. I had to configure Web Origin for UPS application. This is
> > >>   confusing to me, Origin header should be transparent for Keycloak
> as I'm
> > >>   firing request to the same domain. Note this does not happen in
> Firefox,
> > >>   which identifies same domain and avoids Origin header. I need some
> > >> insight
> > >>   here from more skilled people.
> > >>
> > >
> > > hmmmmm .... sounds 'good' :-)
> :-)
> > >
> > >
> > >> * I wasn't able to keep http->https rewriting valve with Keycloak to
> > >> avoid UPS
> > >>   usage via http protocol. I'll go deeper into that.
> > >>
> > >
> > > https is enforced on our UPS cartridge
> I had to remove this enforcement. I'm just trying to put it back.
> > >
> > >
> > >> * Changes to Web Origin in Keycloak admin UI are not reflected to
> already
> > >> logged
> > >>   users. They need to log out first.
> > >> * Missing logout button in UPS. Related to previous point.
> > >>
> > >> Let me know if you want me to convert some of these points to JIRAs in
> > >> AGPUSH
> > >> or KEYCLOAK projects. Also, please let me know if I should have
> configured
> > >> something differently.
> > >>
> > >> Thanks,
> > >>
> > >> Karel
> > >>
> > >> [1] https://github.com/stianst/openshift-keycloak-cartridge
> > >> [2]
> > >>
> > >>
> https://github.com/kpiwko/openshift-origin-cartridge-aerogear-push/tree/keycloak
> > >> [3]
> > >>
> > >>
> https://github.com/kpiwko/aerogear-unifiedpush-server/tree/keycloak-openshift
> > >>
> > >> More detailed steps:
> > >>
> > >> 1/ Create Keycloak cart
> > >> 2/ Add AeroGear-UnifiedPush realm with roles admin, user
> > >> 3/ Add ag-push app with scopes admin, user, allow Web Origin for UPS
> cart
> > >> location
> > >> 4/ Get keycloak.json
> > >> 5/ Enable CORS in keycloak.json, modify password
> > >> 6/ Add keycloak.json to
> > >> aerogear-unifiedpush-server/src/main/webapp/WEB-INF
> > >> 7/ Package UPS via 'mvn clean package'
> > >> 8/ Put war into
> > >>
> > >>
> openshift-origin-cartridge-aerogear-push/versions/0.9.0/standalone/deployments
> > >> 9/ Push that online
> > >> 10/ Create UPS cart using reflector cartridge (use commit sha1 if not
> > >> using
> > >> master), enable mysql-5.1 gear as well
> > >> 11/ Create a user with roles admin/user in AeroGear-UnifiedPush realm
> > >> 12/ Enjoy UPS secured by Keycloak. Have a big cup of coffee.
> > >>
> > >>
> > >> _______________________________________________
> > >> aerogear-dev mailing list
> > >> aerogear-dev at lists.jboss.org
> > >> https://lists.jboss.org/mailman/listinfo/aerogear-dev
> > >>
> > >
> > >
> > >
> > > --
> > > Matthias Wessendorf
> > >
> > > blog: http://matthiaswessendorf.wordpress.com/
> > > sessions: http://www.slideshare.net/mwessendorf
> > > twitter: http://twitter.com/mwessendorf
> > >
> >
> >
> >
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
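The Origin-header puzzle Karel raises above (Ember firing requests to the same domain, yet the server treating them as CORS and requiring a Web Origin entry, while Firefox omits the Origin header and the problem disappears) comes down to how the server decides what counts as cross-origin. The following is an added illustration written for this thread; it is not code from Keycloak, UPS or the cartridges, and the origins, headers and allow-list in it are constructed sample values. It shows a server-side decision that first compares the Origin header against a configured own origin (never the attacker-controlled Host header) and only then consults an explicit Web Origins allow-list, echoing the exact matched origin rather than `*` because the responses carry credentials.

```python
"""Illustrative CORS decision for a bearer-token-protected REST endpoint.

Added example, not Keycloak's or UPS's adapter code. All values are
constructed: own_origin stands in for the UPS cart, the allow-list for the
Keycloak "Web Origins" setting.
"""
from typing import Dict, Iterable, Tuple
from urllib.parse import urlsplit


def normalize_origin(origin: str) -> str:
    """Canonical scheme://host[:port]; '' if the value is not a usable origin.

    Lower-cases the host and drops the default port so that
    "HTTPS://App.Example.com:443" and "https://app.example.com" compare equal.
    The literal "null" origin (sandboxed iframes, file://) normalizes to ''.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ""
    try:
        port = parts.port
    except ValueError:  # e.g. a non-numeric port
        return ""
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_decision(method: str, headers: Dict[str, str], own_origin: str,
                  allowed_origins: Iterable[str]) -> Tuple[str, Dict[str, str]]:
    """Classify one request and return (verdict, extra response headers).

    "same-origin"  : no Origin header (Firefox on a same-site request) or an
                     Origin equal to our configured origin (Chrome sends Origin
                     on same-site POST/XHR too); treat as a plain request.
    "cors-allowed" : Origin is on the allow-list; add CORS headers.
    "cors-denied"  : Origin present but not allowed; no CORS headers, so the
                     browser blocks the response and a preflight gets nothing.
    own_origin must come from configuration, not from the Host header.
    """
    origin = headers.get("Origin")
    if origin is None:
        return "same-origin", {}
    norm = normalize_origin(origin)
    if norm and norm == normalize_origin(own_origin):
        return "same-origin", {}
    allowed = {normalize_origin(o) for o in allowed_origins}
    allowed.discard("")  # a "null" or malformed entry must never match
    if norm not in allowed:
        return "cors-denied", {}
    resp = {
        # Echo the exact matched origin; "*" is not allowed with credentials.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # caches must not serve one origin's answer to another
    }
    if method == "OPTIONS" and "Access-Control-Request-Method" in headers:
        # Preflight: announce what the bearer-token endpoints accept.
        resp["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE"
        resp["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
        resp["Access-Control-Max-Age"] = "3600"
    return "cors-allowed", resp


if __name__ == "__main__":
    own = "https://agpushkeycloak-mobileqa.rhcloud.com"
    allow = ["https://keycloak-mobileqa.rhcloud.com"]
    for hdrs in ({}, {"Origin": own}, {"Origin": allow[0]},
                 {"Origin": "https://attacker.example"}, {"Origin": "null"}):
        print(hdrs, "->", cors_decision("POST", hdrs, own, allow))
```

A server that only checks "is an Origin header present?" produces exactly the symptom described in the thread: Chrome's same-site POST carries an Origin header and gets treated as cross-origin, while Firefox's request without one sails through. The comparison against a configured own origin removes that false positive without weakening the allow-list; a `*` Web Origin combined with `Access-Control-Allow-Credentials: true` would let any site replay a logged-in user's session, so the example deliberately has no wildcard path.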