[keycloak-dev] Aerogear UPS + Keycloak cartridge combined together POC
bburke at redhat.com
Wed Feb 5 09:23:06 EST 2014
On 2/5/2014 8:35 AM, Karel Piwko wrote:
> On Tue, 04 Feb 2014 13:51:37 -0500
> Bill Burke <bburke at redhat.com> wrote:
>> On 2/4/2014 12:13 PM, Karel Piwko wrote:
>>> I've combined Aerogear UPS and Keycloak cartridges together. You can check
>>> the results at:
>>> https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
>>> https://keycloak-mobileqa.rhcloud.com/ (admin/password)
>>> For keycloak, I have used original cart :
>>> $ rhc app create -g small --no-git keycloak
>>> For UPS, I have modified matzew's one stored in my repo  and modified UPS
> Given your comments, I'll modify setup to have (primarily) single cart option.
> Should I keep two carts setup? It at least seems as a good QE test case ;-)
> Note, I will either have to wait for WF8 Final (due to Hibernate bug in CR1) or
> base cart on AS7.
>>> $ rhc app create -g small --no-git agpushkeycloak mysql-5.1
>>> There are some gotchas though:
>>> * keycloak.json - I'm not sure how this will be addressed by WF subsystem.
>>> We still need a way how to pass keycloak.json to UPS cartridge, which is AS7
>>> and we can't ask user to modify standalone.xml anyway. However, we could
>>> make a hook on OpenShift - user will add keycloak.json to git repo and it
>>> will automagically put at right location. Could we have a hook in Keycloak
>>> to load keycloak.json from external location? Or should we rather do some
>>> war exploding magic?
>> I need to go through Stan's work. I want to be able to configure the
>> subsystem from the keycloak admin console without having to create a
>> keycloak.json file. I just don't know yet if the subsystem will work on
> This will work for app and Keycloak being deployed on a single server. It does
> not solve SaaS scenario - keycloak admin console can configure subsystem of
> current WF(AS) only. Keycloak would need to manage subsystem of a remote WF - I
> doubt this would ever be possible with AS7 on OpenShift and I think security
> concerns of such setup are not even allowing this on WF8.
You can make authenticated HTTP requests to the WF/AS7 admin interface.
Maybe Openshift is disallowing this, but its certainly not the case
with WF. My understanding is that the new WF admin console will be a
pure HTML 5 application making CORS requests to the admin REST interface
What I'm saying is, this will work in the SaaS scenario if Openshift has
not turned off the AS7/WF admin interface.
>>> * AS7-3227 I worked this around by doing parameter injection for
>>> SecurityContext in UPS. Nasty. Can we make newer RESTEasy part of
>>> Keycloak package for AS7? Any better option?
>> This is an UPS issue right? Keycloak WAR bundles is own Resteasy and
>> excludes built in one.
> Well, it is either keycloak packaging issue or documentation issue (or problem
> here in Brno in between chair and keyboard). I've added
> keycloak-as7-adapter-dist to AS7. Keycloak WAR was added to different
> cartridge. So, AS7 (UPS) is still using old RESTEasy 2.x. This will be fixed
> if newer RESTEasy is packaged inside of keycloak-as7-adapter-dist instead of
> Keycloak WAR. IIRC this was setup pre alpha-1.
There are two things:
* The keycloak auth-server.war which is the authentication server
* The adapter zip which installs "client" modules and used only for
WF/AS7 instances that want to interact with a Keycloak auth server.
The adapter does not have a dependency on Resteasy, only on Apache HTTP
Client 4.1.x (or higher). The auth-server does have a dependency on
JBoss, a division of Red Hat
More information about the keycloak-dev