[keycloak-dev] Aerogear UPS + Keycloak cartridge combined together POC
kpiwko at redhat.com
Wed Feb 5 10:08:29 EST 2014
On Wed, 05 Feb 2014 09:23:06 -0500
Bill Burke <bburke at redhat.com> wrote:
> On 2/5/2014 8:35 AM, Karel Piwko wrote:
> > On Tue, 04 Feb 2014 13:51:37 -0500
> > Bill Burke <bburke at redhat.com> wrote:
> >> On 2/4/2014 12:13 PM, Karel Piwko wrote:
> >>> Hey,
> >>> I've combined Aerogear UPS and Keycloak cartridges together. You can check
> >>> the results at:
> >>> https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
> >>> https://keycloak-mobileqa.rhcloud.com/ (admin/password)
> >>> For keycloak, I have used original cart :
> >>> $ rhc app create -g small --no-git keycloak
> >>> https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metadata/manifest.yml
> >>> For UPS, I have modified matzew's one stored in my repo and modified
> >>> UPS :
> > Given your comments, I'll modify setup to have (primarily) single cart
> > option. Should I keep two carts setup? It at least seems as a good QE test
> > case ;-)
> > Note, I will either have to wait for WF8 Final (due to Hibernate bug in
> > CR1) or base cart on AS7.
> >>> $ rhc app create -g small --no-git agpushkeycloak mysql-5.1
> >>> 'http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-origin-cartridge-aerogear-push&commit=a45f93afaa275de082f9da749bce13fb33acdb75'
> >>> There are some gotchas though:
> >>> * keycloak.json - I'm not sure how this will be addressed by WF subsystem.
> >>> We still need a way how to pass keycloak.json to UPS cartridge, which is
> >>> AS7 and we can't ask user to modify standalone.xml anyway. However, we
> >>> could make a hook on OpenShift - user will add keycloak.json to git repo
> >>> and it will automagically put at right location. Could we have a hook in
> >>> Keycloak to load keycloak.json from external location? Or should we
> >>> rather do some war exploding magic?
> >> I need to go through Stan's work. I want to be able to configure the
> >> subsystem from the keycloak admin console without having to create a
> >> keycloak.json file. I just don't know yet if the subsystem will work on
> >> AS7.
> > This will work for app and Keycloak being deployed on a single server. It
> > does not solve SaaS scenario - keycloak admin console can configure
> > subsystem of current WF(AS) only. Keycloak would need to manage subsystem
> > of a remote WF - I doubt this would ever be possible with AS7 on OpenShift
> > and I think security concerns of such setup are not even allowing this on
> > WF8.
> You can make authenticated HTTP requests to the WF/AS7 admin interface.
> Maybe Openshift is disallowing this, but its certainly not the case
> with WF. My understanding is that the new WF admin console will be a
> pure HTML 5 application making CORS requests to the admin REST interface
> of WF.
> What I'm saying is, this will work in the SaaS scenario if Openshift has
> not turned off the AS7/WF admin interface.
OpenShift disabled most of the ports but 8080, admin interface port being one
of the disabled. WF provides port multiplexing, I have no idea whether they
allowed management port there. Ports can be reached using port forwarding
though, but this will add much to complexity of cart setup steps.
I'll need to go through Stan's work and get more info.
> >>> * AS7-3227 I worked this around by doing parameter injection for
> >>> SecurityContext in UPS. Nasty. Can we make newer RESTEasy part of
> >>> Keycloak package for AS7? Any better option?
> >> This is a UPS issue right? Keycloak WAR bundles its own Resteasy and
> >> excludes built in one.
> > Well, it is either keycloak packaging issue or documentation issue (or
> > problem here in Brno in between chair and keyboard). I've added
> > keycloak-as7-adapter-dist to AS7. Keycloak WAR was added to different
> > cartridge. So, AS7 (UPS) is still using old RESTEasy 2.x. This will be fixed
> > if newer RESTEasy is packaged inside of keycloak-as7-adapter-dist instead of
> > Keycloak WAR. IIRC this was setup pre alpha-1.
> There are two things:
> * The keycloak auth-server.war which is the authentication server
> * The adapter zip which installs "client" modules and used only for
> WF/AS7 instances that want to interact with a Keycloak auth server.
> The adapter does not have a dependency on Resteasy, only on Apache HTTP
> Client 4.1.x (or higher). The auth-server does have a dependency on
So the point is, if UPS does injection via @javax.ws.rs.core.Context, it should
bundle newer RESTEasy in WAR instead of relying on 2.3.2.Final in AS7, right?