[keycloak-dev] Aerogear UPS + Keycloak cartridge combined together POC

Bill Burke bburke at redhat.com
Wed Feb 5 10:20:30 EST 2014

On 2/5/2014 10:08 AM, Karel Piwko wrote:
> On Wed, 05 Feb 2014 09:23:06 -0500
> Bill Burke <bburke at redhat.com> wrote:
>> On 2/5/2014 8:35 AM, Karel Piwko wrote:
>>> On Tue, 04 Feb 2014 13:51:37 -0500
>>> Bill Burke <bburke at redhat.com> wrote:
>>>> On 2/4/2014 12:13 PM, Karel Piwko wrote:
>>>>> Hey,
>>>>> I've combined Aerogear UPS and Keycloak cartridges together. You can check
>>>>> the results at:
>>>>> https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
>>>>> https://keycloak-mobileqa.rhcloud.com/ (admin/password)
>>>>> For keycloak, I have used original cart [1]:
>>>>> $ rhc app create -g small --no-git keycloak
>>>>> https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metadata/manifest.yml
>>>>> For UPS, I have modified matzew's one stored in my repo [2] and modified
>>>>> UPS [3]:
>>> Given your comments, I'll modify setup to have (primarily) single cart
>>> option. Should I keep the two-cart setup? It at least seems like a good QE test
>>> case ;-)
>>> Note, I will either have to wait for WF8 Final (due to a Hibernate bug in
>>> CR1) or base the cart on AS7.
>>>>> $ rhc app create -g small --no-git agpushkeycloak mysql-5.1
>>>>> 'http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-origin-cartridge-aerogear-push&commit=a45f93afaa275de082f9da749bce13fb33acdb75'
>>>>> There are some gotchas though:
>>>>> * keycloak.json - I'm not sure how this will be addressed by WF subsystem.
>>>>> We still need a way to pass keycloak.json to the UPS cartridge, which is
>>>>> AS7, and we can't ask the user to modify standalone.xml anyway. However, we
>>>>> could make a hook on OpenShift - the user will add keycloak.json to the git
>>>>> repo and it will automagically be put at the right location. Could we have a
>>>>> hook in Keycloak to load keycloak.json from an external location? Or should
>>>>> we rather do some war exploding magic?
>>>> I need to go through Stan's work.  I want to be able to configure the
>>>> subsystem from the keycloak admin console without having to create a
>>>> keycloak.json file.  I just don't know yet if the subsystem will work on
>>>> AS7.
>>> This will work for the app and Keycloak being deployed on a single server. It
>>> does not solve the SaaS scenario - the keycloak admin console can configure
>>> the subsystem of the current WF(AS) only. Keycloak would need to manage the
>>> subsystem of a remote WF - I doubt this would ever be possible with AS7 on
>>> OpenShift, and I think the security concerns of such a setup would not even
>>> allow this on WF8.
>> You can make authenticated HTTP requests to the WF/AS7 admin interface.
>> Maybe Openshift is disallowing this, but it's certainly not the case
>> with WF.  My understanding is that the new WF admin console will be a
>> pure HTML 5 application making CORS requests to the admin REST interface
>> of WF.
>> What I'm saying is, this will work in the SaaS scenario if Openshift has
>> not turned off the AS7/WF admin interface.
> OpenShift disabled most of the ports except 8080, the admin interface port being
> one of the disabled ones. WF provides port multiplexing; I have no idea whether
> they allowed the management port there. Ports can be reached using port
> forwarding [1], though, but this will add much complexity to the cart setup steps.
> I'll need to go through Stan's work and get more info.

Ugh, I guess we're up shit creek [1].  Maybe the adapter could be 
modified so that it could initiate joining the realm instead of the 
other way around.

[1] http://www.youtube.com/watch?v=2GqNstUJ3uY

> [1] https://www.openshift.com/forums/openshift/jboss-as7-management-in-openshift
>> The adapter does not have a dependency on Resteasy, only on Apache HTTP
>> Client 4.1.x (or higher).  The auth-server does have a dependency on
>> Resteasy.
> So the point is, if UPS does injection via @javax.ws.rs.core.Context, it should
> bundle a newer RESTEasy in the WAR instead of relying on 2.3.2.Final in AS7, right?

@Context should work in 2.3.2, but maybe the context you're using 
@Context in doesn't work ;)

Bill Burke
JBoss, a division of Red Hat
