[keycloak-dev] Aerogear UPS + Keycloak cartridge combined together POC
Bill Burke
bburke at redhat.com
Wed Feb 5 10:20:30 EST 2014
On 2/5/2014 10:08 AM, Karel Piwko wrote:
> On Wed, 05 Feb 2014 09:23:06 -0500
> Bill Burke <bburke at redhat.com> wrote:
>
>>
>>
>> On 2/5/2014 8:35 AM, Karel Piwko wrote:
>>> On Tue, 04 Feb 2014 13:51:37 -0500
>>> Bill Burke <bburke at redhat.com> wrote:
>>>
>>>>
>>>>
>>>> On 2/4/2014 12:13 PM, Karel Piwko wrote:
>>>>> Hey,
>>>>>
>>>>> I've combined Aerogear UPS and Keycloak cartridges together. You can check
>>>>> the results at:
>>>>>
>>>>> https://agpushkeycloak-mobileqa.rhcloud.com/ (admin/password)
>>>>> https://keycloak-mobileqa.rhcloud.com/ (admin/password)
>>>>>
>>>>> For keycloak, I have used original cart [1]:
>>>>>
>>>>> $ rhc app create -g small --no-git keycloak
>>>>> https://raw.github.com/stianst/openshift-keycloak-cartridge/master/metadata/manifest.yml
>>>>>
>>>>> For UPS, I have modified matzew's one stored in my repo [2] and modified
>>>>> UPS [3]:
>>>
>>> Given your comments, I'll modify setup to have (primarily) single cart
>>> option. Should I keep two carts setup? It at least seems as a good QE test
>>> case ;-)
>>>
>>> Note, I will either have to wait for WF8 Final (due to Hibernate bug in
>>> CR1) or base cart on AS7.
>>>
>>>>>
>>>>> $ rhc app create -g small --no-git agpushkeycloak mysql-5.1
>>>>> 'http://cartreflect-claytondev.cloud.com/reflect?github=kpiwko/openshift-origin-cartridge-aerogear-push&commit=a45f93afaa275de082f9da749bce13fb33acdb75'
>>>>>
>>>>> There are some gotchas though:
>>>>>
>>>>> * keycloak.json - I'm not sure how this will be addressed by WF subsystem.
>>>>> We still need a way how to pass keycloak.json to UPS cartridge, which is
>>>>> AS7 and we can't ask user to modify standalone.xml anyway. However, we
>>>>> could make a hook on OpenShift - user will add keycloak.json to git repo
>>>>> and it will automagically put at right location. Could we have a hook in
>>>>> Keycloak to load keycloak.json from external location? Or should we
>>>>> rather do some war exploding magic?
>>>>
>>>> I need to go through Stan's work. I want to be able to configure the
>>>> subsystem from the keycloak admin console without having to create a
>>>> keycloak.json file. I just don't know yet if the subsystem will work on
>>>> AS7.
>>>
>>>
>>> This will work for app and Keycloak being deployed on a single server. It
>>> does not solve SaaS scenario - keycloak admin console can configure
>>> subsystem of current WF(AS) only. Keycloak would need to manage subsystem
>>> of a remote WF - I doubt this would ever be possible with AS7 on OpenShift
>>> and I think security concerns of such setup are not even allowing this on
>>> WF8.
>>>
>>
>> You can make authenticated HTTP requests to the WF/AS7 admin interface.
>> Maybe Openshift is disallowing this, but its certainly not the case
>> with WF. My understanding is that the new WF admin console will be a
>> pure HTML 5 application making CORS requests to the admin REST interface
>> of WF.
>>
>> What I'm saying is, this will work in the SaaS scenario if Openshift has
>> not turned off the AS7/WF admin interface.
>>
>
> OpenShift disabled most of the ports but 8080, admin interface port being on
> of disabled. WF provides port multiplexing, I have no idea whether they
> allowed management port there. Ports can be reached using port forwarding [1]
> though but this will add much to complexity of cart setup steps.
>
> I'll need to go through Stan's work and get more info.
>
Ugh, I guess we're up shit creek [1]. Maybe the adapter could be
modified so that it could initiate joining the realm instead of the
other way around.
[1] http://www.youtube.com/watch?v=2GqNstUJ3uY
> [1] https://www.openshift.com/forums/openshift/jboss-as7-management-in-openshift
>> The adapter does not have a dependency on Resteasy, only on Apache HTTP
>> Client 4.1.x (or higher). The auth-server does have a dependency on
>> Resteasy.
>>
>
> So the point is, if UPS does injection via @javax.ws.rs.core.Context, it should
> bundle newer RESTEasy in WAR instead of relying on 2.3.2.Final in AS7, right?
>
@Context should work in 2.3.2, but maybe the context you're using
@Context in doesn't work ;)
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list