[keycloak-dev] subsystem integration phase 1
ssilvert at redhat.com
Thu Feb 6 10:12:03 EST 2014
On 2/6/2014 9:45 AM, Bill Burke wrote:
> On 2/6/2014 8:01 AM, ssilvert at redhat.com wrote:
>> The problem with this is that because disabled is not the default, the
>> application is likely to be deployed in an insecure state for some
>> period of time.
> This isn't a big deal if you have enabled login-config. I'm pretty sure
> it defaults to "other" which defaults to the application*.properties
> files (which are empty by default). So you wouldn't be able to use the
> application anyways.
That's the thing. You shouldn't need a login-config if you are using
the Keycloak subsystem.
>> Ideally, you could deploy the application from Keycloak admin. It would
>> automatically deploy in a disabled state and then enable the application
>> when security setup is complete. IMO, deployment from Keycloak should
>> become the preferred deployment method in production systems. It would
>> be a lot cleaner than what admins are faced with today.
> Not sure I like the idea of deploying apps through Keycloak, although it
> would probably be really easy to implement it. I think we need to
> define the preferred ways we want this to work.
Yes, it's easy to implement. I've already done it twice for web console
and CLI GUI. I still think it's a cleaner, safer way to do it. But
it's also something we don't need right away. We need to support your
two scenarios anyway.
> It might be like this:
> Scenario 1: There is no existing keycloak app
> 1. Deploy the app to wildfly instance
> 2. Go to Keycloak Realm
> 3. Click a "Import Application" button on Application page
> 4. Specify URL of wildfly instance and deployment name (and credentials)
> 5. Suck up role definitions from Wildfly instance
> 6. push back to instance a client id and secret, realm information, etc.
> Scenario 2: There is an existing app
> 1. Go to Keycloak Realm
> 2. Go to Application page
> 3. Go to Installation page
> 4. Specify URL of wildfly instance and deployment name (and creds)
> 5. Push the client id and secret and realm info to the wildfly instance.
> What sucks implementation-wise is that we have to have a Wildfly plugin
> on the Keycloak server. Would be cool if we could define a common REST
> API for this.
Do you mean a plugin for the Keycloak Admin? You are saying that it
would be nice if we could do the equivalent of a subsystem on other app
servers and have a common API to talk to it?