[keycloak-dev] Aerogear UPS + External Keycloak bootstrap

Bill Burke bburke at redhat.com
Sun Feb 9 11:37:25 EST 2014

More thoughts on this:

Can the Aerogear Openshift cartridge be based on Wildfly?

There are some general issues/problems/road blocks we have:
* Wildfly REST mgmt api requires port mappings on Openshift
* Wildfly Mgmt API requires the setup of an admin user.  Not sure how 
easily this can be done for Openshift deployments.
* Both of the above are extra steps the user has to do which make the 
user experience much more complicated and require a lot of knowledge 
about Wildfly, etc.
* Similarly, Keycloak cannot be preconfigured with a distro as it 
requires unique keypairs for digital signatures it uses for token signing.

UPS + Keycloak in one bundle:

1. Have Aerogear installed with Keycloak on the same Wildfly instance.
2. The Keycloak adapter will allow for an UNCONFIGURED state.  In this 
state, the adapter is configured and running for the application, but 
will not allow any connections until the underlying Wildfly subsystem 
for that deployment is set up.
3. Aerogear should have a "Bootstrap Subsystem" that is triggered on 
launch.  It should check to see if security is UNCONFIGURED for the 
Aerogear deployment.  If it hasn't, locally it creates the necessary 
Keycloak metadata using Keycloak APIs to initialize the UPS realm and 
initial users and locally updates the Wildfly subsystem so the Aerogear 
WAR deployment Keycloak adapter becomes aware of configuration.

UPS joining an external Keycloak realm:
* The Keycloak Adapter will have an optional switch so that its config 
settings can be changed remotely.  It will be secured similarly to how 
we secure single logout requests.
* The Keycloak admin console will have a "Move Application" option.  You 
will specify a URL of the external Keycloak Realm you want to move to. 
This action will upload application metadata to the remote realm.  It 
will also communicate with the application deployment (the Keycloak 
adapter) to update its settings to point to the new realm.
* UPS admin will log in to the UPS + Keycloak deployment.  He will then 
use this "Move Application" feature.

Bill Burke
JBoss, a division of Red Hat
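
The bundled bootstrap flow described in the message above, as an added sketch that is not part of the original message and is not Keycloak or Aerogear code: an adapter that fails closed while UNCONFIGURED, and a launch-time bootstrap that generates a keypair unique to the install. All class and method names, the 503/401 status choices, the realm name and the 2048-bit RSA key are assumptions made for illustration.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.util.concurrent.atomic.AtomicReference;

/** Hypothetical sketch; none of these names are Keycloak's adapter API. */
public class BootstrapSketch {

    /** Adapter settings; a null reference in the holder means UNCONFIGURED. */
    record AdapterConfig(String realm, PublicKey realmKey) {}

    /** Stand-in for the adapter: refuses every request until configured. */
    static class Adapter {
        private final AtomicReference<AdapterConfig> config = new AtomicReference<>();

        boolean isUnconfigured() { return config.get() == null; }

        /** Succeeds only from UNCONFIGURED, so bootstrap cannot overwrite live settings. */
        boolean configure(AdapterConfig c) { return config.compareAndSet(null, c); }

        /** Fail closed: 503 while UNCONFIGURED; once configured, an unauthenticated
         *  request gets 401 (token verification itself is omitted here). */
        int handleUnauthenticated() { return isUnconfigured() ? 503 : 401; }
    }

    /** Run on launch: create per-install realm keys, then configure the adapter. */
    static boolean bootstrap(Adapter adapter, String realm) throws NoSuchAlgorithmException {
        if (!adapter.isUnconfigured()) return false;   // already set up: no-op on restart
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);                          // assumed key size
        KeyPair realmKeys = gen.generateKeyPair();     // private half never reaches the adapter
        return adapter.configure(new AdapterConfig(realm, realmKeys.getPublic()));
    }

    public static void main(String[] args) throws Exception {
        Adapter adapter = new Adapter();
        System.out.println("before bootstrap: " + adapter.handleUnauthenticated());
        System.out.println("first launch configured: " + bootstrap(adapter, "ups"));
        System.out.println("after bootstrap: " + adapter.handleUnauthenticated());
        System.out.println("second launch configured: " + bootstrap(adapter, "ups"));
    }
}
```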
