[keycloak-dev] Aerogear UPS + External Keycloak bootstrap
Bill Burke
bburke at redhat.com
Sun Feb 9 11:37:25 EST 2014
More thoughts on this:
Can the Aerogear Openshift cartridge be based on Wildfly?
There are some general issues/problems/road blocks we have:
* Wildfly REST mgmt api requires port mappings on Openshift
* Wildfly Mgmt API requires the setup of an admin user. Not sure how
easily this can be done for Openshift deployments.
* Both of the above are extra steps the user has to do which make the
user experience much more complicated and require a lot of knowledge
about Wildfly, etc.
* Similarly, Keycloak cannot be preconfigured with a distro as it
requires unique keypairs for digital signatures it uses for token signing.
UPS + Keycloak in one bundle:
1. Have Aerogear installed with Keycloak on the same Wildfly instance.
2. The Keycloak adapter will allow for an UNCONFIGURED state. In this
state, the adapter is configured and running for the application, but
will not allow any connections until the underlying wildfly subsystem
for that deployment is set up.
3. Aerogear should have a "Bootstrap Subsystem" that is triggered on
launch. It should check to see if security is UNCONFIGURED for the
aerogear deployment. If it has not been configured, it locally creates
the necessary keycloak metadata using keycloak apis to initialize the
UPS realm and initial users and locally updates the wildfly subsystem
so the Aerogear WAR deployment keycloak adapter becomes aware of the
configuration.
UPS joining an external Keycloak realm:
* The Keycloak Adapter will have an optional switch so that its config
settings can be changed remotely. It will be secured similarly to how
we secure single logout requests.
* The Keycloak admin console will have a "Move Application" option. You
will specify a URL of the external Keycloak Realm you want to move to.
This action will upload application metadata to the remote realm. It
will also communicate with the application deployment (the keycloak
adapter) to update its settings to point to the new realm.
* UPS admin will login to the UPS + Keycloak deployment. He will then
use this "Move Application" feature.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
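The two flows proposed in the message above (an adapter that refuses everything while UNCONFIGURED, a bootstrap step that generates a unique realm keypair and pushes the config into the adapter, and a remote "Move Application" switch that re-points the adapter at an external realm) as an added example. This is illustration code written for this page, not Keycloak or AeroGear code: the state names, the `AdapterConfig` layout, the PKCS#1 v1.5/SHA-256 token signature, and the rule that a move request must be signed by the realm the adapter currently trusts (the assumed analogue of how signed logout requests are checked) are all assumptions. The realm's private key is returned from `Bootstrap` only so the example can issue tokens; a real server would keep it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Added illustration of the design in the message; names and states are assumptions, not Keycloak code.
const (
	StateUnconfigured = "UNCONFIGURED"
	StateConfigured   = "CONFIGURED"
)

var ErrUnconfigured = errors.New("adapter is UNCONFIGURED; refusing requests until bootstrap completes")

// AdapterConfig is what the WildFly subsystem hands the adapter (a real one would serialize the key).
type AdapterConfig struct {
	State, Realm, AuthServerURL string
	RealmPublicKey              *rsa.PublicKey
}

// Adapter is the per-deployment adapter: present from launch, admits nothing while UNCONFIGURED.
// Single-threaded illustration; a real adapter would guard cfg against concurrent reconfiguration.
type Adapter struct{ cfg AdapterConfig }

func NewAdapter() *Adapter { return &Adapter{cfg: AdapterConfig{State: StateUnconfigured}} }

func (a *Adapter) State() string { return a.cfg.State }

// Configure is the "subsystem update" step; an incomplete config is rejected.
func (a *Adapter) Configure(cfg AdapterConfig) error {
	if cfg.RealmPublicKey == nil || cfg.Realm == "" || cfg.AuthServerURL == "" {
		return errors.New("incomplete realm config")
	}
	cfg.State = StateConfigured
	a.cfg = cfg
	return nil
}

// Authorize admits a request only once configured and only if the token signature
// (RSA PKCS#1 v1.5 over SHA-256) verifies under the realm key currently installed.
func (a *Adapter) Authorize(payload, sig []byte) error {
	if a.cfg.State != StateConfigured {
		return ErrUnconfigured
	}
	h := sha256.Sum256(payload)
	if err := rsa.VerifyPKCS1v15(a.cfg.RealmPublicKey, crypto.SHA256, h[:], sig); err != nil {
		return fmt.Errorf("token rejected: %w", err)
	}
	return nil
}

// MoveMessage is the byte string the current realm signs to authorize a move to newCfg.
func MoveMessage(c AdapterConfig) []byte {
	return []byte(fmt.Sprintf("move\x00%s\x00%s\x00%d\x00%d", c.Realm, c.AuthServerURL, c.RealmPublicKey.N, c.RealmPublicKey.E))
}

// MoveRealm is the remote reconfiguration switch: it honours only a request signed by the
// realm the adapter currently trusts (assumed analogue of how a signed logout request is checked).
func (a *Adapter) MoveRealm(newCfg AdapterConfig, sig []byte) error {
	if newCfg.RealmPublicKey == nil {
		return errors.New("move refused: no realm key")
	}
	if err := a.Authorize(MoveMessage(newCfg), sig); err != nil {
		return fmt.Errorf("move refused: %w", err)
	}
	return a.Configure(newCfg)
}

// Bootstrap runs at launch: if security is UNCONFIGURED it generates this deployment's own
// realm keypair (why a distro cannot ship Keycloak preconfigured) and pushes the config into
// the adapter. The private key is returned only so the example can issue tokens.
func Bootstrap(a *Adapter, realm, authServerURL string) (*rsa.PrivateKey, error) {
	if a.State() != StateUnconfigured {
		return nil, errors.New("security already configured; bootstrap skipped")
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	cfg := AdapterConfig{Realm: realm, AuthServerURL: authServerURL, RealmPublicKey: &priv.PublicKey}
	if err := a.Configure(cfg); err != nil {
		return nil, err
	}
	return priv, nil
}

// Sign stands in for the realm issuing a token or signing a move request.
func Sign(priv *rsa.PrivateKey, payload []byte) ([]byte, error) {
	h := sha256.Sum256(payload)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}
```

Two points this makes concrete: a token minted by another deployment that shipped the same preconfigured bundle would verify everywhere if the keypair were not generated per deployment, which is exactly the problem the message raises; and after a successful move the old realm's signatures stop verifying, so a "Move Application" must be authorized by the realm the adapter still trusts at that moment, not by the realm it is moving to.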