[keycloak-dev] Programmatic configuration

Marek Posolda mposolda at redhat.com
Tue Nov 25 15:06:17 EST 2014


How exactly are you creating AdapterConfig? To replace system 
properties, you may need to use SystemPropertiesJsonParserFactory 
similarly to how it is used here: 
https://github.com/keycloak/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java#L95

Note that replacing system props in the adapter config was added in Keycloak 
1.1.0.Beta1 (as a prerequisite for clustering support), but I guess that 
you guys are still on KC 1.0? If that's the case, you can maybe fork 
SystemPropertiesJsonParserFactory into your environment and create the ObjectMapper 
passing it as an argument?

Marek

On 25.11.2014 20:12, Bruno Oliveira wrote:
> I might be missing something, here is my attempt:
>
> [standalone at localhost:9990 /] /system-property=keycloak.url:add(value="http://10.0.1.7/auth")
> {"outcome" => "success"}
>
> or
>
> import javax.servlet.ServletContext;
> import javax.ws.rs.core.Context;
> import org.jboss.resteasy.spi.Dispatcher;
> import org.keycloak.services.resources.KeycloakApplication;
>
> public class UpsKeycloakApplication extends KeycloakApplication {
>      public UpsKeycloakApplication(@Context ServletContext context, @Context Dispatcher dispatcher) {
>          super(context, dispatcher);
>          // set after the parent has already been constructed
>          System.setProperty("keycloak.url", "http://10.0.1.7/auth");
>      }
> }
>
> JSON files:
>
> - keycloak.json
>
> {
>    "realm" : "aerogear",
>    "auth-server-url" : "${keycloak.url}",
>    "ssl-required" : "external",
>    "resource" : "unified-push-server",
>    "bearer-only" : true,
>    "disable-trust-manager" : true
> }
>
> - admin-ui-keycloak.json
>
>
> {
>      "realm" : "aerogear",
>      "auth-server-url" : "${keycloak.url}",
>      "ssl-required" : "external",
>      "resource" : "unified-push-server-js",
>      "public-client" : true
> }
>
>
> Exception:
>
> 17:07:38,649 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 2) JBAS014613: Operation ("deploy") failed - address: ([("deployment" => "ag-push.war")]) - failure description: {"JBAS014671: Failed services" => {"jboss.undertow.deployment.default-server.default-host./ag-push" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./ag-push: Failed to start service
>      Caused by: java.lang.IllegalArgumentException: Illegal character in path at index 1: ${keycloak.url}
>      Caused by: java.net.URISyntaxException: Illegal character in path at index 1: ${keycloak.url}"}}
>
>
> I also tried to make use of keycloak.auth-server available here
> https://github.com/keycloak/keycloak/blob/master/integration/wildfly-subsystem/src/main/resources/org/keycloak/subsystem/extension/LocalDescriptions.properties. But I got the same exception.
>
>
> On 2014-11-25, Stian Thorgersen wrote:
>>
>> ----- Original Message -----
>>> From: "Bruno Oliveira" <bruno at abstractj.org>
>>> To: "Bill Burke" <bburke at redhat.com>
>>> Cc: keycloak-dev at lists.jboss.org
>>> Sent: Tuesday, 25 November, 2014 2:35:58 PM
>>> Subject: Re: [keycloak-dev] Programmatic configuration
>>>
>>> Double checking to see if my understanding is correct. On UPS realm we
>>> have 2 applications:
>>>
>>> "applications": [
>>>          {
>>>              "name": "unified-push-server",
>>>              "enabled": true,
>>>              "bearerOnly": true
>>>          },
>>>          {
>>>              "name": "unified-push-server-js",
>>>              "enabled": true,
>>>              "publicClient": true,
>>>              "baseUrl": "/ag-push",
>>>              "redirectUris": [
>>>                  "http://localhost:8080/ag-push/*"
>>>              ]
>>>          }
>>>      ]
>>>
>>> The only resource which needs to be modified dynamically is
>>> unified-push-server-js. So, making
>>> use of servlet listeners like Bill did in the past for UPS, we have:
>>>
>>> import javax.servlet.ServletContextEvent;
>>> import javax.servlet.ServletContextListener;
>>> import org.keycloak.adapters.AdapterDeploymentContext;
>>> import org.keycloak.representations.adapters.config.AdapterConfig;
>>>
>>> // Listener class name is assumed; the body is the snippet as posted.
>>> public class UpsKeycloakConfigListener implements ServletContextListener {
>>>     public void contextInitialized(ServletContextEvent sce) {
>>>         AdapterDeploymentContext deploymentContext = (AdapterDeploymentContext)
>>>             sce.getServletContext().getAttribute(AdapterDeploymentContext.class.getName());
>>>         AdapterConfig config = new AdapterConfig();
>>>         config.setRealm("aerogear");
>>>         // Dynamically replaced
>>>         config.setRealmKey("MIGfMA0GCSqGSIb3DQEBAQUAA");
>>>         // Dynamically replaced
>>>         config.setAuthServerUrl("http://mydomain.com:8081/auth");
>>>         config.setResource("unified-push-server-js");
>>>         config.setSslRequired("external");
>>>         config.setPublicClient(true);
>>>         deploymentContext.updateDeployment(config);
>>>     }
>>>
>>>     public void contextDestroyed(ServletContextEvent sce) { }
>>> }
>>>
>>> In this way we can remove unified-push-server-js from ups-realm.json,
>>> right? One thing not totally clear is about Keycloak.js. Currently we
>>> have something like:
>>>
>>> var kc = new Keycloak('config/keycloak.json');
>>>
>>> With the change mentioned above, is the JSON file still required? Or
>>> is it not necessary?
>> I don't see any point in having all of that, just use the keycloak.json with a system property for the auth-server url. The realm keys are automatically downloaded so no need to specify those.
>>
>>>
>>> On 2014-11-25, Bill Burke wrote:
>>>>
>>>> On 11/25/2014 7:50 AM, Stian Thorgersen wrote:
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bruno Oliveira" <bruno at abstractj.org>
>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
>>>>>> Sent: Tuesday, 25 November, 2014 1:29:24 PM
>>>>>> Subject: Re: [keycloak-dev] Programmatic configuration
>>>>>>
>>>>>> On 2014-11-25, Stian Thorgersen wrote:
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Bruno Oliveira" <bruno at abstractj.org>
>>>>>>>> To: "keycloak dev" <keycloak-dev at lists.jboss.org>
>>>>>>>> Sent: Tuesday, 25 November, 2014 12:22:22 PM
>>>>>>>> Subject: [keycloak-dev] Programmatic configuration
>>>>>>>>
>>>>>>>> Good morning, we've been discussing the following workflow on
>>>>>>>> AeroGear:
>>>>>>>>
>>>>>>>> First time
>>>>>>>>
>>>>>>>> 1. Developer creates a UPS instance on OpenShift
>>>>>>>> 2. Visit https://myups-abstractj.rhcloud.com/ag-push
>>>>>>>> 3. The application automagically redirects to the configuration page
>>>>>>>> with the options Default or Custom, where Default makes use of the
>>>>>>>> embedded Keycloak on UPS and with Custom our developer would be able
>>>>>>>> to specify another Keycloak instance (http://andresgalante.com/configuration/)
>>>>>>>> 4. App changes the keycloak.json/ups-realm.json file based on the URL
>>>>>>>> provided.
>>>>>>>>
>>>>>>>> Second time
>>>>>>>>
>>>>>>>> 1. Visit https://myups-abstractj.rhcloud.com/ag-push
>>>>>>>> 2. The application checks whether some configuration already exists
>>>>>>>> (default or custom)
>>>>>>>> 3. Redirects users to the UPS login page or the Keycloak login page. It
>>>>>>>> pretty much depends.
>>>>>>>>
>>>>>>>> I would like to programmatically change (via Java) `ups-realm.json`,
>>>>>>>> `keycloak.json` and `admin-ui-keycloak.json`. See
>>>>>>>> https://github.com/abstractj/aerogear-unifiedpush-server/commit/e8fc8461fea69801cc495127a88aff05a55c68cd#diff-356b0e49e775810162fd2be9110bb5f4R3
>>>>>>>>
>>>>>>>> Possible alternatives off the top of my head:
>>>>>>>>
>>>>>>>> 1. Read/manipulate the JSON files from the database and provide
>>>>>>>> `keycloak.json` and `admin-ui-keycloak.json` as a resource, like the
>>>>>>>> Keycloak team did for JavaScript:
>>>>>>>> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/JsResource.java
>>>>>>>> 2. Dynamically generate the `keycloak.json` and
>>>>>>>> `admin-ui-keycloak.json` files in a shared place on WildFly.
>>>>>>>>
>>>>>>>> Do you have a better idea?
>>>>>>> Is it only the auth-server url you're changing? keycloak.json supports
>>>>>>> system properties so you can use for example { "auth-server" :
>>>>>>> "${keycloak.url}" }. If you do that you don't have to rewrite the file
>>>>>>> at all.
>>>>>> Yes! That's gorgeous! Am I supposed to define it during the bootstrap?
>>>>>> For the ups-realm.json file, I'm considering making use of
>>>>>> AdapterDeploymentContext like we did in the past, because the redirect
>>>>>> URL must change dynamically
>>>>>> https://github.com/abstractj/aerogear-unifiedpush-server/commit/e8fc8461fea69801cc495127a88aff05a55c68cd#diff-b8df82f22499b0118c37e0e363c4342aR80
>>>>> How would AdapterDeploymentContext work for a remote KC server?
>>>>>
>>>>> In the past I had an idea of adding support for server aliases, so you
>>>>> could for example use "http://${ups}/ag-push" as the redirect-uri in KC.
>>>>> Then we could provide some easy way to manage server aliases, even
>>>>> allowing one to resolve to one or more URLs.
>>>>>
>>>> The idea was that the UPS mgmt console would allow you to specify a
>>>> remote keycloak URL.  It would store this URL, then update the
>>>> AdapterDeploymentContext at runtime.
>>>>
>>>>
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>> --
>>>
>>> abstractj
>>> PGP: 0x84DC9914
> --
>
> abstractj
> PGP: 0x84DC9914
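The exception Bruno reports is what happens when the literal text `${keycloak.url}` reaches the adapter unsubstituted: `java.net.URI` rejects the `{` at index 1. The following is an added example (not Keycloak or UPS code) of the substitution step that Keycloak 1.1.0.Beta1+ performs inside the JSON parser via SystemPropertiesJsonParserFactory, done here as a plain-JDK text pre-pass that a 1.0 deployment could run before handing the config to the ObjectMapper. It reproduces the failing check, resolves the placeholder from a property map (System.getProperties() in a real server), and fails fast when the property is unset. The class and method names, the `${name:default}` fallback syntax and the sample JSON (copied from the thread) are assumptions of this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/*
 * Added example, not Keycloak project code. Resolves ${name} and
 * ${name:default} placeholders in an adapter config BEFORE the JSON is
 * parsed, then checks that auth-server-url is a real absolute URI.
 */
public class AdapterConfigSubstitution {

    // ${name} or ${name:default}; names may contain dots, dashes, underscores
    private static final Pattern PLACEHOLDER =
            Pattern.compile("\\$\\{([A-Za-z0-9_.\\-]+)(?::([^}]*))?\\}");

    // Extracts the auth-server-url string from the (substituted) JSON text
    private static final Pattern AUTH_URL =
            Pattern.compile("\"auth-server-url\"\\s*:\\s*\"([^\"]*)\"");

    /**
     * Replaces every placeholder from props. Throws when a placeholder has
     * neither a value nor a default, so "${keycloak.url}" can never reach
     * the adapter as a literal string.
     */
    public static String resolve(String json, Map<String, String> props) {
        Matcher m = PLACEHOLDER.matcher(json);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String key = m.group(1);
            String value = props.get(key);
            if (value == null) value = m.group(2);   // ":default" part, may be absent
            if (value == null) {
                throw new IllegalStateException(
                        "unresolved placeholder ${" + key + "} in adapter config");
            }
            // The value lands inside a JSON string literal: escape it so a
            // property containing '"' or '\' cannot change the document structure.
            m.appendReplacement(out, Matcher.quoteReplacement(escapeJsonString(value)));
        }
        m.appendTail(out);
        return out.toString();
    }

    static String escapeJsonString(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }

    /** Returns the auth-server-url value, or null if the key is missing. */
    public static String authServerUrl(String json) {
        Matcher m = AUTH_URL.matcher(json);
        return m.find() ? m.group(1) : null;
    }

    /**
     * The check the adapter effectively performs when it builds the server
     * URL: null if the value is an absolute URI, otherwise the parser's message.
     */
    public static String checkAuthServerUrl(String value) {
        try {
            URI uri = new URI(value);
            return uri.isAbsolute() ? null : "auth-server-url is not absolute: " + value;
        } catch (URISyntaxException e) {
            return e.getMessage();
        }
    }

    // Constructed sample: the keycloak.json posted in the thread.
    static final String KEYCLOAK_JSON =
            "{\n" +
            "  \"realm\" : \"aerogear\",\n" +
            "  \"auth-server-url\" : \"${keycloak.url}\",\n" +
            "  \"ssl-required\" : \"external\",\n" +
            "  \"resource\" : \"unified-push-server\",\n" +
            "  \"bearer-only\" : true,\n" +
            "  \"disable-trust-manager\" : true\n" +
            "}\n";

    public static void main(String[] args) {
        // 1. No substitution (Keycloak 1.0 behaviour): the placeholder is handed
        //    to java.net.URI as-is and fails exactly as in the deployment log.
        System.out.println("unsubstituted: " + checkAuthServerUrl(authServerUrl(KEYCLOAK_JSON)));

        // 2. Property set, as with /system-property=keycloak.url:add(value=...)
        Map<String, String> props = new HashMap<>();
        props.put("keycloak.url", "http://10.0.1.7/auth");
        String resolved = resolve(KEYCLOAK_JSON, props);
        System.out.println("resolved:      " + authServerUrl(resolved)
                + " -> " + checkAuthServerUrl(authServerUrl(resolved)));

        // 3. Property missing: fail at startup instead of booting a broken config.
        try {
            resolve(KEYCLOAK_JSON, new HashMap<String, String>());
        } catch (IllegalStateException e) {
            System.out.println("missing:       " + e.getMessage());
        }

        // 4. A default keeps the deployment bootable when the property is unset.
        String withDefault = KEYCLOAK_JSON.replace("${keycloak.url}",
                "${keycloak.url:http://localhost:8080/auth}");
        System.out.println("default:       "
                + authServerUrl(resolve(withDefault, new HashMap<String, String>())));
    }
}
```

Compile and run with `javac AdapterConfigSubstitution.java && java AdapterConfigSubstitution`. The first line printed is the same "Illegal character in path at index 1: ${keycloak.url}" message from the WildFly log, which confirms that on KC 1.0 the placeholder is simply not expanded. Two practical notes: the in-parser approach Marek points at (SystemPropertiesJsonParserFactory replacing the text of individual string tokens) needs no text-level escaping and is the cleaner route once you are on 1.1.0.Beta1 or later; and the sample config keeps the thread's `"disable-trust-manager" : true`, which turns off certificate verification toward the auth server and belongs only in a development setup.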