[keycloak-dev] Programatic configuration

Bruno Oliveira bruno at abstractj.org
Wed Nov 26 00:59:31 EST 2014


Good morning Marek, I was using it like mentioned before
https://gist.github.com/abstractj/bc238623e79d030d37a6. But removed
that later. Currently I'm running KC beta1 and I'm fine on forking/make
use of it, just not sure if its the recommended way.

Thanks in advance.

On 2014-11-25, Marek Posolda wrote:
> How exactly are you creating AdapterConfig? To replace system properties,
> you may need to use SystemPropertiesJsonParserFactory similarly like is used
> here: https://github.com/keycloak/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java#L95
>
> Note that replacing system props in adapter config was added in keycloak
> 1.1.0.Beta1 (as prerequisite to clustering support), but I guess that you
> guys are still on KC 1.0 ? If it's the case, you can maybe fork the
> SystemPropertiesJsonParserFactory to your env and create ObjectMapper with
> passing it as an argument?
>
> Marek
>
> On 25.11.2014 20:12, Bruno Oliveira wrote:
> >I might be missing something, here is my attempt:
> >
> >[standalone at localhost:9990 /] /system-property=keycloak.url:add(value="http://10.0.1.7/auth")
> >{"outcome" => "success"}
> >
> >or
> >
> >public class UpsKeycloakApplication extends KeycloakApplication {
> >     public UpsKeycloakApplication(@Context ServletContext context, @Context Dispatcher dispatcher) {
> >         super(context, dispatcher);
> >         System.setProperty("keycloak.url", "http://10.0.1.7/auth");
> >     }
> >}
> >
> >JSON files:
> >
> >- keycloak.json
> >
> >{
> >   "realm" : "aerogear",
> >   "auth-server-url" : "${keycloak.url}",
> >   "ssl-required" : "external",
> >   "resource" : "unified-push-server",
> >   "bearer-only" : true,
> >   "disable-trust-manager" : true
> >}
> >
> >- admin-ui-keycloak.json
> >
> >
> >{
> >     "realm" : "aerogear",
> >     "auth-server-url" : "${keycloak.url}",
> >     "ssl-required" : "external",
> >     "resource" : "unified-push-server-js",
> >     "public-client" : true
> >}
> >
> >
> >Exception:
> >
> >17:07:38,649 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 2) JBAS014613: Operation ("deploy") failed - address: ([("deployment" => "ag-push.war")]) - failure description: {"JBAS014671: Failed services" => {"jboss.undertow.deployment.default-server.default-host./ag-push" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./ag-push: Failed to start service
> >     Caused by: java.lang.IllegalArgumentException: Illegal character in path at index 1: ${keycloak.url}
> >     Caused by: java.net.URISyntaxException: Illegal character in path at index 1: ${keycloak.url}"}}
> >
> >
> >I also tried to make use of keycloak.auth-sever available here
> >https://github.com/keycloak/keycloak/blob/master/integration/wildfly-subsystem/src/main/resources/org/keycloak/subsystem/extension/LocalDescriptions.properties. But got the same exception.
> >
> >
> >On 2014-11-25, Stian Thorgersen wrote:
> >>
> >>----- Original Message -----
> >>>From: "Bruno Oliveira" <bruno at abstractj.org>
> >>>To: "Bill Burke" <bburke at redhat.com>
> >>>Cc: keycloak-dev at lists.jboss.org
> >>>Sent: Tuesday, 25 November, 2014 2:35:58 PM
> >>>Subject: Re: [keycloak-dev] Programatic configuration
> >>>
> >>>Double checking to see if my understanding is correct. On UPS realm we
> >>>have 2 applications:
> >>>
> >>>"applications": [
> >>>         {
> >>>             "name": "unified-push-server",
> >>>             "enabled": true,
> >>>             "bearerOnly": true
> >>>         },
> >>>         {
> >>>             "name": "unified-push-server-js",
> >>>             "enabled": true,
> >>>             "publicClient": true,
> >>>             "baseUrl": "/ag-push",
> >>>             "redirectUris": [
> >>>                 "http://localhost:8080/ag-push/*"
> >>>             ]
> >>>         }
> >>>     ]
> >>>
> >>>The only resource which requires to be modified dinamically is
> >>>unified-push-server-js. So making
> >>>use of servlet listeners like Bill did in the past for UPS we have:
> >>>
> >>>AdapterDeploymentContext deploymentContext = (AdapterDeploymentContext)
> >>>sce.getServletContext().getAttribute(AdapterDeploymentContext.class.getName());
> >>>AdapterConfig config = new AdapterConfig();
> >>>config.setRealm("aerogear");
> >>>//Dinamically replaced
> >>>config.setRealmKey("MIGfMA0GCSqGSIb3DQEBAQUAA");
> >>>//Dinamically replaced
> >>>config.setAuthServerUrl("http://mydomain.com:8081/auth");
> >>>config.setResource("unified-push-server-js");
> >>>config.setSslRequired("external");
> >>>config.setPublicClient(true);
> >>>deploymentContext.updateDeployment(config);
> >>>
> >>>Into this way we can remove unified-push-server-js from ups-realm.json,
> >>>right? One thing not totally clear is about Keycloak.js. Currently we
> >>>have something like:
> >>>
> >>>Keycloak kc = new Keycloak('config/keycloak.json')
> >>>
> >>>With the changed mentioned above, the JSON file is still required? Or
> >>>not necessary?
> >>I don't see any point in having all of that, just use the keycloak.json with a system property for the auth-server url. The realm keys are automatically downloaded so no need to specify those.
> >>
> >>>
> >>>On 2014-11-25, Bill Burke wrote:
> >>>>
> >>>>On 11/25/2014 7:50 AM, Stian Thorgersen wrote:
> >>>>>
> >>>>>----- Original Message -----
> >>>>>>From: "Bruno Oliveira" <bruno at abstractj.org>
> >>>>>>To: "Stian Thorgersen" <stian at redhat.com>
> >>>>>>Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> >>>>>>Sent: Tuesday, 25 November, 2014 1:29:24 PM
> >>>>>>Subject: Re: [keycloak-dev] Programatic configuration
> >>>>>>
> >>>>>>On 2014-11-25, Stian Thorgersen wrote:
> >>>>>>>
> >>>>>>>----- Original Message -----
> >>>>>>>>From: "Bruno Oliveira" <bruno at abstractj.org>
> >>>>>>>>To: "keycloak dev" <keycloak-dev at lists.jboss.org>
> >>>>>>>>Sent: Tuesday, 25 November, 2014 12:22:22 PM
> >>>>>>>>Subject: [keycloak-dev] Programatic configuration
> >>>>>>>>
> >>>>>>>>Good morning, we've been discussing the following workflow on
> >>>>>>>>AeroGear:
> >>>>>>>>
> >>>>>>>>First time
> >>>>>>>>
> >>>>>>>>1. Developer create an UPS instance on OpenShift
> >>>>>>>>2. Visit https://myups-abstractj.rhcloud.com/ag-push
> >>>>>>>>3. The application automagically redirect to the configuration page
> >>>>>>>>the
> >>>>>>>>with
> >>>>>>>>options default or Custom — where default make use of the embbeded
> >>>>>>>>Keycloak on UPS and custom our developer would be able to specify
> >>>>>>>>another Keycloak instance (http://andresgalante.com/configuration/)
> >>>>>>>>4. App changes the keycloak.json/ups-realm.json file based on the URL
> >>>>>>>>provided.
> >>>>>>>>
> >>>>>>>>Second time
> >>>>>>>>
> >>>>>>>>1. Visit https://myups-abstractj.rhcloud.com/ag-push
> >>>>>>>>2. The application check if some configuration already exists (default
> >>>>>>>>or custom)
> >>>>>>>>3. Redirect users to UPS login page or Keycloak login page. It pretty
> >>>>>>>>much depends.
> >>>>>>>>
> >>>>>>>>I would like to programatically change (via Java) `ups-realm.json`,
> >>>>>>>>`keycloak.json`
> >>>>>>>>and `admin-ui-keycloak.json`. See
> >>>>>>>>https://github.com/abstractj/aerogear-unifiedpush-server/commit/e8fc8461fea69801cc495127a88aff05a55c68cd#diff-356b0e49e775810162fd2be9110bb5f4R3
> >>>>>>>>
> >>>>>>>>Possible alternatives off the top of my head:
> >>>>>>>>
> >>>>>>>>1. Read/manipulate JSON files from the database and provide
> >>>>>>>>`keycloak.json`
> >>>>>>>>and
> >>>>>>>>`admin-ui-keycloak.json` as a resource like Keycloak team did for
> >>>>>>>>JavaScript
> >>>>>>>>https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/JsResource.java
> >>>>>>>>2. Dinamically generate to a shared place on WildFly `keycloak.json`
> >>>>>>>>and
> >>>>>>>>`admin-ui-keycloak.json` files.
> >>>>>>>>
> >>>>>>>>Do you have a better idea?
> >>>>>>>Is it only the auth-server url you're changing? keycloak.json supports
> >>>>>>>system properties so you can use for example { "auth-server" :
> >>>>>>>"${keycloak.url}" }. If you do that you don't have to rewrite the file
> >>>>>>>at
> >>>>>>>all.
> >>>>>>Yes! That's gorgeous! Am I supposed to define it during the bootstrap?
> >>>>>>For ups-realm.json file, I'm considering to make use of
> >>>>>>AdapterDeploymentContext like we did in the past, because the redirect
> >>>>>>url must dinamically change
> >>>>>>https://github.com/abstractj/aerogear-unifiedpush-server/commit/e8fc8461fea69801cc495127a88aff05a55c68cd#diff-b8df82f22499b0118c37e0e363c4342aR80
> >>>>>How would AdapterDeploymentContext work for a remote KC server?
> >>>>>
> >>>>>In the past I had an idea of adding support for server aliases, so you
> >>>>>could for example do "http://${ups}/ag-push" as the redirect-uri in KC.
> >>>>>Then we could provide some easy way to manage server-aliases, even
> >>>>>allowing it to resolve to one or more urls.
> >>>>>
> >>>>The idea was that the UPS mgmt console would allow you to specify a
> >>>>remote keycloak URL.  It would store this URL, then update the
> >>>>AdapterDeploymentContext at runtime.
> >>>>
> >>>>
> >>>>
> >>>>--
> >>>>Bill Burke
> >>>>JBoss, a division of Red Hat
> >>>>http://bill.burkecentral.com
> >>>>_______________________________________________
> >>>>keycloak-dev mailing list
> >>>>keycloak-dev at lists.jboss.org
> >>>>https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>--
> >>>
> >>>abstractj
> >>>PGP: 0x84DC9914
> >>>_______________________________________________
> >>>keycloak-dev mailing list
> >>>keycloak-dev at lists.jboss.org
> >>>https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >--
> >
> >abstractj
> >PGP: 0x84DC9914
> >_______________________________________________
> >keycloak-dev mailing list
> >keycloak-dev at lists.jboss.org
> >https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

--

abstractj
PGP: 0x84DC9914


More information about the keycloak-dev mailing list