[keycloak-dev] Programatic configuration

Bruno Oliveira bruno at abstractj.org
Fri Nov 28 07:01:36 EST 2014 

Yes that's an option for sure. I will give it a try,
thanks a lot for borrowing your brain.

On 2014-11-28, Marek Posolda wrote:
> Hi Bruno,
>
> On 27.11.2014 18:36, Bruno Oliveira wrote:
> >Hi Marek, after trying your approach and several combinations. I'm
> >really not sure if that applies for JS clients. Currently I'm getting
> >https://gist.github.com/abstractj/ef42e28903e470d5033d.
> You mean replacing system properties? This doesn't apply for JS clients. If
> you have something like this in your webapp:
>
> var keycloak = new Keycloak('config/admin-ui-keycloak.json');
>
> and in file src/main/webapp/config/admin-ui-keycloak.json you have something
> like:
>
> "auth-server-url" : "${keycloak.url}",
>
> it won't be replaced.
>
> Replacing system properties is done programatically by keycloak and it
> applies only for adapter configs parsed by KeycloakDeploymentBuilder spi
> (this works just in latest KC master due to this https://github.com/keycloak/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java#L95)
> or if you do it manually for some property in AdapterConfig like you did for
> authServerUrl in KeycloakBootstrapListener.
>
>
> If you want replacing system properties for JS adapter configuration, you
> may need something like Proxy servlet, which will do it in java code for
> you. So for example in app.js you will have something like:
>
> var keycloak = new Keycloak('keycloak-client-config');
>
> And path '/keycloak-client-config' will be mapped in web.xml to this
> servlet. Servlet will then parse the adapter json file to AdapterConfig (or
> create it programmatically if you want), then replace system properties and
> then send back JSON with adapter config with system properties replaced. Is
> this an option for you?
>
> Marek
>
> >
> >My servlet listener was configured like you suggested
> >https://github.com/abstractj/aerogear-unifiedpush-server/commit/d5298d613a6bbb80d2c72b8514f353270c59cc76#diff-9f3da7bef7f5073aaa7dc3c851f539a1R31.
> >The adapter related to the JS side was commented once I noticed no
> >effect on leave uncommented.
> >
> >Also I moved my configuration on the client side to
> >https://github.com/abstractj/aerogear-unifiedpush-server/commit/d5298d613a6bbb80d2c72b8514f353270c59cc76#diff-e0ab405f82ed2d1fc13835905c83b4bcR25.
> >If you leave the constructor empty keycloak.js will look for
> >keycloak.json. Btw I tried several combinations, but no luck.
> >
> >I think I'm close, not sure how long to figure this out.
> >
> >On 2014-11-26, Marek Posolda wrote:
> >>Good morning Bruno, if you are using it like in this code snippet (in other
> >>words, AdapterConfig is created programmatically by calling java setters)
> >>then maybe easiest is to use just something like this:
> >>
> >>config.setAuthServerUrl(StringPropertyReplacer.replaceProperties("${keycloak.url}");
> >>
> >>StringPropertyReplacer is already available in KC 1.0 codebase, so you
> >>should be ok to use it like this even on KC 1.0.
> >>
> >>Otherwise if you create AdapterConfig from parsing the json file with
> >>jackson-mapper like it's done in our KeycloakDeploymentBuilder, you may need
> >>to add SystemPropertiesJsonParserFactory to be added into constructor of
> >>particular ObjectMapper. If you can upgrade to 1.1.0.Beta1, you don't need
> >>to fork anything as class is available in KC codebase. If you still need to
> >>be on 1.0 for some time, then you probably need to fork it.
> >>
> >>Marek
> >>
> >>On 26.11.2014 06:59, Bruno Oliveira wrote:
> >>>Good morning Marek, I was using it like mentioned before
> >>>https://gist.github.com/abstractj/bc238623e79d030d37a6. But removed
> >>>that later. Currently I'm running KC beta1 and I'm fine on forking/make
> >>>use of it, just not sure if its the recommended way.
> >>>
> >>>Thanks in advance.
> >>>
> >>>On 2014-11-25, Marek Posolda wrote:
> >>>>How exactly are you creating AdapterConfig? To replace system properties,
> >>>>you may need to use SystemPropertiesJsonParserFactory similarly like is used
> >>>>here: https://github.com/keycloak/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java#L95
> >>>>
> >>>>Note that replacing system props in adapter config was added in keycloak
> >>>>1.1.0.Beta1 (as prerequisite to clustering support), but I guess that you
> >>>>guys are still on KC 1.0 ? If it's the case, you can maybe fork the
> >>>>SystemPropertiesJsonParserFactory to your env and create ObjectMapper with
> >>>>passing it as an argument?
> >>>>
> >>>>Marek
> >>>>
> >>>>On 25.11.2014 20:12, Bruno Oliveira wrote:
> >>>>>I might be missing something, here is my attempt:
> >>>>>
> >>>>>[standalone at localhost:9990 /] /system-property=keycloak.url:add(value="http://10.0.1.7/auth")
> >>>>>{"outcome" => "success"}
> >>>>>
> >>>>>or
> >>>>>
> >>>>>public class UpsKeycloakApplication extends KeycloakApplication {
> >>>>>     public UpsKeycloakApplication(@Context ServletContext context, @Context Dispatcher dispatcher) {
> >>>>>         super(context, dispatcher);
> >>>>>         System.setProperty("keycloak.url", "http://10.0.1.7/auth");
> >>>>>     }
> >>>>>}
> >>>>>
> >>>>>JSON files:
> >>>>>
> >>>>>- keycloak.json
> >>>>>
> >>>>>{
> >>>>>   "realm" : "aerogear",
> >>>>>   "auth-server-url" : "${keycloak.url}",
> >>>>>   "ssl-required" : "external",
> >>>>>   "resource" : "unified-push-server",
> >>>>>   "bearer-only" : true,
> >>>>>   "disable-trust-manager" : true
> >>>>>}
> >>>>>
> >>>>>- admin-ui-keycloak.json
> >>>>>
> >>>>>
> >>>>>{
> >>>>>     "realm" : "aerogear",
> >>>>>     "auth-server-url" : "${keycloak.url}",
> >>>>>     "ssl-required" : "external",
> >>>>>     "resource" : "unified-push-server-js",
> >>>>>     "public-client" : true
> >>>>>}
> >>>>>
> >>>>>
> >>>>>Exception:
> >>>>>
> >>>>>17:07:38,649 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 2) JBAS014613: Operation ("deploy") failed - address: ([("deployment" => "ag-push.war")]) - failure description: {"JBAS014671: Failed services" => {"jboss.undertow.deployment.default-server.default-host./ag-push" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./ag-push: Failed to start service
> >>>>>     Caused by: java.lang.IllegalArgumentException: Illegal character in path at index 1: ${keycloak.url}
> >>>>>     Caused by: java.net.URISyntaxException: Illegal character in path at index 1: ${keycloak.url}"}}
> >>>>>
> >>>>>
> >>>>>I also tried to make use of keycloak.auth-sever available here
> >>>>>https://github.com/keycloak/keycloak/blob/master/integration/wildfly-subsystem/src/main/resources/org/keycloak/subsystem/extension/LocalDescriptions.properties. But got the same exception.
> >>>>>
> >>>>>
> >>>>>On 2014-11-25, Stian Thorgersen wrote:
> >>>>>>----- Original Message -----
> >>>>>>>From: "Bruno Oliveira" <bruno at abstractj.org>
> >>>>>>>To: "Bill Burke" <bburke at redhat.com>
> >>>>>>>Cc: keycloak-dev at lists.jboss.org
> >>>>>>>Sent: Tuesday, 25 November, 2014 2:35:58 PM
> >>>>>>>Subject: Re: [keycloak-dev] Programatic configuration
> >>>>>>>
> >>>>>>>Double checking to see if my understanding is correct. On UPS realm we
> >>>>>>>have 2 applications:
> >>>>>>>
> >>>>>>>"applications": [
> >>>>>>>         {
> >>>>>>>             "name": "unified-push-server",
> >>>>>>>             "enabled": true,
> >>>>>>>             "bearerOnly": true
> >>>>>>>         },
> >>>>>>>         {
> >>>>>>>             "name": "unified-push-server-js",
> >>>>>>>             "enabled": true,
> >>>>>>>             "publicClient": true,
> >>>>>>>             "baseUrl": "/ag-push",
> >>>>>>>             "redirectUris": [
> >>>>>>>                 "http://localhost:8080/ag-push/*"
> >>>>>>>             ]
> >>>>>>>         }
> >>>>>>>     ]
> >>>>>>>
> >>>>>>>The only resource which requires to be modified dinamically is
> >>>>>>>unified-push-server-js. So making
> >>>>>>>use of servlet listeners like Bill did in the past for UPS we have:
> >>>>>>>
> >>>>>>>AdapterDeploymentContext deploymentContext = (AdapterDeploymentContext)
> >>>>>>>sce.getServletContext().getAttribute(AdapterDeploymentContext.class.getName());
> >>>>>>>AdapterConfig config = new AdapterConfig();
> >>>>>>>config.setRealm("aerogear");
> >>>>>>>//Dinamically replaced
> >>>>>>>config.setRealmKey("MIGfMA0GCSqGSIb3DQEBAQUAA");
> >>>>>>>//Dinamically replaced
> >>>>>>>config.setAuthServerUrl("http://mydomain.com:8081/auth");
> >>>>>>>config.setResource("unified-push-server-js");
> >>>>>>>config.setSslRequired("external");
> >>>>>>>config.setPublicClient(true);
> >>>>>>>deploymentContext.updateDeployment(config);
> >>>>>>>
> >>>>>>>Into this way we can remove unified-push-server-js from ups-realm.json,
> >>>>>>>right? One thing not totally clear is about Keycloak.js. Currently we
> >>>>>>>have something like:
> >>>>>>>
> >>>>>>>Keycloak kc = new Keycloak('config/keycloak.json')
> >>>>>>>
> >>>>>>>With the changed mentioned above, the JSON file is still required? Or
> >>>>>>>not necessary?
> >>>>>>I don't see any point in having all of that, just use the keycloak.json with a system property for the auth-server url. The realm keys are automatically downloaded so no need to specify those.
> >>>>>>
> >>>>>>>On 2014-11-25, Bill Burke wrote:
> >>>>>>>>On 11/25/2014 7:50 AM, Stian Thorgersen wrote:
> >>>>>>>>>----- Original Message -----
> >>>>>>>>>>From: "Bruno Oliveira" <bruno at abstractj.org>
> >>>>>>>>>>To: "Stian Thorgersen" <stian at redhat.com>
> >>>>>>>>>>Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> >>>>>>>>>>Sent: Tuesday, 25 November, 2014 1:29:24 PM
> >>>>>>>>>>Subject: Re: [keycloak-dev] Programatic configuration
> >>>>>>>>>>
> >>>>>>>>>>On 2014-11-25, Stian Thorgersen wrote:
> >>>>>>>>>>>----- Original Message -----
> >>>>>>>>>>>>From: "Bruno Oliveira" <bruno at abstractj.org>
> >>>>>>>>>>>>To: "keycloak dev" <keycloak-dev at lists.jboss.org>
> >>>>>>>>>>>>Sent: Tuesday, 25 November, 2014 12:22:22 PM
> >>>>>>>>>>>>Subject: [keycloak-dev] Programatic configuration
> >>>>>>>>>>>>
> >>>>>>>>>>>>Good morning, we've been discussing the following workflow on
> >>>>>>>>>>>>AeroGear:
> >>>>>>>>>>>>
> >>>>>>>>>>>>First time
> >>>>>>>>>>>>
> >>>>>>>>>>>>1. Developer create an UPS instance on OpenShift
> >>>>>>>>>>>>2. Visit https://myups-abstractj.rhcloud.com/ag-push
> >>>>>>>>>>>>3. The application automagically redirect to the configuration page
> >>>>>>>>>>>>the
> >>>>>>>>>>>>with
> >>>>>>>>>>>>options default or Custom — where default make use of the embbeded
> >>>>>>>>>>>>Keycloak on UPS and custom our developer would be able to specify
> >>>>>>>>>>>>another Keycloak instance (http://andresgalante.com/configuration/)
> >>>>>>>>>>>>4. App changes the keycloak.json/ups-realm.json file based on the URL
> >>>>>>>>>>>>provided.
> >>>>>>>>>>>>
> >>>>>>>>>>>>Second time
> >>>>>>>>>>>>
> >>>>>>>>>>>>1. Visit https://myups-abstractj.rhcloud.com/ag-push
> >>>>>>>>>>>>2. The application check if some configuration already exists (default
> >>>>>>>>>>>>or custom)
> >>>>>>>>>>>>3. Redirect users to UPS login page or Keycloak login page. It pretty
> >>>>>>>>>>>>much depends.
> >>>>>>>>>>>>
> >>>>>>>>>>>>I would like to programatically change (via Java) `ups-realm.json`,
> >>>>>>>>>>>>`keycloak.json`
> >>>>>>>>>>>>and `admin-ui-keycloak.json`. See
> >>>>>>>>>>>>https://github.com/abstractj/aerogear-unifiedpush-server/commit/e8fc8461fea69801cc495127a88aff05a55c68cd#diff-356b0e49e775810162fd2be9110bb5f4R3
> >>>>>>>>>>>>
> >>>>>>>>>>>>Possible alternatives off the top of my head:
> >>>>>>>>>>>>
> >>>>>>>>>>>>1. Read/manipulate JSON files from the database and provide
> >>>>>>>>>>>>`keycloak.json`
> >>>>>>>>>>>>and
> >>>>>>>>>>>>`admin-ui-keycloak.json` as a resource like Keycloak team did for
> >>>>>>>>>>>>JavaScript
> >>>>>>>>>>>>https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/JsResource.java
> >>>>>>>>>>>>2. Dinamically generate to a shared place on WildFly `keycloak.json`
> >>>>>>>>>>>>and
> >>>>>>>>>>>>`admin-ui-keycloak.json` files.
> >>>>>>>>>>>>
> >>>>>>>>>>>>Do you have a better idea?
> >>>>>>>>>>>Is it only the auth-server url you're changing? keycloak.json supports
> >>>>>>>>>>>system properties so you can use for example { "auth-server" :
> >>>>>>>>>>>"${keycloak.url}" }. If you do that you don't have to rewrite the file
> >>>>>>>>>>>at
> >>>>>>>>>>>all.
> >>>>>>>>>>Yes! That's gorgeous! Am I supposed to define it during the bootstrap?
> >>>>>>>>>>For ups-realm.json file, I'm considering to make use of
> >>>>>>>>>>AdapterDeploymentContext like we did in the past, because the redirect
> >>>>>>>>>>url must dinamically change
> >>>>>>>>>>https://github.com/abstractj/aerogear-unifiedpush-server/commit/e8fc8461fea69801cc495127a88aff05a55c68cd#diff-b8df82f22499b0118c37e0e363c4342aR80
> >>>>>>>>>How would AdapterDeploymentContext work for a remote KC server?
> >>>>>>>>>
> >>>>>>>>>In the past I had an idea of adding support for server aliases, so you
> >>>>>>>>>could for example do "http://${ups}/ag-push" as the redirect-uri in KC.
> >>>>>>>>>Then we could provide some easy way to manage server-aliases, even
> >>>>>>>>>allowing it to resolve to one or more urls.
> >>>>>>>>>
> >>>>>>>>The idea was that the UPS mgmt console would allow you to specify a
> >>>>>>>>remote keycloak URL.  It would store this URL, then update the
> >>>>>>>>AdapterDeploymentContext at runtime.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>--
> >>>>>>>>Bill Burke
> >>>>>>>>JBoss, a division of Red Hat
> >>>>>>>>http://bill.burkecentral.com
> >>>>>>>>_______________________________________________
> >>>>>>>>keycloak-dev mailing list
> >>>>>>>>keycloak-dev at lists.jboss.org
> >>>>>>>>https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>>>>>--
> >>>>>>>
> >>>>>>>abstractj
> >>>>>>>PGP: 0x84DC9914
> >>>>>>>_______________________________________________
> >>>>>>>keycloak-dev mailing list
> >>>>>>>keycloak-dev at lists.jboss.org
> >>>>>>>https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>>>--
> >>>>>
> >>>>>abstractj
> >>>>>PGP: 0x84DC9914
> >>>>>_______________________________________________
> >>>>>keycloak-dev mailing list
> >>>>>keycloak-dev at lists.jboss.org
> >>>>>https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>--
> >>>
> >>>abstractj
> >>>PGP: 0x84DC9914
> >--
> >
> >abstractj
> >PGP: 0x84DC9914
>

--

abstractj
PGP: 0x84DC9914

More information about the keycloak-dev mailing list