[keycloak-dev] Location of User Federation Provider jar in Keycloak 1.1 Beta-2

Stan Silvert ssilvert at redhat.com
Fri Jan 16 10:28:37 EST 2015


On 1/16/2015 9:42 AM, Bill Burke wrote:
>
> On 1/16/2015 9:20 AM, Stan Silvert wrote:
>> On 1/16/2015 9:07 AM, Stian Thorgersen wrote:
>>> Currently, I'm not overly happy with releasing 1.1.0.Final and it's down to this issue. I should have raised it before, but it completely slipped my mind :(
>> We did talk about this at great length before.   I tried and tried to
>> preserve the "drop it in the file system" approach.  It just plain won't
>> work for domains.
>>> IMO we need:
>>>
>>> 1. A usable way to deploy a provider without using the CLI GUI
>>> 2. Ideally be able to deploy a provider with an offline server
>> We have 5 ways to add a provider:
>> 1. CLI
>> 2. CLI GUI
>> 3. CLI script
>> 4. Explode the WAR in the subsystem and drop it in WEB-INF/lib
>> 5. Use the war dist and do it the old way.
>>
> 6. Create a module for your new provider.  Import that module (with
> service import too) into the main Keycloak module.  Of course this
> requires knowledge of JBoss Modules.  Not sure if this would work.  You
> tell me.
I tried that and ran into problems.  I consulted with Jason and Stuart 
to see if there was any way to get it to work.  They concluded that it 
probably could be made to work but it would require moving everything 
out of the WEB-INF/lib and creating modules for each jar.  I don't 
remember all the details but I can probably find the chat log where we 
discussed it.

At the time I didn't want to go that far because pulling everything out 
of the WAR and forcing the user to create modules seemed like too 
radical of a change.  But maybe we need to revisit that.  We've already 
been talking about moving more stuff into modules.  If we decide to not 
support the auth server on other platforms then it would make even more 
sense to go ahead and do it because we wouldn't be tied to testing 
everything as a WAR.
>
> BTW, come to think of it, this upload through CLI just won't work, if
> the provider has even one third-party library dependency.
It still works.  You can upload as many provider jars as you want.
>
> Stan, can you explain again the issue with domain mode?  Is it that
> you're trying to secure the domain controller itself with keycloak?
>
>
The domain controller won't be secured with Keycloak until we integrate 
with Elytron.   But having Keycloak compatible with domain mode is a 
piece of that puzzle.

Deployment scanners are not allowed in domain mode.  You upload to the 
domain controller and the deployment is distributed to wherever you want 
it to run.   So there is no place in the file system where you can just 
copy a file and have it become part of the deployment.    And as I found 
out, there is no way to create your own deployment scanner that will 
work.  The architecture blocks you from doing that.

Operationally, using overlays is a lot cleaner for upgrades, especially 
in domain mode.   Your provider jar is the thing most likely to change.  
So when it does, you just need to upload the one jar and you are done.  
Same is true for keycloak-server.json changes.

If you used a single hacked-up WAR, you would need to rebuild the entire 
WAR offline and upload the whole thing.  So you would also need to keep 
up with manually versioning your own customized WAR.
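The overlay workflow described above, written out as an added jboss-cli script (not from the thread or the Keycloak project): one overlay carries the provider jar and keycloak-server.json, and an upgrade later re-uploads only the jar. The deployment name auth-server.war, the server group main-server-group, the overlay name, the in-WAR path of keycloak-server.json and the local file paths are assumptions.

```jboss-cli
# Added example, not from the thread. Run with jboss-cli.sh --connect
# against the domain controller; domain mode has no deployment scanner,
# so the overlay is the only place the extra content lives.
# Assumptions: the auth server is deployed as auth-server.war to
# main-server-group; keycloak-server.json sits at
# WEB-INF/classes/META-INF/ inside the WAR; local paths are placeholders.

# Initial setup: provider jar + custom keycloak-server.json in one overlay.
# The jar itself carries its META-INF/services registration, so nothing
# else in the WAR has to change.
deployment-overlay add --name=keycloak-custom-overlay --content=WEB-INF/lib/my-federation-provider.jar=/path/to/my-federation-provider.jar,WEB-INF/classes/META-INF/keycloak-server.json=/path/to/keycloak-server.json --deployments=auth-server.war --server-groups=main-server-group --redeploy-affected

# Upgrade: the provider jar is what changes most often, so re-run add for
# that one path with the new build; the domain controller pushes the
# redeploy to every server in the group.
deployment-overlay add --name=keycloak-custom-overlay --content=WEB-INF/lib/my-federation-provider.jar=/path/to/my-federation-provider-v2.jar --deployments=auth-server.war --server-groups=main-server-group --redeploy-affected

# Inspect what the overlay currently holds before and after an upgrade.
deployment-overlay list --name=keycloak-custom-overlay
```

Because the overlay is versioned separately from the stock WAR, a stock Keycloak upgrade replaces the WAR while the overlay with your provider and config stays in place.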

