[keycloak-user] Best practices for building appliances

Mon Feb 2 09:42:29 EST 2015

This is something that we need to figure out and find a proper solution for. It should be very easy for any JBoss project/product to both embed Keycloak and to use a centralized Keycloak for SSO. 

There are quite a few issues that needs resolving to achieve this properly:

* Do we support embedding Keycloak in other containers than WildFly/EAP?
* Do we provide a slimmed down version of Keycloak for embedding? An embedded Keycloak should be for securing the projects console in a simple deployment, not for a SSO solution.
* How do we handle bootstrapping? Applications needs to configure themselves, including realm keys and application secrets. What happens if realm keys, application urls, etc change.
* How do we provide a simple mechanism to link to a centralized Keycloak server
* How do we make sure multiple projects can share the same Keycloak realm? Roles for example is a problem here if multiple projects use realm level roles (Keycloak itself does!)
* How to enable SSL for a project? Keycloak is not secure without SSL! That's one of the downsides to bearer auth.

Those issues (and probably a whole bunch more) should all be solved consistently for all JBoss projects.

----- Original Message -----
> From: "Juraci Paixão Kröhling" <juraci at kroehling.de>
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 2 February, 2015 1:26:43 PM
> Subject: [keycloak-user] Best practices for building appliances
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> All,
> 
> In our project, we plan to have a distribution where we ship our
> application with a Wildfly bundled, a la Keycloak Appliance.
> 
> My main concern is shipping our distribution with a default pair of
> realm keys or with a pre-filled database. I know it's possible to
> import a realm on the first boot and KC will generate the required
> keys if they are missing from the imported JSON template, but as we
> are shipping our own WAR, we would need to get the public key into our
> application's keycloak.json (or subsystem) before it gets deployed.
> 
> I wonder if this is a common situation and what would be the best
> practices for such case. I think Stian mentioned before that a future
> version of KC would allow auto registration of applications, but until
> that is available, I'd be interested in hearing your experiences about it.
> 
> Another situation is for a contributor of the project or for users who
> would want to build from the source: what would be the best practice
> for generating new keys at each build? If there's no easy solution for
> that now, I'd be interested in building a "keycloak-cli" utility that
> would generate realm and application JSON files, possibly with a Maven
> plugin wrapper to make it easier to consume from maven projects. Would
> something like that be interesting for the project?
> 
> Best,
> Juca.
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> 
> iQEcBAEBAgAGBQJUz20DAAoJEDnJtskdmzLMbUYH/A0bclPFHI5FhL85lAXUrJ+a
> DT0PLdm9nMSzCJS23Auey4XSfk3YMxaGqve0yiEAstkfkro4AsPsvmQz1H/zyyUX
> csZduMlo8zzXox1n0uK8Mz95dnikSMD4MzAqXM3g8l3a7ORiw25Gg51REBMOJPUL
> YzX0qRQlEq+MDCJw/L0G5KUZWqmrCYy5GpJ8e3wibK/MzPg/vhs7KLgxr0jh8Eee
> gjlG/H4K37crDZrRE2ILGi7xV6GZYTw6AKgm03QFqt0/9HluJFcU9vPUs4JWMKfu
> O7Nf4qQ7OJWnVijepQ1Jdcg7uRnX1a019v0kbIZT3g6YSoYT6nCRow9kCEQ0DGo=
> =wYHW
> -----END PGP SIGNATURE-----
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 