[wildfly-dev] Keycloak SSO in WildFly 9

Bill Burke bburke at redhat.com
Tue Jun 3 16:27:25 EDT 2014



On 6/3/2014 2:25 PM, Darran Lofthouse wrote:
>> Both the auth server and admin console are served from the same WAR.  It
>> should be possible to deploy this without using a WAR or servlets, but
>> that is not planned for the initial WildFly integration.  Because of
>> this current limitation, the auth server and admin console will not be
>> present in a domain controller.
>
> This is going against the current design of AS7/WildFly exposing
> management related operations over the management interface and leaving
> the web container to be purely about a users deployments.

Keycloak uses Resteasy.  We could write an adapter for whatever HTTP 
engine the mgmt interface is using.  Unfortunately, we also need a 
storage mechanism  JPA or Mongo.  We could write a file-based back-end 
if needed.


>> Questions for further discussion
>> --------------------------------------------
>> 1.  WildFly ships with pre-defined RBAC roles. [3]  Should these roles
>> be available at the realm level or only to the WildFly Web Console?
>> Could/should other consoles make use of these roles?
>
> The direction we are moving towards with the wildfly-elytron work is
> that role assignment / mapping is something that happens at the point a
> call reaches a secured resource and will be in the context of that
> secure resource.  As an example a user could call one deployment and be
> assigned one set of roles, that same user could call a different
> deployment and have a completely different set of roles - for simplicity
> we will allow a 1:1 mapping from what was loaded from the identity store
> to roles but that will not be always the case.

Keycloak works similarly, albeit with remote invocations.  Clients get a 
unique token with each application they do SSO with.  For nested 
invocations, i.e. If you log into Application A and it needs to invoke 
on Application B, things can be configured so that the token has all 
role mappings that are needed.  Each application in the nested call 
chain looks inside the token for the role mappings it is interested in.

If there was an adequate SPI, then Keycloak would fit in with this idea 
of each deployment call would have its own set of role mappings.


* Keycloak supports realm-level and per-app-level roles.

* Keycloak has the concept of scope mappings. Scopes are the roles the 
application is allowed to ask for.  So the token is only populated with 
permissions the application is allowed to ask for.  So, if a user has 
"admin" role, the token will not get populated with the "admin" role 
mapping unless the application has that scope.

* Keycloak has the concept of a "composite role".  Its kinda like a 
combination of a role group and a role.

BTW, I think cross-component calls need to be able to inherit the 
"identity store" from the calling component.   IMO, it would be very 
rare (even weird) if cross-component calls each used their own "identity 
store".

Currently, Its even more weird (and wrong) that each time you cross a 
component layer (deployment) reauthentication happens with the identity 
store.




>
>> 2.  On first login, you are required to change the admin password. What
>> other initial setup should be required?  Change realm public key?
>> Change client secret?  Others?
>
> This is something that would be required to happen at the command line,
> a connection from a web browser could not be trusted to perform this.
>

What if Keycloak out of the box only allowed connections from localhost? 
  That it would block all other incoming traffic and only allow 
connections from 127.0.0.1?  Admins would have to remove this restriction.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the wildfly-dev mailing list