[wildfly-dev] Keycloak SSO in WildFly 9

Jason Greene jason.greene at redhat.com
Wed Jun 4 13:36:35 EDT 2014


On Jun 4, 2014, at 12:23 PM, Jason Greene <jason.greene at redhat.com> wrote:

> 
> On Jun 3, 2014, at 1:25 PM, Darran Lofthouse <darran.lofthouse at jboss.com> wrote:
> 
>>> Both the auth server and admin console are served from the same WAR.  It
>>> should be possible to deploy this without using a WAR or servlets, but
>>> that is not planned for the initial WildFly integration.  Because of
>>> this current limitation, the auth server and admin console will not be
>>> present in a domain controller.
>> 
>> This is going against the current design of AS7/WildFly exposing 
>> management related operations over the management interface and leaving 
>> the web container to be purely about a user's deployments.
> 
> Sorry for my delayed reply. I hadn’t had a chance to read the full thread.
> 
> My understanding of the original and still current goal of Keycloak is to be more of an appliance, and also largely independent of WildFly. 
> 
> From that perspective, I don’t think embedding Keycloak solely to be in the same VM makes a lot of sense (more details as to why follow). It’s fine to have Keycloak running on a WildFly instance (either as a subsystem or a deployment), but to me this seems to be a bit more of a black box to the user.
> 
> So a typical topology, based on the factors I am aware of would look like this:
> 
>                                                       
>                                                       
>                +------+     Auth       +----------+   
>                |      +---------------->          |   
>                |  DC  |                | Keycloak |   
>           +----+      +----+           |          |   
>           |    +------+    |           +----------+   
>           |                |                          
>       +---v--+          +--v---+                      
>       |      |          |      |                      
>       |  HC  |          |  HC  |                      
>     +-+      +-+      +-+      +-+                    
>     | +--+---+ |      | +--+---+ |                    
>     |    |     |      |    |     |                    
>    +v-+ +v-+ +-v+    +v-+ +v-+ +-v+                   
>    |S1| |S2| |S3|    |S4| |S5| |S6|                   
>    +--+ +--+ +--+    +--+ +--+ +--+

Actually it should look like this, if you factor in deployments doing auth as well.
                                                      
               +------+     Auth       +----------+   
               |      +---------------->          |   
               |  DC  |                | Keycloak |   
          +----+      +----+           |          |   
          |    +------+    |           +-----^----+   
          |                |                 |        
      +---v--+          +--v---+             |         
      |      |          |      |             |        
      |  HC  |          |  HC  |             | Application Auth        
    +-+      +-+      +-+      +-+           |         
    | +--+---+ |      | +--+---+ |           |         
    |    |     |      |    |     |           |        
   +v-+ +v-+ +-v+    +v-+ +v-+ +-v+          |        
   |S1| |S2| |S3|    |S4| |S5| |S6|----------+                   
   +--+ +--+ +--+    +--+ +--+ +--+                   
                                                      

--
Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat



