Keycloak Yaml Config


markus.s

Apr 27, 2018, 5:08:13 AM
to WildFly Swarm
I'm trying to configure Keycloak via YAML instead of keycloak.json.

I tried using the swarm.keycloak.realms.KEY.*** parameters, but it does not work.

Am I doing something wrong here?

Thanks
Markus

logger:
  level: DEBUG
swarm:
  context:
    path: foo
  keycloak:
    realms:
      foo-keycloak-example:
        auth-server-url: http://localhost:9090/auth
        ssl-required: external
        bearer-only: true
  deployment:
    foo.war:
      web:
        login-config:
          auth-method: KEYCLOAK
        security-constraints:
          - url-pattern: /bar
            methods: [GET]
            roles: [admin]



Ladislav Thon

Apr 27, 2018, 5:17:10 AM
to wildfl...@googlegroups.com

I'm not sure how the realms work, but configuring a "secure deployment" worked for me:

swarm:
  keycloak:
    secure-deployments:
      my-app.war:
        auth-server-url: "http://localhost:8180/auth"
        realm: test-realm
        resource: test-client
        public-client: true
        ssl-required: EXTERNAL
  deployment:
    my-app.war:
      web:
        security-constraints:
        - url-pattern: /protected/*
          roles:
          - "*"

LT

--
You received this message because you are subscribed to the Google Groups "WildFly Swarm" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wildfly-swar...@googlegroups.com.
To post to this group, send email to wildfl...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wildfly-swarm/21e5cf6b-a8e8-43c0-857d-89d330a7c756%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

markus.s

Apr 27, 2018, 6:32:01 AM
to WildFly Swarm
Worked with secure-deployments. Thanks!

It would be interesting to know when and how to use "swarm.keycloak.realms.KEY.***".

KR
Markus

Sergey Beryozkin

Apr 27, 2018, 8:44:41 AM
to markus.s, WildFly Swarm
Let me have a look; I did not know it was possible to inline.

I thought the only way to point to a realm was to use a keycloak.json (default: in META-INF/keycloak.json, or using a swarm.keycloak.json.path property). Please check the security/keycloak demo.

Cheers, Sergey


Ladislav Thon

Apr 27, 2018, 9:00:55 AM
to wildfl...@googlegroups.com

Indeed, it's possible to inline the entire configuration into project-defaults.yml -- the whole example is at https://github.com/Ladicek/swarm-test-suite/tree/master/wildfly/keycloak

I'm not a big fan of keycloak.json, because in the case of a web app with an API, you need to

  1. configure the server side to use Keycloak
  2. publish Keycloak configuration for the client side

and the preferred option for both of them is to use a file called keycloak.json. Too easy to mess up.

LT

Sergey Beryozkin

Apr 27, 2018, 9:01:07 AM
to markus.s, WildFly Swarm
Sorry, missed Ladislav's response.

I'm not sure the "realms.KEY" approach works, as it is not tied to a specific WAR, and it can support multiple realms, which implies there should be a mechanism in Swarm to feed concrete realm info into KC on a per-request basis.

We can probably look more into it as part of the better multi-tenancy support :-)

Cheers, Sergey

Sergey Beryozkin

Apr 30, 2018, 12:36:56 PM
to markus.s, WildFly Swarm
And confirmed a similar approach works with the testsuite/keycloak.

"realms.KEY" is really there to optimize the configuration in the case of multiple "secure-deployments".

By the way, specifying "secure-servers" instead of "secure-deployments" works too. I'm not exactly sure what the difference is; when I ran the test with "secure-servers" I saw:

"2018-04-30 16:17:56,588 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 22) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "keycloak"),
    ("secure-server" => "test.war")
]) - failure description: "Only public clients are allowed to have their configuration exposed through the management interface""

(Indeed, the test uses 'bearer-only'.) This probably implies the "secure-servers" have higher visibility (added to the management console, etc.).

Cheers, Sergey
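A small checker for the pitfalls this thread uncovered, as an added example that is not code from WildFly Swarm or from anyone on the thread. It assumes the YAML has already been loaded into nested dicts (the shape PyYAML's safe_load returns), and it treats 'none' as the ssl-required value that switches off TLS enforcement, a Keycloak adapter setting not mentioned above; the sample configs are constructed from the ones posted.

```python
def lint_keycloak_config(cfg):
    """Added example (not project code): list findings for a loaded project-defaults.yml dict."""
    swarm = cfg.get("swarm", {})
    kc = swarm.get("keycloak", {})
    deployments = swarm.get("deployment", {})
    adapters = {**kc.get("secure-deployments", {}), **kc.get("secure-servers", {})}
    findings = []
    # 1. realms.KEY only shares settings between adapter entries that name it;
    #    a realm nobody references protects nothing (the original problem above).
    referenced = {a.get("realm") for a in adapters.values()}
    for name in kc.get("realms", {}):
        if name not in referenced:
            findings.append(f"realm '{name}' is not referenced by any secure-deployment")
    # 2. A WAR with security-constraints but no adapter entry has no Keycloak config
    #    unless a keycloak.json is packaged inside the archive.
    for war, dep in deployments.items():
        if dep.get("web", {}).get("security-constraints") and war not in adapters:
            findings.append(f"deployment '{war}' has constraints but no secure-deployment")
    # 3. The reverse: an adapter entry whose WAR protects no URL pattern, and an
    #    ssl-required of 'none' (assumed adapter value; 'external'/'all' keep TLS).
    for war, adapter in adapters.items():
        if not deployments.get(war, {}).get("web", {}).get("security-constraints"):
            findings.append(f"'{war}' has no security-constraints; nothing is protected")
        if str(adapter.get("ssl-required", "")).lower() == "none":
            findings.append(f"'{war}' sets ssl-required none; tokens travel in clear text")
    # 4. secure-servers expose their config through the management interface, which
    #    the subsystem allows only for public clients (the WFLYCTL0013 failure above).
    for war, adapter in kc.get("secure-servers", {}).items():
        if adapter.get("bearer-only") or not adapter.get("public-client"):
            findings.append(f"secure-server '{war}' is not a public client; boot will fail")
    return findings

# Constructed sample: the thread's first config (realm defined but never referenced)
# plus a bearer-only secure-servers entry like the failing test.war.
SAMPLE = {"swarm": {
    "keycloak": {"realms": {"foo-keycloak-example": {"ssl-required": "external",
                    "auth-server-url": "http://localhost:9090/auth", "bearer-only": True}},
                 "secure-servers": {"test.war": {"realm": "test-realm", "bearer-only": True,
                    "resource": "test-client", "ssl-required": "external"}}},
    "deployment": {"foo.war": {"web": {"login-config": {"auth-method": "KEYCLOAK"},
        "security-constraints": [{"url-pattern": "/bar", "roles": ["admin"]}]}}}}}

# Constructed sample: the working secure-deployments config from the thread.
GOOD = {"swarm": {
    "keycloak": {"secure-deployments": {"my-app.war": {"realm": "test-realm",
        "auth-server-url": "http://localhost:8180/auth", "resource": "test-client",
        "public-client": True, "ssl-required": "EXTERNAL"}}},
    "deployment": {"my-app.war": {"web": {"security-constraints": [
        {"url-pattern": "/protected/*", "roles": ["*"]}]}}}}}
```

Running lint_keycloak_config(SAMPLE) reports four findings (unreferenced realm, unprotected foo.war, test.war with no constraints, and the non-public secure-server), while the working config returns none.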