
Wildfly Swarm: Environment specific configuration of Keycloak Backend


Given is a JavaEE application on wildfly that uses keycloak as authentication backend, configured in project-stages.yml:

swarm:
  deployment:
    my.app.war:
      web:
        login-config:
          auth-method: KEYCLOAK

The application will be deployed in different environments using a GitLab CD pipeline. Therefore the Keycloak specifics must be configured per environment.

So far the only working configuration that I have found is adding a keycloak.json like this (the same file in every environment):

{
  "realm": "helsinki",
  "bearer-only": true,
  "auth-server-url": "http://localhost:8180/auth",
  "ssl-required": "external",
  "resource": "backend" 
}

According to the Wildfly-Swarm Documentation it should be possible to configure keycloak in project-stages.yml like:

swarm:
  keycloak:
    secure-deployments:
      my-deployment:
        realm: keycloakrealmname
        bearer-only: true
        ssl-required: external
        resource: keycloakresource
        auth-server-url: http://localhost:8180/auth

But when I deploy the application, no configuration is read:

2018-03-08 06:29:03,540 DEBUG [org.keycloak.adapters.undertow.KeycloakServletExtension] (ServerService Thread Pool -- 12) KeycloakServletException initialization
2018-03-08 06:29:03,540 DEBUG [org.keycloak.adapters.undertow.KeycloakServletExtension] (ServerService Thread Pool -- 12) using /WEB-INF/keycloak.json
2018-03-08 06:29:03,542 WARN  [org.keycloak.adapters.undertow.KeycloakServletExtension] (ServerService Thread Pool -- 12) No adapter configuration.  Keycloak is unconfigured and will deny all requests.
2018-03-08 06:29:03,545 DEBUG [org.keycloak.adapters.undertow.KeycloakServletExtension] (ServerService Thread Pool -- 12) Keycloak is using a per-deployment configuration.

If you take a look at the source of the above class, it looks like the only way around this is to provide a KeycloakConfigResolver. Does Wildfly-Swarm provide a resolver that reads the project-stages.yml?

How can I configure environment-specific auth-server-urls?

A workaround would be to have different keycloak.json files, but I would rather use the project-stages.yml.


Solution

  • I have a small WildFly Swarm project which configures Keycloak exclusively via project-defaults.yml here: https://github.com/Ladicek/swarm-test-suite/tree/master/wildfly/keycloak

    From the snippets you posted, the only thing that looks wrong is this:

    swarm:
      keycloak:
        secure-deployments:
          my-deployment:

    The my-deployment name needs to be the actual name of the deployment, same as what you have in

    swarm:
      deployment:
        my.app.war:
    

    If you already have that, then I'm afraid I'd have to start speculating: which WildFly Swarm version do you use? Which Keycloak version?
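Putting the answer together with the original per-environment question, here is an added example of a complete project-stages.yml (not the asker's file, the answerer's project or the WildFly Swarm project's own code). It assumes the deployment is really called my.app.war as in the question, uses WildFly Swarm's project-stages mechanism (YAML documents separated by `---`, selected at start-up with `-Dswarm.project.stage=<name>`), and the Keycloak host names are constructed placeholders.

```yaml
# project-stages.yml (added example). The first document holds the
# defaults shared by every environment. The key under secure-deployments
# must be the deployment name itself (my.app.war, matching
# swarm.deployment below), not an arbitrary label like "my-deployment";
# otherwise the adapter finds no configuration and denies all requests,
# which is what the "No adapter configuration" log line reports.
swarm:
  deployment:
    my.app.war:
      web:
        login-config:
          auth-method: KEYCLOAK
  keycloak:
    secure-deployments:
      my.app.war:
        realm: helsinki
        bearer-only: true
        ssl-required: external
        resource: backend
        auth-server-url: http://localhost:8180/auth
---
# Stage "staging": activated with -Dswarm.project.stage=staging.
# Stage values are layered over the defaults, so only the key that
# differs per environment (the auth-server-url) is repeated here.
# Host names are constructed placeholders, not real servers.
project:
  stage: staging
swarm:
  keycloak:
    secure-deployments:
      my.app.war:
        auth-server-url: https://keycloak.staging.example.invalid/auth
---
# Stage "production": activated with -Dswarm.project.stage=production.
project:
  stage: production
swarm:
  keycloak:
    secure-deployments:
      my.app.war:
        auth-server-url: https://keycloak.example.invalid/auth
```

The pipeline then only has to pass the matching `-Dswarm.project.stage` value per environment instead of swapping keycloak.json files, and no stage inherits the localhost URL by accident.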