Upgrade to the Quarkus-based Keycloak distribution #64

Open
XcrigX opened this issue May 2, 2022 · 23 comments

@XcrigX

XcrigX commented May 2, 2022

The current project is fixed to Keycloak 16.1.1.
It appears starting with Keycloak 17, significant changes have been made to how keycloak configuration works:
https://www.keycloak.org/docs/latest/release_notes/index.html#keycloak-17-0-0

"The default Keycloak distribution is now based on Quarkus. The new distribution is faster, leaner, and a lot easier to configure!
We appreciate migrating from the WildFly distribution is not going to be straightforward for everyone, since how you start and configure Keycloak has radically changed. With that in mind we will continue to support the WildFly distribution until June 2022."

Note also the end support date of June 2022.

Are the maintainers here planning an update, or should your (very appreciative) users plan this on their own?
Thanks!

NOTE: I haven't tried or looked deeply into the changes or upgrading as of yet, but will share back anything I learn or do here.

@lmsurpre
Collaborator

lmsurpre commented May 2, 2022

I've now bumped the version to keycloak 18.0.0, but I have not looked into making it compatible with the quarkus distribution. If you don't mind, I'll update the title of this one to indicate the desire to move to that.

@lmsurpre lmsurpre changed the title Upgrading to Keycloak v17/18+ Upgrade to the Quarkus-based Keycloak distribution May 2, 2022
@lmsurpre
Collaborator

lmsurpre commented May 2, 2022

I don't have immediate plans for looking into the Quarkus distribution...any insights you (or others) can provide on the changes required for that would be most welcome.

@lmsurpre
Collaborator

lmsurpre commented May 2, 2022

For cases where a user has access to more than one patient and a launch/patient scope is requested, the current implementation makes use of IBM FHIR Server client libs (packaged as a jboss module)...I don't think any of that will work in Quarkus. I'd probably start by looking at version 2.x of the testcontainers-keycloak project which supports the Quarkus-based keycloak distribution...hopefully that could provide a nice environment to iterate on the Patient selection form.

Also, if it's needed, feel free to open an issue at IBM/FHIR to request quarkus support from the main libs (fhir-model and fhir-provider) there.

@XcrigX
Author

XcrigX commented Jun 15, 2022

@lmsurpre - We had some luck getting this to work on the Quarkus version. We used the HAPI client libs rather than Jboss to query the FHIR server and packaged the custom authenticator as a shaded/uber jar which can then be deployed with Keycloak at a specific path.
One difference to be aware of is this guidance in the 17.x release notes:
"With the new distribution there is no longer a separate classpath for custom providers, so you may need to be more careful with what additional dependencies you include. In addition, the EAR packaging format, and jboss-deployment-structure.xml files, is no longer supported."

There are of course a lot of differences in how to configure and run Keycloak in the latest version as well.

I hope to share this back when we get to a stable point, but wanted to update that it's possible and not too difficult or different really from what you had.

@jigneshmpatel

@XcrigX were you able to make any progress on using Keycloak based on Quarkus? I see there are many branches created by @lmsurpre. Is there any branch we can pick up and start working on? If required, we can also work towards completing the pending task.

@XcrigX
Author

XcrigX commented Oct 6, 2022

@jigneshmpatel - I have my working copy here: https://github.com/XcrigX/keycloak-extensions-for-fhir/tree/quarkus-update

I'm still working through some issues with the unit tests so I haven't pushed it to this repo yet. There is also some work to do to update the readme. I'll update here when I get it fully functioning - I think it's 95% there.
@lmsurpre - Let me know how you'd like to handle it when it's working - a separate branch here?

@jigneshmpatel

@XcrigX thank you for the response. Since the window for g10 certification is very close, how do we jump in and start working? Is it only the test cases that are not working?

@XcrigX
Author

XcrigX commented Oct 6, 2022

Some context: I have everything working in a different/private repo we had started from scratch using this project as a guide.
I am now trying to port what we did back to this project. So I know it can work.
I have not tested this version out 'live' yet though. I just started porting it back here today.

I'm down to one strange test failure. The KeyCloakConfig.PropertyGroupTest fails when running from the command line, but works in Eclipse. I'm out of time to figure it out today though.

Feel free to grab it and build it. Keycloak does come up.

Be warned - I found Keycloak to be tricky to get configured to run in a real environment (behind a reverse-proxy, admin console not publicly available, TLS, etc.).
The Dockerfile here is starting the server in dev mode. You'll need to change all that to run it "for real".
See: https://www.keycloak.org/guides for more info.

@jigneshmpatel

ok, see if there is progress being made towards the end of the week; we will start exploring sometime early next week.

@XcrigX
Author

XcrigX commented Oct 7, 2022

fyi, unit test errors all fixed now - was just an issue with the surefire plugin version and junit5

@XcrigX
Author

XcrigX commented Oct 7, 2022

NOTE: I deleted and recreated the branch also so I could squash everything into 1 commit: https://github.com/XcrigX/keycloak-extensions-for-fhir/tree/feature/quarkus-update

@lmsurpre
Collaborator

lmsurpre commented Oct 7, 2022

That's awesome @XcrigX ... please open a PR if you're interested in contributing that.
We do follow DCO here and so you'd need to amend your commit to add a single-line signoff.

@jigneshmpatel

jigneshmpatel commented Oct 7, 2022 via email

@XcrigX
Author

XcrigX commented Oct 7, 2022

pushed another update to fix some docker build issues and update the readme to reflect proper docker build commands and paths. @jigneshmpatel - I haven't run it through the wringer yet to functionally test it and I may not get to that right now. The images build and come up. The code should not require any modifications unless there are bugs/issues - however you will need to make your own Dockerfile if you intend to deploy it in a non-test environment. You'll need to fill in various env variables to the container for your environment (database, hostnames, etc.), and you'd want to start keycloak NOT in dev mode.

@jigneshmpatel

got it.

@jigneshmpatel

are there build steps I can follow?
I believe I need to checkout the branch: keycloak-extensions-for-fhir

@jigneshmpatel

jigneshmpatel commented Oct 9, 2022

I am not able to run

```
docker run -v <My_PATH>:/config -e KEYCLOAK_BASE_URL=http://localhost:8081/auth alvearie/keycloak-config -configFile config/keycloak-config.json
```

Not only that, localhost:8080 doesn't show the appropriate login screen; instead it gives the following message:

```
Open http://localhost:8080/
or set the environment variables KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD before starting the server.
```

after running the following command:

```
docker run -p 8080:8080 -p 8443:8443 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin alvearie/smart-keycloak
```

I have tried with JDK 11 and JDK 17.

@jigneshmpatel

My team member was able to bring up the server in the main branch, but as stated above I can't run the feature/quarkus-update branch.

@XcrigX
Author

XcrigX commented Oct 10, 2022

@jigneshmpatel - Be sure to check that you are connected to the proper branch - I deleted and recreated it a couple of times.
I updated the readme.md documentation to update the environment variable names and things - but it's possible I still missed something.

You could also access the code from the PR I submitted:
#97

Once you've verified you have the latest updates from the proper branch, these commands I think should work to start it:

```
docker build . -f keycloak-config/Dockerfile -t alvearie/keycloak-config

docker run -v /local/config/dir:/config -e KEYCLOAK_BASE_URL=http://host.docker.internal:8080 alvearie/keycloak-config -configFile config/keycloak-config.json
```

You'd then need to build and run the keycloakConfig container as well once that is working to create the test realm with SMART support.

@XcrigX
Author

XcrigX commented Oct 10, 2022

apologies, I gave the keycloak config info above. The smart keycloak command would be:

```
docker run -p 8080:8080 -p 8443:8443 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin alvearie/smart-keycloak
```
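
A pre-flight check for the variable-name mix-up in the comments above, added here as an example and not code from this project or from Keycloak: it flags the old `KEYCLOAK_USER`/`KEYCLOAK_PASSWORD` names, an `admin` or empty admin password, and `start-dev` in a `docker run` argument list. The function names and finding labels are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not project code): lint a `docker run` argument list for the
# Quarkus-based Keycloak image. Finding labels are invented for this sketch.
# Prints one finding per line; returns 1 if anything was flagged, else 0.

kc_check_env() {    # $1 = one NAME=value pair taken from -e / --env
    case "$1" in
        KEYCLOAK_USER=*|KEYCLOAK_PASSWORD=*)
            # Names used in the failing command in this thread; the server
            # asked for KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD instead.
            echo "legacy-var ${1%%=*}"; return 1 ;;
        KEYCLOAK_ADMIN_PASSWORD=admin|KEYCLOAK_ADMIN_PASSWORD=)
            # Fine for a local test container, not for anything reachable.
            echo "weak-admin-password"; return 1 ;;
    esac
    return 0
}

kc_lint_run() {     # "$@" = everything that follows `docker run`
    rc=0; next_is_env=0; seen_user=0; seen_pass=0
    for arg in "$@"; do
        pair=""
        if [ "$next_is_env" -eq 1 ]; then
            pair=$arg; next_is_env=0
        else
            case "$arg" in
                -e|--env)  next_is_env=1 ;;
                --env=*)   pair=${arg#--env=} ;;
                start-dev) echo "dev-mode"; rc=1 ;;   # Keycloak's dev-mode command
            esac
        fi
        [ -n "$pair" ] || continue
        case "$pair" in
            KEYCLOAK_ADMIN=*)          seen_user=1 ;;
            KEYCLOAK_ADMIN_PASSWORD=*) seen_pass=1 ;;
        esac
        kc_check_env "$pair" || rc=1
    done
    if [ "$seen_user" -eq 0 ] || [ "$seen_pass" -eq 0 ]; then
        echo "no-bootstrap-admin"; rc=1
    fi
    return "$rc"
}
```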

@jigneshmpatel

jigneshmpatel commented Oct 11, 2022

Is it advisable to run with JDK 17, as it has long-term support?
I can confirm that I can run on JDK 11 without any issues.
Also, what other configuration is required that we should work on to integrate with a SMART FHIR application?

@jigneshmpatel

We need some guidance on how to configure the following:
keycloak

```
"capabilities": [
        "launch-ehr",
        "launch-standalone",
        "client-public",
        "client-confidential-symmetric",
        "sso-openid-connect",
        "context-banner",
        "context-style",
        "context-ehr-patient",
        "context-ehr-encounter",
        "context-standalone-patient",
        "context-standalone-encounter",
        "permission-offline",
        "permission-patient",
        "permission-user"
    ]

    management_endpoint
```

Also, in the response we are not able to set header values.

@XcrigX
Author

XcrigX commented Oct 17, 2022

@jigneshmpatel - Suggest you re-read the readme wiki for this project. It's not a complete implementation of all things Smart on FHIR. Rather it extends Keycloak to add support for some things in the SMART spec which are not supported by Keycloak out of the box.
It will give you a base to support standalone app launch for "launch/patient" - but may still require some customizations for your specific use-cases. For instance, in my case the way I am correlating FHIR Patient IDs to Keycloak users is different from what this project does - so I had to further customize those parts in my private repo.

I have not looked into using it for use-cases other than launch/patient. Presumably for most of those the EHR would already have an authenticated user - so I'm not certain where Keycloak would even play a role unless it is the Auth server for the EHR.

For general SMART on FHIR info/questions (not specific to Keycloak), you can also utilize the SMART channel/stream here: https://chat.fhir.org/
