Reputation: 35
I'm looking for a way to parametrize the Keycloak subsystem (WildFly adapter properties) to allow external input for the secure-deployment name attribute.
I'm deploying the application to multiple environments with the exact same configuration aside from the WAR name, so I'd like to have everything configurable as an input parameter, either from the system properties in standalone.xml or from an environment variable. I was, however, unable to achieve this with the aforementioned subsystem. I've already experimented with setting up system properties and environment variables. The following is a sample of the current subsystem configuration, with some_war_name.war being hardcoded:
<secure-deployment name="some_war_name.war">
    <realm>${keycloak.realm}</realm>
    <resource>${keycloak.client.id}</resource>
    <auth-server-url>${keycloak.server.url}</auth-server-url>
    <ssl-required>external</ssl-required>
    <credential name="secret">${keycloak.credential.secret}</credential>
</secure-deployment>
Unfortunately I was unable to parametrize the secure-deployment name in any way. Is it even achievable?
Upvotes: 0
Views: 1421
Reputation: 146
Parametrizing the secure deployment name doesn't work on the subsystem.
You can work around that by creating a keycloak.json adapter configuration file within the WEB-INF directory of your WAR, as explained in the doc:
https://www.keycloak.org/docs/latest/securing_apps/#required-per-war-configuration
For example:
{
    "realm": "${env.keycloak.realm}",
    "auth-server-url": "${env.keycloak.auth-server-url}",
    "ssl-required": "${env.keycloak.ssl-required}",
    "resource": "${env.keycloak.resource}"
}
Upvotes: 0
Reputation: 133
Unfortunately I don't have the answer, but I have exactly the same problem here using WildFly 16.0 (Docker image).
When providing:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="my.very.special.war.file.war">
        <realm>${env.keycloak.realm}</realm>
        <auth-server-url>${env.keycloak.auth-server-url}</auth-server-url>
        <ssl-required>${env.keycloak.ssl-required}</ssl-required>
        <resource>${env.keycloak.resource}</resource>
        <credential name="secret">${env.keycloak.credentials.secret}</credential>
        <principal-attribute>preferred_username</principal-attribute>
        <use-resource-role-mappings>${env.keycloak.use-resource-role-mappings}</use-resource-role-mappings>
    </secure-deployment>
</subsystem>
Everything works as expected. But when doing
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="${env.keycloak.deployment.name}">
        <realm>${env.keycloak.realm}</realm>
        <auth-server-url>${env.keycloak.auth-server-url}</auth-server-url>
        <ssl-required>${env.keycloak.ssl-required}</ssl-required>
        <resource>${env.keycloak.resource}</resource>
        <credential name="secret">${env.keycloak.credentials.secret}</credential>
        <principal-attribute>preferred_username</principal-attribute>
        <use-resource-role-mappings>${env.keycloak.use-resource-role-mappings}</use-resource-role-mappings>
    </secure-deployment>
</subsystem>
I get the following warning log:
[org.keycloak.adapters.undertow.KeycloakServletExtension] (ServerService Thread Pool -- 54) No adapter configuration. Keycloak is unconfigured and will deny all requests.
The environment variable is available and has no typo in it. Cheers
Upvotes: 0
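Both posts above report that an expression in the secure-deployment name attribute is not resolved, which leaves the adapter unconfigured. One way to keep a single configuration per environment is to render the name into the file before the server starts; the script below is an added example, not code from any poster or from the Keycloak project. The token @KEYCLOAK_DEPLOYMENT_NAME@, the variable KEYCLOAK_DEPLOYMENT_NAME and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The token @KEYCLOAK_DEPLOYMENT_NAME@ and the variable
# KEYCLOAK_DEPLOYMENT_NAME are assumptions, not Keycloak or WildFly features.

# Accept only a plain WAR file name, so the value cannot break out of the
# XML attribute or the sed replacement (no quotes, <, >, &, |, \, /, spaces).
valid_war_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *.war) return 0 ;;
        *) return 1 ;;
    esac
}

# render_deployment_name TEMPLATE OUTPUT
# Returns non-zero without writing OUTPUT when the name is unset or invalid,
# or when TEMPLATE lacks the token in the secure-deployment name attribute.
render_deployment_name() {
    template=$1
    output=$2
    name=${KEYCLOAK_DEPLOYMENT_NAME:-}
    if ! valid_war_name "$name"; then
        echo "refusing to render: invalid KEYCLOAK_DEPLOYMENT_NAME" >&2
        return 1
    fi
    if ! grep -q '<secure-deployment name="@KEYCLOAK_DEPLOYMENT_NAME@">' "$template"; then
        echo "refusing to render: token not found in $template" >&2
        return 1
    fi
    sed "s|@KEYCLOAK_DEPLOYMENT_NAME@|$name|g" "$template" > "$output"
}

# Constructed sample: a cut-down subsystem fragment rendered for one environment.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/standalone.xml.tpl" <<'EOF'
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="@KEYCLOAK_DEPLOYMENT_NAME@">
        <realm>${env.keycloak.realm}</realm>
    </secure-deployment>
</subsystem>
EOF
    ( KEYCLOAK_DEPLOYMENT_NAME=some_war_name.war
      render_deployment_name "$dir/standalone.xml.tpl" "$dir/standalone.xml" ) &&
        cat "$dir/standalone.xml"
}

demo
```

The other ${env...} expressions pass through untouched, so the realm, URL and secret are still resolved by the server at runtime as in the working configuration above.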