#aws
2020-04-27
steveb8n 02:04:24

I'm using Cognito. It was nasty to set up, but (as you say) it is good to keep everything with one vendor. I eventually set it up using CDK.

steveb8n 02:04:50

I plan to move to Keycloak in the future though: better features and docs all around. Can still run that on AWS

Ahmed Hassan 07:04:00

There's a library named `keycloak-clojure` that wraps the Keycloak Java Adapter: https://github.com/jgrodziski/keycloak-clojure

Ahmed Hassan 07:04:01

How feasible is setting up Keycloak for a single developer, versus using sessions and PostgreSQL tables for users' email/username, roles, hashed passwords and permissions? Using Buddy and Permissions (https://github.com/tuhlmann/permissions) for this purpose. I'm asking from the perspective of operational cost, complexity, and barriers versus benefit.

ackerleytng 08:04:12

I've not used Keycloak with Clojure before, but I've used it with a Python webapp.

ackerleytng 08:04:45

I liked not having to worry about sessions, and getting to offload a lot of the security stuff to Gatekeeper.

Ahmed Hassan 08:04:10

How did you set up Keycloak? Is it feasible to do it on the same machine, on the DO droplet on which the app is installed (with PostgreSQL for app data)?

ackerleytng 08:04:21

Actually, the nice part is more Gatekeeper than Keycloak! Not sure if AWS has a similar setup, but the idea behind Gatekeeper is that it takes client traffic like a reverse proxy, and only forwards it upstream if it passes validation.

ackerleytng 08:04:05

I set it up on another VM.

ackerleytng 08:04:33

If you set it up on the same machine, you'll have to deal with routing the client requests between Keycloak and your app.

ackerleytng 08:04:11

The client will need to be redirected to Keycloak; that's the way OAuth works.

Ahmed Hassan 08:04:32

So the request would go like nginx -> keycloak -> keycloak gatekeeper -> clojure app?

ackerleytng 08:04:24

Nope, it'll be something like

nginx -> keycloak
  |
  V
gatekeeper -> clojure app

ackerleytng 08:04:09

This isn't the Python app, it's a quickstart that Keycloak provided.

ackerleytng 08:04:30

I modified it to work in Docker and added further instructions to make it a quicker quickstart.

ackerleytng 08:04:56

I used Caddy to route between Keycloak and the Java app (this one doesn't use Gatekeeper).

ackerleytng 08:04:14

Not sure if this is such a good idea for a production service though.