Re: [keycloak-dev] Override "native" Keycloak providers

Hello Jerry, I encountered a similar problem with Keycloak 4.x when I needed to implement my own SamlProtocolFactory to customize the SAML Message handling. See: http://lists.jboss.org/pipermail/keycloak-dev/2019-February/011745.html The only way I could get this to work was to add my custom extension jar to the module.xml of the keycloak-services module, see the link for details. It's by far not the best solution, but at least it works. Cheers, Thomas On Wed, 27 Mar 2019 at 22:28, Jerry Saravia <jerry.saravia(a)virginpulse.com > wrote: > Hello, > > > > We’ve been using version 3.4.3 for a while now and are attempting to > upgrade to 4.8 and we’ve run into some issues. > > > > Summary: We have created our own providers with the same PROVIDER_ID as > some of the built in providers. For example, PasswordCredentialProvider has > a provider id of “keycloak-password” and we created our own with the same > id that gets loaded after the native one. This worked because in 3.4.3 > providers that were using the same id would still have their factories > added to the factory map. > > > > See this link here for 3.4.3 changes: > > > https://github.com/keycloak/keycloak/blob/3.4.3.Final/services/src/main/j... > > > > These are the 4.8 changes > > > https://github.com/keycloak/keycloak/blob/4.8.3.Final/services/src/main/j... > > > > In 4.8, the fully qualified class name (FQCN) is not longer used. Instead > it uses the provider id and the spi name. I can no longer use the same > PROVIDER_ID as the native providers to ‘override’ them, but sometimes there > is code that gets the provider specifically by id. For example, in the > UpdatePassword required action we have this: > > > > PasswordCredentialProvider passwordProvider = > (PasswordCredentialProvider)context.getSession().getProvider(CredentialProvider.class, > PasswordCredentialProviderFactory.PROVIDER_ID); > > > > In 3.4.3 because our provider was loaded we were able to inject into code > that normally isn’t overridable. We did the same for the > OIDCLoginProtocolFactory to alter some token endpoint behavior even the > UpdatePassword required action itself rather than making a brand new > required action that is a “second rate” because it isn’t native to Keycloak. > > > > Is there a solution for this in 4.8.3? I see this change was made in > 4.0.0.Beta1 according to some of the history. > > > > J > > > Jerry Saravia > Software Engineer > T(516) 603-6914 > M516-603-6914 > virginpulse.com > |virginpulse.com/global-challenge > 492 Old Connecticut Path, Framingham, MA 01701, USA > Australia | Bosnia and Herzegovina | Brazil | Canada | Singapore | > Switzerland | United Kingdom | USA > Confidentiality Notice: The information contained in this e-mail, > including any attachment(s), is intended solely for use by the designated > recipient(s). Unauthorized use, dissemination, distribution, or > reproduction of this message by anyone other than the intended > recipient(s), or a person designated as responsible for delivering such > messages to the intended recipient, is strictly prohibited and may be > unlawful. This e-mail may contain proprietary, confidential or privileged > information. Any views or opinions expressed are solely those of the author > and do not necessarily represent those of Virgin Pulse, Inc. If you have > received this message in error, or are not the named recipient(s), please > immediately notify the sender and delete this e-mail message. > v2.48 > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev