Hey guys,
Thank you for commenting.
@Stian, the default-provider option works well enough for times where native keycloak code
doesn’t use a specific ID to request the provider.
However, for cases like the SAML provider as Thomas highlighted, it doesn’t work. I too
had to change some of the SAML behavior such as the template that is used for errors and
the way that some of the errors are handled.
I’ll be trying Thomas’ approach for now since it seems like it’ll help.
Jerry Saravia
Software Engineer
T(516) 603-6914
M516-603-6914
virginpulse.com
|virginpulse.com/global-challenge
492 Old Connecticut Path, Framingham, MA 01701, USA
Australia | Bosnia and Herzegovina | Brazil | Canada | Singapore | Switzerland | United
Kingdom | USA
Confidentiality Notice: The information contained in this e-mail, including any
attachment(s), is intended solely for use by the designated recipient(s). Unauthorized
use, dissemination, distribution, or reproduction of this message by anyone other than the
intended recipient(s), or a person designated as responsible for delivering such messages
to the intended recipient, is strictly prohibited and may be unlawful. This e-mail may
contain proprietary, confidential or privileged information. Any views or opinions
expressed are solely those of the author and do not necessarily represent those of Virgin
Pulse, Inc. If you have received this message in error, or are not the named recipient(s),
please immediately notify the sender and delete this e-mail message.
v2.50
From: Stian Thorgersen <sthorger(a)redhat.com>
Reply-To: "stian(a)redhat.com" <stian(a)redhat.com>
Date: Wednesday, March 27, 2019 at 20:35
To: Thomas Darimont <thomas.darimont(a)googlemail.com>
Cc: Jerry Saravia <jerry.saravia(a)virginpulse.com>,
"keycloak-dev(a)lists.jboss.org" <keycloak-dev(a)lists.jboss.org>
Subject: Re: [keycloak-dev] Override "native" Keycloak providers
This email originates outside Virgin Pulse.
Instead of trying to deploy a custom provider with the same id as the default provider you
can change the default provider for an SPI. In standalone.xml just set the
default-provider for the SPI to your own. This will work when Keycloak doesn't specify
directly what provider to get.
It was never supported to load a custom provider with same ID as the built-in providers. I
believe that was a side-effect made possible when we introduced the ability to hot deploy
providers.
On Wed, 27 Mar 2019 at 23:27, Thomas Darimont
<thomas.darimont@googlemail.com<mailto:thomas.darimont@googlemail.com>>
wrote:
Hello Jerry,
I encountered a similar problem with Keycloak 4.x when I needed to
implement my own SamlProtocolFactory to customize the SAML Message handling.
See:
http://lists.jboss.org/pipermail/keycloak-dev/2019-February/011745.html&l...
The only way I could get this to work was to add my custom extension jar to
the module.xml of the keycloak-services module,
see the link for details.
It's by far not the best solution, but at least it works.
Cheers,
Thomas
On Wed, 27 Mar 2019 at 22:28, Jerry Saravia
<jerry.saravia@virginpulse.com<mailto:jerry.saravia@virginpulse.com>>
wrote:
Hello,
We’ve been using version 3.4.3 for a while now and are attempting to
upgrade to 4.8 and we’ve run into some issues.
Summary: We have created our own providers with the same PROVIDER_ID as
some of the built in providers. For example, PasswordCredentialProvider has
a provider id of “keycloak-password” and we created our own with the same
id that gets loaded after the native one. This worked because in 3.4.3
providers that were using the same id would still have their factories
added to the factory map.
See this link here for 3.4.3 changes:
https://github.com/keycloak/keycloak/blob/3.4.3.Final/services/src/main/j...
These are the 4.8 changes
https://github.com/keycloak/keycloak/blob/4.8.3.Final/services/src/main/j...
In 4.8, the fully qualified class name (FQCN) is not longer used. Instead
it uses the provider id and the spi name. I can no longer use the same
PROVIDER_ID as the native providers to ‘override’ them, but sometimes there
is code that gets the provider specifically by id. For example, in the
UpdatePassword required action we have this:
PasswordCredentialProvider passwordProvider =
(PasswordCredentialProvider)context.getSession().getProvider(CredentialProvider.class,
PasswordCredentialProviderFactory.PROVIDER_ID);
In 3.4.3 because our provider was loaded we were able to inject into code
that normally isn’t overridable. We did the same for the
OIDCLoginProtocolFactory to alter some token endpoint behavior even the
UpdatePassword required action itself rather than making a brand new
required action that is a “second rate” because it isn’t native to Keycloak.
Is there a solution for this in 4.8.3? I see this change was made in
4.0.0.Beta1 according to some of the history.
J
Jerry Saravia
Software Engineer
T(516) 603-6914
M516-603-6914
virginpulse.com<https://nam02.safelinks.protection.outlook.com/?url=ht...
|virginpulse.com/global-challenge<https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fvirginpulse.com%2Fglobal-challenge&data=02%7C01%7Cjerry.saravia%40virginpulse.com%7C29bb3f9e3749470e566e08d6b3154a33%7Cb123a16e892b4cf6a55a6f8c7606a035%7C0%7C0%7C636893301423013114&sdata=Vx2gyBFI0DaPSoAjof7PQmwqX59pnQ54jelBdf5sljU%3D&reserved=0>
492 Old Connecticut Path, Framingham, MA 01701, USA
Australia | Bosnia and Herzegovina | Brazil | Canada | Singapore |
Switzerland | United Kingdom | USA
Confidentiality Notice: The information contained in this e-mail,
including any attachment(s), is intended solely for use by the designated
recipient(s). Unauthorized use, dissemination, distribution, or
reproduction of this message by anyone other than the intended
recipient(s), or a person designated as responsible for delivering such
messages to the intended recipient, is strictly prohibited and may be
unlawful. This e-mail may contain proprietary, confidential or privileged
information. Any views or opinions expressed are solely those of the author
and do not necessarily represent those of Virgin Pulse, Inc. If you have
received this message in error, or are not the named recipient(s), please
immediately notify the sender and delete this e-mail message.
v2.48
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev<https://nam02.sa...
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev<https://nam02.sa...