This kinda works by accident and it's not fully reliable as something could
change.
I'd like to make sure only one provider is registered with a specific id,
but allow disabling built-in providers.
If that sounds like a plan please create an issue.
On Wed, 5 Jun 2019, 13:29 Thomas Darimont, <thomas.darimont(a)googlemail.com>
wrote:
Hi Hiroyuki,
I had some classloading issues with embedded libraries when I tried this
approach. That's why I used the module variant. Do you use additional
libraries in your custom SAMLProtocolFactory extension? Would you mind
sharing your deployment-structure.xml for reference?
Cheers and many thanks for your numerous valuable discussions and
contributions!
Thomas
h2-wada <h2-wada(a)nri.co.jp> wrote on Wed, 5 June 2019, 11:08:
> Hi,
>
> I also wanted to override the default SAMLProtocolFactory with my class
> with the same provider id as Thomas mentioned.
> In my case, it has been successful in replacing the native provider with
> the same provider id by using the Keycloak Deployer [1]. I confirmed it
> works with keycloak version 4.3.0.Final, 4.8.3.Final and 6.0.1.
>
> The deployment approach is as follows. I think it's a more straightforward way
> than deployment as a module. +Bonus: Hot deployment works !!
>
> - Create "jboss-deployment-structure.xml" and place it under the "META-INF"
>   directory in your JAR or EAR which contains your classes.
> - Deploy the JAR or EAR by placing it in the
>   "$KEYCLOAK_HOME/standalone/deployments/" directory.
>
>
> [1] https://www.keycloak.org/docs/latest/server_development/index.html#using-...
>
>
> --
> Hiroyuki Wada
> Nomura Research Institute, Ltd.
> h2-wada(a)nri.co.jp
>
>
> ________________________________________
> From: keycloak-dev-bounces(a)lists.jboss.org <keycloak-dev-bounces(a)lists.jboss.org> on behalf of Jerry Saravia <jerry.saravia(a)virginpulse.com>
> Sent: 15 April 2019 22:12
> To: Thomas Darimont
> CC: keycloak-dev(a)lists.jboss.org
> Subject: Re: [keycloak-dev] Override "native" Keycloak providers
>
> Thanks Thomas,
>
> This worked!!!
>
>
> Jerry Saravia
> From: Thomas Darimont <thomas.darimont(a)googlemail.com>
> Date: Wednesday, March 27, 2019 at 18:23
> To: Jerry Saravia <jerry.saravia(a)virginpulse.com>
> Cc: "keycloak-dev(a)lists.jboss.org" <keycloak-dev(a)lists.jboss.org>
> Subject: Re: [keycloak-dev] Override "native" Keycloak providers
>
> Hello Jerry,
>
> I encountered a similar problem with Keycloak 4.x when I needed to
> implement my own SamlProtocolFactory to customize the SAML Message handling.
> See: http://lists.jboss.org/pipermail/keycloak-dev/2019-February/011745.html
> The only way I could get this to work was to add my custom extension jar
> to the module.xml of the keycloak-services module,
> see the link for details.
>
> It's by far not the best solution, but at least it works.
>
> Cheers,
> Thomas
>
> On Wed, 27 Mar 2019 at 22:28, Jerry Saravia <jerry.saravia(a)virginpulse.com> wrote:
> Hello,
>
>
>
> We’ve been using version 3.4.3 for a while now and are attempting to
> upgrade to 4.8 and we’ve run into some issues.
>
>
>
> Summary: We have created our own providers with the same PROVIDER_ID as
> some of the built in providers. For example, PasswordCredentialProvider has
> a provider id of “keycloak-password” and we created our own with the same
> id that gets loaded after the native one. This worked because in 3.4.3
> providers that were using the same id would still have their factories
> added to the factory map.
>
>
>
> See this link here for 3.4.3 changes:
>
> https://github.com/keycloak/keycloak/blob/3.4.3.Final/services/src/main/j...
>
>
>
> These are the 4.8 changes
>
> https://github.com/keycloak/keycloak/blob/4.8.3.Final/services/src/main/j...
>
>
>
> In 4.8, the fully qualified class name (FQCN) is no longer used. Instead
> it uses the provider id and the spi name. I can no longer use the same
> PROVIDER_ID as the native providers to ‘override’ them, but sometimes there
> is code that gets the provider specifically by id. For example, in the
> UpdatePassword required action we have this:
>
> PasswordCredentialProvider passwordProvider =
>     (PasswordCredentialProvider) context.getSession().getProvider(CredentialProvider.class,
>         PasswordCredentialProviderFactory.PROVIDER_ID);
>
>
>
> In 3.4.3 because our provider was loaded we were able to inject into code
> that normally isn’t overridable. We did the same for the
> OIDCLoginProtocolFactory to alter some token endpoint behavior, and even the
> UpdatePassword required action itself, rather than making a brand new
> required action that is “second rate” because it isn’t native to Keycloak.
>
>
>
> Is there a solution for this in 4.8.3? I see this change was made in
> 4.0.0.Beta1 according to some of the history.
>
>
>
> J
>
>
> Jerry Saravia
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
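
The three registration behaviours discussed in this thread, as a simplified model added here for illustration; it is not Keycloak source and not code from any of the posters. The class names, the `credential` SPI name and the `disabledBuiltIns` set are assumptions; only the `keycloak-password` id comes from the thread.

```java
import java.util.*;

// Simplified model, not Keycloak source. Class names and the SPI name are constructed.
public class ProviderRegistryModel {            // Java 16+ (records)
    record Factory(String spi, String id, String className, boolean builtIn) {
        String key() { return spi + ":" + id; }
    }

    // 3.4.3 as described in the thread: duplicates are detected per class name,
    // so a second class with the same id is still added and replaces the first.
    static Map<String, Factory> dedupByClassName(List<Factory> loadOrder) {
        Map<String, Factory> byId = new LinkedHashMap<>();
        Set<String> seen = new HashSet<>();
        for (Factory f : loadOrder)
            if (seen.add(f.className())) byId.put(f.key(), f);
        return byId;
    }

    // 4.8 as described: duplicates are detected per SPI name + provider id,
    // so the factory loaded later is dropped without an error.
    static Map<String, Factory> dedupBySpiAndId(List<Factory> loadOrder) {
        Map<String, Factory> byId = new LinkedHashMap<>();
        for (Factory f : loadOrder) byId.putIfAbsent(f.key(), f);
        return byId;
    }

    // Proposal from the top reply: exactly one factory per id, fail loudly on a
    // clash, and let the operator disable a built-in explicitly.
    static Map<String, Factory> strict(List<Factory> loadOrder, Set<String> disabledBuiltIns) {
        Map<String, Factory> byId = new LinkedHashMap<>();
        for (Factory f : loadOrder) {
            if (f.builtIn() && disabledBuiltIns.contains(f.key())) continue;
            Factory prev = byId.putIfAbsent(f.key(), f);
            if (prev != null) throw new IllegalStateException(
                "duplicate provider " + f.key() + ": " + prev.className() + " and " + f.className());
        }
        return byId;
    }

    public static void main(String[] args) {
        List<Factory> loaded = List.of(   // constructed sample, built-in loads first
            new Factory("credential", "keycloak-password", "builtin.PasswordFactory", true),
            new Factory("credential", "keycloak-password", "custom.PasswordFactory", false));
        String k = "credential:keycloak-password";
        System.out.println("by class name : " + dedupByClassName(loaded).get(k).className());
        System.out.println("by spi + id   : " + dedupBySpiAndId(loaded).get(k).className());
        System.out.println("strict+disable: " + strict(loaded, Set.of(k)).get(k).className());
        try { strict(loaded, Set.of()); }
        catch (IllegalStateException e) { System.out.println("strict        : " + e.getMessage()); }
    }
}
```

In the strict variant a replacement for a credential or protocol factory becomes an explicit, reviewable configuration choice, and an unexpected JAR that reuses a built-in id stops startup instead of silently winning or silently losing.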