For a while, I've been working on a complex Keycloak extension (for
those interested: it adds support for hardware OTP generators with
lifecycle management, provisioning, etc.).

In the course of my work, I have developed some techniques not
documented elsewhere that I'd like to share. The main focus is creating
custom realm admin resources (even though there is not yet an official
admin resource SPI). However, this could also serve as a general-purpose
example that combines several SPIs in a form of complete, ready-to-use

As the name suggests, the extension brings into Keycloak... well, beer
:) You can manage a list of beers, and even try to virtually "drink"
some amount to know how drunk you will be.

Humor aside, what's under the hood:
* a JPA entity (using Entity SPI) and Liquibase changelog;
* a REST resource (using Realm Resource SPI) with CRUD operations and
one special operation ("drink");
* admin console GUI extensions (using theme mechanism) that work with

Now, what makes it an "admin resource":
* new roles "view-beer" and "manage-beer" are automatically added to
every existing and newly added realm, as well as included in the
master "admin" role;
* an AdminAuth instance is initialized and subsequently used to secure
* an AdminEventBuilder is initialized to be used for event logging.

Future ideas include adding a "Beer" tab for users, where the favorite
beer kind could be chosen; this would be to demonstrate many-to-one and
many-to-one relationships between system entities and custom entities.
This could be later used to create a "secret question"-like
authenticator that would ask a user to enter his/her correct beer

If there is demand, I think I could turn this example into a complete
tutorial and maybe publish it on GitBooks. Let me know what you think.
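
The role provisioning described in the "admin resource" list above, as an added sketch that is not code from the extension: it creates "view-beer" and "manage-beer" on a realm's master admin client and folds them into the master "admin" role. The class and method names are hypothetical, and it assumes the server's internal model API (Keycloak's server-spi modules) is on the classpath.

```java
// Added illustration, not the extension's own code. BeerAdminRoles is a hypothetical name.
import org.keycloak.Config;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;

public final class BeerAdminRoles {
    public static final String VIEW_BEER = "view-beer";     // role names taken from the post
    public static final String MANAGE_BEER = "manage-beer";

    private BeerAdminRoles() {}

    /** Call from the provider factory's postInit(): covers realms created later. */
    public static void registerForNewRealms(KeycloakSessionFactory factory) {
        factory.register(event -> {
            if (event instanceof RealmModel.RealmPostCreateEvent) {
                RealmModel.RealmPostCreateEvent e = (RealmModel.RealmPostCreateEvent) event;
                provision(e.getKeycloakSession(), e.getCreatedRealm());
            }
        });
    }

    /** Idempotent, so it can also be run for each existing realm at startup. */
    public static void provision(KeycloakSession session, RealmModel realm) {
        RealmModel master = session.realms().getRealmByName(Config.getAdminRealm());
        // The client in the master realm that carries the admin roles for 'realm'.
        ClientModel adminClient = realm.getMasterAdminClient();
        RoleModel masterAdmin = master == null ? null : master.getRole(AdminRoles.ADMIN);
        if (adminClient == null || masterAdmin == null) {
            return; // realm not fully set up yet; nothing to attach the roles to
        }
        for (String name : new String[] {VIEW_BEER, MANAGE_BEER}) {
            RoleModel role = adminClient.getRole(name);
            if (role == null) {
                role = adminClient.addRole(name);
            }
            // Only the master "admin" composite gains the new roles; other
            // administrators must be granted view-beer / manage-beer explicitly.
            if (!masterAdmin.hasRole(role)) {
                masterAdmin.addCompositeRole(role);
            }
        }
    }
}
```

The REST resource still has to check these roles on every request; creating them grants nothing by itself and enforces nothing.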