While developing a KC extension, I've faced the requirement to
implement global writable persistent configuration. That means, 1) it
should not be bound to any particular realm, 2) it should be accessible
from providers, 3) it should be updatable from the Admin console and
via REST. Additionally, there exists an (independent) requirement to
process INI-style files. With all the above, introducing Apache Commons
Configuration as a dependency would be an obvious choice.
But before that, I wanted to know if there are any plans to introduce
the same on the Keycloak side? If so, I think we could save ourselves
From the "business" side, most configuration in Keycloak is
But if we take a look at the similar software, like Atlassian Crowd or
WSO2 Identity Server, we'll find most of them have some sort of global
settings, for example:
- auto-update settings;
- periodic tasks;
- scheduled backups;
- plugin-specific global settings.
At the moment, I don't think any of the above is of high priority for
Keycloak, but I'm pretty sure there's a good chance things will change
in the future.
From the technical side, we currently have global config in
standalone.xml which is read-only, and a lot of per-realm stuff that is
persisted into the database (including e.g. components). We also have
org.keycloak.Config stuff that is also read-only and only supports
system properties; and trying to make it writable and persistent will
inevitably result in the reinvention of "ad-hoc, informally-specified,
bug-ridden, slow implementation of half of" Apache Commons
With the above, please let me know what do you think of the idea of
introducing unified global config service backed by (tentatively)
Commons Configuration, with the following features (here's what's most
important in the context):
- support for multiple config sources under single API, most
importantly system properties, XML and JDBC;
- automatically selecting writable backend (e.g. JDBC) when writing to
a combined/composite config;
- events and notification;
- synchronization & thread safety.
If this is not topical for Keycloak proper, I'd appreciate any ideas on
how to do it the right way on the extension side.
Thanks in advance,