[keycloak-dev] Design of Auth Server startup from subsystem

Thu Oct 2 08:46:01 EDT 2014

On 10/2/2014 8:18 AM, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Stan Silvert" <ssilvert at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Thursday, 2 October, 2014 2:08:31 PM
>> Subject: Re: [keycloak-dev] Design of Auth Server startup from subsystem
>>
>>
>>>> /account-spi optionally contains a single jar file that replaces
>>>> keycloak-account-freemarker.jar.
>>>> /login-spi optionally contains a single jar file that replaces
>>>> keycloak-login-freemarker.jar
>>> Why replace keycloak-*-freemarker.jar?
>> http://docs.jboss.org/keycloak/docs/1.0.1.Final/userguide/html/themes.html#d4e1060
>>
>> For account or login SPI, it says to delete these jars or disable with a
>> System property if you want to use your own provider.  I chose replace.
>> It doesn't actually change the original auth-server.war on disk.  It's a
>> virtual replace.
> Ah, forgot that was how it used to work - that doc is out of date, sorry! You don't need to replace or use system properties any more, instead you configure the provider to use in keycloak-server.json:
>
>    {
>      "account" : {
>        "provider": "my-account-provider"
>      }
>    }
>
> Basically Keycloak either retrieves a named provider for an SPI (for example to get the ldap federation) or just picks the default provider configured for the server (for example account provider). The default provider is either specified as above, or if there's only one available it'll pick that one.
That's much better.  So I just need one directory where you drop all the 
SPI jars.  Maybe I'll call it /plugins.  That name covers both SPI jars 
and theme jars.
>
> Made me think about another thing. How should we deal with what providers are included by default, and what users can add later? For instance we could just put everything in the auth-server.war as we do now, or we could have a simple mechanism to add those needed (stuff like ldap, google login, etc, etc..).
>
Is there a reason to leave them out?