[keycloak-dev] Override "native" Keycloak providers

Stian Thorgersen sthorger at redhat.com
Wed Jun 5 08:29:59 EDT 2019


This kinda works by accident and it's not fully reliable as something could
change.

I'd like to make sure only one provider is registered with a specific id,
but allow disabling built-in providers.

If that sounds like a plan please create an issue.

On Wed, 5 Jun 2019, 13:29 Thomas Darimont, <thomas.darimont at googlemail.com>
wrote:

> Hi Hiroyuki,
>
> I had some classloading issues with embedded libraries when I tried this
> approach. That's why I used the module variant. Do you use additional
> libraries in your custom SAMLProtocolFactory extension? Would you mind
> sharing your deployment-structure.xml for reference?
>
> Cheers and many thanks for your numerous valuable discussions and
> contributions!
> Thomas
>
> h2-wada <h2-wada at nri.co.jp> schrieb am Mi., 5. Juni 2019, 11:08:
>
> > Hi,
> >
> > I also wanted to override the default SAMLProtocolFactory with my class
> > with the same provider id as Thomas mentioned.
> > In my case, it has been successful in replacing the native provider with
> > the same provider id by using the Keycloak Deployer [1]. I confirmed it
> > works with keycloak version 4.3.0.Final, 4.8.3.Final and 6.0.1.
> >
> > The deployment approach is as follows. I think it's a more straightforward way
> > than deployment as a module. Bonus: hot deployment works!!
> >
> > - Create "jboss-deployment-structure.xml" and place under the "META-INF"
> > directory in your JAR or EAR which contains your classes.
> > - Deploy JAR or EAR by placing it in the
> > "$KEYCLOAK_HOME/standalone/deployments/" directory.
> >
> >
> > [1]
> > https://www.keycloak.org/docs/latest/server_development/index.html#using-the-keycloak-deployer
> >
> >
> > --
> > Hiroyuki Wada
> > Nomura Research Institute, Ltd.
> > h2-wada at nri.co.jp
> >
> >
> >
> > ________________________________________
> > From: keycloak-dev-bounces at lists.jboss.org <keycloak-dev-bounces at lists.jboss.org> on behalf of Jerry Saravia <jerry.saravia at virginpulse.com>
> > Sent: April 15, 2019 22:12
> > To: Thomas Darimont
> > CC: keycloak-dev at lists.jboss.org
> > Subject: Re: [keycloak-dev] Override "native" Keycloak providers
> >
> > Thanks Thomas,
> >
> > This worked!!!
> >
> >
> > Jerry Saravia
> > Software Engineer
> > From: Thomas Darimont <thomas.darimont at googlemail.com>
> > Date: Wednesday, March 27, 2019 at 18:23
> > To: Jerry Saravia <jerry.saravia at virginpulse.com>
> > Cc: "keycloak-dev at lists.jboss.org" <keycloak-dev at lists.jboss.org>
> > Subject: Re: [keycloak-dev] Override "native" Keycloak providers
> >
> > Hello Jerry,
> >
> > I encountered a similar problem with Keycloak 4.x when I needed to
> > implement my own SamlProtocolFactory to customize the SAML Message handling.
> > See:
> > http://lists.jboss.org/pipermail/keycloak-dev/2019-February/011745.html
> > The only way I could get this to work was to add my custom extension jar
> > to the module.xml of the keycloak-services module,
> > see the link for details.
> >
> > It's by far not the best solution, but at least it works.
> >
> > Cheers,
> > Thomas
> >
> > On Wed, 27 Mar 2019 at 22:28, Jerry Saravia <jerry.saravia at virginpulse.com> wrote:
> > Hello,
> >
> >
> >
> > We’ve been using version 3.4.3 for a while now and are attempting to
> > upgrade to 4.8 and we’ve run into some issues.
> >
> >
> >
> > Summary: We have created our own providers with the same PROVIDER_ID as
> > some of the built in providers. For example, PasswordCredentialProvider has
> > a provider id of “keycloak-password” and we created our own with the same
> > id that gets loaded after the native one. This worked because in 3.4.3
> > providers that were using the same id would still have their factories
> > added to the factory map.
> >
> >
> >
> > See this link here for 3.4.3 changes:
> > https://github.com/keycloak/keycloak/blob/3.4.3.Final/services/src/main/java/org/keycloak/provider/ProviderManager.java#L96-L100
> >
> >
> >
> > These are the 4.8 changes:
> > https://github.com/keycloak/keycloak/blob/4.8.3.Final/services/src/main/java/org/keycloak/provider/ProviderManager.java#L96-L99
> >
> >
> >
> > In 4.8, the fully qualified class name (FQCN) is no longer used. Instead
> > it uses the provider id and the spi name. I can no longer use the same
> > PROVIDER_ID as the native providers to ‘override’ them, but sometimes there
> > is code that gets the provider specifically by id. For example, in the
> > UpdatePassword required action we have this:
> >
> >
> >
> > PasswordCredentialProvider passwordProvider =
> >     (PasswordCredentialProvider) context.getSession().getProvider(CredentialProvider.class,
> >         PasswordCredentialProviderFactory.PROVIDER_ID);
> >
> >
> >
> > In 3.4.3, because our provider was loaded, we were able to inject into code
> > that normally isn’t overridable. We did the same for the
> > OIDCLoginProtocolFactory to alter some token endpoint behavior, and even for the
> > UpdatePassword required action itself, rather than making a brand new
> > required action that is “second rate” because it isn’t native to Keycloak.
> >
> >
> >
> > Is there a solution for this in 4.8.3? I see this change was made in
> > 4.0.0.Beta1 according to some of the history.
> >
> >
> >
> > J
> >
> >
> > Jerry Saravia
> > Software Engineer
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
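The deployer approach Hiroyuki describes needs a descriptor at META-INF/jboss-deployment-structure.xml inside the deployed JAR or EAR so that the extension can see the Keycloak classes it replaces. The following is an added example written for this page, not a file posted by any participant in the thread. It assumes that org.keycloak.keycloak-services is the WildFly module that holds the built-in SamlProtocolFactory and LoginProtocolFactory SPI; the thread does not confirm the module name, so check it against the modules directory of the Keycloak version actually deployed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; not from the thread. Placed at META-INF/jboss-deployment-structure.xml
     inside the JAR dropped into $KEYCLOAK_HOME/standalone/deployments/. -->
<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.2">
    <deployment>
        <dependencies>
            <!-- Assumed module name: the Keycloak services module that ships the
                 built-in protocol factories the custom factory reuses the id of. -->
            <module name="org.keycloak.keycloak-services"/>
        </dependencies>
    </deployment>
</jboss-deployment-structure>
```

As Stian notes above, the override only takes effect because of the order in which factories with a duplicate id happen to be registered, so after each deployment or Keycloak upgrade it is worth confirming from the server log which factory actually serves the "saml" provider id before relying on the customized behaviour in production.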

