[keycloak-dev] Override "native" Keycloak providers

h2-wada h2-wada at nri.co.jp
Wed Jun 5 09:36:09 EDT 2019


Hi Thomas,

> Do you use additional libraries in your custom SAMLProtocolFactory extension? Would you mind sharing your deployment-structure.xml for reference?

In my real project, I don't use any additional libraries.

So I created a very simple extension which replaces the default LoginFormsProvider and uses a third-party library (i.e. webauthn4j). But there are no classloading issues. I pushed the sample extension to our github repository.
Could you check it? The extension works when accessing the login page.

https://github.com/openstandia/keycloak-extension-test


Best regards,

--
Hiroyuki Wada
Nomura Research Institute, Ltd.
h2-wada at nri.co.jp
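An added example, not Hiroyuki's actual file from the repository above: a jboss-deployment-structure.xml for the deployer approach described later in this thread (a JAR in standalone/deployments whose factory reuses the native provider id). The module names are those of the Keycloak WildFly distribution; the factory class name in the comment is hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/jboss-deployment-structure.xml inside the extension JAR.
     Assumed example: the modules below cover a factory that extends
     org.keycloak.protocol.saml.SamlProtocolFactory (hypothetical class
     com.example.CustomSamlProtocolFactory); list only the modules your
     classes actually import. -->
<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.2">
    <deployment>
        <dependencies>
            <!-- Keycloak SPI and model interfaces -->
            <module name="org.keycloak.keycloak-core"/>
            <module name="org.keycloak.keycloak-server-spi"/>
            <module name="org.keycloak.keycloak-server-spi-private"/>
            <!-- the built-in protocol factories live here -->
            <module name="org.keycloak.keycloak-services"/>
        </dependencies>
    </deployment>
</jboss-deployment-structure>
```

The factory is registered in the usual way, via META-INF/services/org.keycloak.protocol.LoginProtocolFactory listing its class, with getId() returning the native id. Because any JAR dropped into that directory can replace core authentication logic this way, restrict write access to standalone/deployments and have the factory log its own class name in init() so the active implementation is visible in server.log.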

--------------------------------------------------------------------
This e-mail may contain confidential information intended only for the original addressee.
If you are not the intended recipient, please notify the sender and delete this e-mail.
PLEASE READ:This e-mail is confidential and intended for
the named recipient only. If you are not an intended recipient,
please notify the sender and delete this e-mail.
--------------------------------------------------------------------


________________________________________
From: Thomas Darimont <thomas.darimont at googlemail.com>
Sent: June 5, 2019 20:23
To: h2-wada
CC: Jerry Saravia; keycloak-dev
Subject: Re: [keycloak-dev] Override "native" Keycloak providers

Hi Hiroyuki,

I had some classloading issues with embedded libraries when I tried this approach. That's why I used the module variant. Do you use additional libraries in your custom SAMLProtocolFactory extension? Would you mind sharing your deployment-structure.xml for reference?

Cheers and many thanks for your numerous valuable discussions and contributions!
Thomas

h2-wada <h2-wada at nri.co.jp> wrote on Wed., 5 June 2019, 11:08:
Hi,

I also wanted to override the default SAMLProtocolFactory with my class with the same provider id as Thomas mentioned.
In my case, it has been successful in replacing the native provider with the same provider id by using the Keycloak Deployer [1]. I confirmed it works with keycloak version 4.3.0.Final, 4.8.3.Final and 6.0.1.

The deployment approach is as follows. I think it's a more straightforward way than deployment as a module. +Bonus: Hot deployment works!!

- Create "jboss-deployment-structure.xml" and place under the "META-INF" directory in your JAR or EAR which contains your classes.
- Deploy JAR or EAR by placing it in the "$KEYCLOAK_HOME/standalone/deployments/" directory.


[1] https://www.keycloak.org/docs/latest/server_development/index.html#using-the-keycloak-deployer


--
Hiroyuki Wada
Nomura Research Institute, Ltd.
h2-wada at nri.co.jp



________________________________________
From: keycloak-dev-bounces at lists.jboss.org <keycloak-dev-bounces at lists.jboss.org> on behalf of Jerry Saravia <jerry.saravia at virginpulse.com>
Sent: April 15, 2019 22:12
To: Thomas Darimont
CC: keycloak-dev at lists.jboss.org
Subject: Re: [keycloak-dev] Override "native" Keycloak providers

Thanks Thomas,

This worked!!!


Jerry Saravia
Software Engineer
T(516) 603-6914
M516-603-6914
virginpulse.com | virginpulse.com/global-challenge
492 Old Connecticut Path, Framingham, MA 01701, USA
Australia | Bosnia and Herzegovina | Brazil | Canada | Singapore | Switzerland | United Kingdom | USA
Confidentiality Notice: The information contained in this e-mail, including any attachment(s), is intended solely for use by the designated recipient(s). Unauthorized use, dissemination, distribution, or reproduction of this message by anyone other than the intended recipient(s), or a person designated as responsible for delivering such messages to the intended recipient, is strictly prohibited and may be unlawful. This e-mail may contain proprietary, confidential or privileged information. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Virgin Pulse, Inc. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and delete this e-mail message.
From: Thomas Darimont <thomas.darimont at googlemail.com>
Date: Wednesday, March 27, 2019 at 18:23
To: Jerry Saravia <jerry.saravia at virginpulse.com>
Cc: "keycloak-dev at lists.jboss.org" <keycloak-dev at lists.jboss.org>
Subject: Re: [keycloak-dev] Override "native" Keycloak providers


Hello Jerry,

I encountered a similar problem with Keycloak 4.x when I needed to implement my own SamlProtocolFactory to customize the SAML Message handling.
See: http://lists.jboss.org/pipermail/keycloak-dev/2019-February/011745.html
The only way I could get this to work was to add my custom extension jar to the module.xml of the keycloak-services module,
see the link for details.

It's by far not the best solution, but at least it works.

Cheers,
Thomas

On Wed, 27 Mar 2019 at 22:28, Jerry Saravia <jerry.saravia at virginpulse.com> wrote:
Hello,

We’ve been using version 3.4.3 for a while now and are attempting to upgrade to 4.8, and we’ve run into some issues.

Summary: We have created our own providers with the same PROVIDER_ID as some of the built-in providers. For example, PasswordCredentialProvider has a provider id of “keycloak-password” and we created our own with the same id that gets loaded after the native one. This worked because in 3.4.3 providers that were using the same id would still have their factories added to the factory map.

See this link here for the 3.4.3 changes:

https://github.com/keycloak/keycloak/blob/3.4.3.Final/services/src/main/java/org/keycloak/provider/ProviderManager.java#L96-L100

These are the 4.8 changes:

https://github.com/keycloak/keycloak/blob/4.8.3.Final/services/src/main/java/org/keycloak/provider/ProviderManager.java#L96-L99

In 4.8, the fully qualified class name (FQCN) is no longer used. Instead it uses the provider id and the SPI name. I can no longer use the same PROVIDER_ID as the native providers to ‘override’ them, but sometimes there is code that gets the provider specifically by id. For example, in the UpdatePassword required action we have this:

PasswordCredentialProvider passwordProvider = (PasswordCredentialProvider) context.getSession().getProvider(CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID);

In 3.4.3, because our provider was loaded, we were able to inject into code that normally isn’t overridable. We did the same for the OIDCLoginProtocolFactory to alter some token endpoint behavior, and even the UpdatePassword required action itself, rather than making a brand new required action that is “second rate” because it isn’t native to Keycloak.

Is there a solution for this in 4.8.3? I see this change was made in 4.0.0.Beta1 according to some of the history.

J

