[keycloak-dev] Override "native" Keycloak providers

Stian Thorgersen sthorger at redhat.com
Wed Mar 27 20:35:22 EDT 2019


Instead of trying to deploy a custom provider with the same id as the
default provider you can change the default provider for an SPI. In
standalone.xml just set the default-provider for the SPI to your own. This
will work when Keycloak doesn't specify directly what provider to get.

It was never supported to load a custom provider with the same ID as the
built-in providers. I believe that was a side-effect made possible when we
introduced the ability to hot deploy providers.

On Wed, 27 Mar 2019 at 23:27, Thomas Darimont <thomas.darimont at googlemail.com> wrote:

> Hello Jerry,
>
> I encountered a similar problem with Keycloak 4.x when I needed to
> implement my own SamlProtocolFactory to customize the SAML Message
> handling.
> See:
> http://lists.jboss.org/pipermail/keycloak-dev/2019-February/011745.html
> The only way I could get this to work was to add my custom extension jar to
> the module.xml of the keycloak-services module,
> see the link for details.
>
> It's by far not the best solution, but at least it works.
>
> Cheers,
> Thomas
>
> On Wed, 27 Mar 2019 at 22:28, Jerry Saravia <jerry.saravia at virginpulse.com> wrote:
>
> > Hello,
> >
> >
> >
> > We’ve been using version 3.4.3 for a while now and are attempting to
> > upgrade to 4.8 and we’ve run into some issues.
> >
> >
> >
> > Summary: We have created our own providers with the same PROVIDER_ID as
> > some of the built in providers. For example, PasswordCredentialProvider
> > has a provider id of “keycloak-password” and we created our own with the
> > same id that gets loaded after the native one. This worked because in
> > 3.4.3 providers that were using the same id would still have their
> > factories added to the factory map.
> >
> >
> >
> > See this link here for 3.4.3 changes:
> >
> > https://github.com/keycloak/keycloak/blob/3.4.3.Final/services/src/main/java/org/keycloak/provider/ProviderManager.java#L96-L100
> >
> > These are the 4.8 changes
> >
> > https://github.com/keycloak/keycloak/blob/4.8.3.Final/services/src/main/java/org/keycloak/provider/ProviderManager.java#L96-L99
> >
> >
> >
> > In 4.8, the fully qualified class name (FQCN) is no longer used. Instead
> > it uses the provider id and the spi name. I can no longer use the same
> > PROVIDER_ID as the native providers to ‘override’ them, but sometimes
> > there is code that gets the provider specifically by id. For example, in
> > the UpdatePassword required action we have this:
> >
> >
> >
> > PasswordCredentialProvider passwordProvider =
> >     (PasswordCredentialProvider) context.getSession().getProvider(
> >         CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID);
> >
> >
> >
> > In 3.4.3, because our provider was loaded, we were able to inject into
> > code that normally isn’t overridable. We did the same for the
> > OIDCLoginProtocolFactory to alter some token endpoint behavior, and even
> > for the UpdatePassword required action itself, rather than making a brand
> > new required action that is “second rate” because it isn’t native to
> > Keycloak.
> >
> >
> >
> > Is there a solution for this in 4.8.3? I see this change was made in
> > 4.0.0.Beta1 according to some of the history.
> >
> >
> >
> > J
> >
> >
> > Jerry Saravia

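The default-provider change described in the reply at the top of this message, shown as an added example that is not part of the original thread and not Keycloak's shipped configuration. The names `example-spi`, `custom-provider` and `SomeProvider` are placeholders chosen for illustration.

```xml
<!-- Added example, not taken from the thread or from Keycloak's shipped
     standalone.xml. Place the <spi> element inside the keycloak-server
     subsystem of standalone.xml.
     "example-spi" and "custom-provider" are placeholders:
       - spi name      = the value the SPI's Spi.getName() returns
       - provider name = the value your ProviderFactory.getId() returns,
                         chosen so it differs from every built-in id -->
<spi name="example-spi">
    <!-- Used whenever a provider of this SPI is requested without an id,
         e.g. session.getProvider(SomeProvider.class), where SomeProvider
         is a hypothetical provider interface of this SPI -->
    <default-provider>custom-provider</default-provider>

    <provider name="custom-provider" enabled="true"/>
</spi>
<!-- Not affected: lookups that name an id explicitly, such as the
     getProvider(CredentialProvider.class,
                 PasswordCredentialProviderFactory.PROVIDER_ID)
     call quoted in the thread. Those still resolve by that id, which is
     the limit the reply states: the setting only applies when Keycloak
     does not specify directly which provider to get. -->
```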
