[keycloak-dev] Code quality & bugs

Perot Francis francis.perot at elca.ch
Sun Oct 6 17:29:02 EDT 2019 

Hi all,

I recently had to start working with Keycloak and, as I’m using a static code analyzer in my IDE (Sonar Lint), I got lots of recommendations about Keycloak code.
These recommendations are not always very relevant but can help to increase the code quality, the readability, can help to detect bugs (I actually found some) and this might be an important point for the stability of the product, especially for a product managing authentication.

First, in MultiValuedHashMap.equalsIgnoreValueOrder(), there is a bug but it can be considered as assumed if we suppose that it is not possible to have duplicated values in this map (which is often the case).
For a given key, if we compare associated lists of 2 MultivaluedHashMap instances [1, 2, 2] and [1, 2, 3], equalsIgnoreValueOrder will return true because lengths are equal and all elements from the first list exist in the second list. Do you think it is necessary to fix this ?

Static code analysis revealed issues described in the following examples and show some inconsistencies : In FileTruststoreProviderFactory.init(), if pass is null, we “return” at the beginning of the method… but pass is still compared to null twice after that.
Similary, in FreeMarkerUtil.processTemplate(), we set cache=null; then we compare cache to null (if (cache!=null))
Don’t you think it could be better to follow some recommendations ? I could work on this : as it should impact lots of code but maybe you should decide which type of recommendation you want to follow and how you prefer to do this : all changes at once, one PR per type of recommendation, on PR per maven module, …

Francis Pérot

(about me: I’m currently working on the multi-factor feature and we had a meeting two weeks ago with Marek P. and Peter S. : the left ear you saw was mine 😊)


Example 1:
            byte[] signature = null;
            try {
                signature = HMACProvider.sign(buffer.toString().getBytes("UTF-8"), Algorithm.HS512, sharedSecret);
            } catch (UnsupportedEncodingException e) {
                throw new RuntimeException(e);
            }
Can become:
            byte[] signature = HMACProvider.sign(buffer.toString().getBytes(StandardCharsets.UTF_8), Algorithm.HS512, sharedSecret);

Example 2:
            LDAPObject ldapUser = ldapQuery.getFirstResult();
            if (ldapUser == null) {
                return null;
            }

            return ldapUser;
Can become:
            return ldapQuery.getFirstResult();

Example 3:


        if (responderURIs.size() == 0) {


        if (responderURIs.isEmpty()) {



Example 4:


        Set<Annotation> set = new HashSet<Annotation>();


        Set<Annotation> set = new HashSet<>();



Other examples : https://github.com/fperot74/keycloak/pull/1/files

More information about the keycloak-dev mailing list