[keycloak-user] Removing JaxrsBearerTokenFilter

Marek Posolda mposolda at redhat.com
Tue Feb 26 09:22:01 EST 2019 

It seems we have 3 options:
1) Keep jaxrs filter adapter in the keycloak codebase and start to 
officially support it. In this case, we will need some better docs and 
maybe quickstart?
2) Deprecate it in the keycloak codebase and remove in next version 
(Keycloak 6.X probably?)
3) Remove directly from keycloak codebase

In case (2) or (3), it will be nice if you Lukasz (or someone else from 
community) will maintain Jaxrs filter as an extension. In this case, it 
can be listed from the extensions page 
https://www.keycloak.org/extensions.html .

Your use-case looks ok, but it seems that we didn't have much other 
requirements to maintain separate adapter for Jax RS filter. From 
quickly looking at osgi-jax-rs-connector documentation, it seems that 
connector still needs to be deployed on top of the servlet container or 
Http Servlet filter, which Keycloak has adapter for, so you can always 
secure at that level though. I don't think that we want (1) .

My order of preference is 3, 2, 1. Thoughts?

Marek

On 25/02/2019 15:49, Lukasz Lech wrote:
> I’m using jax-rs connector implementation from Eclipse tema (https://github.com/hstaudacher/osgi-jax-rs-connector) and it needs to have validation injected in jax-rs context, and AFAIK this library was the only implementation that provided that.
>
> But never mind, I assume I can use current version, if it wasn’t maintained anyway…
>
> Best regards,
> Lukasz Lech
>
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Montag, 25. Februar 2019 15:33
> To: Lukasz Lech <l.lech at ringler.ch>
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Removing JaxrsBearerTokenFilter
>
> Tomcat if you're using Tomcat, WildFly if you're using WildFly, etc..
>
> On Fri, 22 Feb 2019 at 08:26, Lukasz Lech <l.lech at ringler.ch<mailto:l.lech at ringler.ch>> wrote:
> Hmm which is a proper adapter for JaxRS then? I’ve found only that one…
>
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com<mailto:sthorger at redhat.com>]
> Sent: Freitag, 22. Februar 2019 07:36
> To: Lukasz Lech <l.lech at ringler.ch<mailto:l.lech at ringler.ch>>
> Cc: keycloak-user <keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>>
> Subject: Re: [keycloak-user] Removing JaxrsBearerTokenFilter
>
> Why not use one of the proper adapters for the container you are deploying to?
> On Thu, 21 Feb 2019, 14:51 Lukasz Lech, <l.lech at ringler.ch<mailto:l.lech at ringler.ch><mailto:l.lech at ringler.ch<mailto:l.lech at ringler.ch>>> wrote:
> Hello,
>
> I'm one of the users of org.keycloak.jaxrs.JaxrsBearerTokenFilterImpl. It is indeed poorly documented, for example I've found no mention that org.keycloak.adapters.KeycloakConfigResolver must cache org.keycloak.adapters.KeycloakDeployment, which resulted in public keys being downloaded from Keycloak Server with every request to our REST channel...
>
> If nobody have time and will to document it and fix bugs, what about moving it to separate project instead of deleting it? I haven't seen any alternative for securing jaxrs channels other than writing everything from scratch... Is there any alternative usable project?
>
>
>
>
> Best regards,
> Lukasz Lech
>
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org<mailto:keycloak-user-bounces at lists.jboss.org><mailto:keycloak-user-bounces at lists.jboss.org<mailto:keycloak-user-bounces at lists.jboss.org>> [mailto:keycloak-user-bounces at lists.jboss.org<mailto:keycloak-user-bounces at lists.jboss.org><mailto:keycloak-user-bounces at lists.jboss.org<mailto:keycloak-user-bounces at lists.jboss.org>>] On Behalf Of Marek Posolda
> Sent: Donnerstag, 21. Februar 2019 10:21
> To: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org><mailto:keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>>
> Subject: [keycloak-user] Removing JaxrsBearerTokenFilter
>
> Keycloak team things about removing JaxrsBearerTokenFilter.
>
> Just to add some context, the JaxrsBearerTokenFilter is the "adapter", which we have in the codebase and which allows to "secure" the JaxRS Application by adding the JaxrsFilter, which implements our OIDC adapter.This filter is not documented and we don't have any examples/quickstarts of it. Hence it is not considered as officially supported Keycloak feature. And you can probably always secure your application through some other officially supported way (HTTP Servlet filter or any of our other built-in adapters).
>
> Anyway, if someone is aware of any reason why to not remove this filter from Keycloak, please let me know, ideally by the Monday Feb 25th.
>
> See some details in keycloak-dev thread "Removing JaxrsBearerTokenFilter" .
>
> Thanks,
> Marek
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org><mailto:keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org><mailto:keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list