[keycloak-user] Deprecating/Removing keycloak-servlet-oauth-client

Marek Posolda mposolda at redhat.com
Fri Mar 15 04:31:33 EDT 2019


We plan to deprecate and then eventually remove 
keycloak-servlet-oauth-client.  We don't officially support this client 
(it is not documented and tested) and it is additional maintenance 
overhead to have it in our codebase. Is someone around, who uses this 
client? Do you want to become a maintainer of it? If yes, let us know. 
You can fork it to your repository and we will reference it from the 
"Extensions" page [1].

Some more details about the client:

AFAIR it is one of the very early-days keycloak features and the 
use-case behind this was, that you have web frontend java application, 
which is not secured by Keycloak and doesn't use adapter. But you still 
want to have a way to invoke the REST services from this application, 
which are secured by Keycloak. So you want to trigger the OAuth flow 
manually from the Java without having the adapter to do it for you - 
that's what this client is doing.

I think that this client can be almost always replaced by adapter or by 
the servlet filter. The only case when it couldn't be replaced by 
servlet filter is, when you have non-servlet java application.

This OAuth client is unmaintained and it is missing lot of features, 
which were recently added to the adapter.

[1] https://www.keycloak.org/extensions.html

Marek



More information about the keycloak-user mailing list