Use keycloak-client libraries instead of keycloak-common, keycloak-core and keycloak-adapter-spi #43260

Open

@pskopek pskopek commented Sep 13, 2024

This PR uses keycloak-client 26.0.0-alpha2. If it passes all checks and reviews I can release final and update the PR.

Closes #43259

@quarkus-bot quarkus-bot bot added area/dependencies Pull requests that update a dependency file area/keycloak area/oidc area/testing labels Sep 13, 2024
@rsvoboda
Member

FYI @maxandersen @gsmet @aloubyansky

@sberyozkin
Member

Thanks @pskopek for the PR, I think I understand the idea, but I'm not sure I appreciate the consequences if any for Quarkus, I'd like to ask @pedroigor and @mposolda to review, thanks

@sberyozkin
Member

@pskopek I can try the devservice myself a little bit later to save you some time

@aloubyansky
Member

@pskopek afaics, only the dependency on keycloak-adapter-spi is removed, the rest remain to be dependencies. keycloak-common was just a version constraint. Could you clarify the reason to remove Keycloak version constraints from the BOM?

@gsmet
Member

gsmet commented Sep 13, 2024

The failures are unrelated.

@sberyozkin
Member

@pskopek Keycloak devservice is OK with this update :-), thanks

@sberyozkin sberyozkin self-requested a review September 16, 2024 13:57
Member

@aloubyansky aloubyansky left a comment

Let's add the Keycloak dependencies that are direct dependencies of Quarkus extensions back to the BOM.

@pskopek
Author

pskopek commented Oct 10, 2024

@sberyozkin @aloubyansky I fixed the issues with versions you requested. There is a separation between Keycloak Server (25.0.6) for testing purpose and Keycloak Client Libs (26.0.0) used in Quarkus.
Can you review the new changes, please?

@aloubyansky
Member

Dependency-wise this looks better @pskopek, thanks!

@sberyozkin
Member

@pskopek I've pushed the latest Quarkus updates to check if the OIDC test failure is repeatable, thanks

@sberyozkin sberyozkin self-requested a review October 22, 2024 15:43
@pskopek pskopek force-pushed the kc-client-libs branch 2 times, most recently from bfe72df to dd260da Compare October 24, 2024 08:24
@sberyozkin
Member

sberyozkin commented Oct 24, 2024

@pskopek Hi, the fact that so many dependencies are coming in with the new keycloak client now and we have to exclude them for example in the OIDC deployment, makes me a little bit nervous, any code now which only needs to work, for example, with RealmRepresentation only, will have to exclude all those dependencies manually...
I'd also suggest to keep keycloak.version, someone may be expecting it being set, some integration tests might be picking it up

@maxandersen
Member

If every quarkus user has to exclude those dependencies that is definitely problematic since afaik we cannot even do this in the platform bom.

We need a dependency that does not drag in unnecessary classes.

Member

@maxandersen maxandersen left a comment

-1 until this is shown to work without users having to exclude dependencies manually.

@gsmet
Member

gsmet commented Oct 25, 2024

Hmmm. Wait a bit: it has always been the case that we needed to exclude dependencies: the Keycloak Admin Client comes with a default REST Client implementation (or it wouldn't work out of the box).

In Quarkus, we have 2 extensions for the admin client that comes with either the RESTEasy client or the Quarkus REST client.

In practice, it's not a problem for our users: we are doing the work for them and this PR doesn't change a thing.

Happy to be corrected if I'm wrong.

@michalvavrik
Member

michalvavrik commented Oct 25, 2024

> Hmmm. Wait a bit: it has always been the case that we needed to exclude dependencies: the Keycloak Admin Client comes with a default REST Client implementation (or it wouldn't work out of the box).
>
> In Quarkus, we have 2 extensions for the admin client that comes with either the RESTEasy client or the Quarkus REST client.
>
> In practice, it's not a problem for our users: we are doing the work for them and this PR doesn't change a thing.
>
> Happy to be corrected if I'm wrong.

I watched this discussion progress and I think you are right, but there is one point in discussion I am missing. There are exclusions in Keycloak Dev Services for RESTEasy that is not needed. The keycloak-admin-client brings dependencies even though we only use POJOs (DTOs basically). AKA we don't use the REST client in many of these places. Therefore:

> a default REST Client implementation (or it wouldn't work out of the box)

I think is mixing points. @pskopek is bringing Keycloak Admin Client instead of Keycloak Core and they don't want to put these DTOs into separate dependency because it would require additional work and that is why exclusions are needed. Do I get situation correctly @pskopek ?

@michalvavrik
Member

@pskopek I think the native failure is related Caused by: java.lang.IllegalStateException: Not able to load any cryptoProvider with the classLoader: jdk.internal.loader.ClassLoaders$AppClassLoader@1134affc.

@sberyozkin
Member

@michalvavrik

> @pskopek is bringing Keycloak Admin Client instead of Keycloak Core and they don't want to put these DTOs into separate dependency because it would require additional work and that is why exclusions are needed.

This is likely to be precise... Peter, @pskopek, what do you think, would it be a problem to release keycloak-core on its own ?

I'm pretty sure that Keycloak devservice is not the only piece of code which uses keycloak core classes like RealmRepresentation but does not use any of Keycloak Admin APIs alongside them...

@pskopek Think about it please, check with the team, hopefully it won't be a problem to have keycloak-core separated from the Keycloak Admin Client API...

Let's try to finalize it as we need to move to Keycloak 26.x

// Same like JSONSerialization class. Makes it possible to use admin-client against older versions of Keycloak server where the properties on representations might be different
newObjectMapper.setSerializationInclusion(JsonInclude.Include.NON_NULL);
// The client must work with the newer versions of Keycloak server, which might contain the JSON fields not yet known by the client. So unknown fields will be ignored.
newObjectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
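
Review bot: Both calls on `newObjectMapper` mutate the mapper in place, so confirm it is a copy dedicated to the Keycloak admin client and not the application-wide instance; otherwise `FAIL_ON_UNKNOWN_PROPERTIES` set to `false` and `NON_NULL` inclusion would silently relax parsing and change serialization for every other consumer of that mapper. The first comment would also read better as "Same as the JSONSerialization class".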

Member

This change is interesting because it will only impact scenario when user customized object mapper (or provided his own instance). I kinda expect that most users won't be impacted by this change. @geoand please review this file. Thank you

Member

These changes make Admin client not fail when working with older KC versions. I trust that @pskopek determined that KC admin client is always backwards compatible and it is fine that KC Admin client will be used with older versions.

But - these changes will only affect scenarios when user customized ObjectMapper bean or provided his own bean:

And what I say:

  • either I read situation wrong
  • or this needs to be done for all the scenarios, because I expect that affected scenario here is only minor, most users don't need to customize default ObjectMapper?

Please @geoand or @pskopek check again or prove me wrong. Maybe I misread situation. Thank you

Contributor

> This change is interesting because it will only impact scenario when user customized object mapper (or provided his own instance). I kinda expect that most users won't be impacted by this change. @geoand please review this file. Thank you

Agreed

Contributor

I don't know what Keycloak's requirements are, but from the looks of this PR, it seems Keycloak needs a completely separate ObjectMapper

Member

Thanks for having a look @geoand

Contributor

Thanks for bringing it to my attention!

Member

@pskopek Can you please comment here ?

Author

Yes, Keycloak Admin needs differently configured ObjectMapper. I modified the PR, but I am not the Quarkus expert. @geoand , can you review the change, please?

@pskopek
Author

pskopek commented Nov 6, 2024

@sberyozkin I have updated keycloak-client to 26.0.2 and fixed all issues in tests.
I changed dependency to pure representations artifact (keycloak-client-common-synced) when possible. The issue with unwanted excludes is resolved now.

@michalvavrik missing CryptoProvider issue is fixed as well.

@sberyozkin
Member

sberyozkin commented Nov 7, 2024

Thanks Peter, @pskopek, looks much better now.

I have a couple of questions:

  • Does AuthzClientCryptoProvider have to be in the common code ? If that broke Keycloak Authorization native build then it could equally break someone else's extension native build; I propose to push it up to where it is required...
  • Can you name it keycloak-client-common ? Is -synced suffix important ?

PR is getting much closer to the completion though, thanks

@sberyozkin
Member

sberyozkin commented Nov 7, 2024

@pskopek Oh sorry, ignore please the Does AuthzClientCryptoProvider have to be in the common code ? question, as I think I got it wrong...

So then the only question is, can the common release artifact be named as keycloak-client-common ? It is probably not very important, just curious

@pskopek
Author

pskopek commented Nov 11, 2024

> So then the only question is, can the common release artifact be named as keycloak-client-common ? It is probably not very important, just curious

We decided to name it with -synced suffix to indicate the fact that it is synced with some Keycloak server classes. It doesn't have to be named like this, but it somehow made sense for us.

@sberyozkin
Member

> > So then the only question is, can the common release artifact be named as keycloak-client-common ? It is probably not very important, just curious
>
> We decided to name it with -synced suffix to indicate the fact that it is synced with some Keycloak server classes. It doesn't have to be named like this, but it somehow made sense for us.

@pskopek OK, thanks for the explanation, I guess we can work with this artifact name as well.

Member

@gsmet gsmet left a comment

I had another look.

I think we really need to inspect the dependencies of the adjusted modules as I think I have seen the Apache HTTP Client crawling back in the dependencies and I'm not sure that's what we want.

/cc @cescoffier @sberyozkin

<artifactId>jakarta.activation</artifactId>
</exclusion>
</exclusions>
<artifactId>keycloak-client-common-synced</artifactId>
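
Review bot: With the `artifactId` on the last line set to `keycloak-client-common-synced`, the `jakarta.activation` exclusion shown above it should be re-derived from the new artifact's transitive tree rather than assumed to still be the only one needed; run `mvn dependency:tree` on this module before and after the change and compare the two. A Maven Enforcer `bannedDependencies` rule on the module would keep an unwanted transitive dependency from reappearing unnoticed.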

Member

This now brings the Apache HTTP client as a dependency.

We used to have:

[INFO] +- org.keycloak:keycloak-core:jar:25.0.6:compile
[INFO] |  +- org.keycloak:keycloak-common:jar:25.0.6:compile
[INFO] |  |  \- jakarta.activation:jakarta.activation-api:jar:2.1.3:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.18.1:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.18.1:compile
[INFO] |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.18.1:compile
[INFO] |  \- org.eclipse.microprofile.openapi:microprofile-openapi-api:jar:4.0.2:compile

we now have:

[INFO] +- org.keycloak:keycloak-client-common-synced:jar:26.0.2:compile
[INFO] |  +- org.jboss.logging:commons-logging-jboss-logging:jar:1.0.0.Final:runtime
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.14:compile
[INFO] |  |  \- org.apache.httpcomponents:httpcore:jar:4.4.16:compile
[INFO] |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.18.1:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-core:jar:2.18.1:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.18.1:compile
[INFO] |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.18.1:compile
[INFO] |  +- org.eclipse.microprofile.openapi:microprofile-openapi-api:jar:4.0.2:compile
[INFO] |  \- jakarta.activation:jakarta.activation-api:jar:2.1.3:compile

I'm not sure we want that?

Now I don't know if we actually want to use the Admin Client now (or later?) to initialize the container in some way?
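
The before/after comparison in the review comment above, automated as an added example (not part of the PR or of Quarkus): a Python script that parses two `mvn dependency:tree` excerpts and reports transitive artifacts that appear only in the new tree, with the path that pulls them in. The sample input is copied from the comment; the `banned` deny-list policy is a hypothetical illustration.

```python
import re

# Constructed input: the two `mvn dependency:tree` excerpts from the review comment.
BEFORE = r"""
[INFO] +- org.keycloak:keycloak-core:jar:25.0.6:compile
[INFO] |  +- org.keycloak:keycloak-common:jar:25.0.6:compile
[INFO] |  |  \- jakarta.activation:jakarta.activation-api:jar:2.1.3:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.18.1:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.18.1:compile
[INFO] |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.18.1:compile
[INFO] |  \- org.eclipse.microprofile.openapi:microprofile-openapi-api:jar:4.0.2:compile
"""
AFTER = r"""
[INFO] +- org.keycloak:keycloak-client-common-synced:jar:26.0.2:compile
[INFO] |  +- org.jboss.logging:commons-logging-jboss-logging:jar:1.0.0.Final:runtime
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.14:compile
[INFO] |  |  \- org.apache.httpcomponents:httpcore:jar:4.4.16:compile
[INFO] |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.18.1:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-core:jar:2.18.1:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.18.1:compile
[INFO] |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.18.1:compile
[INFO] |  +- org.eclipse.microprofile.openapi:microprofile-openapi-api:jar:4.0.2:compile
[INFO] |  \- jakarta.activation:jakarta.activation-api:jar:2.1.3:compile
"""

# "[INFO] ", then 3-char indent cells ("|  " or "   "), then "+- " or "\- ", then the coordinate.
NODE = re.compile(r"^\[INFO\] ((?:[| ]  )*)[+\\]- (\S+)\s*$")

def parse_tree(text):
    """Map groupId:artifactId -> (version, scope, path from the top-level dependency)."""
    deps, stack = {}, []
    for line in text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # banners, blank lines and the module's own root line
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")  # g:a:type[:classifier]:version:scope
        ga = ":".join(parts[:2])
        del stack[depth:]  # drop siblings and deeper nodes from the previous branch
        stack.append(ga)
        deps.setdefault(ga, (parts[-2], parts[-1], tuple(stack)))
    return deps

def introduced(before, after):
    """Transitive artifacts present only in `after` (top-level dependencies are skipped)."""
    old, new = parse_tree(before), parse_tree(after)
    return {ga: info for ga, info in new.items() if ga not in old and len(info[2]) > 1}

def banned(found, deny_prefixes):
    """Artifacts whose groupId starts with a denied prefix (hypothetical policy)."""
    return sorted(ga for ga in found if ga.split(":")[0].startswith(tuple(deny_prefixes)))

if __name__ == "__main__":
    delta = introduced(BEFORE, AFTER)
    for ga, (version, scope, path) in sorted(delta.items()):
        print(f"NEW {ga}:{version} [{scope}] via {' > '.join(path[:-1])}")
    print("banned:", banned(delta, ["org.apache.httpcomponents"]))
```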

Member

> Now I don't know if we actually want to use the Admin Client now (or later?) to initialize the container in some way?

We don't use the Admin Client in KC Dev Svc. We use there Vert.x Web Client. We only need DTOs from org.keycloak.representations.

Not sure if it is relevant, but KC Dev Svc is now KC Admin Client dependency, I don't know if above-mentioned tree was done when rebased on current main. It only happened lately.

Member

It's not relevant for the tree of one dependency, but it is relevant for context - if you do exclusions.

<artifactId>jakarta.activation</artifactId>
</exclusion>
</exclusions>
</dependency>

Member

Same here actually. We now have a dependency with the Apache HTTP Client and I don't think we want (except if I'm mistaken) that.

Author

@gsmet This is a mistake at keycloak-client-common-synced side. I will fix it there and update this PR with new version of keycloak-client.

Member

Thanks I will have another look next week.

…re and keycloak-adapter-spi

Closes quarkusio#43259

Signed-off-by: Peter Skopek <[email protected]>

quarkus-bot bot commented Nov 18, 2024

Status for workflow Quarkus Documentation CI

This is the status report for running Quarkus Documentation CI on commit fbf5c2a.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

Warning

There are other workflow runs running, you probably need to wait for their status before merging.


quarkus-bot bot commented Nov 18, 2024

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit fbf5c2a.

Failing Jobs

Status Name Step Failures Logs Raw logs Build scan
JVM Tests - JDK 17 Build Failures Logs Raw logs 🔍
JVM Tests - JDK 21 Build Failures Logs Raw logs 🔍

Full information is available in the Build summary check run.
You can consult the Develocity build scans.

Failures

⚙️ JVM Tests - JDK 17 #

- Failing: extensions/keycloak-admin-resteasy-client/deployment 
! Skipped: extensions/keycloak-authorization/deployment integration-tests/keycloak-authorization 

📦 extensions/keycloak-admin-resteasy-client/deployment

io.quarkus.keycloak.adminclient.deployment.KeycloakAdminClientMutualTlsDevServicesTest.testCreateRealm line 50

java.lang.AssertionError: 
1 expectation failed.
Expected status code <204> but was <400>.

	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500)

⚙️ JVM Tests - JDK 21 #

- Failing: extensions/keycloak-admin-resteasy-client/deployment 
! Skipped: extensions/keycloak-authorization/deployment integration-tests/keycloak-authorization 

📦 extensions/keycloak-admin-resteasy-client/deployment

io.quarkus.keycloak.adminclient.deployment.KeycloakAdminClientMutualTlsDevServicesTest.testCreateRealm line 50

java.lang.AssertionError: 
1 expectation failed.
Expected status code <204> but was <400>.

	at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486)
	at org.codehaus.groovy.reflection.CachedConstructor.invoke(CachedConstructor.java:73)
