Alvearie / keycloak-extensions-for-fhir

Keycloak extensions for FHIR
Apache License 2.0

Upgrade to the Quarkus-based Keycloak distribution #64

Open XcrigX opened 2 years ago

XcrigX commented 2 years ago

The current project is fixed to Keycloak 16.1.1. It appears starting with Keycloak 17, significant changes have been made to how keycloak configuration works: https://www.keycloak.org/docs/latest/release_notes/index.html#keycloak-17-0-0

"The default Keycloak distribution is now based on Quarkus. The new distribution is faster, leaner, and a lot easier to configure! We appreciate migrating from the WildFly distribution is not going to be straightforward for everyone, since how you start and configure Keycloak has radically changed. With that in mind we will continue to support the WildFly distribution until June 2022."

Note also the end support date of June 2022.

Are the maintainers here planning an update, or should your (very appreciative) users plan this on their own? Thanks!

NOTE: I haven't tried or looked deeply into the changes or upgrading as of yet, but will share back anything I learn or do here.

lmsurpre commented 2 years ago

I've now bumped the version to keycloak 18.0.0, but I have not looked into making it compatible with the quarkus distribution. If you don't mind, I'll update the title of this one to indicate the desire to move to that.

lmsurpre commented 2 years ago

I don't have immediate plans for looking into the Quarkus distribution...any insights you (or others) can provide on the changes required for that would be most welcome.

lmsurpre commented 2 years ago

For cases where a user has access to more than one patient and a launch/patient scope is requested, the current implementation makes use of the IBM FHIR Server client libs (packaged as a jboss module)...I don't think any of that will work in Quarkus. I'd probably start by looking at version 2.x of the testcontainers-keycloak project which supports the Quarkus-based keycloak distribution...hopefully that could provide a nice environment to iterate on the Patient selection form.

Also, if it's needed, feel free to open an issue at IBM/FHIR to request quarkus support from the main libs (fhir-model and fhir-provider) there.

XcrigX commented 2 years ago

@lmsurpre - We had some luck getting this to work on the Quarkus version. We used the HAPI client libs rather than Jboss to query the FHIR server and packaged the custom authenticator as a shaded/uber jar which can then be deployed with Keycloak at a specific path. One difference to be aware of is this guidance in the 17.x release notes: "With the new distribution there is no longer a separate classpath for custom providers, so you may need to be more careful with what additional dependencies you include. In addition, the EAR packaging format, and jboss-deployment-structure.xml files, is no longer supported."

There are of course a lot of differences in how to configure and run Keycloak in the latest version as well.

I hope to share this back when we get to a stable point, but wanted to update that it's possible and not too difficult or different really from what you had.

jigneshmpatel commented 1 year ago

@XcrigX were you able to make any progress on using keycloak based on quarkus? I am seeing there are many branches created by @lmsurpre. Is there any branch we can pick up and start working on? If required we can also work towards completing the pending tasks.

XcrigX commented 1 year ago

@jigneshmpatel - I have my working copy here: https://github.com/XcrigX/keycloak-extensions-for-fhir/tree/quarkus-update

I'm still working through some issues with the unit tests so I haven't pushed it to this repo yet. There is also some work to do to update the readme. I'll update here when I get it fully functioning - I think it's 95% there. @lmsurpre - Let me know how you'd like to handle it when it's working - a separate branch here?

jigneshmpatel commented 1 year ago

@XcrigX thank you for the response. Since the window for g10 certification is very close, how do we jump in and start working? Is it only the test cases that are not working?

XcrigX commented 1 year ago

Some context: I have everything working in a different/private repo we had started from scratch using this project as a guide. I am now trying to port what we did back to this project. So I know it can work. I have not tested this version out 'live' yet though. I just started porting it back here today.

I'm down to one strange test failure. The KeyCloakConfig.PropertyGroupTest fails when running from the command line, but works in Eclipse. I'm out of time to figure it out today, though.

Feel free to grab it and build it. Keycloak does come up.

Be warned - I found Keycloak to be tricky to get configured to run in real environment (behind a reverse-proxy, admin console not publicly available, TLS, etc.). The Dockerfile here is starting the server in dev mode. You'll need to change all that to run it "for real". See: https://www.keycloak.org/guides for more info.

jigneshmpatel commented 1 year ago

ok, we'll see if there is progress being made towards the end of the week; we will start exploring sometime early next week.

XcrigX commented 1 year ago

FYI, unit test errors are all fixed now - it was just an issue with the surefire plugin version and junit5.

XcrigX commented 1 year ago

NOTE: I deleted and recreated the branch also so I could squash everything into 1 commit: https://github.com/XcrigX/keycloak-extensions-for-fhir/tree/feature/quarkus-update

lmsurpre commented 1 year ago

That's awesome @XcrigX ... please open a PR if you're interested in contributing that. We do follow DCO here and so you'd need to amend your commit to add a single-line signoff.

jigneshmpatel commented 1 year ago

That is awesome, so @XcrigX this branch code does not require any modifications? https://github.com/XcrigX/keycloak-extensions-for-fhir/tree/quarkus-update


XcrigX commented 1 year ago

Pushed another update to fix some docker build issues and update the readme to reflect proper docker build commands and paths. @jigneshmpatel - I haven't run it through the wringer yet to functionally test it and I may not get to that right now. The images build and come up. The code should not require any modifications unless there are bugs/issues - however you will need to make your own Dockerfile if you intend to deploy it in a non-test environment. You'll need to fill in various env variables for the container for your environment (database, hostnames, etc.), and you'd want to start keycloak NOT in dev mode.

jigneshmpatel commented 1 year ago

got it.

jigneshmpatel commented 1 year ago

Are there build steps I can follow? I believe I need to checkout the branch: keycloak-extensions-for-fhir

jigneshmpatel commented 1 year ago

I am not able to run:

docker run -v :/config -e KEYCLOAK_BASE_URL=http://localhost:8081/auth alvearie/keycloak-config -configFile config/keycloak-config.json

Not only that, localhost:8080 doesn't show the appropriate screen to login; instead it gives the following message:

Open http://localhost:8080/ or set the environment variables KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD before starting the server.

after running the following command:

docker run -p 8080:8080 -p 8443:8443 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin alvearie/smart-keycloak

I have tried with JDK 11 and JDK 17.

jigneshmpatel commented 1 year ago

My team member was able to bring up the server on the main branch, but as stated above I can't run the feature/quarkus-update branch.

XcrigX commented 1 year ago

@jigneshmpatel - Be sure to check that you are connected to the proper branch - I deleted and recreated it a couple of times. I updated the readme.md documentation to update the environment variable names and things - but it's possible I still missed something.

You could also access the code from the PR I submitted: https://github.com/Alvearie/keycloak-extensions-for-fhir/pull/97

Once you've verified you have the latest updates from the proper branch, these commands I think should work to start it:

docker build . -f keycloak-config/Dockerfile -t alvearie/keycloak-config

docker run -v /local/config/dir:/config -e KEYCLOAK_BASE_URL=http://host.docker.internal:8080 alvearie/keycloak-config -configFile config/keycloak-config.json

You'd then need to build and run the keycloakConfig container as well once that is working to create the test realm with SMART support.

XcrigX commented 1 year ago

Apologies, I gave the keycloak config info above. The smart keycloak command would be:

docker run -p 8080:8080 -p 8443:8443 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin alvearie/smart-keycloak
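The command above starts the image in dev mode, which the thread warns against for a real deployment. The helper below is an added example, not part of the project or this thread: it assembles the dev-mode command quoted above and a production-mode counterpart (Keycloak `start`, Postgres database, TLS terminated by a reverse proxy via `KC_PROXY=edge`), refusing to start until every required `KC_*` variable is exported. It assumes the alvearie/smart-keycloak image passes its trailing arguments through to kc.sh; secrets are passed with bare `-e NAME` so they never appear on the command line.

```shell
#!/bin/sh
# Added example: dev-mode vs production-mode launch of alvearie/smart-keycloak.
# Assumption: the image forwards its trailing arguments (start-dev / start) to kc.sh.
# Assumption: a reverse proxy in front of the container terminates TLS (KC_PROXY=edge).

# Standard Keycloak (Quarkus) options a production start needs; all must be exported.
REQUIRED_PROD_VARS="KC_DB KC_DB_URL KC_DB_USERNAME KC_DB_PASSWORD KC_HOSTNAME KEYCLOAK_ADMIN KEYCLOAK_ADMIN_PASSWORD"

# Returns 0 when every required variable is set and non-empty, 1 otherwise.
check_prod_env() {
  missing=""
  for v in $REQUIRED_PROD_VARS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    echo "refusing production start, missing:$missing" >&2
    return 1
  fi
  return 0
}

# Prints the docker run command for the requested mode.
#   dev  : the thread's command (start-dev, plain HTTP on 8080, embedded dev database)
#   prod : 'start' with a real database and hostname, HTTP only because the proxy
#          terminates TLS; passwords are forwarded from the environment, not inlined.
smart_keycloak_run_cmd() {
  case "$1" in
    dev)
      printf '%s\n' "docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin alvearie/smart-keycloak start-dev"
      ;;
    prod)
      check_prod_env || return 1
      printf '%s\n' "docker run -p 8080:8080 -e KEYCLOAK_ADMIN -e KEYCLOAK_ADMIN_PASSWORD \
 -e KC_DB=$KC_DB -e KC_DB_URL=$KC_DB_URL -e KC_DB_USERNAME -e KC_DB_PASSWORD \
 -e KC_HOSTNAME=$KC_HOSTNAME -e KC_PROXY=edge -e KC_HTTP_ENABLED=true \
 alvearie/smart-keycloak start"
      ;;
    *)
      echo "usage: smart_keycloak_run_cmd dev|prod" >&2
      return 2
      ;;
  esac
}
```

Pipe the prod output to `sh` only after `check_prod_env` passes; the dev command should stay confined to local testing.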

jigneshmpatel commented 1 year ago

Is it advisable to run with JDK 17, as it has long-term support? I can confirm that I can run on JDK 11 without any issues. Also, what other configuration is required that we should work on to integrate with a SMART on FHIR application?

jigneshmpatel commented 1 year ago

We need some guidance on how to configure the following in keycloak:

"capabilities": [
    "launch-ehr",
    "launch-standalone",
    "client-public",
    "client-confidential-symmetric",
    "sso-openid-connect",
    "context-banner",
    "context-style",
    "context-ehr-patient",
    "context-ehr-encounter",
    "context-standalone-patient",
    "context-standalone-encounter",
    "permission-offline",
    "permission-patient",
    "permission-user"
]

management_endpoint

Also, in the response we are not able to set header values.

XcrigX commented 1 year ago

@jigneshmpatel - Suggest you re-read the readme wiki for this project. It's not a complete implementation of all things Smart on FHIR. Rather it extends Keycloak to add support for some things in the SMART spec which are not supported by Keycloak out of the box. It will give you a base to support standalone app launch for "launch/patient" - but may still require some customizations for your specific use-cases. For instance, in my case the way I am correlating FHIR Patient IDs to Keycloak users is different from what this project does - so I had to further customize those parts in my private repo.

I have not looked into using it for use-cases other than launch/patient. Presumably for most of those the EHR would already have an authenticated user - so I'm not certain where Keycloak would even play a role unless it is the Auth server for the EHR.

For general SMART on FHIR info/questions (not specific to Keycloak), you can also utilize the SMART channel/stream here: https://chat.fhir.org/