Captain-P-Goldfish / scim-for-keycloak

a third party module that extends keycloak by SCIM functionality
BSD 3-Clause "New" or "Revised" License
183 stars 47 forks source link

Support for Keycloak Quarkus, > 17.0.0 #52

Closed calh closed 1 year ago

calh commented 2 years ago

Hi,

Do you have any plans to support the new Keycloak Quarkus deployments, after version 17.0.0? From what I've been reading, there aren't that many changes other than the removal of Wildfly. And the deploy process is slightly different.

I'm playing around with Keycloak 18.0.0, and copied the scim-for-keycloak EAR file as a JAR file into the providers directory, but the scim theme wasn't loaded. I manually copied the scim theme into the themes directory, but the SCIM admin link is not present in the UI. If I try to manually hit /admin/master/console/#/realms/master/scim/service-provider/settings I get an HTTP 404 from /realms/master/scim/admin/serviceProviderConfig

I also tested with KC_HTTP_RELATIVE_PATH=/auth for backwards compatibility with the paths, but the same thing happened.

Any suggestions for me?

Thanks!

Captain-P-Goldfish commented 2 years ago

Hi, currently I will not adapt the project to the new keycloak versions since I am currently working on another project. Once this is done I might use some time to update the source code but I cannot give any date for this at the moment.

irinelbogdan92 commented 2 years ago

Hi,

Indeed the EAR is not supported by Quarkus, but I was able to deploy the SPI by simply copying the file scim-for-keycloak-deployment/target/scim-for-keycloak-*/scim-for-keycloak-server.jar into /opt/keycloak/providers and running bin/kc.sh build. After doing this the SPI and theme are deployed on Keycloak 18.

If you wanna use the /auth for the API paths you have to pass --http-relative-path=/auth during the kc.sh build command.

udayskm commented 2 years ago

Hi @Captain-P-Goldfish, I am trying to use SCIM functionality for Keycloak v 18. So far, I am able to enable SCIM UI for realms other than master realm and am able to access "SCIM Service Provider Configuration"

http://localhost:8080/admin/master/console/#/realms/test/scim/service-provider/settings


However, when I tried to access "ResourceTypes" tab, it is throwing an error:


Request URL: http://localhost:8080/realms/test/scim/v2/ResourceTypes/?sortBy=name&filter=name%20ne%20%22ServiceProviderConfig%22%20and%20name%20ne%20%22ResourceType%22%20and%20name%20ne%20%22Schema%22

Status Code: 404

It is unable to resolve path param "name" when accessing the above URL.

Can you please guide me why this path param "name" is missing when accessing Resource Type?

jcv-yang commented 2 years ago

@irinelbogdan92 Hi, thanks for your information. I tried to do the same thing as you, but I got the following error:

ERROR: loader constraint violation: when resolving method 'org.slf4j.ILoggerFactory org.slf4j.impl.StaticLoggerBinder.getLoggerFactory()' the class loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @222eb8aa of the current class, org/slf4j/LoggerFactory, and the class loader java.net.URLClassLoader @c730b35 for the method's defining class, org/slf4j/impl/StaticLoggerBinder, have different Class objects for the type org/slf4j/ILoggerFactory used in the signature (org.slf4j.LoggerFactory is in unnamed module of loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @222eb8aa, parent loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @791d1f8b; org.slf4j.impl.StaticLoggerBinder is in unnamed module of loader java.net.URLClassLoader @c730b35, parent loader 'app')

Could you help me how you resolved this issue?

udayskm commented 2 years ago

> @irinelbogdan92 Hi, thanks for your information. I tried to do the same thing as you, but I got the following error:
>
> ERROR: loader constraint violation: when resolving method 'org.slf4j.ILoggerFactory org.slf4j.impl.StaticLoggerBinder.getLoggerFactory()' the class loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @222eb8aa of the current class, org/slf4j/LoggerFactory, and the class loader java.net.URLClassLoader @c730b35 for the method's defining class, org/slf4j/impl/StaticLoggerBinder, have different Class objects for the type org/slf4j/ILoggerFactory used in the signature (org.slf4j.LoggerFactory is in unnamed module of loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @222eb8aa, parent loader io.quarkus.bootstrap.classloading.QuarkusClassLoader @791d1f8b; org.slf4j.impl.StaticLoggerBinder is in unnamed module of loader java.net.URLClassLoader @c730b35, parent loader 'app')
>
> Could you help me how you resolved this issue?

Remove @Slf4j annotation from the provider factory classes (since no loggers were added in those classes) and rebuild it.

https://github.com/Captain-P-Goldfish/scim-for-keycloak/blob/master/scim-for-keycloak-server/src/main/java/de/captaingoldfish/scim/sdk/keycloak/provider/ScimJpaEntityProviderFactory.java

https://raw.githubusercontent.com/Captain-P-Goldfish/scim-for-keycloak/master/scim-for-keycloak-server/src/main/java/de/captaingoldfish/scim/sdk/keycloak/provider/ScimEndpointProviderFactory.java

jcv-yang commented 2 years ago

@udayskm Really thanks for your help, the issue was resolved 👍

udayskm commented 2 years ago

> @udayskm Really thanks for your help, the issue was resolved 👍

Are you able to create Provider Jar and deploy it in Keycloak?

jcv-yang commented 2 years ago

@udayskm No luck on that 😭

udayskm commented 2 years ago

> @udayskm No luck on that 😭

Since we are not going to generate ear file, we need to use maven-assembly-plugin to generate a final jar with dependencies. By that, we can bundle all dependencies into a single jar.

jcv-yang commented 2 years ago

@udayskm I see, that's why I encountered the class not found error message; I should bundle all of them together. Thanks again for your kind instruction.

calh commented 1 year ago

Thanks @Captain-P-Goldfish! I placed the new JAR in my providers directory, built a new Docker image, and ran it. My first startup gave me:

liquibase.exception.ValidationFailedException: Validation Failed:
     1 change sets check sum
          META-INF/scim-changelog.xml::scim-sdk-1.0::pascal knueppel was: 7:54900cba59debc2ce8fe7a3a8067e8b2 but is now: 8:fc78a5690c6c0f158148d1e19cdc6f22

But I realized I still had the same database running with a previous docker storage volume. After deleting the volume and recreating a new postgres container from scratch, it did work.

If I want to move this to my production system, is there something else that needs to be done to trigger the db schema update?

udayskm commented 1 year ago

@calh Are you able to enable SCIM in master realm and other realms?

calh commented 1 year ago

@udayskm, yep! After I nuked my old database schema, it started up and I was able to create a test user & group and get:

curl localhost:8080/auth/realms/master/scim/v2/Users | jq

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "totalResults": 2,
  "itemsPerPage": 2,
  "startIndex": 1,
  "Resources": [
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "id": "9cd5e369-7635-456e-9183-b60ae375d9e7",
      "userName": "admin",
      "active": true,
      "meta": {
        "resourceType": "User",
        "created": "2022-07-14T20:26:42.024Z",
        "lastModified": "2022-07-14T20:26:42.024Z",
        "location": "http://localhost:8080/auth/realms/master/scim/v2/Users/9cd5e369-7635-456e-9183-b60ae375d9e7"
      }
    },
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "id": "dda754b0-9837-49e0-8f69-97d29095c118",
      "userName": "test",
      "active": true,
      "groups": [
        {
          "value": "67a28ec0-e578-4ad2-8c30-2a002db81dc2",
          "display": "test",
          "type": "direct"
        }
      ],
      "meta": {
        "resourceType": "User",
        "created": "2022-07-14T20:39:40.923Z",
        "lastModified": "2022-07-14T20:39:40.923Z",
        "location": "http://localhost:8080/auth/realms/master/scim/v2/Users/dda754b0-9837-49e0-8f69-97d29095c118"
      }
    }
  ]
}
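The curl call in the comment above carries no Authorization header and still returns user records, so before a production move it is worth confirming how the SCIM endpoint answers anonymous callers. The following check is an added example, not part of the thread or of the project's code; `assess_anonymous_reply`, `probe` and the sample body are constructed here, and the URL layout is taken from the curl call.

```python
import json
import urllib.error
import urllib.request

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def assess_anonymous_reply(status, body):
    """Classify the reply to a SCIM /Users request sent without credentials."""
    if status in (401, 403):
        return {"exposed": False, "users": [], "reason": f"rejected with HTTP {status}"}
    if status != 200:
        return {"exposed": False, "users": [], "reason": f"HTTP {status}, review manually"}
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None  # e.g. an HTML login page after a redirect
    if not isinstance(doc, dict) or LIST_RESPONSE not in (doc.get("schemas") or []):
        return {"exposed": False, "users": [],
                "reason": "HTTP 200 but not a SCIM ListResponse"}
    resources = doc.get("Resources") or []
    users = [r.get("userName") for r in resources if isinstance(r, dict)]
    total = doc.get("totalResults", len(users))
    return {"exposed": True, "users": users,
            "reason": f"anonymous caller listed {total} user(s)"}

def probe(base_url, realm, timeout=5):
    """Send one unauthenticated GET to your own deployment and classify the reply.

    base_url includes the relative path if one is set, e.g. http://localhost:8080/auth
    """
    url = f"{base_url.rstrip('/')}/realms/{realm}/scim/v2/Users"
    req = urllib.request.Request(url, headers={"Accept": "application/scim+json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return assess_anonymous_reply(resp.status, body)
    except urllib.error.HTTPError as err:
        return assess_anonymous_reply(err.code, "")

# Constructed sample, shortened from the reply quoted in the thread.
SAMPLE_OPEN = json.dumps({
    "schemas": [LIST_RESPONSE], "totalResults": 2, "itemsPerPage": 2, "startIndex": 1,
    "Resources": [{"userName": "admin", "active": True},
                  {"userName": "test", "active": True}],
})

if __name__ == "__main__":
    print(assess_anonymous_reply(200, SAMPLE_OPEN))
    print(assess_anonymous_reply(401, ""))
```

Run `probe("http://localhost:8080/auth", "master")` against a staging instance; an `exposed: True` result means the realm's SCIM endpoint serves user data to callers with no token.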

Captain-P-Goldfish commented 1 year ago

> Thanks @Captain-P-Goldfish! I placed the new JAR in my providers directory, built a new Docker image, and ran it. My first startup gave me:
>
> liquibase.exception.ValidationFailedException: Validation Failed:
>      1 change sets check sum
>           META-INF/scim-changelog.xml::scim-sdk-1.0::pascal knueppel was: 7:54900cba59debc2ce8fe7a3a8067e8b2 but is now: 8:fc78a5690c6c0f158148d1e19cdc6f22
>
> But I realized I still had the same database running with a previous docker storage volume. After deleting the volume and recreating a new postgres container from scratch, it did work.
>
> If I want to move this to my production system, is there something else that needs to be done to trigger the db schema update?

There are no changes on the liquibase files so I can only assume that this has to do with the classpath that is entered into the database when liquibase creates its checksums. It should be possible to fix it by executing the following sql-query:

update keycloak.DATABASECHANGELOG_SCIM_JPA_E set MD5SUM=null;

calh commented 1 year ago

I started fresh to see if I could recreate the same problem, and it didn't happen again.

I must have messed up my change logs from installing various things in the past.

Captain-P-Goldfish commented 1 year ago

This is a migration problem when switching from 16 or before to 18. This might have happened because the deployment was changed from ear to jar. So this problem would only occur if the scim-for-keycloak deployment was already present in a keycloak of version 16 or before; if you then add it to keycloak 18, the problem should be recreated.