cncf / foundation

☁️♮🏛 This repo contains several documents related to the operation of the CNCF. File non-technical issues related to CNCF here.
https://cncf.io

[License Exception Request] [Keycloak] [0BSD, CDDL-1.1, EPL-1.0, EPL-2.0, GPL-2.0-only, GPL-2.0-with-classpath-exception, LGPL-2.1, LGPL-2.1-only, MIT-0, MPL-2.0, UPL-1.0] #817

Open stianst opened 2 weeks ago

stianst commented 2 weeks ago

As Keycloak is a mature project with many past releases and an already large community, we are asking for multiple exceptions in a single issue rather than opening many independent issues.

For complete information on third-party libraries included in binary distributions please refer to the third-party licenses report for the latest release.

An additional item we would like to make the CNCF aware of is that in previous releases Keycloak included closed source database drivers for Oracle, available under Oracle Free Use Terms and Conditions (FUTC). These have been removed from the distribution from 25.0.0 onwards, and require obtaining and installing by the user themselves to connect Keycloak to an Oracle database, but are still present in releases from 17.x to 24.x.

Component details

| Dependency | Description | License(s) | Website | Source repository |
| --- | --- | --- | --- | --- |
| tslib | Runtime library for TypeScript helper functions | 0BSD | https://www.typescriptlang.org/ | https://github.com/Microsoft/tslib/ |
| com.h2database:h2 | H2 Database Engine | MPL-2.0 OR EPL-1.0 | https://h2database.com | https://github.com/h2database/h2database/ |
| com.mysql:mysql-connector-j | JDBC Type 4 driver for MySQL. | GPL-2.0-only | http://dev.mysql.com/doc/connector-j/en/ | https://github.com/mysql/mysql-connector-j/ |
| jakarta.annotation:jakarta.annotation-api | Jakarta Annotations API | EPL-2.0 OR GPL-2.0-with-classpath-exception | https://projects.eclipse.org/projects/ee4j.ca | https://github.com/eclipse-ee4j/common-annotations-api/ |
| jakarta.el:jakarta.el-api | Jakarta Expression Language defines an expression language for Java applications | EPL-2.0 OR GPL-2.0-with-classpath-exception | https://projects.eclipse.org/projects/ee4j.el | https://github.com/eclipse-ee4j/el-ri/ |
| jakarta.interceptor:jakarta.interceptor-api | Jakarta Interceptors defines a means of interposing on business method invocations and specific events—such as lifecycle events and timeout events—that occur on instances of Jakarta EE components and other managed classes. | EPL-2.0 OR GPL-2.0-with-classpath-exception | https://github.com/eclipse-ee4j/interceptor-api | https://github.com/eclipse-ee4j/interceptor-api/ |
| jakarta.json:jakarta.json-api | Jakarta JSON Processing defines a Java(R) based framework for parsing, generating, transforming, and querying JSON documents. | EPL-2.0 OR GPL-2.0-only | https://github.com/eclipse-ee4j/jsonp | https://github.com/eclipse-ee4j/jsonp/ |
| jakarta.resource:jakarta.resource-api | Jakarta Connectors 2.1 | EPL-2.0 OR GPL-2.0-with-classpath-exception | https://github.com/eclipse-ee4j/jca-api | https://github.com/eclipse-ee4j/jca-api/ |
| jakarta.servlet:jakarta.servlet-api | Eclipse Enterprise for Java (EE4J) is an open source initiative to create standard APIs, implementations of those APIs, and technology compatibility kits for Java runtimes that enable development, deployment, and management of server-side and cloud-native applications. | EPL-2.0 OR GPL-2.0-with-classpath-exception | https://projects.eclipse.org/projects/ee4j.servlet | https://github.com/eclipse-ee4j/servlet-api/ |
| jakarta.transaction:jakarta.transaction-api | Jakarta Transactions | EPL-2.0 OR GPL-2.0-with-classpath-exception | https://projects.eclipse.org/projects/ee4j.jta | https://github.com/eclipse-ee4j/jta-api/ |
| jakarta.ws.rs:jakarta.ws.rs-api | Jakarta RESTful Web Services | EPL-2.0 OR GPL-2.0-with-classpath-exception | https://github.com/eclipse-ee4j/jaxrs-api | https://github.com/eclipse-ee4j/jaxrs-api/ |
| javax.xml.bind:jaxb-api | JAXB (JSR 222) API | CDDL-1.1 OR GPL-2.0-with-classpath-exception | https://github.com/javaee/jaxb-spec/jaxb-api | https://github.com/javaee/jaxb-spec/ |
| org.eclipse.parsson:parsson | Jakarta JSON Processing provider | EPL-2.0 OR GPL-2.0-only | https://github.com/eclipse-ee4j/parsson/parsson | https://github.com/eclipse-ee4j/parsson/ |
| org.graalvm.sdk:nativeimage | A framework that allows to customize native image generation. | UPL-1.0 | https://github.com/oracle/graal | https://github.com/oracle/graal/ |
| org.graalvm.sdk:word | A low-level framework for machine-word-sized values in Java. | UPL-1.0 | https://github.com/oracle/graal | https://github.com/oracle/graal/ |
| org.hibernate.common:hibernate-commons-annotations | Common reflection code used in support of annotation processing | LGPL-2.1-only | http://hibernate.org | https://github.com/hibernate/hibernate-commons-annotations/ |
| org.hibernate.orm:hibernate-core | Hibernate's core ORM functionality | LGPL-2.1-only | https://hibernate.org/orm | https://github.com/hibernate/hibernate-orm/ |
| org.hibernate.orm:hibernate-graalvm | Experimental extension to make it easier to compile applications into a GraalVM native image | LGPL-2.1-only | https://hibernate.org/orm | https://github.com/hibernate/hibernate-orm/ |
| org.mariadb.jdbc:mariadb-java-client | JDBC driver for MariaDB and MySQL | LGPL-2.1 | https://mariadb.com/kb/en/mariadb/about-mariadb-connector-j/ | https://github.com/mariadb-corporation/mariadb-connector-j/ |
| org.openjdk.nashorn:nashorn-core | Nashorn is an Open Source JavaScript (ECMAScript 5.1 and some 6 features) engine for the JVM. | GPL-2.0-only | https://github.com/openjdk/nashorn | https://github.com/openjdk/nashorn/ |
| org.reactivestreams:reactive-streams | A Protocol for Asynchronous Non-Blocking Data Sequence | MIT-0 | http://www.reactive-streams.org/ | https://github.com/reactive-streams/reactive-streams-jvm/ |

License name

Code modified?

Code is used in unmodified form

Changes contributed?

No response

Any alternatives?

The majority of dependencies included in this report are transitive dependencies from the Quarkus framework and have no suitable alternatives available, with the exception of the components listed below.

com.mysql:mysql-connector-j and org.mariadb.jdbc:mariadb-java-client could be removed from the distribution, and require users to install these themselves. However, this would have a negative effect on end-users as it introduces an extra step in connecting Keycloak to MySQL or MariaDB databases.

org.openjdk.nashorn:nashorn-core could be removed from the distribution, and require users to install it themselves. However, this would have a negative effect on end-users as it introduces an extra step in deploying custom JavaScript code.

An extra point to mention with regard to the above is that Keycloak is frequently used and deployed by developers and administrators unfamiliar with Java and JAR files, which increases the difficulty of any additional steps of obtaining and deploying additional JAR files.

Integrates with other components?

Keycloak is distributed as a container as well as an archive. In addition there is a separate container distribution for a Kubernetes Operator. For more details see https://www.keycloak.org/downloads.

All binary distributions of Keycloak include a number of third-party libraries, including Java JAR files and client-side JavaScript libraries.

The majority of Java JARs are transitive dependencies from the Quarkus framework that Keycloak is built on, with the exception of the components listed below.

com.h2database:h2 is a fast in-memory database written in Java that makes it easier to try out Keycloak for evaluation, development, or integration testing.

com.mysql:mysql-connector-j provides the database driver for Keycloak to connect to MySQL databases.

org.mariadb.jdbc:mariadb-java-client provides the database driver for Keycloak to connect to MariaDB databases.

org.openjdk.nashorn:nashorn-core provides a JavaScript engine to enable custom JavaScript code to be deployed to Keycloak.