quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

Add possibility to enable/disable features for Keycloak devservices #32444

Closed martaisty closed 1 year ago

martaisty commented 1 year ago

Description

Add a way to enable/disable features for Keycloak devservices. There are several ways Keycloak suggests doing this. It's especially useful when you need something like the token-exchange feature.

Earlier, quarkus.keycloak.devservices.java-opts=-Dkeycloak.profile.feature.token_exchange=enabled worked just fine. However, after Quarkus 2.16.6 bumped Keycloak to 21.0.1, this doesn't work anymore. Maybe it's Keycloak's bug, but I haven't found the keycloak.profile.feature.token_exchange=enabled option in their documentation, so I can't rely on that.

Implementation ideas

Add optional features and features-disabled to DevServicesConfig and append Keycloak's start command with --features=... and --features-disabled=.. if the options are present.

antonvovk commented 1 year ago

Hi! @martaisty Thanks for starting a discussion on this one. I have faced precisely the same issue. @sberyozkin please take a look at it. Thanks!

sberyozkin commented 1 year ago

Do we really need --features-disabled? I think whatever the default features are enabled in the current Keycloak version should be available. IMHO adding a Set features property is sufficient - and it should be doc-ed that it won't be supported for the legacy WildFly based distributions and that java-opts should be used for enabling the extra features for WildFly based distributions.

Earlier quarkus.keycloak.devservices.java-opts=-Dkeycloak.profile.feature.token_exchange=enabled worked just fine. However, after Quarkus 2.16.6 bumped Keycloak to 21.0.1 this doesn't work anymore.

@martaisty Can you please open an issue/start a discussion in the Keycloak repository? (CC @pedroigor) (If it is a blocker - please configure it to use the previous version with image-name)

+1 to this enhancement. But I'm afraid I may not be able to prioritize it for a while, please open a PR if it is urgent

martaisty commented 1 year ago

--features-disabled is not really needed, at least for my usage of Keycloak. I just thought it would be nice to have. You're right @sberyozkin, a features property will probably be sufficient. I've opened an issue in the Keycloak repository to clarify this behavior.

Having analyzed Keycloak's changes between versions a bit, I've found a workaround, using quarkus.keycloak.devservices.java-opts=-Dkc.features=token-exchange,admin-fine-grained-authz,map-storage, that suffices for my needs. I am not really sure if it's a good idea to configure it in this way.

sberyozkin commented 1 year ago

Thanks @martaisty, so if you can continue using JAVA_OPTS, are we going to save a lot with --features? I.e., as far as DevServices config is concerned, it would be about users doing either

java_opts=-Dkc.features=token-exchange,admin-fine-grained-authz,map-storage

vs

features=token-exchange,admin-fine-grained-authz,map-storage

The latter option looks nicer for sure, but does it warrant adding a new config property which only optimizes what is already possible with java_opts, albeit in a bit more verbose way?

I may be missing something though...

martaisty commented 1 year ago

The latter option looks nicer for sure, but does it warrant adding a new config property which only optimizes what is already possible with java_opts, albeit in a bit more verbose way?

@sberyozkin actually, it depends on Keycloak team's answer to the opened issue...

If they claim that usage of java_opts=-Dkc.features=token-exchange,admin-fine-grained-authz,map-storage is fine, then we can close the issue and keep using it. Otherwise, I believe adding --features=... is worth the effort to have the ability to customize Keycloak devservices.

By the way, adding --features=... to the start command is not the only option. There are other ways for Keycloak configuration:

Keycloak loads the configuration from four different configuration sources:

  • command-line parameters
  • environment variables
  • user-created .conf file
  • keycloak.conf file located in the conf directory.

Maybe adding support for environment variables to Keycloak devservices will be easier and better, because it can cover more use cases. Then such a config could look like this: quarkus.keycloak.devservices.envs.KC_FEATURES=token-exchange

martaisty commented 1 year ago

Hi @sberyozkin 👋 Back to the issue... I received an answer from the Keycloak team. Please check it out: https://github.com/keycloak/keycloak/issues/19577#issuecomment-1516482327

Therefore, I believe support for features config for Keycloak devservices should be added.

Eng-Fouad commented 1 year ago

The latter option looks nicer for sure, but does it warrant adding a new config property which only optimizes what is already possible with java_opts, albeit in a bit more verbose way?

@sberyozkin actually, it depends on Keycloak team's answer to the opened issue...

If they claim that usage of java_opts=-Dkc.features=token-exchange,admin-fine-grained-authz,map-storage is fine, then we can close the issue and keep using it. Otherwise, I believe adding --features=... is worth the effort to have the ability to customize Keycloak devservices.

By the way, adding --features=... to the start command is not the only option. There are other ways for Keycloak configuration:

Keycloak loads the configuration from four different configuration sources:

  • command-line parameters
  • environment variables
  • user-created .conf file
  • keycloak.conf file located in the conf directory.

Maybe adding support for environment variables to Keycloak devservices will be easier and better, because it can cover more use cases. Then such a config could look like this: quarkus.keycloak.devservices.envs.KC_FEATURES=token-exchange

It's possible now (since Quarkus 3.2.0.Final) to pass environment variables to devservices containers. See #34223

martaisty commented 1 year ago

Environment variables made devservices much more flexible 🎉 Closing the issue