Closed martaisty closed 1 year ago
Hi! @martaisty Thanks for starting a discussion on this one. I have faced precisely the same issue. @sberyozkin please take a look at it. Thanks!
Do we really need --features-disabled? I think whatever the default features are enabled in the current Keycloak version should be available. IMHO adding a Set features property is sufficient - and it should be documented that it won't be supported for the legacy WildFly based distributions and that java-opts should be used for enabling the extra features for WildFly based distributions.
Earlier quarkus.keycloak.devservices.java-opts=-Dkeycloak.profile.feature.token_exchange=enabled worked just fine. However, after Quarkus 2.16.6 bumped Keycloak to 21.0.1 this doesn't work anymore.
@martaisty Can you please open an issue/start a discussion in the Keycloak repository? (CC @pedroigor)
(If it is a blocker - please configure it to use the previous version with image-name)
+1 to this enhancement. But I'm afraid I may not be able to prioritize on it for a while, please open a PR if it is urgent
--features-disabled is not really needed, at least for my usage of Keycloak. I just thought it would be nice to have. You're right @sberyozkin, the features property will probably be sufficient. I've opened an issue in the Keycloak repository to clarify this behavior.
Having analyzed Keycloak's changes between versions a bit, I've found a workaround: using quarkus.keycloak.devservices.java-opts=-Dkc.features=token-exchange,admin-fine-grained-authz,map-storage suffices for my needs. I am not really sure if it's a good idea to configure it in this way.
Thanks @martaisty, so if you can continue using JAVA_OPTS, are we going to save a lot with --features?
I.e as far as DevServices config is concerned, it would be about users doing either
java_opts=-Dkc.features=token-exchange,admin-fine-grained-authz,map-storage
vs
features=token-exchange,admin-fine-grained-authz,map-storage
The latter option looks nicer for sure, but does it warrant adding a new config property which only optimizes what is already possible with java_opts, albeit in a bit more verbose way?
I may be missing something though...
The latter option looks nicer for sure, but does it warrant adding a new config property which only optimizes what is already possible with java_opts, albeit in a bit more verbose way?
@sberyozkin actually, it depends on the Keycloak team's answer to the opened issue...
If they claim that usage of java_opts=-Dkc.features=token-exchange,admin-fine-grained-authz,map-storage is fine, then we can close the issue and keep using it. Otherwise, I believe adding --features=... is worth the effort to have an ability to customize Keycloak devservices.
By the way, adding --features=... to the start command is not the only option. There are other ways for Keycloak configuration:
Keycloak loads the configuration from four different configuration sources:
- command-line parameters
- environment variables
- user-created .conf file
- keycloak.conf file located in the conf directory.
Maybe adding support of environment variables to Keycloak devservices will be easier and better, because it can cover more use cases. Then such config can look like this: quarkus.keycloak.devservices.envs.KC_FEATURES=token-exchange
Hi @sberyozkin :wave: Back to the issue... I received an answer from Keycloak team. Please check it out: https://github.com/keycloak/keycloak/issues/19577#issuecomment-1516482327
Therefore, I believe support of features config for Keycloak devservices should be added.
It's possible now (since Quarkus 3.2.0.Final) to pass environment variables to devservices containers. See #34223
Environment variables made devservices much more flexible 🎉 Closing the issue
Description
Add a way to enable/disable features for Keycloak devservices. There are several ways how Keycloak suggests doing this. It's especially useful when you need something like the token-exchange feature.
Earlier quarkus.keycloak.devservices.java-opts=-Dkeycloak.profile.feature.token_exchange=enabled worked just fine. However, after Quarkus 2.16.6 bumped Keycloak to 21.0.1 this doesn't work anymore. Maybe it's Keycloak's bug, but I haven't found the keycloak.profile.feature.token_exchange=enabled option in their documentation, so can't rely on that.
Implementation ideas
Add optional features and features-disabled to DevServicesConfig and append Keycloak's start command with --features=... and --features-disabled=.. if the options are present.