
Use keycloak-client libraries instead of keycloak-common, keycloak-core and keycloak-adapter-spi #43260

Merged
merged 2 commits into from
Dec 23, 2024

Conversation

@pskopek (Contributor) commented Sep 13, 2024

This PR uses keycloak-client 26.0.0-alpha2. If it passes all checks and reviews I can release final and update the PR.

Closes #43259

@quarkus-bot quarkus-bot bot added area/dependencies Pull requests that update a dependency file area/keycloak area/oidc area/testing labels Sep 13, 2024
@rsvoboda (Member)

FYI @maxandersen @gsmet @aloubyansky

@sberyozkin (Member)

Thanks @pskopek for the PR. I think I understand the idea, but I'm not sure I appreciate the consequences, if any, for Quarkus. I'd like to ask @pedroigor and @mposolda to review, thanks

@sberyozkin (Member)

@pskopek I can try the devservice myself a little bit later to save you some time

github-actions bot commented Sep 13, 2024

😭 Deploy PR Preview failed.

@aloubyansky (Member)

@pskopek afaics, only the dependency on keycloak-adapter-spi is removed; the rest remain dependencies. keycloak-common was just a version constraint. Could you clarify the reason to remove the Keycloak version constraints from the BOM?

@gsmet (Member) commented Sep 13, 2024

The failures are unrelated.

@sberyozkin (Member)

@pskopek Keycloak devservice is OK with this update :-), thanks

@sberyozkin sberyozkin self-requested a review September 16, 2024 13:57
@aloubyansky (Member) left a comment

Let's add the Keycloak dependencies that are direct dependencies of Quarkus extensions back to the BOM.

@pskopek (Contributor, Author) commented Oct 10, 2024

@sberyozkin @aloubyansky I fixed the issues with versions you requested. There is a separation between the Keycloak Server (25.0.6) used for testing purposes and the Keycloak Client Libs (26.0.0) used in Quarkus.
Can you review the new changes, please?

@aloubyansky (Member)

Dependency-wise this looks better @pskopek, thanks!

@gsmet (Member) commented Nov 18, 2024

CI failures look related.

@gsmet (Member) left a comment

Dependencies look good on my side now.

@gsmet gsmet dismissed maxandersen’s stale review November 21, 2024 10:57

Everything's fine on this side.

@gsmet (Member) commented Nov 21, 2024

@aloubyansky can you check you're all good now and approve if so? Thanks!

@aloubyansky (Member) left a comment

Thanks a lot @pskopek

@gsmet (Member) commented Nov 21, 2024

@pskopek so we're making progress but there's still a test consistently failing. Could you have a look? Thanks.

@gsmet (Member) commented Dec 9, 2024

@pskopek do you need help finalizing this?

It's going to be in the way of Keycloak updates very soon.

@gsmet (Member) commented Dec 16, 2024

Here are a few more details about the failures (apparently a certificate issue):

2024-11-21T14:03:31.2001912Z [INFO] Running io.quarkus.keycloak.adminclient.deployment.KeycloakAdminClientMutualTlsDevServicesTest
2024-11-21T14:03:34.3108560Z 2024-11-21 14:03:32,234 INFO  [io.sma.cer.CertificateGenerator] (main) ⭐  PKCS12 keystore and truststore generated successfully!
2024-11-21T14:03:34.3144635Z 2024-11-21 14:03:32,234 INFO  [io.sma.cer.CertificateGenerator] (main) 🔐  Key Store File: /home/runner/work/quarkus/quarkus/extensions/keycloak-admin-resteasy-client/deployment/target/certs/mtls-test-keystore.p12
2024-11-21T14:03:34.3149816Z 2024-11-21 14:03:32,235 INFO  [io.sma.cer.CertificateGenerator] (main) 🔓  Server Trust Store File: /home/runner/work/quarkus/quarkus/extensions/keycloak-admin-resteasy-client/deployment/target/certs/mtls-test-server-truststore.p12
2024-11-21T14:03:34.3154144Z 2024-11-21 14:03:32,235 INFO  [io.sma.cer.CertificateGenerator] (main) 🔐  Client Key Store File: /home/runner/work/quarkus/quarkus/extensions/keycloak-admin-resteasy-client/deployment/target/certs/mtls-test-client-keystore.p12
2024-11-21T14:03:34.3158222Z 2024-11-21 14:03:32,235 INFO  [io.sma.cer.CertificateGenerator] (main) 🔓  Client Trust Store File: /home/runner/work/quarkus/quarkus/extensions/keycloak-admin-resteasy-client/deployment/target/certs/mtls-test-client-truststore.p12
2024-11-21T14:03:34.3161335Z 2024-11-21 14:03:32,236 INFO  [io.sma.cer.CertificateGenerator] (main) ⭐  PEM certificates, keystore, and truststore named mtls-test generated!
2024-11-21T14:03:34.3164580Z 2024-11-21 14:03:32,237 INFO  [io.sma.cer.CertificateGenerator] (main) 🔑  Key File: /home/runner/work/quarkus/quarkus/extensions/keycloak-admin-resteasy-client/deployment/target/certs/mtls-test.key
2024-11-21T14:03:34.3167913Z 2024-11-21 14:03:32,237 INFO  [io.sma.cer.CertificateGenerator] (main) 📜  Cert File: /home/runner/work/quarkus/quarkus/extensions/keycloak-admin-resteasy-client/deployment/target/certs/mtls-test.crt
2024-11-21T14:03:34.3171610Z 2024-11-21 14:03:32,237 INFO  [io.sma.cer.CertificateGenerator] (main) 🔓  Server Trust Store File: /home/runner/work/quarkus/quarkus/extensions/keycloak-admin-resteasy-client/deployment/target/certs/mtls-test-server-ca.crt
2024-11-21T14:03:34.3175306Z 2024-11-21 14:03:32,238 INFO  [io.sma.cer.CertificateGenerator] (main) 🔑  Client Key File: /home/runner/work/quarkus/quarkus/extensions/keycloak-admin-resteasy-client/deployment/target/certs/mtls-test-client.key
2024-11-21T14:03:34.3196238Z 2024-11-21 14:03:32,238 INFO  [io.sma.cer.CertificateGenerator] (main) 📜  Client Cert File: /home/runner/work/quarkus/quarkus/extensions/keycloak-admin-resteasy-client/deployment/target/certs/mtls-test-client.crt
2024-11-21T14:03:34.3200073Z 2024-11-21 14:03:32,238 INFO  [io.sma.cer.CertificateGenerator] (main) 🔓  Client Trust Store File: /home/runner/work/quarkus/quarkus/extensions/keycloak-admin-resteasy-client/deployment/target/certs/mtls-test-client-ca.crt
2024-11-21T14:03:34.3202942Z 2024-11-21 14:03:34,207 INFO  [io.qua.dev.key.KeycloakDevServicesProcessor] (build-8) Using Quarkus powered Keycloak distribution
2024-11-21T14:03:34.3210606Z 2024-11-21 14:03:34,208 INFO  [tc.qua.io/.0.6] (build-8) Creating container for image: quay.io/keycloak/keycloak:25.0.6
2024-11-21T14:03:34.3213003Z 2024-11-21 14:03:34,268 INFO  [tc.qua.io/.0.6] (build-8) Container quay.io/keycloak/keycloak:25.0.6 is starting: e2b5afdb0a72e48680dd6f828e30e14e16d80e2e0c04b07dc5bd459096665348
2024-11-21T14:03:54.0507290Z 2024-11-21 14:03:53,983 INFO  [tc.qua.io/.0.6] (build-8) Container quay.io/keycloak/keycloak:25.0.6 started in PT19.775192644S
2024-11-21T14:03:54.3510495Z 2024-11-21 14:03:54,342 ERROR [io.ver.cor.net.imp.ConnectionBase] (vert.x-eventloop-thread-1) javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate [Error Occurred After Shutdown]
2024-11-21T14:03:56.4536646Z 2024-11-21 14:03:56,388 ERROR [io.ver.cor.net.imp.ConnectionBase] (vert.x-eventloop-thread-2) javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate [Error Occurred After Shutdown]
2024-11-21T14:03:58.0553799Z 2024-11-21 14:03:57,989 ERROR [io.qua.dev.key.KeycloakDevServicesProcessor] (build-8) Admin token can not be acquired due to a client connection timeout. You may try increasing the `quarkus.oidc.devui.web-client-timeout` property. [Error Occurred After Shutdown]
2024-11-21T14:03:58.0557297Z 2024-11-21 14:03:57,990 INFO  [io.qua.dev.key.KeycloakDevServicesProcessor] (build-8) Dev Services for Keycloak started.
2024-11-21T14:03:59.4017061Z 2024-11-21 14:03:59,310 WARN  [io.qua.oid.com.run.OidcCommonUtils] (vert.x-eventloop-thread-1) OIDC Server is not available:: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-11-21T14:03:59.4075984Z Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-11-21T14:03:59.4088620Z Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

@gsmet (Member) commented Dec 16, 2024

@sberyozkin @michalvavrik could one of you have a look at this test ^? I think this PR is something we want for next LTS/RHBQ.

@michalvavrik (Member) commented Dec 16, 2024

@sberyozkin @michalvavrik could one of you have a look at this test ^?

I checked code / deps changes and can't see anything obvious. Will check this PR out later this week and debug it unless @sberyozkin comes first.

@sberyozkin (Member)

@gsmet @michalvavrik Sorry, I'll have a look

@sberyozkin (Member) commented Dec 21, 2024

@gsmet @michalvavrik It is not a certificate issue. It is a 400 failure returned from Keycloak in response to the Keycloak Admin RESTEasy Client posting a realm to Keycloak.

On main we have (I use ... to make it shorter):

2024-12-21 19:12:18,418 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 >> "POST /admin/realms HTTP/1.1[\r][\n]"
2024-12-21 19:12:18,418 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 >> "Authorization: Bearer <admin-token>[\r][\n]"
2024-12-21 19:12:18,418 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 >> "Content-Type: application/json[\r][\n]"
2024-12-21 19:12:18,418 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 >> "Content-Length: 4395[\r][\n]"
2024-12-21 19:12:18,418 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 >> "Host: localhost:8083[\r][\n]"
2024-12-21 19:12:18,418 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 >> "Connection: Keep-Alive[\r][\n]"
2024-12-21 19:12:18,418 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 >> "User-Agent: Apache-HttpClient/4.5.14 (Java/21.0.5)[\r][\n]"
2024-12-21 19:12:18,418 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 >> "[\r][\n]"
2024-12-21 19:12:18,419 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 >> "{"id":null,"realm":"mtls","displayName":null,...,"roles":{"realm":[{"id":null,"name":"Ron","description":"Weasley","scopeParamRequired":false,...}"
2024-12-21 19:12:19,391 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 << "HTTP/1.1 201 Created[\r][\n]"

With this PR:

2024-12-21 18:49:48,878 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 >> "POST /admin/realms HTTP/1.1[\r][\n]"
2024-12-21 18:49:48,878 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 >> "Authorization: Bearer <admin-token>[\r][\n]"
2024-12-21 18:49:48,878 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 >> "Content-Type: application/json[\r][\n]"
2024-12-21 18:49:48,879 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 >> "Content-Length: 4421[\r][\n]"
2024-12-21 18:49:48,879 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 >> "Host: localhost:8083[\r][\n]"
2024-12-21 18:49:48,879 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 >> "Connection: Keep-Alive[\r][\n]"
2024-12-21 18:49:48,879 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 >> "User-Agent: Apache-HttpClient/4.5.14 (Java/21.0.5)[\r][\n]"
2024-12-21 18:49:48,879 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 >> "[\r][\n]"
2024-12-21 18:49:48,879 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 >> "{"id":null,"realm":"mtls","displayName":null,...,**"bruteForceStrategy":null**,...,"roles":{"realm":[{"id":null,"name":"Ron","description":"Weasley","scopeParamRequired":false,...}"
2024-12-21 18:49:48,957 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 << "HTTP/1.1 400 Bad Request[\r][\n]"
2024-12-21 18:49:48,957 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 << "content-length: 54[\r][\n]"
2024-12-21 18:49:48,958 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 << "Content-Type: application/json[\r][\n]"
2024-12-21 18:49:48,958 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 << "Referrer-Policy: no-referrer[\r][\n]"
2024-12-21 18:49:48,958 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 << "Strict-Transport-Security: max-age=31536000; includeSubDomains[\r][\n]"
2024-12-21 18:49:48,958 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 << "X-Content-Type-Options: nosniff[\r][\n]"
2024-12-21 18:49:48,958 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 << "X-Frame-Options: SAMEORIGIN[\r][\n]"
2024-12-21 18:49:48,958 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 << "X-XSS-Protection: 1; mode=block[\r][\n]"
2024-12-21 18:49:48,958 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 << "[\r][\n]"
2024-12-21 18:49:48,958 DEBUG [org.apa.htt.wire] (executor-thread-1) http-outgoing-1 << "{"errorMessage":"unable to read contents from stream"}"
2024-12-21 18:49:48,958 DEBUG [org.apa.htt.headers] (executor-thread-1) http-outgoing-1 << HTTP/1.1 400 Bad Request

In the latter case, and it is the only difference I see, an extra attribute "bruteForceStrategy":null is included with the realm request, in the "{"id":null,"realm":"mtls","displayName":null,..., **"bruteForceStrategy":null**,..."roles":{"realm": part.

The content-length difference is 26 characters, which matches "bruteForceStrategy":null, (including the trailing comma).

It might not necessarily be the cause of the failure, but it very well might be. My bet at this stage is that Jackson object mapping has been affected, but I'd appreciate some help with tracing what may have been impacted, as I'm not very up to date on the mapping mechanics.

@michalvavrik (Member)

@sberyozkin I'll have a look at that and serialization discussed in a comment thread above and get back to you today.

@michalvavrik (Member)

Hello @sberyozkin ,

please cherry-pick and push this commit 0d282a3 into this PR (provided you agree with the changes, of course), because I don't have the required rights. It both fixes the test failures and resolves this comment thread: #43260 (comment). Ideally, also rebase this PR on current main. Thanks

Then we will need to get @geoand approval and this PR can be merged.

Cheers

@sberyozkin (Member)

Thanks @michalvavrik, that is brilliant, let me cherry-pick it

quarkus-bot bot commented Dec 23, 2024

Status for workflow Quarkus Documentation CI

This is the status report for running Quarkus Documentation CI on commit 27d6bc2.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

Warning

There are other workflow runs running, you probably need to wait for their status before merging.

Comment on lines +136 to +142
this.objectMapper = new ObjectMapper();
// Same like JSONSerialization class. Makes it possible to use admin-client against older
// versions of Keycloak server where the properties on representations might be different
this.objectMapper.setSerializationInclusion(JsonInclude.Include.NON_NULL);
// The client must work with the newer versions of Keycloak server, which might contain the JSON fields
// not yet known by the client. So unknown fields will be ignored.
this.objectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
Contributor

I'm surprised to see this both here and in ResteasyReactiveClientProvider.java. ObjectMapper is a really heavy object and reusing them should be done if possible.

Member

@geoand I'll need a bit more information. I'll try to answer your comment, and please provide more context:

I'm surprised to this both here and in ResteasyReactiveClientProvider.java. ObjectMapper is a really heavy object and reusing them should be done if possible.

  1. They are 2 different extensions, considering they are just 3 lines, I repeated it instead of putting this method to some util in Keycloak Admin client common
  2. These 2 extensions are not going to be used together, so they can't share same ObjectMapper instance
  3. AFAICT this object mapper is stored on the provider level (at least in the RESTEasy Classic where I debugged it), so the method you are commenting on is called once per provider instance. If you think I should create it on startup and keep it in static variable, np, I'll do it
  4. we need a different object mapper than the one managed by Quarkus (the instance in CDI) because these two options set here (include non-null, fail on unknown false) shouldn't be set for other REST clients or wherever the ObjectMapper is used
  5. I checked jacksonprovider that is part of the Keycloak here https://github.com/keycloak/keycloak/blob/main/integration/admin-client/src/main/java/org/keycloak/admin/client/JacksonProvider.java and it's basically c&p so I trust Keycloak folk know what they are doing with setting these 2 configuration properties

Contributor

These 2 extensions are not going to be used together, so they can't share same ObjectMapper instance

Okay, that settles it, thanks!

Member

If we are not reusing an ObjectMapper we already have, shouldn't we let the Keycloak libraries instantiate and configure the ObjectMapper as they see fit?

Or do we absolutely need to pass one?

@michalvavrik (Member) Dec 24, 2024

Experience is that Keycloak's provider wasn't native compatible in the past. What I did now was necessary in the past (you can look up the issues, JSONB was one of them), but I don't know if it is still true; I think we have limited native test coverage for the RESTEasy one. Does it matter?

@gsmet (Member) Dec 24, 2024

Well, it somehow matters given we had to tweak things to have a compatible client. And we're not entirely sure we enabled all the right options. It seems to work for now but what if they change the serialization options in the future?

Now maybe I'm being too cautious but that's something we could miss in the future. And if for instance, we don't serialize something correctly, it might end up having security consequences.

Member

Note that if you're on PTO, this can wait until early January :). I'm not on PTO so that's why you see me popping up :).

Member

Well, it somehow matters given we had to tweak things to have a compatible client. And we're not entirely sure we enabled all the right options. It seems to work for now but what if they change the serialization options in the future?

note that this code came from @pskopek in the REST client version and I repeatedly asked him if it is fine to do that (not that I got satisfactory answer, this was only one - #43260 (comment)).

It seems to work for now but what if they change the serialization options in the future?
Now maybe I'm being too cautious but that's something we could miss in the future. And if for instance, we don't serialize something correctly, it might end up having security consequences.

  1. Absolutely, but we can't know and I asked repeatedly if it is fine. I agree with you. We have Keycloak folk integrating Keycloak admin client here, it can't get any better. Only thing we could do is to switch to the KC JacksonProvider in the RESTEasy one, but I am pretty sure we don't have test coverage for all the past native issues because there wasn't a good place to put them. I believe that Keycloak Admin REST Client is both tested in native and preferred.
  2. Even if we do that, we still have manually managed ObjectMapper in the REST admin client, so if we need to get it right there, why can't we use same code here?

@michalvavrik (Member) Dec 26, 2024

Now maybe I'm being too cautious but that's something we could miss in the future. And if for instance, we don't serialize something correctly, it might end up having security consequences.

I agree, but the situation in the reactive client is same, so I don't believe it would make a difference here. What would make a difference is Keycloak providing ObjectMapper factory we could re-use in both extensions. @pskopek WDYT? This way, Keycloak would be owner of the logic.

The idea that the Keycloak client is compatible with both previous and future versions of Keycloak makes me nervous, as I can't foresee whether any incompatibility could result in a vulnerability, but I have already mentioned it before.
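As an added example (not code from this PR, from Quarkus or from Keycloak), the Java program below shows the effect of the two ObjectMapper settings debated in this review thread and in the wire-log analysis earlier in the conversation. It assumes Jackson Databind on the classpath and uses cut-down hypothetical stand-ins for Keycloak's representation classes: NON_NULL inclusion is what keeps a keycloak-client 26 model from sending "bruteForceStrategy":null to a 25.0.6 server, and FAIL_ON_UNKNOWN_PROPERTIES=false is what lets the client read a response from a newer server, at the cost of the strictness gsmet worries about.

```java
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

// Added example, not part of the Quarkus PR or the Keycloak admin client.
public class AdminClientMapperDemo {

    // Hypothetical, cut-down stand-in for Keycloak's RealmRepresentation.
    // The client-side model (keycloak-client 26.0.0) knows "bruteForceStrategy";
    // the 25.0.6 server used by the dev service test does not.
    public static class RealmRepresentation {
        public String realm;
        public String displayName;
        public Boolean enabled;
        public String bruteForceStrategy; // newer field, stays null unless set
    }

    // Hypothetical stand-in for a representation returned by the server.
    public static class ClientRepresentation {
        public String clientId;
        public Boolean enabled;
    }

    // Jackson defaults: nulls are written, unknown input properties are an error.
    // This is the fail-closed behaviour you get from a general-purpose mapper.
    static ObjectMapper strictMapper() {
        ObjectMapper m = new ObjectMapper();
        m.setSerializationInclusion(JsonInclude.Include.ALWAYS);
        m.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);
        return m;
    }

    // The two settings from the PR's provider (same as Keycloak's JacksonProvider):
    // omit nulls on the way out, tolerate unknown fields on the way in.
    static ObjectMapper compatMapper() {
        ObjectMapper m = new ObjectMapper();
        m.setSerializationInclusion(JsonInclude.Include.NON_NULL);
        m.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
        return m;
    }

    // Serialises the realm both ways so the difference on the wire is visible.
    static String[] serializeBothWays(RealmRepresentation realm) throws Exception {
        return new String[] {
            strictMapper().writeValueAsString(realm),
            compatMapper().writeValueAsString(realm)
        };
    }

    // Reads a server response with a field this client's model does not know.
    // Returns the parsed object, or null if the mapper rejects the unknown field.
    static ClientRepresentation readResponse(ObjectMapper mapper, String json) throws Exception {
        try {
            return mapper.readValue(json, ClientRepresentation.class);
        } catch (UnrecognizedPropertyException e) {
            System.out.println("rejected unknown property: " + e.getPropertyName());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        RealmRepresentation realm = new RealmRepresentation();
        realm.realm = "mtls";
        realm.enabled = true;

        String[] out = serializeBothWays(realm);
        System.out.println("Include.ALWAYS  : " + out[0]);
        System.out.println("Include.NON_NULL: " + out[1]);
        // The string the wire log showed as the only difference between the two requests;
        // its length accounts for the Content-Length gap (4421 - 4395) in the PR log.
        String extra = "\"bruteForceStrategy\":null,";
        System.out.println("bytes the older server cannot parse: " + extra.length());

        // Constructed response from a hypothetical newer server carrying a field
        // unknown to this client ("futureOnlyField" is made up for the example).
        String newerServerJson =
            "{\"clientId\":\"quarkus-app\",\"enabled\":true,\"futureOnlyField\":\"x\"}";
        ClientRepresentation strict = readResponse(strictMapper(), newerServerJson);
        ClientRepresentation compat = readResponse(compatMapper(), newerServerJson);
        System.out.println("strict mapper result: " + (strict == null ? "failed" : strict.clientId));
        System.out.println("compat mapper result: " + (compat == null ? "failed" : compat.clientId));
    }
}
```

Dropping unknown input silently is what makes the client version-tolerant; if a future server field ever carries something security-relevant, this mapper will discard it without any signal, which is the trade-off to keep in mind when the Keycloak side changes its serialization options.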

@sberyozkin (Member) left a comment

Thanks everyone

@sberyozkin sberyozkin added the triage/waiting-for-ci Ready to merge when CI successfully finishes label Dec 23, 2024
quarkus-bot bot commented Dec 23, 2024

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit 27d6bc2.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.


Flaky tests - Develocity

⚙️ JVM Tests - JDK 17 Windows

📦 integration-tests/grpc-hibernate

com.example.grpc.hibernate.VertxBlockingRawTest.shouldAdd - History

  • Condition with Lambda expression in com.example.grpc.hibernate.BlockingRawTestBase was not fulfilled within 30 seconds. - org.awaitility.core.ConditionTimeoutException
org.awaitility.core.ConditionTimeoutException: Condition with Lambda expression in com.example.grpc.hibernate.BlockingRawTestBase was not fulfilled within 30 seconds.
	at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:167)
	at org.awaitility.core.CallableCondition.await(CallableCondition.java:78)
	at org.awaitility.core.CallableCondition.await(CallableCondition.java:26)
	at org.awaitility.core.ConditionFactory.until(ConditionFactory.java:1006)
	at org.awaitility.core.ConditionFactory.until(ConditionFactory.java:975)
	at com.example.grpc.hibernate.BlockingRawTestBase.shouldAdd(BlockingRawTestBase.java:59)
	at java.base/java.lang.reflect.Method.invoke(Method.java:569)

📦 integration-tests/opentelemetry-quickstart

io.quarkus.it.opentelemetry.OpenTelemetryDisabledTest.buildTimeDisabled - History

  • Condition with Lambda expression in io.quarkus.it.opentelemetry.OpenTelemetryDisabledTest was not fulfilled within 200 milliseconds. - org.awaitility.core.ConditionTimeoutException
org.awaitility.core.ConditionTimeoutException: Condition with Lambda expression in io.quarkus.it.opentelemetry.OpenTelemetryDisabledTest was not fulfilled within 200 milliseconds.
	at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:167)
	at org.awaitility.core.CallableCondition.await(CallableCondition.java:78)
	at org.awaitility.core.CallableCondition.await(CallableCondition.java:26)
	at org.awaitility.core.ConditionFactory.until(ConditionFactory.java:1006)
	at org.awaitility.core.ConditionFactory.until(ConditionFactory.java:975)
	at io.quarkus.it.opentelemetry.OpenTelemetryDisabledTest.buildTimeDisabled(OpenTelemetryDisabledTest.java:29)
	at java.base/java.lang.reflect.Method.invoke(Method.java:569)

@geoand geoand merged commit f253d80 into quarkusio:main Dec 23, 2024
54 checks passed
@quarkus-bot quarkus-bot bot added this to the 3.18 - main milestone Dec 23, 2024
@quarkus-bot quarkus-bot bot removed the triage/waiting-for-ci Ready to merge when CI successfully finishes label Dec 23, 2024