Add a way to extend the UI with an Java API (#23772)

* POC to see how we could extend the UI This is very crude and there are still open issues that need to be worked out Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * added saving option Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * added list and recreate client form Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * add tab ui Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * integrate tabs Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * remove examples Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * fixed error messages Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> * added Feature for ui customization Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com> --------- Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-01-22 09:19:58 +01:00 · 2024-01-22 09:19:58 +01:00 · 37790c7956
commit 37790c7956
parent 96c882447d
32 changed files with 729 additions and 155 deletions
--- a/common/src/main/java/org/keycloak/common/Profile.java
+++ b/common/src/main/java/org/keycloak/common/Profile.java
@ -105,8 +105,11 @@ public class Profile {
        MULTI_SITE("Multi-site support", Type.PREVIEW),
        OFFLINE_SESSION_PRELOADING("Offline session preloading", Type.DEPRECATED),
        HOSTNAME_V1("Hostname Options V1", Type.DEFAULT),
        //HOSTNAME_V2("Hostname Options V2", Type.DEFAULT, 2),
        DECLARATIVE_UI("declarative ui spi", Type.EXPERIMENTAL),
        ;
        private final Type type;
--- a/common/src/test/java/org/keycloak/common/ProfileTest.java
+++ b/common/src/test/java/org/keycloak/common/ProfileTest.java
@ -78,6 +78,7 @@ public class ProfileTest {
            Profile.Feature.DYNAMIC_SCOPES,
            Profile.Feature.DOCKER,
            Profile.Feature.MULTI_SITE,
            Profile.Feature.DECLARATIVE_UI,
            Profile.Feature.RECOVERY_CODES,
            Profile.Feature.SCRIPTS,
            Profile.Feature.TOKEN_EXCHANGE,
--- a/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties
+++ b/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties
@ -2987,3 +2987,15 @@ termsAndConditionsUserAttribute=Terms and conditions accepted timestamp
 realmOverridesDescription= Realm overrides allow you to specify translations that will take effect for the entire realm. These translations will override any translation specified by a theme.
 addTranslation=Add translation
 effectiveMessageBundlesDescription=An effective message bundle is the set of translations for a given language, theme, and theme type. It also takes into account any realm overrides, which will take precedence.
 clientsClientScopesHelp=The scopes associated with this resource.
 searchItem=Search item
 createItem=Create item
 itemDelete=Delete item
 itemDeleteConfirm=Are you sure you want to permanently delete the item
 itemDeleteConfirmTitle=Delete item?
 itemDeletedSuccess=The item has been deleted
 itemDeleteError=Could not delete item: {{error}}
 noItems=There are no items
 noItemsInstructions=You haven't created any items in this realm. Create a item to get started.
 itemSaveError=Error could not save item\! {{error}}
 itemSaveSuccessful=Sucessful saved
--- a/js/apps/admin-ui/src/App.tsx
+++ b/js/apps/admin-ui/src/App.tsx
@ -24,6 +24,7 @@ import { AuthWall } from "./root/AuthWall";
 const AppContexts = ({ children }: PropsWithChildren) => (
  <ErrorBoundaryProvider>
    <ServerInfoProvider>
      <RealmsProvider>
        <RealmContextProvider>
          <WhoAmIContextProvider>
@ -39,6 +40,7 @@ const AppContexts = ({ children }: PropsWithChildren) => (
          </WhoAmIContextProvider>
        </RealmContextProvider>
      </RealmsProvider>
    </ServerInfoProvider>
  </ErrorBoundaryProvider>
 );
@ -53,13 +55,11 @@ export const App = () => {
        mainContainerId={mainPageContentId}
      >
        <ErrorBoundaryFallback fallback={ErrorRenderer}>
          <ServerInfoProvider>
          <Suspense fallback={<KeycloakSpinner />}>
            <AuthWall>
              <Outlet />
            </AuthWall>
          </Suspense>
          </ServerInfoProvider>
        </ErrorBoundaryFallback>
      </Page>
    </AppContexts>
--- a/js/apps/admin-ui/src/PageNav.tsx
+++ b/js/apps/admin-ui/src/PageNav.tsx
@ -9,23 +9,25 @@ import {
 import { FormEvent } from "react";
 import { useTranslation } from "react-i18next";
 import { NavLink, useMatch, useNavigate } from "react-router-dom";
 import { RealmSelector } from "./components/realm-selector/RealmSelector";
 import { useAccess } from "./context/access/Access";
 import { useRealm } from "./context/realm-context/RealmContext";
 import { useServerInfo } from "./context/server-info/ServerInfoProvider";
 import { toPage } from "./page/routes";
 import { AddRealmRoute } from "./realm/routes/AddRealm";
 import { routes } from "./routes";
 import "./page-nav.css";
-type LeftNavProps = { title: string; path: string };
+type LeftNavProps = { title: string; path: string; id?: string };
-const LeftNav = ({ title, path }: LeftNavProps) => {
+const LeftNav = ({ title, path, id }: LeftNavProps) => {
  const { t } = useTranslation();
  const { hasAccess } = useAccess();
  const { realm } = useRealm();
  const route = routes.find(
-    (route) => route.path.replace(/\/:.+?(\?|(?:(?!\/).)*|$)/g, "") === path,
+    (route) =>
      route.path.replace(/\/:.+?(\?|(?:(?!\/).)*|$)/g, "") === (id || path),
  );
  const accessAllowed =
@ -56,6 +58,9 @@ const LeftNav = ({ title, path }: LeftNavProps) => {
 export const PageNav = () => {
  const { t } = useTranslation();
  const { hasSomeAccess } = useAccess();
  const { componentTypes } = useServerInfo();
  const pages =
    componentTypes?.["org.keycloak.services.ui.extend.UiPageProvider"];
  const navigate = useNavigate();
@ -116,6 +121,14 @@ export const PageNav = () => {
              <LeftNav title="authentication" path="/authentication" />
              <LeftNav title="identityProviders" path="/identity-providers" />
              <LeftNav title="userFederation" path="/user-federation" />
              {pages?.map((p) => (
                <LeftNav
                  key={p.id}
                  title={p.id}
                  path={toPage({ providerId: p.id }).pathname!}
                  id="/page-section"
                />
              ))}
            </NavGroup>
          )}
        </Nav>
--- a/js/apps/admin-ui/src/components/routable-tabs/RoutableTabs.tsx
+++ b/js/apps/admin-ui/src/components/routable-tabs/RoutableTabs.tsx
@ -1,4 +1,5 @@
 import {
  Tab,
  TabProps,
  Tabs,
  TabsComponent,
@ -6,11 +7,22 @@ import {
 } from "@patternfly/react-core";
 import {
  Children,
  isValidElement,
  JSXElementConstructor,
  PropsWithChildren,
  ReactElement,
  isValidElement,
 } from "react";
-import { Path, useHref, useLocation } from "react-router-dom";
+import {
  Path,
  generatePath,
  matchPath,
  useHref,
  useLocation,
  useParams,
 } from "react-router-dom";
 import { useServerInfo } from "../../context/server-info/ServerInfoProvider";
 import { PageHandler } from "../../page/PageHandler";
 import { TAB_PROVIDER } from "../../page/PageList";
 // TODO: Remove the custom 'children' props and type once the following issue has been resolved:
 // https://github.com/patternfly/patternfly-react/issues/6766
@ -32,14 +44,31 @@ export const RoutableTabs = ({
  ...otherProps
 }: RoutableTabsProps) => {
  const { pathname } = useLocation();
  const params = useParams();
  const { componentTypes } = useServerInfo();
  const tabs = componentTypes?.[TAB_PROVIDER] || [];
-  // Extract event keys from children.
+  const matchedTabs = tabs
    .filter((tab) => matchPath({ path: tab.metadata.path }, pathname))
    .map((t) => ({
      ...t,
      pathname: generatePath(t.metadata.path, {
        ...params,
        ...t.metadata.params,
      }),
    }));
  // Extract all keys from matchedTabs
  const matchedTabsKeys = matchedTabs.map((t) => t.pathname);
  // Extract event keys from children
  const eventKeys = Children.toArray(children)
    .filter((child): child is ChildElement => isValidElement(child))
    .map((child) => child.props.eventKey.toString());
  const allKeys = [...eventKeys, ...matchedTabsKeys];
  // Determine if there is an exact match.
-  const exactMatch = eventKeys.find(
+  const exactMatch = allKeys.find(
    (eventKey) => eventKey === decodeURI(pathname),
  );
@ -63,10 +92,33 @@ export const RoutableTabs = ({
      {...otherProps}
    >
      {children}
      {matchedTabs.map((t) => (
        <DynamicTab key={t.id} eventKey={t.pathname} title={t.id}>
          <PageHandler page={t} providerType={TAB_PROVIDER} />
        </DynamicTab>
      ))}
    </Tabs>
  );
 };
 type DynamicTabProps = {
  title: string;
  eventKey: string;
 };
 const DynamicTab = ({
  children,
  ...props
 }: PropsWithChildren<DynamicTabProps>) => {
  const href = useHref(props.eventKey);
  return (
    <Tab href={href} {...props}>
      {children}
    </Tab>
  );
 };
 export const useRoutableTab = (to: Partial<Path>) => ({
  eventKey: to.pathname ?? "",
  href: useHref(to),
--- a/js/apps/admin-ui/src/page/Page.tsx
+++ b/js/apps/admin-ui/src/page/Page.tsx
@ -0,0 +1,67 @@
 import { ButtonVariant, DropdownItem } from "@patternfly/react-core";
 import { useTranslation } from "react-i18next";
 import { useNavigate, useParams } from "react-router-dom";
 import { adminClient } from "../admin-client";
 import { useAlerts } from "../components/alert/Alerts";
 import { useConfirmDialog } from "../components/confirm-dialog/ConfirmDialog";
 import { ViewHeader } from "../components/view-header/ViewHeader";
 import { useServerInfo } from "../context/server-info/ServerInfoProvider";
 import { PageHandler } from "./PageHandler";
 import { PAGE_PROVIDER } from "./PageList";
 import { PageParams, toPage } from "./routes";
 import { useRealm } from "../context/realm-context/RealmContext";
 export default function Page() {
  const { t } = useTranslation();
  const { componentTypes } = useServerInfo();
  const { realm } = useRealm();
  const pages = componentTypes?.[PAGE_PROVIDER];
  const navigate = useNavigate();
  const { id, providerId } = useParams<PageParams>();
  const { addAlert, addError } = useAlerts();
  const page = pages?.find((p) => p.id === providerId);
  if (!page) {
    throw new Error(t("notFound"));
  }
  const [toggleDeleteDialog, DeleteConfirm] = useConfirmDialog({
    titleKey: "itemDeleteConfirmTitle",
    messageKey: "itemDeleteConfirm",
    continueButtonLabel: "delete",
    continueButtonVariant: ButtonVariant.danger,
    onConfirm: async () => {
      try {
        await adminClient.components.del({
          id: id!,
        });
        addAlert(t("itemDeletedSuccess"));
        navigate(toPage({ realm, providerId: providerId! }));
      } catch (error) {
        addError("itemSaveError", error);
      }
    },
  });
  return (
    <>
      <DeleteConfirm />
      <ViewHeader
        titleKey={id || t("createItem")}
        dropdownItems={
          id
            ? [
                <DropdownItem
                  data-testid="delete-item"
                  key="delete"
                  onClick={() => toggleDeleteDialog()}
                >
                  {t("delete")}
                </DropdownItem>,
              ]
            : undefined
        }
      />
      <PageHandler providerType={PAGE_PROVIDER} id={id} page={page} />
    </>
  );
 }
--- a/js/apps/admin-ui/src/page/PageHandler.tsx
+++ b/js/apps/admin-ui/src/page/PageHandler.tsx
@ -0,0 +1,107 @@
 import ComponentRepresentation from "@keycloak/keycloak-admin-client/lib/defs/componentRepresentation";
 import ComponentTypeRepresentation from "@keycloak/keycloak-admin-client/lib/defs/componentTypeRepresentation";
 import RealmRepresentation from "@keycloak/keycloak-admin-client/lib/defs/realmRepresentation";
 import { ActionGroup, Button, Form, PageSection } from "@patternfly/react-core";
 import { useState } from "react";
 import { FormProvider, useForm } from "react-hook-form";
 import { useTranslation } from "react-i18next";
 import { Link } from "react-router-dom";
 import { adminClient } from "../admin-client";
 import { useAlerts } from "../components/alert/Alerts";
 import { DynamicComponents } from "../components/dynamic/DynamicComponents";
 import { useRealm } from "../context/realm-context/RealmContext";
 import { useFetch } from "../utils/useFetch";
 import { PAGE_PROVIDER, TAB_PROVIDER } from "./PageList";
 import { toPage } from "./routes";
 type PageHandlerProps = {
  id?: string;
  providerType: typeof TAB_PROVIDER | typeof PAGE_PROVIDER;
  page: ComponentTypeRepresentation;
 };
 export const PageHandler = ({
  id: idAttribute,
  providerType,
  page: { id: providerId, ...page },
 }: PageHandlerProps) => {
  const { t } = useTranslation();
  const form = useForm<ComponentTypeRepresentation>();
  const { realm: realmName } = useRealm();
  const [realm, setRealm] = useState<RealmRepresentation>();
  const { addAlert, addError } = useAlerts();
  const [id, setId] = useState(idAttribute);
  useFetch(
    async () =>
      await Promise.all([
        adminClient.realms.findOne({ realm: realmName }),
        id ? adminClient.components.findOne({ id }) : Promise.resolve(),
        providerType === TAB_PROVIDER
          ? adminClient.components.find({ type: TAB_PROVIDER })
          : Promise.resolve(),
      ]),
    ([realm, data, tabs]) => {
      setRealm(realm);
      const tab = (tabs || []).find((t) => t.providerId === providerId);
      form.reset(data || tab || {});
      if (tab) setId(tab.id);
    },
    [],
  );
  const onSubmit = async (component: ComponentRepresentation) => {
    if (component.config)
      Object.entries(component.config).forEach(
        ([key, value]) =>
          (component.config![key] = Array.isArray(value) ? value : [value]),
      );
    try {
      const updatedComponent = {
        ...component,
        providerId,
        providerType,
        parentId: realm?.id,
      };
      if (id) {
        await adminClient.components.update({ id }, updatedComponent);
      } else {
        await adminClient.components.create(updatedComponent);
      }
      addAlert("itemSaveSuccessful");
    } catch (error) {
      addError("itemSaveError", error);
    }
  };
  return (
    <PageSection variant="light">
      <Form
        isHorizontal
        onSubmit={form.handleSubmit(onSubmit)}
        className="keycloak__form"
      >
        <FormProvider {...form}>
          <DynamicComponents properties={page.properties} />
        </FormProvider>
        <ActionGroup>
          <Button data-testid="save" type="submit">
            {t("save")}
          </Button>
          <Button
            variant="link"
            component={(props) => (
              <Link
                {...props}
                to={toPage({ realm: realmName, providerId: providerId! })}
              />
            )}
          >
            {t("cancel")}
          </Button>
        </ActionGroup>
      </Form>
    </PageSection>
  );
 };
--- a/js/apps/admin-ui/src/page/PageList.tsx
+++ b/js/apps/admin-ui/src/page/PageList.tsx
@ -0,0 +1,140 @@
 import ComponentRepresentation from "@keycloak/keycloak-admin-client/lib/defs/componentRepresentation";
 import type RealmRepresentation from "@keycloak/keycloak-admin-client/lib/defs/realmRepresentation";
 import type { ComponentQuery } from "@keycloak/keycloak-admin-client/lib/resources/components";
 import {
  Button,
  ButtonVariant,
  PageSection,
  ToolbarItem,
 } from "@patternfly/react-core";
 import { IRowData } from "@patternfly/react-table";
 import { useState } from "react";
 import { useTranslation } from "react-i18next";
 import { Link, useNavigate, useParams } from "react-router-dom";
 import { adminClient } from "../admin-client";
 import { useAlerts } from "../components/alert/Alerts";
 import { useConfirmDialog } from "../components/confirm-dialog/ConfirmDialog";
 import { ListEmptyState } from "../components/list-empty-state/ListEmptyState";
 import { KeycloakDataTable } from "../components/table-toolbar/KeycloakDataTable";
 import { ViewHeader } from "../components/view-header/ViewHeader";
 import { useRealm } from "../context/realm-context/RealmContext";
 import { useServerInfo } from "../context/server-info/ServerInfoProvider";
 import { useFetch } from "../utils/useFetch";
 import { PageListParams, toDetailPage } from "./routes";
 export const PAGE_PROVIDER = "org.keycloak.services.ui.extend.UiPageProvider";
 export const TAB_PROVIDER = "org.keycloak.services.ui.extend.UiTabProvider";
 const DetailLink = (obj: ComponentRepresentation) => {
  const { realm } = useRealm();
  return (
    <Link
      key={obj.id}
      to={toDetailPage({ realm, providerId: obj.providerId!, id: obj.id! })}
    >
      {obj.id}
    </Link>
  );
 };
 export default function PageList() {
  const { t } = useTranslation();
  const { addAlert, addError } = useAlerts();
  const navigate = useNavigate();
  const { providerId } = useParams<PageListParams>();
  const [key, setKey] = useState(0);
  const refresh = () => setKey(key + 1);
  const { realm: realmName } = useRealm();
  const [realm, setRealm] = useState<RealmRepresentation>();
  const [selectedItem, setSelectedItem] = useState<ComponentRepresentation>();
  const { componentTypes } = useServerInfo();
  const pages = componentTypes?.[PAGE_PROVIDER];
  const page = pages?.find((p) => p.id === providerId)!;
  useFetch(
    async () => adminClient.realms.findOne({ realm: realmName }),
    setRealm,
    [],
  );
  const loader = async () => {
    const params: ComponentQuery = {
      parent: realm?.id,
      type: PAGE_PROVIDER,
    };
    return await adminClient.components.find({ ...params });
  };
  const [toggleDeleteDialog, DeleteConfirm] = useConfirmDialog({
    titleKey: "itemDeleteConfirmTitle",
    messageKey: "itemDeleteConfirm",
    continueButtonLabel: "delete",
    continueButtonVariant: ButtonVariant.danger,
    onConfirm: async () => {
      try {
        await adminClient.components.del({
          id: selectedItem!.id!,
        });
        addAlert(t("itemDeletedSuccess"));
        refresh();
      } catch (error) {
        addError("itemSaveError", error);
      }
    },
  });
  return (
    <PageSection variant="light" className="pf-u-p-0">
      <DeleteConfirm />
      <ViewHeader titleKey={page.id} subKey={page.helpText} divider={false} />
      <KeycloakDataTable
        key={key}
        toolbarItem={
          <ToolbarItem>
            <Button
              component={(props) => (
                <Link
                  {...props}
                  to={toDetailPage({ realm: realmName, providerId: page.id })}
                />
              )}
            >
              {t("createItem")}
            </Button>
          </ToolbarItem>
        }
        actionResolver={(item: IRowData) => [
          {
            title: t("delete"),
            onClick() {
              setSelectedItem(item.data);
              toggleDeleteDialog();
            },
          },
        ]}
        searchPlaceholderKey="searchItem"
        loader={loader}
        columns={[
          { name: "id", cellRenderer: DetailLink },
          ...page.properties.slice(0, 3).map((p) => ({
            name: `config.${p.name}[0]`,
            displayKey: p.label,
          })),
        ]}
        ariaLabelKey="list"
        emptyState={
          <ListEmptyState
            hasIcon
            message={t("noItems")}
            instructions={t("noItemsInstructions")}
            primaryActionText={t("createItem")}
            onPrimaryAction={() =>
              navigate(toDetailPage({ realm: realmName, providerId: page.id }))
            }
          />
        }
      />
    </PageSection>
  );
 }
--- a/js/apps/admin-ui/src/page/routes.tsx
+++ b/js/apps/admin-ui/src/page/routes.tsx
@ -0,0 +1,39 @@
 import { Path, generatePath } from "react-router-dom";
 import type { AppRouteObject } from "../routes";
 import { lazy } from "react";
 export type PageListParams = { realm?: string; providerId: string };
 export type PageParams = { realm: string; providerId: string; id?: string };
 const PageList = lazy(() => import("./PageList"));
 const Page = lazy(() => import("./Page"));
 const PageListRoute: AppRouteObject = {
  path: "/:realm?/page-section/:providerId",
  element: <PageList />,
  breadcrumb: (t) => t("page"),
  handle: {
    access: "view-realm",
  },
 };
 const PageDetailRoute: AppRouteObject = {
  path: "/:realm/page/:providerId/:id?",
  element: <Page />,
  breadcrumb: (t) => t("page"),
  handle: {
    access: "view-realm",
  },
 };
 const routes: AppRouteObject[] = [PageListRoute, PageDetailRoute];
 export const toPage = (params: PageListParams): Partial<Path> => ({
  pathname: generatePath(PageListRoute.path, params),
 });
 export const toDetailPage = (params: PageParams): Partial<Path> => ({
  pathname: generatePath(PageDetailRoute.path, params),
 });
 export default routes;
--- a/js/apps/admin-ui/src/routes.tsx
+++ b/js/apps/admin-ui/src/routes.tsx
@ -18,6 +18,7 @@ import realmRoutes from "./realm/routes";
 import sessionRoutes from "./sessions/routes";
 import userFederationRoutes from "./user-federation/routes";
 import userRoutes from "./user/routes";
 import pageRoutes from "./page/routes";
 export type AppRouteObjectHandle = {
  access: AccessType | AccessType[];
@ -51,6 +52,7 @@ export const routes: AppRouteObject[] = [
  ...userRoutes,
  ...groupsRoutes,
  ...dashboardRoutes,
  ...pageRoutes,
  NotFoundRoute,
 ];
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.unix.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.unix.approved.txt
@ -64,20 +64,21 @@ Feature:
 --features <feature> Enables a set of one or more features. Possible values are: account-api[:v1],
                       account2[:v1], account3[:v1], admin-api[:v1], admin-fine-grained-authz[:v1],
                       admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1],
-                       client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1],
+                       client-secret-rotation[:v1], declarative-ui[:v1], device-flow[:v1], docker[:
-                       dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation[:v1], js-adapter
+                       v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation
-                       [:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
+                       [:v1], js-adapter[:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
                       offline-session-preloading[:v1], par[:v1], preview, recovery-codes[:v1],
                       scripts[:v1], step-up-authentication[:v1], token-exchange[:v1],
                       transient-users[:v1], update-email[:v1], web-authn[:v1].
 --features-disabled <feature>
                     Disables a set of one or more features. Possible values are: account-api,
                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
-                       authorization, ciba, client-policies, client-secret-rotation, device-flow,
+                       authorization, ciba, client-policies, client-secret-rotation,
-                       docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos,
+                       declarative-ui, device-flow, docker, dpop, dynamic-scopes, fips,
-                       linkedin-oauth, multi-site, offline-session-preloading, par, preview,
+                       impersonation, js-adapter, kerberos, linkedin-oauth, multi-site,
-                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       offline-session-preloading, par, preview, recovery-codes, scripts,
-                       transient-users, update-email, web-authn.
+                       step-up-authentication, token-exchange, transient-users, update-email,
                       web-authn.
 HTTP(S):
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.windows.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.windows.approved.txt
@ -64,20 +64,21 @@ Feature:
 --features <feature> Enables a set of one or more features. Possible values are: account-api[:v1],
                       account2[:v1], account3[:v1], admin-api[:v1], admin-fine-grained-authz[:v1],
                       admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1],
-                       client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1],
+                       client-secret-rotation[:v1], declarative-ui[:v1], device-flow[:v1], docker[:
-                       dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation[:v1], js-adapter
+                       v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation
-                       [:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
+                       [:v1], js-adapter[:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
                       offline-session-preloading[:v1], par[:v1], preview, recovery-codes[:v1],
                       scripts[:v1], step-up-authentication[:v1], token-exchange[:v1],
                       transient-users[:v1], update-email[:v1], web-authn[:v1].
 --features-disabled <feature>
                     Disables a set of one or more features. Possible values are: account-api,
                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
-                       authorization, ciba, client-policies, client-secret-rotation, device-flow,
+                       authorization, ciba, client-policies, client-secret-rotation,
-                       docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos,
+                       declarative-ui, device-flow, docker, dpop, dynamic-scopes, fips,
-                       linkedin-oauth, multi-site, offline-session-preloading, par, preview,
+                       impersonation, js-adapter, kerberos, linkedin-oauth, multi-site,
-                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       offline-session-preloading, par, preview, recovery-codes, scripts,
-                       transient-users, update-email, web-authn.
+                       step-up-authentication, token-exchange, transient-users, update-email,
                       web-authn.
 HTTP(S):
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelp.unix.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelp.unix.approved.txt
@ -59,20 +59,21 @@ Feature:
 --features <feature> Enables a set of one or more features. Possible values are: account-api[:v1],
                       account2[:v1], account3[:v1], admin-api[:v1], admin-fine-grained-authz[:v1],
                       admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1],
-                       client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1],
+                       client-secret-rotation[:v1], declarative-ui[:v1], device-flow[:v1], docker[:
-                       dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation[:v1], js-adapter
+                       v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation
-                       [:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
+                       [:v1], js-adapter[:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
                       offline-session-preloading[:v1], par[:v1], preview, recovery-codes[:v1],
                       scripts[:v1], step-up-authentication[:v1], token-exchange[:v1],
                       transient-users[:v1], update-email[:v1], web-authn[:v1].
 --features-disabled <feature>
                     Disables a set of one or more features. Possible values are: account-api,
                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
-                       authorization, ciba, client-policies, client-secret-rotation, device-flow,
+                       authorization, ciba, client-policies, client-secret-rotation,
-                       docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos,
+                       declarative-ui, device-flow, docker, dpop, dynamic-scopes, fips,
-                       linkedin-oauth, multi-site, offline-session-preloading, par, preview,
+                       impersonation, js-adapter, kerberos, linkedin-oauth, multi-site,
-                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       offline-session-preloading, par, preview, recovery-codes, scripts,
-                       transient-users, update-email, web-authn.
+                       step-up-authentication, token-exchange, transient-users, update-email,
                       web-authn.
 Config:
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelpAll.unix.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelpAll.unix.approved.txt
@ -59,20 +59,21 @@ Feature:
 --features <feature> Enables a set of one or more features. Possible values are: account-api[:v1],
                       account2[:v1], account3[:v1], admin-api[:v1], admin-fine-grained-authz[:v1],
                       admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1],
-                       client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1],
+                       client-secret-rotation[:v1], declarative-ui[:v1], device-flow[:v1], docker[:
-                       dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation[:v1], js-adapter
+                       v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation
-                       [:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
+                       [:v1], js-adapter[:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
                       offline-session-preloading[:v1], par[:v1], preview, recovery-codes[:v1],
                       scripts[:v1], step-up-authentication[:v1], token-exchange[:v1],
                       transient-users[:v1], update-email[:v1], web-authn[:v1].
 --features-disabled <feature>
                     Disables a set of one or more features. Possible values are: account-api,
                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
-                       authorization, ciba, client-policies, client-secret-rotation, device-flow,
+                       authorization, ciba, client-policies, client-secret-rotation,
-                       docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos,
+                       declarative-ui, device-flow, docker, dpop, dynamic-scopes, fips,
-                       linkedin-oauth, multi-site, offline-session-preloading, par, preview,
+                       impersonation, js-adapter, kerberos, linkedin-oauth, multi-site,
-                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       offline-session-preloading, par, preview, recovery-codes, scripts,
-                       transient-users, update-email, web-authn.
+                       step-up-authentication, token-exchange, transient-users, update-email,
                       web-authn.
 Config:
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelp.unix.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelp.unix.approved.txt
@ -59,20 +59,21 @@ Feature:
 --features <feature> Enables a set of one or more features. Possible values are: account-api[:v1],
                       account2[:v1], account3[:v1], admin-api[:v1], admin-fine-grained-authz[:v1],
                       admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1],
-                       client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1],
+                       client-secret-rotation[:v1], declarative-ui[:v1], device-flow[:v1], docker[:
-                       dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation[:v1], js-adapter
+                       v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation
-                       [:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
+                       [:v1], js-adapter[:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
                       offline-session-preloading[:v1], par[:v1], preview, recovery-codes[:v1],
                       scripts[:v1], step-up-authentication[:v1], token-exchange[:v1],
                       transient-users[:v1], update-email[:v1], web-authn[:v1].
 --features-disabled <feature>
                     Disables a set of one or more features. Possible values are: account-api,
                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
-                       authorization, ciba, client-policies, client-secret-rotation, device-flow,
+                       authorization, ciba, client-policies, client-secret-rotation,
-                       docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos,
+                       declarative-ui, device-flow, docker, dpop, dynamic-scopes, fips,
-                       linkedin-oauth, multi-site, offline-session-preloading, par, preview,
+                       impersonation, js-adapter, kerberos, linkedin-oauth, multi-site,
-                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       offline-session-preloading, par, preview, recovery-codes, scripts,
-                       transient-users, update-email, web-authn.
+                       step-up-authentication, token-exchange, transient-users, update-email,
                       web-authn.
 Config:
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelpAll.unix.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelpAll.unix.approved.txt
@ -59,20 +59,21 @@ Feature:
 --features <feature> Enables a set of one or more features. Possible values are: account-api[:v1],
                       account2[:v1], account3[:v1], admin-api[:v1], admin-fine-grained-authz[:v1],
                       admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1],
-                       client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1],
+                       client-secret-rotation[:v1], declarative-ui[:v1], device-flow[:v1], docker[:
-                       dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation[:v1], js-adapter
+                       v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation
-                       [:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
+                       [:v1], js-adapter[:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
                       offline-session-preloading[:v1], par[:v1], preview, recovery-codes[:v1],
                       scripts[:v1], step-up-authentication[:v1], token-exchange[:v1],
                       transient-users[:v1], update-email[:v1], web-authn[:v1].
 --features-disabled <feature>
                     Disables a set of one or more features. Possible values are: account-api,
                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
-                       authorization, ciba, client-policies, client-secret-rotation, device-flow,
+                       authorization, ciba, client-policies, client-secret-rotation,
-                       docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos,
+                       declarative-ui, device-flow, docker, dpop, dynamic-scopes, fips,
-                       linkedin-oauth, multi-site, offline-session-preloading, par, preview,
+                       impersonation, js-adapter, kerberos, linkedin-oauth, multi-site,
-                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       offline-session-preloading, par, preview, recovery-codes, scripts,
-                       transient-users, update-email, web-authn.
+                       step-up-authentication, token-exchange, transient-users, update-email,
                       web-authn.
 Config:
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.unix.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.unix.approved.txt
@ -89,20 +89,21 @@ Feature:
 --features <feature> Enables a set of one or more features. Possible values are: account-api[:v1],
                       account2[:v1], account3[:v1], admin-api[:v1], admin-fine-grained-authz[:v1],
                       admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1],
-                       client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1],
+                       client-secret-rotation[:v1], declarative-ui[:v1], device-flow[:v1], docker[:
-                       dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation[:v1], js-adapter
+                       v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation
-                       [:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
+                       [:v1], js-adapter[:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
                       offline-session-preloading[:v1], par[:v1], preview, recovery-codes[:v1],
                       scripts[:v1], step-up-authentication[:v1], token-exchange[:v1],
                       transient-users[:v1], update-email[:v1], web-authn[:v1].
 --features-disabled <feature>
                     Disables a set of one or more features. Possible values are: account-api,
                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
-                       authorization, ciba, client-policies, client-secret-rotation, device-flow,
+                       authorization, ciba, client-policies, client-secret-rotation,
-                       docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos,
+                       declarative-ui, device-flow, docker, dpop, dynamic-scopes, fips,
-                       linkedin-oauth, multi-site, offline-session-preloading, par, preview,
+                       impersonation, js-adapter, kerberos, linkedin-oauth, multi-site,
-                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       offline-session-preloading, par, preview, recovery-codes, scripts,
-                       transient-users, update-email, web-authn.
+                       step-up-authentication, token-exchange, transient-users, update-email,
                       web-authn.
 Hostname:
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.windows.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.windows.approved.txt
@ -89,20 +89,21 @@ Feature:
 --features <feature> Enables a set of one or more features. Possible values are: account-api[:v1],
                       account2[:v1], account3[:v1], admin-api[:v1], admin-fine-grained-authz[:v1],
                       admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1],
-                       client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1],
+                       client-secret-rotation[:v1], declarative-ui[:v1], device-flow[:v1], docker[:
-                       dynamic-scopes[:v1], fips[:v1], hostname[:v1],impersonation[:v1], js-adapter[:v1], kerberos
+                       v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation
-                       [:v1], linkedin-oauth[:v1], multi-site[:v1], offline-session-preloading[:
+                       [:v1], js-adapter[:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
-                       v1], par[:v1], preview, recovery-codes[:v1], scripts[:v1],
+                       offline-session-preloading[:v1], par[:v1], preview, recovery-codes[:v1],
-                       step-up-authentication[:v1], token-exchange[:v1], transient-users[:v1],
+                       scripts[:v1], step-up-authentication[:v1], token-exchange[:v1],
-                       update-email[:v1], web-authn[:v1].
+                       transient-users[:v1], update-email[:v1], web-authn[:v1].
 --features-disabled <feature>
                     Disables a set of one or more features. Possible values are: account-api,
                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
-                       authorization, ciba, client-policies, client-secret-rotation, device-flow,
+                       authorization, ciba, client-policies, client-secret-rotation,
-                       docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos,
+                       declarative-ui, device-flow, docker, dpop, dynamic-scopes, fips,
-                       linkedin-oauth, multi-site, offline-session-preloading, par, preview,
+                       impersonation, js-adapter, kerberos, linkedin-oauth, multi-site,
-                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       offline-session-preloading, par, preview, recovery-codes, scripts,
-                       transient-users, update-email, web-authn.
+                       step-up-authentication, token-exchange, transient-users, update-email,
                       web-authn.
 Hostname:
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.unix.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.unix.approved.txt
@ -89,20 +89,21 @@ Feature:
 --features <feature> Enables a set of one or more features. Possible values are: account-api[:v1],
                       account2[:v1], account3[:v1], admin-api[:v1], admin-fine-grained-authz[:v1],
                       admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1],
-                       client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1],
+                       client-secret-rotation[:v1], declarative-ui[:v1], device-flow[:v1], docker[:
-                       dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation[:v1], js-adapter
+                       v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation
-                       [:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
+                       [:v1], js-adapter[:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
                       offline-session-preloading[:v1], par[:v1], preview, recovery-codes[:v1],
                       scripts[:v1], step-up-authentication[:v1], token-exchange[:v1],
                       transient-users[:v1], update-email[:v1], web-authn[:v1].
 --features-disabled <feature>
                     Disables a set of one or more features. Possible values are: account-api,
                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
-                       authorization, ciba, client-policies, client-secret-rotation, device-flow,
+                       authorization, ciba, client-policies, client-secret-rotation,
-                       docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos,
+                       declarative-ui, device-flow, docker, dpop, dynamic-scopes, fips,
-                       linkedin-oauth, multi-site, offline-session-preloading, par, preview,
+                       impersonation, js-adapter, kerberos, linkedin-oauth, multi-site,
-                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       offline-session-preloading, par, preview, recovery-codes, scripts,
-                       transient-users, update-email, web-authn.
+                       step-up-authentication, token-exchange, transient-users, update-email,
                       web-authn.
 Hostname:
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.windows.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.windows.approved.txt
@ -89,20 +89,21 @@ Feature:
 --features <feature> Enables a set of one or more features. Possible values are: account-api[:v1],
                       account2[:v1], account3[:v1], admin-api[:v1], admin-fine-grained-authz[:v1],
                       admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1],
-                       client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1],
+                       client-secret-rotation[:v1], declarative-ui[:v1], device-flow[:v1], docker[:
-                       dynamic-scopes[:v1], fips[:v1], hostname[:v1],impersonation[:v1], js-adapter[:v1], kerberos
+                       v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation
-                       [:v1], linkedin-oauth[:v1], multi-site[:v1], offline-session-preloading[:
+                       [:v1], js-adapter[:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
-                       v1], par[:v1], preview, recovery-codes[:v1], scripts[:v1],
+                       offline-session-preloading[:v1], par[:v1], preview, recovery-codes[:v1],
-                       step-up-authentication[:v1], token-exchange[:v1], transient-users[:v1],
+                       scripts[:v1], step-up-authentication[:v1], token-exchange[:v1],
-                       update-email[:v1], web-authn[:v1].
+                       transient-users[:v1], update-email[:v1], web-authn[:v1].
 --features-disabled <feature>
                     Disables a set of one or more features. Possible values are: account-api,
                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
-                       authorization, ciba, client-policies, client-secret-rotation, device-flow,
+                       authorization, ciba, client-policies, client-secret-rotation,
-                       docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos,
+                       declarative-ui, device-flow, docker, dpop, dynamic-scopes, fips,
-                       linkedin-oauth, multi-site, offline-session-preloading, par, preview,
+                       impersonation, js-adapter, kerberos, linkedin-oauth, multi-site,
-                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       offline-session-preloading, par, preview, recovery-codes, scripts,
-                       transient-users, update-email, web-authn.
+                       step-up-authentication, token-exchange, transient-users, update-email,
                       web-authn.
 Hostname:
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.unix.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.unix.approved.txt
@ -90,20 +90,21 @@ Feature:
 --features <feature> Enables a set of one or more features. Possible values are: account-api[:v1],
                       account2[:v1], account3[:v1], admin-api[:v1], admin-fine-grained-authz[:v1],
                       admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1],
-                       client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1],
+                       client-secret-rotation[:v1], declarative-ui[:v1], device-flow[:v1], docker[:
-                       dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation[:v1], js-adapter
+                       v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation
-                       [:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
+                       [:v1], js-adapter[:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
                       offline-session-preloading[:v1], par[:v1], preview, recovery-codes[:v1],
                       scripts[:v1], step-up-authentication[:v1], token-exchange[:v1],
                       transient-users[:v1], update-email[:v1], web-authn[:v1].
 --features-disabled <feature>
                     Disables a set of one or more features. Possible values are: account-api,
                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
-                       authorization, ciba, client-policies, client-secret-rotation, device-flow,
+                       authorization, ciba, client-policies, client-secret-rotation,
-                       docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos,
+                       declarative-ui, device-flow, docker, dpop, dynamic-scopes, fips,
-                       linkedin-oauth, multi-site, offline-session-preloading, par, preview,
+                       impersonation, js-adapter, kerberos, linkedin-oauth, multi-site,
-                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       offline-session-preloading, par, preview, recovery-codes, scripts,
-                       transient-users, update-email, web-authn.
+                       step-up-authentication, token-exchange, transient-users, update-email,
                       web-authn.
 Hostname:
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.windows.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.windows.approved.txt
@ -90,20 +90,21 @@ Feature:
 --features <feature> Enables a set of one or more features. Possible values are: account-api[:v1],
                       account2[:v1], account3[:v1], admin-api[:v1], admin-fine-grained-authz[:v1],
                       admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1],
-                       client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1],
+                       client-secret-rotation[:v1], declarative-ui[:v1], device-flow[:v1], docker[:
-                       dynamic-scopes[:v1], fips[:v1], hostname[:v1],impersonation[:v1], js-adapter[:v1], kerberos
+                       v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation
-                       [:v1], linkedin-oauth[:v1], multi-site[:v1], offline-session-preloading[:
+                       [:v1], js-adapter[:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
-                       v1], par[:v1], preview, recovery-codes[:v1], scripts[:v1],
+                       offline-session-preloading[:v1], par[:v1], preview, recovery-codes[:v1],
-                       step-up-authentication[:v1], token-exchange[:v1], transient-users[:v1],
+                       scripts[:v1], step-up-authentication[:v1], token-exchange[:v1],
-                       update-email[:v1], web-authn[:v1].
+                       transient-users[:v1], update-email[:v1], web-authn[:v1].
 --features-disabled <feature>
                     Disables a set of one or more features. Possible values are: account-api,
                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
-                       authorization, ciba, client-policies, client-secret-rotation, device-flow,
+                       authorization, ciba, client-policies, client-secret-rotation,
-                       docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos,
+                       declarative-ui, device-flow, docker, dpop, dynamic-scopes, fips,
-                       linkedin-oauth, multi-site, offline-session-preloading, par, preview,
+                       impersonation, js-adapter, kerberos, linkedin-oauth, multi-site,
-                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       offline-session-preloading, par, preview, recovery-codes, scripts,
-                       transient-users, update-email, web-authn.
+                       step-up-authentication, token-exchange, transient-users, update-email,
                       web-authn.
 Hostname:
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.unix.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.unix.approved.txt
@ -90,20 +90,21 @@ Feature:
 --features <feature> Enables a set of one or more features. Possible values are: account-api[:v1],
                       account2[:v1], account3[:v1], admin-api[:v1], admin-fine-grained-authz[:v1],
                       admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1],
-                       client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1],
+                       client-secret-rotation[:v1], declarative-ui[:v1], device-flow[:v1], docker[:
-                       dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation[:v1], js-adapter
+                       v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation
-                       [:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
+                       [:v1], js-adapter[:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
                       offline-session-preloading[:v1], par[:v1], preview, recovery-codes[:v1],
                       scripts[:v1], step-up-authentication[:v1], token-exchange[:v1],
                       transient-users[:v1], update-email[:v1], web-authn[:v1].
 --features-disabled <feature>
                     Disables a set of one or more features. Possible values are: account-api,
                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
-                       authorization, ciba, client-policies, client-secret-rotation, device-flow,
+                       authorization, ciba, client-policies, client-secret-rotation,
-                       docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos,
+                       declarative-ui, device-flow, docker, dpop, dynamic-scopes, fips,
-                       linkedin-oauth, multi-site, offline-session-preloading, par, preview,
+                       impersonation, js-adapter, kerberos, linkedin-oauth, multi-site,
-                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       offline-session-preloading, par, preview, recovery-codes, scripts,
-                       transient-users, update-email, web-authn.
+                       step-up-authentication, token-exchange, transient-users, update-email,
                       web-authn.
 Hostname:
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.windows.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.windows.approved.txt
@ -90,20 +90,21 @@ Feature:
 --features <feature> Enables a set of one or more features. Possible values are: account-api[:v1],
                       account2[:v1], account3[:v1], admin-api[:v1], admin-fine-grained-authz[:v1],
                       admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1],
-                       client-secret-rotation[:v1], device-flow[:v1], docker[:v1], dpop[:v1],
+                       client-secret-rotation[:v1], declarative-ui[:v1], device-flow[:v1], docker[:
-                       dynamic-scopes[:v1], fips[:v1], hostname[:v1],impersonation[:v1], js-adapter[:v1], kerberos
+                       v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation
-                       [:v1], linkedin-oauth[:v1], multi-site[:v1], offline-session-preloading[:
+                       [:v1], js-adapter[:v1], kerberos[:v1], linkedin-oauth[:v1], multi-site[:v1],
-                       v1], par[:v1], preview, recovery-codes[:v1], scripts[:v1],
+                       offline-session-preloading[:v1], par[:v1], preview, recovery-codes[:v1],
-                       step-up-authentication[:v1], token-exchange[:v1], transient-users[:v1],
+                       scripts[:v1], step-up-authentication[:v1], token-exchange[:v1],
-                       update-email[:v1], web-authn[:v1].
+                       transient-users[:v1], update-email[:v1], web-authn[:v1].
 --features-disabled <feature>
                     Disables a set of one or more features. Possible values are: account-api,
                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
-                       authorization, ciba, client-policies, client-secret-rotation, device-flow,
+                       authorization, ciba, client-policies, client-secret-rotation,
-                       docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos,
+                       declarative-ui, device-flow, docker, dpop, dynamic-scopes, fips,
-                       linkedin-oauth, multi-site, offline-session-preloading, par, preview,
+                       impersonation, js-adapter, kerberos, linkedin-oauth, multi-site,
-                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       offline-session-preloading, par, preview, recovery-codes, scripts,
-                       transient-users, update-email, web-authn.
+                       step-up-authentication, token-exchange, transient-users, update-email,
                       web-authn.
 Hostname:
--- a/server-spi-private/src/main/java/org/keycloak/services/ui/extend/UiPageProvider.java
+++ b/server-spi-private/src/main/java/org/keycloak/services/ui/extend/UiPageProvider.java
@ -0,0 +1,10 @@
 package org.keycloak.services.ui.extend;
 import org.keycloak.provider.ConfiguredProvider;
 import org.keycloak.provider.Provider;
 import java.util.List;
 public interface UiPageProvider extends Provider, ConfiguredProvider {
 }
--- a/server-spi-private/src/main/java/org/keycloak/services/ui/extend/UiPageProviderFactory.java
+++ b/server-spi-private/src/main/java/org/keycloak/services/ui/extend/UiPageProviderFactory.java
@ -0,0 +1,12 @@
 package org.keycloak.services.ui.extend;
 import org.keycloak.component.ComponentFactory;
 import org.keycloak.component.ComponentModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.provider.ProviderFactory;
 public interface UiPageProviderFactory<T> extends ComponentFactory<T, UiPageProvider> {
    default T create(KeycloakSession session, ComponentModel model) {
        return null;
    }
 }
--- a/server-spi-private/src/main/java/org/keycloak/services/ui/extend/UiPageSpi.java
+++ b/server-spi-private/src/main/java/org/keycloak/services/ui/extend/UiPageSpi.java
@ -0,0 +1,33 @@
 package org.keycloak.services.ui.extend;
 import org.keycloak.common.Profile;
 import org.keycloak.provider.Provider;
 import org.keycloak.provider.ProviderFactory;
 import org.keycloak.provider.Spi;
 public class UiPageSpi implements Spi {
    @Override
    public boolean isInternal() {
        return true;
    }
    @Override
    public String getName() {
        return "ui-page";
    }
    @Override
    public Class<? extends Provider> getProviderClass() {
        return UiPageProvider.class;
    }
    @Override
    public Class<? extends ProviderFactory> getProviderFactoryClass() {
        return UiPageProviderFactory.class;
    }
    @Override
    public boolean isEnabled() {
        return Profile.isFeatureEnabled(Profile.Feature.DECLARATIVE_UI);
    }
 }
--- a/server-spi-private/src/main/java/org/keycloak/services/ui/extend/UiTabProvider.java
+++ b/server-spi-private/src/main/java/org/keycloak/services/ui/extend/UiTabProvider.java
@ -0,0 +1,8 @@
 package org.keycloak.services.ui.extend;
 import org.keycloak.provider.ConfiguredProvider;
 import org.keycloak.provider.Provider;
 public interface UiTabProvider extends Provider, ConfiguredProvider {
 }
--- a/server-spi-private/src/main/java/org/keycloak/services/ui/extend/UiTabProviderFactory.java
+++ b/server-spi-private/src/main/java/org/keycloak/services/ui/extend/UiTabProviderFactory.java
@ -0,0 +1,26 @@
 package org.keycloak.services.ui.extend;
 import org.keycloak.component.ComponentFactory;
 import org.keycloak.component.ComponentModel;
 import org.keycloak.models.KeycloakSession;
 import java.util.HashMap;
 import java.util.Map;
 public interface UiTabProviderFactory<T> extends ComponentFactory<T, UiTabProvider> {
    default T create(KeycloakSession session, ComponentModel model) {
        return null;
    }
    @Override
    default Map<String, Object> getTypeMetadata() {
        Map<String, Object> metadata = new HashMap<>();
        metadata.put("path", getPath());
        metadata.put("params", getParams());
        return metadata;
    }
    String getPath();
    Map<String, String> getParams();
 }
--- a/server-spi-private/src/main/java/org/keycloak/services/ui/extend/UiTabSpi.java
+++ b/server-spi-private/src/main/java/org/keycloak/services/ui/extend/UiTabSpi.java
@ -0,0 +1,33 @@
 package org.keycloak.services.ui.extend;
 import org.keycloak.common.Profile;
 import org.keycloak.provider.Provider;
 import org.keycloak.provider.ProviderFactory;
 import org.keycloak.provider.Spi;
 public class UiTabSpi implements Spi {
    @Override
    public boolean isInternal() {
        return true;
    }
    @Override
    public String getName() {
        return "ui-tab";
    }
    @Override
    public Class<? extends Provider> getProviderClass() {
        return UiTabProvider.class;
    }
    @Override
    public Class<? extends ProviderFactory> getProviderFactoryClass() {
        return UiTabProviderFactory.class;
    }
    @Override
    public boolean isEnabled() {
        return Profile.isFeatureEnabled(Profile.Feature.DECLARATIVE_UI);
    }
 }
--- a/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi
+++ b/server-spi-private/src/main/resources/META-INF/services/org.keycloak.provider.Spi
@ -38,6 +38,8 @@ org.keycloak.scripting.ScriptingSpi
 org.keycloak.services.managers.BruteForceProtectorSpi
 org.keycloak.services.resource.AccountResourceSpi
 org.keycloak.services.resource.RealmResourceSPI
 org.keycloak.services.ui.extend.UiPageSpi
 org.keycloak.services.ui.extend.UiTabSpi
 org.keycloak.sessions.AuthenticationSessionSpi
 org.keycloak.sessions.StickySessionEncoderSpi
 org.keycloak.protocol.ClientInstallationSpi