Add nashorn javascript engine to Keycloak server

closes #17671
mposolda 2023-04-03 20:06:30 +02:00 committed by Marek Posolda
parent 84e763b472
commit c6f13363b9
8 changed files with 26 additions and 111 deletions

@ -345,53 +345,6 @@ The name of the script file. This property is *mandatory* and should map to a fi
Once you have a JAR file with a descriptor and the scripts you want to deploy, you just need to copy the JAR to the {project_name} `providers/` directory, then run `bin/kc.[sh|bat] build`.
===== Deploy the script engine on Java 15 and later
To run the scripts, JavaScript providers require that a JavaScript engine is available in your Java application. Java 14 and lower versions include the Nashorn JavaScript Engine. It is
automatically available as part of the Java itself and JavaScript providers are able to use this script engine by default. However, for Java 15 or higher versions, the script engine is not part
of the Java itself. It needs to be added to your server because {project_name} does not have any script engine by default. Java 15 and higher versions require an extra step when deploying script
providers - adding the script engine of your choice to your distribution.
You can use any script engine. However, we only test with the Nashorn JavaScript Engine. The following steps assume that this engine is used:
Install the script engine by copying the nashorn script engine JAR and its dependencies directly to the `KEYCLOAK_HOME/providers` directory. In the `pom.xml` file
of your script project, you can declare the dependency such as this in the `dependencies` section:
```xml
<dependency>
<groupId>org.openjdk.nashorn</groupId>
<artifactId>nashorn-core</artifactId>
<version>15.3</version>
</dependency>
```
and declare `maven-dependency-plugin` in the `plugins` section to copy the dependencies to the specified directory:
```xml
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<executions>
<execution>
<id>copy-dependencies-quarkus</id>
<phase>package</phase>
<goals>
<goal>copy-dependencies</goal>
</goals>
<configuration>
<outputDirectory>${project.build.directory}/keycloak-server-copy/providers</outputDirectory>
<includeArtifactIds>nashorn-core,asm,asm-util,asm-commons</includeArtifactIds>
</configuration>
</execution>
</executions>
</plugin>
```
Once the project is built, copy the script engine and its dependencies to the `KEYCLOAK_HOME/providers` directory.
```bash
cp target/keycloak-server-copy/providers/*.jar KEYCLOAK_HOME/providers/
```
After re-augment the distribution with `kc.sh build`, the script engine should be deployed and your script providers should work.
=== Available SPIs
If you want to see list of all available SPIs at runtime, you can check `Server Info` page in Admin Console as described in <<_providers_admin_console,Admin Console>> section.
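Review bot: deleting the whole "Deploy the script engine on Java 15 and later" section leaves this guide with no statement that the engine is now bundled, so a reader following the old instructions will keep copying `nashorn-core` and the `asm`, `asm-util`, `asm-commons` JARs into `KEYCLOAK_HOME/providers`, where they sit beside the copy the server now ships. Suggest replacing the removed section with one short paragraph after the `bin/kc.[sh|bat] build` sentence saying that {project_name} includes the Nashorn JavaScript engine and that engine JARs copied into `providers/` for earlier versions should be removed. Note also that the removed snippet pinned `<version>15.3</version>` while this commit moves `nashorn.version` to 15.4; pointing users at the bundled engine avoids exactly that drift.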

@ -0,0 +1,16 @@
= Javascript engine available by default on the classpath
In the previous version, when Keycloak was used on Java 17 with Javascript providers (Script authenticator, Javascript authorization policy or Script protocol mappers for OIDC and SAML clients),
it was needed to copy javascript engine to the distribution. This is no longer needed as Nashorn javascript engine is available in Keycloak server by default. When you deploy script providers,
it is recommended to not copy the nashorn script engine and it's dependencies into the Keycloak distribution.
= Change of the default Client ID mapper of Service Account Client
Default `Client ID` mapper of `Service Account Client` has been changed. `Token Claim Name` field value has been changed from `clientId` to `client_id`.
`client_id` claim is compliant with OAuth2 specifications:
- https://datatracker.ietf.org/doc/html/rfc9068#section-2.2[JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens]
- https://www.rfc-editor.org/rfc/rfc7662#section-2.2[OAuth 2.0 Token Introspection]
- https://datatracker.ietf.org/doc/html/rfc8693#section-4.3[OAuth 2.0 Token Exchange]
`clientId` userSession note still exists.
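Review bot: the new migration note has grammar and spelling issues in its first paragraph and its advice is weaker than the situation warrants. "it was needed to copy javascript engine to the distribution" reads better as "it was necessary to copy a JavaScript engine into the distribution", "it's dependencies" should be "its dependencies", and "Javascript"/"javascript"/"Nashorn javascript" should be normalised to "JavaScript" and "Nashorn JavaScript". Since the server now provides these classes itself, "it is recommended to not copy" should become an explicit instruction to remove any previously copied `nashorn-core` and `asm*` JARs from the `providers/` directory rather than merely not adding new ones. The second section of this file is the "Change of the default Client ID mapper" text lifted verbatim from the 21.1.0 notes; confirm that relocating it is intentional, since the commit title only mentions the script engine.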

@ -1,14 +1,3 @@
= Change of the default Client ID mapper of Service Account Client
Default `Client ID` mapper of `Service Account Client` has been changed. `Token Claim Name` field value has been changed from `clientId` to `client_id`.
`client_id` claim is compliant with OAuth2 specifications:
- https://datatracker.ietf.org/doc/html/rfc9068#section-2.2[JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens]
- https://www.rfc-editor.org/rfc/rfc7662#section-2.2[OAuth 2.0 Token Introspection]
- https://datatracker.ietf.org/doc/html/rfc8693#section-4.3[OAuth 2.0 Token Exchange]
`clientId` userSession note still exists.
= Legacy Promise API removed from Keycloak JS adapter
The legacy Promise API methods have been removed from the Keycloak JS adapter. This means that calling `.success()` and `.error()` on promises returned from the adapter is no longer possible. Instead standardized Promise methods such as https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise/then[`.then()`] and https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise/catch[`.catch()`] should be used.
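Review bot: this hunk moves the "Change of the default Client ID mapper of Service Account Client" section out of the 21.1.0 notes and into the new 22.0.0 file without any change to its wording, which is unrelated to the commit title "Add nashorn javascript engine to Keycloak server". Either mention the relocation in the commit message or split it into its own commit so the release-notes history stays traceable. While the text is being moved, the terse closing line "`clientId` userSession note still exists." would read better as "The `clientId` user session note is unchanged."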

@ -4,6 +4,10 @@
include::changes-22_0_0.adoc[leveloffset=3]
=== Migrating to 21.1.0
include::changes-21_1_0.adoc[leveloffset=3]
=== Migrating to 21.0.2
include::changes-21_0_2.adoc[leveloffset=3]

@ -111,7 +111,7 @@
<woodstox.version>6.0.3</woodstox.version>
<xmlsec.version>2.2.3</xmlsec.version>
<wildfly.common.version>1.6.0.Final</wildfly.common.version>
<nashorn.version>15.3</nashorn.version>
<nashorn.version>15.4</nashorn.version>
<ua-parser.version>1.5.4</ua-parser.version>
<picketbox.version>5.0.3.Final</picketbox.version>
<google.guava.version>30.1-jre</google.guava.version>
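Review bot: with the `nashorn.version` bump from 15.3 to 15.4, this property now governs a component that ships inside the server distribution (see the new `nashorn-core` dependency in this commit) rather than one pulled in only by the testsuite's `jdk15` profiles. Make sure the dependency-update and vulnerability-scanning configuration for the project tracks `org.openjdk.nashorn:nashorn-core`, and consider noting the bump in the 22.0.0 migration text next to the "available by default" statement.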

@ -641,6 +641,11 @@
<groupId>org.jboss.spec.javax.xml.bind</groupId>
<artifactId>jboss-jaxb-api_2.3_spec</artifactId>
</dependency>
<dependency>
<groupId>org.openjdk.nashorn</groupId>
<artifactId>nashorn-core</artifactId>
<version>${nashorn.version}</version>
</dependency>
<dependency>
<groupId>com.sun.xml.messaging.saaj</groupId>
<artifactId>saaj-impl</artifactId>
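Review bot: the new `nashorn-core` dependency has no `<scope>`, so it lands on the runtime classpath, which is the intent, but it also brings `asm`, `asm-util` and `asm-commons` transitively (the removed `includeArtifactIds` lists elsewhere in this commit show exactly those artifacts being copied alongside it). Check that these do not conflict with ASM versions already managed for the server and, if they do, pin them in `dependencyManagement` so the engine runs against the ASM release it was built with.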

@ -264,43 +264,6 @@
</properties>
</profile>
<!-- Nashorn script engine needs to be manually added for the new Java versions as it is not part of the JDK anymore -->
<profile>
<id>jdk15</id>
<activation>
<jdk>[15,)</jdk>
</activation>
<dependencies>
<dependency>
<groupId>org.openjdk.nashorn</groupId>
<artifactId>nashorn-core</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<executions>
<execution>
<id>copy-dependencies-quarkus</id>
<phase>generate-resources</phase>
<goals>
<goal>copy-dependencies</goal>
</goals>
<configuration>
<outputDirectory>${auth.server.home}/providers</outputDirectory>
<includeArtifactIds>nashorn-core,asm,asm-util,asm-commons</includeArtifactIds>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
<profile>
<id>auth-server-fips140-2</id>
<properties>
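Review bot: removing the `jdk15` profile also removes the `copy-dependencies-quarkus` execution that placed `nashorn-core,asm,asm-util,asm-commons` into `${auth.server.home}/providers`. That is the right cleanup now that the server ships the engine, but any JARs left in that directory by earlier local or CI builds will now duplicate the bundled classes; consider adding a clean step for `${auth.server.home}/providers` or documenting that developers should clear it once after pulling this change.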

@ -276,21 +276,6 @@
<profiles>
<!-- Nashorn script engine needs to be manually added for the new Java versions as it is not part of the JDK anymore -->
<profile>
<id>jdk15</id>
<activation>
<jdk>[15,)</jdk>
</activation>
<dependencies>
<dependency>
<groupId>org.openjdk.nashorn</groupId>
<artifactId>nashorn-core</artifactId>
</dependency>
</dependencies>
</profile>
<profile>
<id>keycloak-server</id>
<build>