
tessl/maven-org-keycloak--keycloak-adapter-spi

Service Provider Interface for Keycloak authentication adapters across different application server environments

  • Workspace: tessl
  • Visibility: Public
  • Describes: pkg:maven/org.keycloak/keycloak-adapter-spi@26.2.x (maven)

To install, run

npx @tessl/cli install tessl/maven-org-keycloak--keycloak-adapter-spi@26.2.0


Keycloak Adapter SPI

The Keycloak Adapter SPI (Service Provider Interface) is a Java library that defines the core interfaces and contracts for building Keycloak authentication adapters across different application server environments. It provides abstractions for HTTP request/response handling, session management, user authentication state, and error handling, enabling consistent authentication adapter implementations across various platforms like Jakarta EE, Spring, and other Java application servers.

Package Information

  • Package Name: keycloak-adapter-spi
  • Package Type: maven
  • Language: Java
  • Installation:
    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-adapter-spi</artifactId>
        <version>26.2.5</version>
    </dependency>

Core Imports

import org.keycloak.adapters.spi.*;

For specific interfaces:

import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.spi.AuthChallenge;
import org.keycloak.adapters.spi.KeycloakAccount;
import org.keycloak.adapters.spi.SessionIdMapper;
import org.keycloak.adapters.spi.InMemorySessionIdMapper;
import org.keycloak.adapters.spi.SessionIdMapperUpdater;
import org.keycloak.adapters.spi.UserSessionManagement;
import org.keycloak.adapters.spi.AdapterSessionStore;
import org.keycloak.adapters.spi.AuthenticationError;
import org.keycloak.adapters.spi.LogoutError;

Basic Usage

import org.keycloak.adapters.spi.*;
import javax.security.cert.X509Certificate;

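// Implement HTTP facade for your platform
public class MyHttpFacade implements HttpFacade {
    @Override
    public Request getRequest() {
        // Wrap your platform's request object here
        throw new UnsupportedOperationException("not implemented");
    }

    @Override
    public Response getResponse() {
        // Wrap your platform's response object here
        throw new UnsupportedOperationException("not implemented");
    }

    @Override
    public X509Certificate[] getCertificateChain() {
        // Return the client certificate chain of the connection here
        throw new UnsupportedOperationException("not implemented");
    }
}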

// Use session mapping for multi-session management
SessionIdMapper sessionMapper = new InMemorySessionIdMapper();
sessionMapper.map("sso-session-123", "user@example.com", "http-session-456");

// Handle authentication outcomes
public void handleAuth(AuthOutcome outcome) {
    switch (outcome) {
        case AUTHENTICATED:
            // Process successful authentication
            break;
        case FAILED:
            // Handle authentication failure
            break;
        case NOT_ATTEMPTED:
            // No authentication attempted
            break;
        // ... handle other outcomes
    }
}

Architecture

The Keycloak Adapter SPI follows a clean interface-based design with several key components:

  • HTTP Abstraction Layer: HttpFacade provides platform-agnostic HTTP request/response handling
  • Session Management: Multiple interfaces for mapping between SSO sessions, user principals, and HTTP sessions
  • Authentication State: Enums and interfaces for tracking authentication outcomes and errors
  • Request Storage: AdapterSessionStore for preserving request state during authentication flows
  • Challenge Handling: AuthChallenge interface for implementing protocol-specific authentication challenges

This architecture enables platform-specific adapter implementations while maintaining consistent authentication patterns across different Java web frameworks and application servers.

Capabilities

HTTP Request/Response Abstraction

Platform-agnostic HTTP handling with request and response facades, cookie management, and certificate chain access. Essential for building adapters that work across different web frameworks.

public interface HttpFacade {
    Request getRequest();
    Response getResponse();
    X509Certificate[] getCertificateChain();
}

See: HTTP Facade (http-facade.md)

Session Management

Session mapping and management interfaces that correlate SSO sessions with application sessions, together with user session management and request storage.

public interface SessionIdMapper {
    boolean hasSession(String id);
    void clear();
    Set<String> getUserSessions(String principal);
    String getSessionFromSSO(String sso);
    void map(String sso, String principal, String session);
    void removeSession(String session);
}

public class InMemorySessionIdMapper implements SessionIdMapper {
    // Thread-safe in-memory implementation
}

See: Session Management (session-management.md)

Authentication State Management

Authentication outcome tracking, user account representation, and error handling for the authentication flow.

public enum AuthOutcome {
    NOT_ATTEMPTED, FAILED, AUTHENTICATED, NOT_AUTHENTICATED, LOGGED_OUT
}

public interface KeycloakAccount {
    Principal getPrincipal();
    Set<String> getRoles();
}

public interface AuthChallenge {
    boolean challenge(HttpFacade exchange);
    int getResponseCode();
}

See: Authentication (authentication.md)

Types

Core Session Types

public interface SessionIdMapperUpdater {
    void clear(SessionIdMapper idMapper);
    void map(SessionIdMapper idMapper, String sso, String principal, String httpSessionId);
    void removeSession(SessionIdMapper idMapper, String httpSessionId);
    boolean refreshMapping(SessionIdMapper idMapper, String httpSessionId);
    
    // Predefined update strategies
    SessionIdMapperUpdater DIRECT = /* direct update implementation */;
    SessionIdMapperUpdater EXTERNAL = /* external update implementation */;
}

public interface UserSessionManagement {
    void logoutAll();
    void logoutHttpSessions(List<String> ids);
}

public interface AdapterSessionStore {
    void saveRequest();
    boolean restoreRequest();
}
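
The session types above are what an adapter uses to propagate a logout from an SSO session to the application's HTTP sessions. The sketch below is an added example, not code from this page or from the Keycloak project: `LogoutPropagation`, the recording `UserSessionManagement` and the sample identifiers are hypothetical, and it uses only the `SessionIdMapper` and `UserSessionManagement` methods listed above. Treating a `null` lookup result as "no session" is a defensive assumption.

```java
import org.keycloak.adapters.spi.InMemorySessionIdMapper;
import org.keycloak.adapters.spi.SessionIdMapper;
import org.keycloak.adapters.spi.UserSessionManagement;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Hypothetical helper (not part of keycloak-adapter-spi): turns a logout into HTTP session invalidation.
public class LogoutPropagation {
    private final SessionIdMapper mapper;
    private final UserSessionManagement sessions;
    LogoutPropagation(SessionIdMapper m, UserSessionManagement s) { mapper = m; sessions = s; }

    // One SSO session: invalidate its HTTP session first, then drop the mapping.
    boolean logoutSso(String ssoId) {
        if (ssoId == null) return false;                 // never query the mapper with null
        String httpId = mapper.getSessionFromSSO(ssoId);
        if (httpId == null) return false;                // unknown or already logged out
        sessions.logoutHttpSessions(List.of(httpId));
        mapper.removeSession(httpId);
        return true;
    }

    // Every session of one principal; returns how many were invalidated.
    int logoutPrincipal(String principal) {
        if (principal == null) return 0;
        Set<String> ids = mapper.getUserSessions(principal);
        if (ids == null || ids.isEmpty()) return 0;      // defensive: treat null as "none"
        List<String> copy = new ArrayList<>(ids);        // iterate a copy while removing
        sessions.logoutHttpSessions(copy);
        copy.forEach(mapper::removeSession);
        return copy.size();
    }

    public static void main(String[] args) {
        List<String> invalidated = new ArrayList<>();    // stand-in for the container's session store
        UserSessionManagement recorder = new UserSessionManagement() {
            @Override public void logoutAll() { invalidated.add("*"); }
            @Override public void logoutHttpSessions(List<String> ids) { invalidated.addAll(ids); }
        };
        SessionIdMapper mapper = new InMemorySessionIdMapper();
        mapper.map("sso-1", "alice", "http-a");          // constructed sample identifiers
        mapper.map("sso-2", "alice", "http-b");
        mapper.map("sso-3", "bob", "http-c");
        LogoutPropagation handler = new LogoutPropagation(mapper, recorder);
        System.out.println(handler.logoutSso("sso-3") + " " + handler.logoutSso("sso-3"));
        System.out.println(handler.logoutPrincipal("alice") + " " + invalidated);
    }
}
```

Invalidating the HTTP session before removing the mapping means that a failure between the two steps leaves a stale mapping entry, not a live session that can no longer be found for logout.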

Error Handling Types

// Marker interfaces for error identification
public interface AuthenticationError {
    // Marker interface - specific protocols implement subclasses
}

public interface LogoutError {
    // Marker interface - specific protocols implement subclasses  
}