tessl/maven-org-keycloak--keycloak-server-spi
Service Provider Interface (SPI) contracts and abstractions for the Keycloak identity and access management server enabling extensibility through custom providers
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
'%3e%3cpath%20d='m7.15%205.779.281.877c-.001.502.003.991.124%201.48l.116-.082.229-1.265c.723%201.422%202.78%203.325%202.53%205.008-.022.154-.082.3-.158.435.349-.014.375-.38.578-.56.187%201.005.17%201.975-.22%202.932l1.428%203.159c-.007.07-.626.285-.744.226-.087-.044-.629-1.506-.742-1.754-.103-.224-.457-1.044-.592-1.165-.592-.534-2.033-.183-2.773-.256l.488-.115.148-.109c-.68-.08-1.363-.34-1.85-.815.531.046%201.052.121%201.592.087.1-.006.378-.02.432-.114-1.338-.016-2.398-.569-3.16-1.62-1.03-1.422-1.646-3.215-2.658-4.662-.203-.289-.474-.68-.776-.847-.015-.092.076-.054.137-.049.375.034.778.157%201.148.234l1.26.462c-.404-.737-1.332-.637-1.984-.994-.759-.416-1.2-1.386-1.487-2.149-.258-.68-.536-1.495-.492-2.217.282.262.529.573.896.73.087-.102-.838-1.102-.867-1.323C-.051.673.656-.051%201.328.003c1.128.09%202.44%201.953%202.87%202.886.074.069.145-.23.149-.25.029-.154.01-.306.054-.452.67.932%201.64%201.722%202.122%202.768l.626%201.778V5.78Z'/%3e%3cpath%20d='m10.851%206.733.626-1.778c.483-1.047%201.451-1.836%202.122-2.769.045.147.025.299.054.452.005.021.075.32.149.25.43-.932%201.742-2.796%202.87-2.885.672-.054%201.38.67%201.294%201.31-.03.22-.954%201.221-.867%201.322.367-.156.614-.467.896-.729.044.722-.234%201.536-.49%202.218-.288.763-.73%201.733-1.488%202.149-.652.356-1.58.256-1.984.993l1.26-.461c.37-.077.772-.2%201.148-.234.06-.006.152-.044.136.049-.301.166-.573.557-.775.847-.794%201.135-1.347%202.488-2.049%203.68-.635%201.081-1.285%202.087-2.613%202.432.148-.768.005-1.562-.173-2.316l-.32-.092c-.219-1.088-.84-2.001-1.466-2.908l.919-1.475.229%201.265.116.082c.12-.489.125-.979.123-1.48l.283-.877v.955ZM8.017%2014.984c-.238.57-.531%201.119-.78%201.686-.089.204-.446%201.24-.518%201.295-.145.114-.622-.087-.777-.2l1.207-2.78h.868ZM12.008%2013.75c-.059.174-.949.7-1.04.617l.12-.5.92-.117Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h18v18H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/maven-org-keycloak--keycloak-server-spi@26.2.0index.mddocs/
Keycloak Server SPI
Keycloak Server SPI (Service Provider Interface) is the core extensibility framework for the Keycloak identity and access management server. It provides comprehensive interfaces and contracts that enable developers to create custom providers for authentication, user storage, credential management, session handling, and other extensibility points.
Package Information
- Package Name: org.keycloak:keycloak-server-spi
- Package Type: Maven JAR Library
- Language: Java
- Version: 26.2.5
- Installation: Add Maven dependency:
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-server-spi</artifactId>
<version>26.2.5</version>
<scope>provided</scope>
</dependency>Core Imports
import org.keycloak.provider.Provider;
import org.keycloak.provider.ProviderFactory;
import org.keycloak.provider.Spi;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.ClientModel;
import org.keycloak.component.ComponentModel;Basic Usage
// Implementing a custom provider
public class MyCustomProvider implements UserStorageProvider {
private KeycloakSession session;
private ComponentModel model;
public MyCustomProvider(KeycloakSession session, ComponentModel model) {
this.session = session;
this.model = model;
}
@Override
public UserModel getUserById(RealmModel realm, String id) {
// Custom user lookup implementation
return null;
}
@Override
public void close() {
// Cleanup resources
}
}
// Creating a provider factory
public class MyCustomProviderFactory implements UserStorageProviderFactory<MyCustomProvider> {
public static final String PROVIDER_ID = "my-custom-provider";
@Override
public MyCustomProvider create(KeycloakSession session, ComponentModel model) {
return new MyCustomProvider(session, model);
}
@Override
public String getId() {
return PROVIDER_ID;
}
}Architecture
The Keycloak Server SPI is built around several key architectural patterns:
- Provider Pattern: Core abstraction using Provider/ProviderFactory/SPI interfaces for all extensibility points
- Session Management: KeycloakSession serves as the central context for all operations
- Model Layer: Rich set of model interfaces (UserModel, RealmModel, ClientModel) representing Keycloak entities
- Component Framework: Configuration-driven component system for provider instantiation and management
- Storage Abstraction: Pluggable storage providers for users, roles, clients, and other entities
- Transaction Management: Built-in transaction support for data consistency
Capabilities
Core Provider Framework
Foundation interfaces for creating extensible Keycloak providers. Essential for all custom integrations.
public interface Provider {
void close();
}
public interface ProviderFactory<T extends Provider> {
T create(KeycloakSession session);
void init(Config.Scope config);
void postInit(KeycloakSessionFactory factory);
void close();
String getId();
}
public interface Spi {
boolean isInternal();
String getName();
Class<? extends Provider> getProviderClass();
Class<? extends ProviderFactory> getProviderFactoryClass();
}Session and Context Management
Central session interfaces providing access to all Keycloak services and transaction management.
public interface KeycloakSession extends AutoCloseable {
KeycloakContext getContext();
KeycloakTransactionManager getTransactionManager();
<T extends Provider> T getProvider(Class<T> clazz);
RealmProvider realms();
UserProvider users();
ClientProvider clients();
}
public interface KeycloakContext {
URI getAuthServerUrl();
String getContextPath();
UriInfo getUri();
HttpHeaders getRequestHeaders();
RealmModel getRealm();
ClientModel getClient();
}Core Model Interfaces
Primary model interfaces representing Keycloak entities like realms, users, clients, and roles.
public interface RealmModel extends RoleContainerModel {
String getId();
String getName();
String getDisplayName();
void setDisplayName(String displayName);
boolean isEnabled();
void setEnabled(boolean enabled);
SslRequired getSslRequired();
void setSslRequired(SslRequired sslRequired);
}
public interface UserModel extends RoleMapperModel {
String getId();
String getUsername();
void setUsername(String username);
String getFirstName();
void setFirstName(String firstName);
String getLastName();
void setLastName(String lastName);
String getEmail();
void setEmail(String email);
}
public interface ClientModel extends ProtocolMapperContainerModel, ScopeContainerModel, RoleContainerModel {
String getId();
String getClientId();
void setClientId(String clientId);
String getName();
void setName(String name);
boolean isEnabled();
void setEnabled(boolean enabled);
}User Storage Federation
Interfaces for integrating external user stores and implementing custom user storage providers.
public interface UserStorageProvider extends Provider {
// Base interface for user storage providers
}
public interface UserLookupProvider {
UserModel getUserById(RealmModel realm, String id);
UserModel getUserByUsername(RealmModel realm, String username);
UserModel getUserByEmail(RealmModel realm, String email);
}
public interface UserQueryProvider extends UserQueryMethodsProvider, UserCountMethodsProvider {
Stream<UserModel> searchForUserStream(RealmModel realm, String search);
Stream<UserModel> searchForUserStream(RealmModel realm, String search, Integer firstResult, Integer maxResults);
Stream<UserModel> getGroupMembersStream(RealmModel realm, GroupModel group);
}Credential Management
Framework for handling various credential types including passwords, OTP, and WebAuthn.
public interface CredentialProvider extends Provider {
String getType();
CredentialModel createCredential(RealmModel realm, UserModel user, CredentialModel credential);
boolean deleteCredential(RealmModel realm, UserModel user, String credentialId);
CredentialModel getCredentialFromModel(CredentialModel model);
}
public interface CredentialInputValidator {
boolean supportsCredentialType(String credentialType);
boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType);
boolean isValid(RealmModel realm, UserModel user, CredentialInput input);
}
public interface CredentialInputUpdater {
boolean supportsCredentialType(String credentialType);
boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input);
void disableCredentialType(RealmModel realm, UserModel user, String credentialType);
}Authentication and Session Management
Interfaces for managing authentication flows, user sessions, and client sessions.
public interface AuthenticationSessionModel extends CommonClientSessionModel {
String getTabId();
RootAuthenticationSessionModel getParentSession();
Map<String, ExecutionStatus> getExecutionStatus();
void setExecutionStatus(String authenticator, ExecutionStatus status);
void clearExecutionStatus();
UserModel getAuthenticatedUser();
void setAuthenticatedUser(UserModel user);
}
public interface UserSessionModel {
String getId();
RealmModel getRealm();
UserModel getUser();
String getLoginUsername();
String getIpAddress();
String getAuthMethod();
int getStarted();
int getLastSessionRefresh();
void setLastSessionRefresh(int seconds);
}Component Framework
Configuration-driven component system for managing provider instances and their configurations.
public interface ComponentFactory<T extends Provider> extends ProviderFactory<T> {
T create(KeycloakSession session, ComponentModel model);
void validateConfiguration(KeycloakSession session, RealmModel realm, ComponentModel model) throws ComponentValidationException;
void onCreate(KeycloakSession session, RealmModel realm, ComponentModel model);
void onUpdate(KeycloakSession session, RealmModel realm, ComponentModel oldModel, ComponentModel newModel);
}
public class ComponentModel {
private String id;
private String name;
private String providerId;
private String providerType;
private String parentId;
private String subType;
private MultivaluedHashMap<String, String> config;
}Theme and Localization
Framework for customizing Keycloak UI themes and handling internationalization.
public interface Theme {
String getName();
String getParentName();
String getImportName();
Type getType();
URL getTemplate(String name) throws IOException;
InputStream getResourceAsStream(String path) throws IOException;
Properties getMessages() throws IOException;
Properties getProperties() throws IOException;
}
public interface ThemeSelectorProvider extends Provider {
String getThemeName(Theme.Type type);
}
public interface LocaleSelectorProvider extends Provider {
Locale resolveLocale(RealmModel realm, UserModel user);
}Validation Framework
Extensible validation system for form fields and user input validation.
public interface Validator {
String getId();
ValidationResult validate(Object input, String inputHint, ValidationContext context, ValidatorConfig config) throws ValidationException;
}
public interface ValidationContext extends AttributeContext {
KeycloakSession getSession();
Attributes getAttributes();
RealmModel getRealm();
UserModel getUser();
}
public class ValidationResult {
public static final ValidationResult VALID = new ValidationResult();
private final boolean valid;
private final Set<ValidationError> errors;
}Vault Integration
Secure secrets management through vault provider integration.
public interface VaultProvider extends Provider {
VaultRawSecret obtainSecret(String vaultSecretId);
}
public interface VaultStringSecret extends VaultCharSecret {
Optional<String> get();
default String getOrDefault(String defaultValue) {
return get().orElse(defaultValue);
}
}
public interface VaultTranscriber {
String transcribe(String value);
}Common Types
// Core model enumerations
public enum SslRequired {
ALL, EXTERNAL, NONE
}
// Authentication execution status
public enum ExecutionStatus {
SUCCESS, FAILED, SETUP_REQUIRED, ATTEMPTED, SKIPPED, CHALLENGED, FLOW_RESET
}
// Provider event base interface
public interface ProviderEvent {
// Marker interface for provider events
}
// Component validation exception
public class ComponentValidationException extends Exception {
public ComponentValidationException(String message);
public ComponentValidationException(String message, Object... parameters);
}
// Model exceptions
public class ModelException extends RuntimeException {
public ModelException(String message);
public ModelException(String message, Throwable cause);
}
public class ModelDuplicateException extends ModelException {
public ModelDuplicateException(String message);
public String getDuplicateFieldName();
public Object getDuplicateFieldValue();
}