@mposolda mposolda commented Oct 24, 2025

closes #43694

There is an issue #43626 to make sure keycloak-model-storage does not have a dependency on keycloak-server-spi-private.

In the PR for that issue, I took the approach of moving UserCredentialManager to the keycloak-server-spi-private. But this means that people cannot use the UserCredentialManager from their user-storage providers anymore (due to the fact that if they use it, they will need a dependency on keycloak-server-spi-private). However, this might be a backwards-incompatible change, as people may already use UserCredentialManager in their providers, similar to what, for example, our quickstart is doing: https://github.com/keycloak/keycloak-quickstarts/blob/main/extension/user-storage-simple/src/main/java/org/keycloak/quickstart/readonly/PropertyFileUserStorageProvider.java#L88

So I was thinking about doing this in multiple steps:

  • In 26.5, make sure that the constructor new UserCredentialManager() is not recommended for use, so people have a chance to migrate to avoid using this class directly, but rather access it via the method on KeycloakSession
  • In 27.0 move the UserCredentialManager to keycloak-server-spi-private and make sure that keycloak-model-storage can remove the dependency on keycloak-server-spi-private (will require few other minor things done in .

The alternative approach is to keep UserCredentialManager in keycloak-model-storage, but this does not seem right to me TBH, as this class contains lots of logic which does not need to be directly accessible to people in their applications. Among other things, it would also require moving a few other classes (like DatastoreProvider, for example) to keycloak-server-spi or keycloak-model-storage, and it would mean that people will need to declare a dependency on opentelemetry in their user-storage providers (as UserCredentialManager is using opentelemetry). But I can revisit if you think this would be better?

What do you think?

@mposolda mposolda self-assigned this Oct 24, 2025

@keycloak-github-bot keycloak-github-bot bot left a comment

Unreported flaky test detected, please review

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.federation.ldap.LDAPProvidersIntegrationTest#updateLDAPUsernameTest

Keycloak CI - Base IT (5)

org.keycloak.testsuite.runonserver.RunOnServerException: java.lang.NullPointerException
	at org.keycloak.testsuite.client.KeycloakTestingClient$Server.fetchString(KeycloakTestingClient.java:185)
	at org.keycloak.testsuite.federation.ldap.LDAPProvidersIntegrationTest.updateLDAPUsernameTest(LDAPProvidersIntegrationTest.java:1656)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
...

@pedroigor pedroigor left a comment

For 27, my proposal would be:

  • Rename org.keycloak.credential.UserCredentialManager to org.keycloak.credential.DefaultUserCredentialManager (and make it private as you are proposing)
  • Rename org.keycloak.models.SubjectCredentialManager to org.keycloak.models.UserCredentialManager

*
* @return user credential manager
*/
SubjectCredentialManager getUserCredentialManager(UserModel user);
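
Review bot: on the declaration `SubjectCredentialManager getUserCredentialManager(UserModel user);`, the method is named for UserCredentialManager but returns SubjectCredentialManager, and the visible Javadoc line (`@return user credential manager`) does not say which type is meant. Since org.keycloak.credential.UserCredentialManager is also the concrete class this PR steers extensions away from constructing, suggest stating in the Javadoc that this accessor returns the SubjectCredentialManager for the given user and is the supported replacement for calling the constructor directly.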

Is it the best place to have this method? It seems a bit weird that we now have this:

session.users()

and:

session.getUserCredentialManager()

Instead of something like this:

session.users().getCredentialManager(user)

Successfully merging this pull request may close these issues.

Avoid using UserCredentialManager from user storage extensions
