Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Avoid using UserCredentialManager from user storage extensions #43695

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 29, 2025
Merged

Avoid using UserCredentialManager from user storage extensions #43695

merged 2 commits into from
Oct 29, 2025

Conversation

@mposolda
Copy link
Contributor

@mposolda mposolda commented Oct 24, 2025
edited
Loading

closes #43694

There is an issue #43626 for make sure keycloak-model-storage does not have dependency on keycloak-server-spi-private .

In the PR for that issue, I took the approach of moving UserCredentialManager to the keycloak-server-spi-private. But this means that people cannot use the UserCredentialManager from their user-storage providers anymore (due the fact that if they use it, they will need dependency on keycloak-server-spi-private). However this might be a backwards incompatible change as people may already use UserCredentialManager in their providers similarly like for example our quickstart is doing: https://github.com/keycloak/keycloak-quickstarts/blob/main/extension/user-storage-simple/src/main/java/org/keycloak/quickstart/readonly/PropertyFileUserStorageProvider.java#L88 .

So was thinking about doing this in multiple steps:

  • In 26.5, make sure that constructor new UserCredentialManager() is not recommended for the use, so people have a chance to migrate to avoid using this class directly, but rather access it via the method on KeycloakSession
  • In 27.0 move the UserCredentialManager to keycloak-server-spi-private and make sure that keycloak-model-storage can remove the dependency on keycloak-server-spi-private (will require few other minor things done in .

The alternative approach is to keep UserCredentialManager in keycloak-model-storage, but this does not seem right to me TBH as this class contains lots of logic, which does not need to be directly accessible to people in their applications. Among other things, it would also require moving few other classes (like DatastoreProvider for example) to keycloak-server-spi or keycloak-model-storage and it would mean that people will need to declare dependency on opentelemetry in their user-storage providers (as UserCredentialManager is using opentelemetry). But I can revisit if you think this would be better?

What do you think?

@mposolda mposolda self-assigned this Oct 24, 2025
keycloak-github-bot[bot]
keycloak-github-bot bot reviewed Oct 24, 2025
View reviewed changes
Copy link

@keycloak-github-bot keycloak-github-bot bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unreported flaky test detected, please review

@keycloak-github-bot
Copy link

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.federation.ldap.LDAPProvidersIntegrationTest#updateLDAPUsernameTest

Keycloak CI - Base IT (5)

org.keycloak.testsuite.runonserver.RunOnServerException: java.lang.NullPointerException
	at org.keycloak.testsuite.client.KeycloakTestingClient$Server.fetchString(KeycloakTestingClient.java:185)
	at org.keycloak.testsuite.federation.ldap.LDAPProvidersIntegrationTest.updateLDAPUsernameTest(LDAPProvidersIntegrationTest.java:1656)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
...

Report flaky test

pedroigor
pedroigor reviewed Oct 24, 2025
View reviewed changes
Copy link
Contributor

@pedroigor pedroigor left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For 27, my proposal would be:

  • Rename org.keycloak.credential.UserCredentialManager to org.keycloak.credential.DefaultUserCredentialManager (and make it private as you are proposing)
  • Rename org.keycloak.models.SubjectCredentialManager to org.keycloak.models.UserCredentialManager

server-spi/src/main/java/org/keycloak/models/KeycloakSession.java Outdated
*
* @return user credential manager
*/
SubjectCredentialManager getUserCredentialManager(UserModel user);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it the best place to have this method? It seems a bit weird that we now have this:

session.users()

and:

session.getUserCredentialManager()

Instead of something like this:

session.users().getCredentialManager(user)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That should work as well.

Was thinking about this and originally did not used this just because we have multiple implementations of UserProvider and the jpa/infinispan implementations are more towards to have mostly logic related to CRUD of particular storage (EG. JpaUserProvider has mostly methods related to CRUD of users to the DB). At the same time, introducing the method to KeycloakSession is also not great... So I've updated to use the approach you suggest.

@mposolda
Copy link
Contributor Author

For 27, my proposal would be:

* Rename `org.keycloak.credential.UserCredentialManager` to `org.keycloak.credential.DefaultUserCredentialManager` (and make it private as you are proposing)

* Rename `org.keycloak.models.SubjectCredentialManager` to `org.keycloak.models.UserCredentialManager`

This works.

Considering this, I wonder that it is possible to introduce already class org.keycloak.models.UserCredentialManager? In this case, people have already the possibility to update using that class instead of having breaking changes later as they can use something like:

@Override
public org.keycloak.models.UserCredentialManager credentialManager() {
    return keycloakSession.users().getUserCredentialManager(this);
}

in their UserModel implementations. This means that if they update their code now, they will not need to update the code again once switching from 26.5 to 27. WDYT?

keycloak-github-bot[bot]
keycloak-github-bot bot reviewed Oct 29, 2025
View reviewed changes
Copy link

@keycloak-github-bot keycloak-github-bot bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unreported flaky test detected, please review

@keycloak-github-bot
Copy link

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.forms.AuthenticatorSubflowsTest2#testSubflow2

Keycloak CI - Forms IT (chrome)

java.lang.AssertionError: Expected AppPage but was PushTheButton (https://localhost:8543/auth/realms/test/login-actions/authenticate?execution=0b5cf183-110c-4477-90a0-3f4beb7da6ed&client_id=test-app&tab_id=IyL8IrAXVZs&client_data=eyJydSI6Imh0dHBzOi8vbG9jYWxob3N0Ojg1NDMvYXV0aC9yZWFsbXMvbWFzdGVyL2FwcC9hdXRoIiwicnQiOiJjb2RlIn0)
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.keycloak.testsuite.pages.AbstractPage.assertCurrent(AbstractPage.java:38)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
...

Report flaky test

keycloak-github-bot[bot]
keycloak-github-bot bot reviewed Oct 29, 2025
View reviewed changes
Copy link

@keycloak-github-bot keycloak-github-bot bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unreported flaky test detected, please review

@keycloak-github-bot
Copy link

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.forms.AuthenticatorSubflowsTest2#testSubflow2

Keycloak CI - Forms IT (chrome)

java.lang.AssertionError: Expected AppPage but was PushTheButton (https://localhost:8543/auth/realms/test/login-actions/authenticate?execution=0b5cf183-110c-4477-90a0-3f4beb7da6ed&client_id=test-app&tab_id=IyL8IrAXVZs&client_data=eyJydSI6Imh0dHBzOi8vbG9jYWxob3N0Ojg1NDMvYXV0aC9yZWFsbXMvbWFzdGVyL2FwcC9hdXRoIiwicnQiOiJjb2RlIn0)
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.keycloak.testsuite.pages.AbstractPage.assertCurrent(AbstractPage.java:38)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
...

Report flaky test

@mposolda mposolda marked this pull request as ready for review October 29, 2025 15:26
@mposolda mposolda requested review from a team as code owners October 29, 2025 15:26
@mposolda
Copy link
Contributor Author

@pedroigor Thanks!

@mposolda mposolda merged commit 2fc5419 into keycloak:main Oct 29, 2025
127 of 129 checks passed
@mposolda mposolda mentioned this pull request Oct 29, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pedroigor pedroigor pedroigor approved these changes

+1 more reviewer

@keycloak-github-bot keycloak-github-bot[bot] keycloak-github-bot[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@mposolda mposolda

Labels

flaky-test team/cloud-native team/core-clients team/core-iam team/sre

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Avoid using UserCredentialManager from user storage extensions

2 participants

@mposolda @pedroigor