
R40 Keycloak Based on Quarkus

In R40, we are migrating to a new generation of Keycloak. This new generation, starting with version 20 (for us, at least; the project migrated in v18), introduces several major changes compared with the older generation.

First, there is no longer a dedicated application server running the application itself. Everything is handled by the Quarkus engine directly. The idea is similar to the migration from Spring+Tomcat to the new generation of IBM Manta Data Lineage based on SpringBoot.

For Manta Data Lineage, those changes are quite small, fortunately. This new generation offers faster startup, simpler configuration, and new features that we will need, namely, support for running in FIPS environments.

Major Changes

New Application URL

The Keycloak team has decided to get rid of the /auth suffix in their URL. This means Keycloak, by default, will be available at http://localhost:9090/. During clean installations this is handled automatically.

During upgrades, any existing bookmarks, documentation, links, and most crucially, load-balancers and proxy servers need to be reconfigured.

If the proxy/load-balancer is not reconfigured, Keycloak will not be accessible from outside the machine, making it impossible to configure.
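One way to find proxy rules that still target the old path before an upgrade, shown as an added example that is not part of the original documentation. It assumes the proxy is nginx (`proxy_pass`) or Apache httpd (`ProxyPass`, `ProxyPassReverse`) and that Keycloak is reachable at the default `localhost:9090` backend; the function name and the sample configuration are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Directives that carry a backend URL: nginx proxy_pass, Apache ProxyPass / ProxyPassReverse.
DIRECTIVE = re.compile(r"^\s*(proxy_pass|ProxyPass(?:Reverse)?)\b(.*)$")
URL = re.compile(r"https?://[^\s;\"']+")

def find_stale_auth_targets(config_text, backend="localhost:9090"):
    """Return (line_no, old_url, suggested_url) for proxy targets that still
    point at the Keycloak backend under the removed /auth prefix."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directive, not active
        m = DIRECTIVE.match(line)
        if not m:
            continue
        for url in URL.findall(m.group(2)):
            parts = urlsplit(url)
            if parts.netloc != backend:
                continue  # some other upstream, not Keycloak
            # Match /auth exactly or as a path prefix, but not e.g. /authz.
            if parts.path == "/auth" or parts.path.startswith("/auth/"):
                new_path = parts.path[len("/auth"):] or "/"
                findings.append((line_no, url, urlunsplit(parts._replace(path=new_path))))
    return findings

# Constructed sample: nginx and Apache fragments written for the old /auth layout.
SAMPLE = """\
location /auth/ {
    proxy_pass http://localhost:9090/auth/;
}
# proxy_pass http://localhost:9090/auth/;
location /manta/ {
    proxy_pass http://localhost:8080/manta/;
}
ProxyPass        /auth http://localhost:9090/auth
ProxyPassReverse /auth http://localhost:9090/auth
"""

if __name__ == "__main__":
    for line_no, old, new in find_stale_auth_targets(SAMPLE):
        print(f"line {line_no}: {old} -> {new}")
```

The suggested URL covers only the backend target; the public-facing location or path in the same rule should be reviewed alongside it.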

New Application Ports

The new Keycloak no longer uses two ports. From now on, Keycloak only needs the port the application is available on. The control port is no longer available.

New Directory Structure

The Keycloak directory structure has changed. The only relevant changes for Manta Data Lineage are the locations of the configuration files and the logs (see below). The data is available in Manta Launcher, if needed.

New Configuration

The configuration of Keycloak has been greatly simplified. The dreaded standalone.xml is gone, and the whole configuration now uses a simple properties-like configuration file.

All configuration options are documented in https://www.keycloak.org/server/all-config.

Theme Support Removed

Keycloak no longer supports custom themes (look-and-feel, design, colors) for the admin console available at http://localhost:9090/admin/manta/console/.

Everything still works the same; we just lost our branding there. The login page is still the same.

New HTTPS Configuration

To set up HTTPS for Keycloak Quarkus as of R40, edit <mantaflow>/keycloak/conf/manta.conf and apply the following changes.

Known Issues

Keycloak Is Not Starting

We have discovered that the current version of Keycloak contains a bug which prevents it from starting. This bug occurs almost exclusively on Windows with Java 18. Other OS types and lower JDK versions seem fine. This bug is tracked by the Keycloak team here.