February 04 2022 by Stian Thorgersen
Way back in 2013 when we started work on the Keycloak project there was a lack of client libraries that would help developers secure their applications with Keycloak. Fast forward to today and this situation has changed drastically with wide-spread availability of OAuth 2.0 and OpenID Connect libraries.
In addition, Keycloak adapters has not received the love and attention they require, and are now significantly lagging behind the server on what features they supported. While Keycloak can be used to secure any application no matter the programming language and frameworks, we’ve only had adapters for a limited set of Java developers.
Rather than continue to spreading ourselves thin we are going to deprecate the adapters, and focus more on the Keycloak server. In addition we are aiming to provide help and guidance on how to secure various applications with getting started guides, and advocating what we believe are better alternative options to Keycloak adapters.
What is being deprecated:
OpenID Connect Java adapters
OpenID Connect Node.js adapters
SAML Tomcat and Jetty adapters
What is not being deprecated:
SAML WildFly and servlet filter
WildFly 25 introduced native support for OpenID Connect with all the features from the Keycloak adapter and more. Migration to the WildFly native OpenID Connect is very easy as the WildFly team has taken great care to make this as simple as a move as possible.
Check out this great blog post from Farah Juma for more details.
Spring Security has for a long time provided great support for OAuth 2.0 and OpenID Connect. We appreciate that migrating from the Keycloak adapters to Spring Security is not trivial, but in the exchange you get more features, a better maintained library, and better integration with Spring.
Check out this great blog post from Ger Roza for more details.
Although not a direct replacement for existing Keycloak adapters it is worth highlighting that Quarkus has very extensive built-in support for OpenID Connect and Keycloak, with a lot of additional benefit on top.
Check out Quarkus security guides for more details.
We are still looking around for the best candidate for Node.js applications, but it looks like openid-client is a good alternative, that is a lot more feature rich than the Keycloak adapter.
February 2022: Adapters deprecated
September 2022: No more major/minor releases of adapters
December 2022: No more micro releases of adapters
If you have questions, concerns, or suggestions, please join us to discuss this topic through GitHub Discussions.
If anyone from the community would like to step-up and continue to maintain the deprecated Keycloak adapters get in touch with us through the developer mailing list.
We would also love suggestions and help in finding the best alternatives for everyone, as well as providing getting started guides, migration guides, etc. To help us in this regard please join the discussions on GitHub Discussions.
If you are not able to migrate away from Keycloak adapters by the end of 2022 an alternative option to consider is getting support from Red Hat.
Red Hat offers supported adapters through Red Hat Single Sign-On 7.x, which is currently in support until 30 June 2024.
The adapters supported by Red Hat Single Sign-On includes:
Java Servlet Filter