Hi All:
2 hopefully quick questions:
Is the Client Protocol Mapper Type ‘Javascript Mapper’ on deprecation path?
Is the Client Protocol Mapper Type ‘Javascript Mapper’ available for both client protocols SAML and OpenID-Connect?
Thank you.
xgp
January 13, 2023, 9:23am
I don’t know for sure, but I’m operating on the assumption that javascript mappers are NOT deprecated. In KC18, they deprecated the `upload-scripts` feature, but made no mention of a long-term plan to deprecate scripts altogether. Here’s the relevant snippet in the release notes: Keycloak 18.0.0 released - Keycloak
For this question, I think it’s probably better to ask on the Keycloak Github Discussions, as the maintainers sometimes answer questions there, but rarely here.
Regarding #2, they work with both types.
Hi @xgp
FYI - upgraded to v20.0.3 – the JavaScript Mapper for the Client is no longer available. I had read elsewhere that it was deprecated and the option is to write code (will link here when I re-find the article).
xgp
February 16, 2023, 6:34pm
Thanks. Please post when you find the article. Have you included the nashorn jar in your providers dir? I haven’t tested it yet, but I’m assuming you can probably keep this functionality by including the nashorn jar, and maybe the deprecated mapper code.
Will do – w.r.t the article.
Meanwhile the following could be the reason why the JavaScript Mapper was deprecated:
opened 02:24PM - 02 Feb 22 UTC
closed 10:28AM - 27 May 22 UTC
kind/bug
area/core
team/core
### Describe the bug
Hitting this below exception when I run the `org.keycloak.… testsuite.authz.*` module tests
and here is the reference for the deprecation notice in openjdk - https://openjdk.java.net/jeps/372
I was able to confirm the same runs just fine with JDK11 runtime for the authserver. This would be a blocker for the Java 17 certification tests.
```
Caused by: java.lang.IllegalStateException: Could not find ScriptEngine for script: Script{id='null', realmId='0cfba609-5d40-404f-a3eb-769cf46dcff8', name='Grant Policy', type='text/javascript', code='$evaluation.grant();', description='null'}
```
This was also previously discussed in [KEYCLOAK-12755](https://issues.redhat.com/browse/KEYCLOAK-12755)
### Version
17.0.0-SNAPSHOT, OpenJDK17
### Expected behavior
We would like the javascript engine to initialize and not fail on the authorization work flows
### Actual behavior
The suspicion is that because of the deprecated Nashorn js engine in jdk17, we are getting a `Could not find ScriptEngine for script` IllegalStateExceptions.
I think we also want a proper exception to bubble up the stack trace, as currently we get a generic exception which is
`Unexpected error while evaluating permissions: java.lang.RuntimeException: Failed to evaluate permissions` even though we get the actual problem in the stack trace down the line.
### How to Reproduce?
Run the authz module testsuite using the mvn command below.
Set the right binary path for the JDK17_HOME and MVN_SETTINGS_PATH before you run it.
```
mvn -f testsuite/integration-arquillian/tests/base/pom.xml clean install -Dauth.server.java.home=${JDK17_HOME} -Dauth.server.memory.settings="-Xms128m -Xmx512m -XX:MetaspaceSize=96m -XX:MaxMetaspaceSize=256m" -Dapp.server.memory.settings="-Xms128m -Xmx512m -XX:MetaspaceSize=96m -XX:MaxMetaspaceSize=256m" -B -s ${MVN_SETTINGS_PATH} -Dsettings.path=${MVN_SETTINGS_PATH} -Dsurefire.memory.Xms=512m -Dsurefire.memory.Xmx=1536m -Dinsecure.repositories=WARN -Pauth-server-wildfly -Pjava11-auth-server -Dtest=org.keycloak.testsuite.authz.AuthorizationTest
```
### Anything else?
Issue full stack trace:
```
2022-02-01 20:07:38,427 ERROR [org.keycloak.authorization.authorization.AuthorizationTokenService] (default task-1) Unexpected error while evaluating permissions: java.lang.RuntimeException: Failed to evaluate permissions
at org.keycloak.keycloak-server-spi-private@17.0.0-SNAPSHOT//org.keycloak.authorization.policy.evaluation.DecisionPermissionCollector.onError(DecisionPermissionCollector.java:182)
at org.keycloak.keycloak-server-spi-private@17.0.0-SNAPSHOT//org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:71)
at org.keycloak.keycloak-server-spi-private@17.0.0-SNAPSHOT//org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:87)
at org.keycloak.keycloak-services@17.0.0-SNAPSHOT//org.keycloak.authorization.authorization.AuthorizationTokenService.evaluatePermissions(AuthorizationTokenService.java:285)
at org.keycloak.keycloak-services@17.0.0-SNAPSHOT//org.keycloak.authorization.authorization.AuthorizationTokenService.authorize(AuthorizationTokenService.java:222)
.
.
.
.
Caused by: java.lang.IllegalStateException: Could not find ScriptEngine for script: Script{id='null', realmId='0cfba609-5d40-404f-a3eb-769cf46dcff8', name='Grant Policy', type='text/javascript', code='$evaluation.grant();', description='null'}
at org.keycloak.keycloak-services@17.0.0-SNAPSHOT//org.keycloak.scripting.DefaultScriptingProvider.createPreparedScriptEngine(DefaultScriptingProvider.java:106)
at org.keycloak.keycloak-services@17.0.0-SNAPSHOT//org.keycloak.scripting.DefaultScriptingProvider.prepareEvaluatableScript(DefaultScriptingProvider.java:72)
at org.keycloak.keycloak-services@17.0.0-SNAPSHOT//org.keycloak.scripting.DefaultScriptingProvider.prepareEvaluatableScript(DefaultScriptingProvider.java:33)
at org.keycloak.keycloak-authz-policy-common@17.0.0-SNAPSHOT//org.keycloak.authorization.policy.provider.js.JSPolicyProviderFactory.lambda$getEvaluatableScript$0(JSPolicyProviderFactory.java:109)
at org.keycloak.keycloak-authz-policy-common@17.0.0-SNAPSHOT//org.keycloak.authorization.policy.provider.js.ScriptCache.lambda$computeIfAbsent$0(ScriptCache.java:80)
at java.base/java.util.HashMap.computeIfAbsent(HashMap.java:1220)
at org.keycloak.keycloak-authz-policy-common@17.0.0-SNAPSHOT//org.keycloak.authorization.policy.provider.js.ScriptCache.computeIfAbsent(ScriptCache.java:80)
at org.keycloak.keycloak-authz-policy-common@17.0.0-SNAPSHOT//org.keycloak.authorization.policy.provider.js.JSPolicyProviderFactory.getEvaluatableScript(JSPolicyProviderFactory.java:106)
at org.keycloak.keycloak-authz-policy-common@17.0.0-SNAPSHOT//org.keycloak.authorization.policy.provider.js.JSPolicyProvider.evaluate(JSPolicyProvider.java:46)
at org.keycloak.keycloak-authz-policy-common@17.0.0-SNAPSHOT//org.keycloak.authorization.policy.provider.permission.AbstractPermissionProvider.evaluate(AbstractPermissionProvider.java:56)
at org.keycloak.keycloak-authz-policy-common@17.0.0-SNAPSHOT//org.keycloak.authorization.policy.provider.permission.ResourcePolicyProvider.evaluate(ResourcePolicyProvider.java:47)
at org.keycloak.keycloak-server-spi-private@17.0.0-SNAPSHOT//org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator.lambda$createPolicyEvaluator$0(DefaultPolicyEvaluator.java:116)
```
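A stand-alone check for the condition behind the `Could not find ScriptEngine` exception quoted above: whether the running JVM can resolve a JSR-223 engine for `text/javascript`. This is an added example, not Keycloak code and not part of the original posts; the class name `ScriptEngineCheck` is hypothetical, and resolving the engine by MIME type through `ScriptEngineManager` is an assumption about how the lookup is done.

```java
import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import javax.script.ScriptEngineManager;
import java.util.List;

// Hypothetical diagnostic class (not from Keycloak).
public class ScriptEngineCheck {
    // MIME type copied from the Script{... type='text/javascript' ...} in the exception.
    static final String MIME = "text/javascript";

    /** Returns the engine registered for the MIME type, or null when none is visible. */
    static ScriptEngine lookup(ClassLoader loader, String mimeType) {
        return new ScriptEngineManager(loader).getEngineByMimeType(mimeType);
    }

    public static void main(String[] args) throws Exception {
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        System.out.println("Java runtime: " + System.getProperty("java.version"));

        // List every JSR-223 engine factory visible to this class loader.
        List<ScriptEngineFactory> factories =
                new ScriptEngineManager(loader).getEngineFactories();
        if (factories.isEmpty()) {
            System.out.println("No script engines registered.");
        }
        for (ScriptEngineFactory f : factories) {
            System.out.printf("engine=%s version=%s mime=%s%n",
                    f.getEngineName(), f.getEngineVersion(), f.getMimeTypes());
        }

        ScriptEngine engine = lookup(loader, MIME);
        if (engine == null) {
            // Same condition the server reports as "Could not find ScriptEngine".
            System.out.println("RESULT: no engine for " + MIME);
            System.exit(1);
        }
        // Evaluate an expression to confirm the engine runs, not just registers.
        Object result = engine.eval("1 + 2");
        System.out.println("RESULT: " + engine.getFactory().getEngineName()
                + " evaluated 1 + 2 = " + result);
    }
}
```

Run it with the same JDK the server uses; putting a candidate engine jar on the classpath shows whether that jar registers for the MIME type.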
@xgp https://github.com/keycloak/keycloak/pull/11322 seems to indicate that it was added to the release – however, I can’t find any release notes on it or why it was removed.
@xgp FYI - a kind poster provided the link on the GitHub forum: Server Developer Guide