Hi everyone,
I’m using Keycloak in production with multiple clients, and I need to add custom themes for specific clients without restarting the server or affecting the other clients.
Is there a way to add a new theme for a specific client dynamically, without having to restart the Keycloak instance or interrupting service for other clients?
Thanks for your help!
Adding themes without restarting the server is not supported.
If you run Keycloak in a cluster, you can do rolling restarts, so no clients/users should be affected.
We have an extension that allows hot loading/reloading of theme jars at runtime. We use this in our hosted system to allow per-realm themes without restarting Keycloak.
Cool, didn’t know about that.
Is caching also properly supported with hot reload?
Caching isn’t implemented yet. This was due to the DefaultThemeManagerFactory not being overridable, and its clearCache method clearing the whole Map, rather than giving fine-grained control over which cache to remove. There’s a dead PR somewhere that I started for Keycloak to expose a proper SPI for ThemeManagerFactory (doesn’t exist), but it’s not a priority right now.
However, one point to make on this is that we did a test ages ago when we were building another theme extension on the actual performance improvement of caching, and it was pretty negligible. That, and we front the resource paths with a CDN in our hosted service, which makes caching in Keycloak even less relevant. Have you experienced a different performance profile?
So, to clarify further, the above mentioned extension needs to be run with KC_SPI_THEME_CACHE_THEMES=false in order for hot reloading to work properly.
Thanks for clarifying.
I once made some bad experience with disabled caching, also some time ago. This was noticed under high load. With only a few users, Keycloak has enough resources to load and deliver the resource files without caching and you won’t take note of it.
The option with a CDN seems to be good fit and works around the most caching issues. But also the message resources are cached, so a CDN will only solve the things partly.
I think it’s worthwhile for us to do the test again. We don’t see an issue with our hosted customers that have large load, but it would be better to quantify the difference,
Also, created an enhancement request here Make `ThemeManagerFactory` into a proper SPI so that it can be accessed/overridden · Issue #38433 · keycloak/keycloak · GitHub I’ll dust off the PR and add it later this week.
Update: I PR’ed that idea and got it merged. It’s tagged to be released in 26.3.0. Make `ThemeManagerFactory` into a proper SPI so that it can be accessed/overridden · Issue #38433 · keycloak/keycloak · GitHub
Once that’s released, I’ll update the ThemeProvider implementations in our keycloak-themes project so that they clear the cache when runtime updates are made to the theme. This will eliminate the need to have theme caching turned off when using these extensions.