Keycloak 16.1.1 with JDK 17 and Nashorn

I have created certain keycloak extensions that have JDK 17 dependencies. Therefore I need to run keycloak JDK 17. All works well apart from ABAC/Javascript Based Access Control where Nashorn is a dependency.
Can anyone suggest a workaround, and alternative either to JBAC or would adding standalone Nashorn as a module work?

OpenJDK Nashorn supports Java 17 starting with version 15.3. You can install it as a module.

Thanks for the reply, I have tried to install it as a module but I’m not sure what I’m doing is correct.
I have created in /opt/jboss/keycloak/modules the diectory org/openjdk/nashorn/nashorn-core/main where I have the .jar and the modules.xml. This doesn’t seep to help.

Is there some other step I must do?

Can you share your module.xml and which jar you are using?

Yes sure here it is:

<?xml version="1.0" encoding="UTF-8"?>
  ~ Copyright 2019 Red Hat, Inc. and/or its affiliates
  ~ and other contributors as indicated by the @author tags.
  ~ Licensed under the Apache License, Version 2.0 (the "License");
  ~ you may not use this file except in compliance with the License.
  ~ You may obtain a copy of the License at
  ~ Unless required by applicable law or agreed to in writing, software
  ~ distributed under the License is distributed on an "AS IS" BASIS,
  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License.
<module name="org.openjdk.nashorn.nashorn-core" xmlns="urn:jboss:module:1.3">

        <resource-root path="nashorn-core.jar"/>


And I’m using the .jar from
I have renamed it to nashorn-core.jar for convenience.

How are you referencing the module in your extension?

And how are you packaging the org.ow2.asm dependencies that nashorn depends on?

Also, might want to try some code in the init of your extension to validate that the ScriptEngineFactory is getting loaded. E.g.

ScriptEngineManager mgr = new ScriptEngineManager();
List<ScriptEngineFactory> factories = mgr.getEngineFactories();
for (ScriptEngineFactory factory : factories) {
  System.err.println("Engine name: " + factory.getEngineName());

The only other thing I can think of is that the DefaultScriptingProvider is getting instantiated with a ScriptEngineManager that doesn’t know about your engine, because it wasn’t there at load time.

Tbh I haven’t provisioned for including org.ow2.asm dependencies. I have been using a jboss-deployment-structure.xml for my extensions as follows:

<?xml version="1.0" encoding="UTF-8"?>
            <module name="org.openjdk.nashorn.nashorn-core" export="true"/>

However, I have done some debugging, and it looks like the DefaultScriptingProvider on line 118 Thread.currentThread().setContextClassLoader(DefaultScriptingProvider.class.getClassLoader())
is actually getting the classloader of the keycloak-services module. Therefore I assume I need to somehow make keycloak-services reference the nashorn module rather than my own plugins?