Sharing a [non-keycloak] client between providers

I have a custom UserStorageProvider that creates a client instance (not a keycloak client) for communicating with a third party. I would like to be able to use this client in a custom provider.

I originally tried to get it by calling KeycloakSession.getProvider(). This doesn’t work because at some point in the lookup process it calls ProviderFactory.create(KeycloakSession), which my user provider does not implement, so it returns null. My factory only implements UserStorageProviderFactory.create(KeycloakSession, ComponentModel).

I have circumvented this by having the factory store the client instance in a session attribute. My custom authenticator is now able to get the instance from the session attributes.

Do you see any issue with this approach or is there a better/preferred way?

You could implement your “client” as a separate, custom SPI and use it in your other providers.
https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_spi
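
A sketch of the separate-SPI approach suggested above, added as an illustration and not code from the thread or from Keycloak itself. The `ThirdPartyClient*` names, the `third-party-client` SPI name, the `default` provider id and the `base-url` config key are all hypothetical; the factory reads its settings in `init`, which runs at server start.

```java
// Added example. In a real extension each type is public and lives in its own
// file, because Keycloak discovers the Spi and factory through ServiceLoader.
import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.provider.Provider;
import org.keycloak.provider.ProviderFactory;
import org.keycloak.provider.Spi;

// Contract that the user storage provider and the authenticator both look up.
interface ThirdPartyClientProvider extends Provider {
    String baseUrl(); // stand-in for the real third-party client operations
}

interface ThirdPartyClientProviderFactory extends ProviderFactory<ThirdPartyClientProvider> {}

// Listed in META-INF/services/org.keycloak.provider.Spi
class ThirdPartyClientSpi implements Spi {
    @Override public boolean isInternal() { return false; }
    @Override public String getName() { return "third-party-client"; } // hypothetical SPI name
    @Override public Class<? extends Provider> getProviderClass() { return ThirdPartyClientProvider.class; }
    @Override public Class<? extends ProviderFactory> getProviderFactoryClass() {
        return ThirdPartyClientProviderFactory.class;
    }
}

// Listed in META-INF/services/<fully qualified name of ThirdPartyClientProviderFactory>
class DefaultThirdPartyClientProviderFactory implements ThirdPartyClientProviderFactory {
    private String baseUrl;

    @Override public String getId() { return "default"; } // hypothetical provider id
    @Override public void init(Config.Scope config) { baseUrl = config.get("base-url"); } // hypothetical key
    @Override public void postInit(KeycloakSessionFactory factory) {}
    @Override public void close() {}

    // Only a KeycloakSession is needed, so KeycloakSession.getProvider() can resolve it.
    @Override public ThirdPartyClientProvider create(KeycloakSession session) {
        final String url = baseUrl;
        return new ThirdPartyClientProvider() {
            @Override public String baseUrl() { return url; }
            @Override public void close() {}
        };
    }
}
```

Any other provider can then obtain it with `session.getProvider(ThirdPartyClientProvider.class)` instead of passing the instance through a session attribute.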

That could work if I was able to configure it in the admin console. Is that possible?
From reading the docs, it looks like custom SPIs can only be configured when the server starts.

There’s the experimental feature of the declarative admin UI extension. Related GitHub discussion: “Java based API for extending the UI” (keycloak/keycloak, Discussion #24805); quickstarts example: keycloak-quickstarts/extension/extend-admin-console-spi at main (keycloak/keycloak-quickstarts).

Perhaps you can use this somehow to configure your custom SPI. It’s not intended to be used especially for this, but perhaps you’ll find a way… :man_shrugging: