Trouble getting custom authentication script deployed - Docker 19.0.2

Hi all

I have a question about the feature “scripts” - I have enabled the feature in my Dockerfile and when I build it I find in the logs “INFO [org.keycloak.common.Profile] (build-38) Preview feature enabled: scripts”

In the new Admin GUI, under enabled features, I can see the feature “scripts” is enabled.

But when I clone an Authentication Flow and want to add an “Authenticator Execution” I cannot find “Script” in the provider list - not in the new or old admin GUI.

What have I done wrong?

Scripts have to be deployed to the server’s file system, packaged in a jar file:
https://www.keycloak.org/docs/latest/server_development/index.html#_script_providers
Then the authenticator appears with its name (the one you gave it in the keycloak-scripts.json file) in the provider list.

Hi @mbonn

Got it.

Now I am trying to build a script - or rather, first I want to import a script that I think was working for others - and used the script here: https://keycloak.discourse.group/t/trouble-getting-custom-authentication-script-deployed/15664

Jar looks like:
jar tf my-role-based-authenticator.jar

  • META-INF/
  • META-INF/MANIFEST.MF
  • META-INF/keycloak-scripts.json
  • my-role-based-authenticator.js

I linked it in the docker container to providers and set the user (keycloak:keycloak). Then I also rebuilt the image (./kc.sh build).

But I cannot find the script in the providers (nor under Server Information > Providers).

Could it be the script is not connected?
Or any other clever hint from you? :wink:

PS on “bin/kc.sh show-config” I can see:

kc.provider.file.my-role-based-authenticator.jar.last-modified = 1663758669402 (PersistedConfigSource)

So I think in general the script should be loaded.

Do you have any error or warning entries in your logs?
What is the content of keycloak-scripts.json?
Do you run a JDK version different from 11? (Script engine has to be manually added on newer Java versions…)
Have you tried a maximal simple authenticator (just doing a context.success() within the authenticate(…) method)?
Or tried a primitive JS token mapper? Is that working?
If you try without docker on a bare metal setup, is it working then?

My failure -
I use a Dockerfile and build a custom docker Image.
When I import a script and rebuild it will affect in this.
When I import a script with the Dockerfile and build my container then it works.

Yeah, everything is so much easier with docker…

So you can’t use the base image from quay.io and you have to build your own dockerfile?

So if the server says this:

```
2022-10-20 09:02:37,845 INFO [io.quarkus] (Shutdown thread) Keycloak stopped in 0.177s
Changes detected in configuration. Updating the server image.
Updating the configuration and installing your custom providers, if any. Please wait.
2022-10-20 09:02:44,184 INFO [org.keycloak.common.Profile] (build-95) Preview feature enabled: scripts
2022-10-20 09:02:50,643 INFO [io.quarkus.deployment.QuarkusAugmentor] (main) Quarkus augmentation completed in 8888ms
Server configuration updated and persisted. Run the following command to review the configuration:

kc.sh show-config

Next time you run the server, just run:

kc.sh start --optimized
```

Then it’s actually not doing what it is supposed to do, “Installing your custom providers”, and it needs to be done in the Dockerfile? Geez.


EDIT: Same here, I can see the custom_providers jar.

	kc.provider.file.custom_providers.jar.last-modified =  1666256440343 (PersistedConfigSource)

Weird, can’t seem to get it to work even with build…

```dockerfile
FROM quay.io/keycloak/keycloak:19.0.3 as builder

WORKDIR /opt/keycloak
ENV KC_HEALTH_ENABLED=True
ENV KC_METRICS_ENABLED=True
ENV KC_FEATURES=authorization,account2,admin2,account-api,docker,impersonation,web-authn,client-policies,ciba,par,step-up-authentication,scripts,preview
ENV KC_DB=postgres
# Install providers
COPY ./deploy_custom_providers/*.jar providers/
RUN curl -sL https://github.com/aerogear/keycloak-metrics-spi/releases/download/2.5.3/keycloak-metrics-spi-2.5.3.jar -o providers/keycloak-metrics-spi-2.5.3.jar
RUN /opt/keycloak/bin/kc.sh build

FROM quay.io/keycloak/keycloak:19.0.3
WORKDIR /opt/keycloak
COPY --from=builder /opt/keycloak .
# change these values to point to a running postgres instance
ENV KC_DB_URL=jdbc:postgresql://db/keycloak
ENV KC_DB_USERNAME=keycloak
ENV KC_DB_PASSWORD=REDACTED
ENV KC_HOSTNAME=REDACTED
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
CMD [ "start", "--auto-build" ]
```

It should pop up here, if I am correct.

My .jar file had an extra folder in it /build_folder/META-INF

I generated the jar with Ansible, so I needed to fix the Ansible command so it created it the right way, and I can use the quay.io image and don’t have to build it myself.
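
The misplaced `META-INF` folder described above can be caught before the jar is copied into `providers/`. The following check is an added example, not part of the original posts or of Keycloak itself; it assumes the descriptor uses the `name` and `fileName` keys and the section names from the script-provider documentation linked earlier in the thread, and `check_script_jar` and `build_jar` are hypothetical helper names.

```python
import io
import json
import zipfile

DESCRIPTOR = "META-INF/keycloak-scripts.json"
# Section names assumed from the Keycloak script-provider documentation.
SECTIONS = ("authenticators", "policies", "mappers", "saml-mappers")

def check_script_jar(jar):
    """Return a list of layout problems for a script-provider jar (empty = OK)."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        if DESCRIPTOR not in names:
            # Typical packaging mistake: the build directory itself was zipped.
            nested = sorted(n for n in names if n.endswith("/" + DESCRIPTOR))
            if nested:
                return [f"descriptor nested at {nested[0]}; it must be at {DESCRIPTOR}"]
            return [f"{DESCRIPTOR} is missing"]
        try:
            descriptor = json.loads(zf.read(DESCRIPTOR))
        except ValueError as exc:
            return [f"{DESCRIPTOR} is not valid JSON: {exc}"]
    problems = []
    for section in SECTIONS:
        for entry in descriptor.get(section, []):
            if not entry.get("name"):
                problems.append(f"{section}: entry without a name")
            file_name = entry.get("fileName")
            if file_name not in names:
                problems.append(f"{section}: script {file_name!r} not found in jar")
    return problems

def build_jar(prefix=""):
    """Constructed sample jar in memory; prefix simulates an extra top-level folder."""
    descriptor = {"authenticators": [{"name": "My Role Based Authenticator",
                                      "fileName": "my-role-based-authenticator.js"}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(prefix + DESCRIPTOR, json.dumps(descriptor))
        zf.writestr(prefix + "my-role-based-authenticator.js", "// script body omitted")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print("good jar:", check_script_jar(build_jar()) or "OK")
    print("bad jar: ", check_script_jar(build_jar("build_folder/")))
```

`check_script_jar` also accepts a file path, so it can run as a build step against the real jar before the image is built.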

Did you manage to make the final Dockerfile? I’m having trouble with how to make the Dockerfile with the Keycloak image and my own scripts.

I used the quay.io image in the end.