In our system we have so far been using Keycloak 3.4.3 and the Script Authenticator authentication provider functionality as part of the browser-based authentication. Now, after upgrading to Keycloak 4.6.0.Final, we noticed that the option for Script Authenticator has disappeared from the list.
This functionality was still there in Keycloak 4.5.0.Final. Due to functionality that's been fixed in Keycloak 4.6.0.Final, we don't have the option to use 4.5.0.
We used the Script Authenticator functionality to "whitelist" our users based on LDAP attributes. Now, since the script option was removed, we're no longer able to use Keycloak.
Any ideas why the Script Authenticator has been removed? Or could it be that it has been moved to another place within the Keycloak admin console?
Just to add some details:
- There has not been any mention about removing this functionality in the Keycloak release notes
- Script authenticator is still mentioned in the Keycloak documentation for Keycloak 4.6.0
- There is also now an issue reported for this in Keycloak issue tracker KEYCLOAK-8872.
4 Answers
You can enable this feature by starting the server with:
-Dkeycloak.profile.feature.scripts=enabled
or you can set this permanently in the profile.properties file (in the configuration folder) by adding:
feature.scripts=enabled
You also need to enable upload_scripts:
-Dkeycloak.profile.feature.scripts=enabled -Dkeycloak.profile.feature.upload_scripts=enabled
But the "upload_scripts" feature has been deprecated since Keycloak 7.0.1.Final.
For the best solution you have to use JavaScript Providers.
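An added example, not part of the original answers and not Keycloak's own code: a script authenticator of the kind a JavaScript provider JAR carries, doing the attribute-based allowlisting the question describes. The attribute name accessGroup, the allowed values and the fallback object used when the script runs outside Keycloak are assumptions.

```javascript
// Constructed example. Shipped in a JAR next to META-INF/keycloak-scripts.json,
// which lists this file under "authenticators" (name, fileName, description).

// Hypothetical user attribute, assumed to be filled by an LDAP attribute mapper.
var ALLOW_ATTRIBUTE = "accessGroup";
// Hypothetical attribute values that are allowed to log in.
var ALLOWED_VALUES = ["staff", "ops"];

// Inside Keycloak (Nashorn) Java.type resolves the real enum. The fallback
// object exists only so the logic can be exercised outside the server.
var AuthenticationFlowError = (typeof Java !== "undefined")
    ? Java.type("org.keycloak.authentication.AuthenticationFlowError")
    : { INVALID_USER: "INVALID_USER" };

// Deny by default: a missing or empty attribute never matches. Values are
// trimmed and lower-cased, then compared whole (no prefix or substring match).
function isAllowed(value) {
    if (value === null || value === undefined) {
        return false;
    }
    var normalized = String(value).trim().toLowerCase();
    return ALLOWED_VALUES.indexOf(normalized) !== -1;
}

// Entry point Keycloak calls when this execution runs in a flow.
function authenticate(context) {
    var user = context.getUser();
    if (user === null || user === undefined) {
        // Execution placed before the user was identified: fail closed.
        context.failure(AuthenticationFlowError.INVALID_USER);
        return;
    }
    if (!isAllowed(user.getFirstAttribute(ALLOW_ATTRIBUTE))) {
        context.failure(AuthenticationFlowError.INVALID_USER);
        return;
    }
    context.success();
}
```

Place the execution after the step that identifies the user (for example the username/password form) and mark it REQUIRED so the flow cannot complete without it.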
First of all, thanks to the guys with the profile.feature solution.
Second, I wanted to add some input - if you use Keycloak with Docker you will need to run the container with the java_opts argument, so you can do this:
-e JAVA_OPTS_APPEND="-Dkeycloak.profile.feature.scripts=enabled
-Dkeycloak.profile.feature.upload_scripts=enabled -server -Xms64m -Xmx512m
-XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true
-Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true"
Note that you will also need the other arguments like -server, -Xms64m, etc. (which you can adjust as it fits you).
Note: Starting with v16, v17 things may change as WildFly [JBoss] becomes deprecated (dev Roadmap 2021-2022).
For the bitnami image, the env var should be KEYCLOAK_EXTRA_ARGS instead of JAVA_OPTS_APPEND, and also DO NOT ADD SINGLE/DOUBLE QUOTES around the argument! Here is a snippet in docker-compose.yaml:
keycloak:
  image: docker.io/bitnami/keycloak:16.1.0-debian-10-r0
  environment:
    - KEYCLOAK_EXTRA_ARGS=-Dkeycloak.profile.feature.scripts=enabled -Dkeycloak.profile.feature.upload_scripts=enabled -Dkeycloak.profile.feature.token_exchange=enabled -Dnashorn.args=--no-deprecation-warning