Does self-hosted C8 Identity support newer versions of Keycloak?

Hi,

I’m attempting to run C8 identity in K8s independently in its own helm release as I do not want to create a fresh keycloak service instance - but rather use the existing keycloak instance shared amongst the rest of our organisation.

By providing the KEYCLOAK_SETUP_USER, KEYCLOAK_SETUP_PASSWORD and KEYCLOAK_SETUP_CLIENT_ID environment variables, the identity service is able to log in successfully to keycloak with existing admin credentials. However, the setup is not successful - identity logs indicate the following:

ERROR 1 --- [           main] i.c.i.i.k.config.KeycloakConfiguration   : 
javax.ws.rs.ProcessingException: 
com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: 
Unrecognized field "readOnly" (class org.keycloak.representations.idm.ConfigPropertyRepresentation),
 not marked as ignorable (7 known properties: "defaultValue", "label", "type", "name", "helpText", "secret", "options"])
 at [Source: (org.jboss.resteasy.specimpl.AbstractBuiltResponse$InputStreamWrapper); line: 1, column:
 24778] (through reference chain:
 org.keycloak.representations.info.ServerInfoRepresentation["protocolMapperTypes"]
->java.util.LinkedHashMap["saml"]
->java.util.ArrayList[0]
->org.keycloak.representations.idm.ProtocolMapperTypeRepresentation["properties"]
->java.util.ArrayList[0]
->org.keycloak.representations.idm.ConfigPropertyRepresentation["readOnly"])

This error message has been observed in the keycloak-config-cli project

Potentially indicating a version incompatibility with this utility (assuming it's used by the identity service) and keycloak versions >18. It should be noted that my organisation’s keycloak instance is v19.

Does that mean C8 identity only supports running keycloak versions below 18, regardless of whether we deploy keycloak alongside C8 or independently? If so, will keycloak 19 be supported? It would be great to see C8 identity work against our existing keycloak solution.

Follow up question:

I’ve noticed that providing KEYCLOAK_SETUP_USER, KEYCLOAK_SETUP_PASSWORD and KEYCLOAK_SETUP_CLIENT_ID works only if the existing client has authentication disabled (i.e. no client secret is needed). Is there a plan to support authentication-enabled clients (e.g. something like KEYCLOAK_SETUP_CLIENT_SECRET)?

Thanks in advance!


I have a very similar issue when trying to run Camunda 8.25 with Keycloak 21.0.0. Is there any statement regarding upwards compatibility of Camunda 8?

javax.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "cryptoInfo" (class org.keycloak.representations.info.ServerInfoRepresentation), not marked as ignorable (14 known properties: "protocolMapperTypes", "providers", "identityProviders", "themes", "passwordPolicies", "clientInstallations", "memoryInfo", "enums", "socialProviders", "clientImporters", "profileInfo", "componentTypes", "systemInfo", "builtinProtocolMappers"])
 at [Source: (org.jboss.resteasy.specimpl.AbstractBuiltResponse$InputStreamWrapper); line: 1, column: 1246] (through reference chain: org.keycloak.representations.info.ServerInfoRepresentation["cryptoInfo"])

This error message is visible in camunda-identity shortly after it has successfully connected with Keycloak 21.0.0
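
Added example, not part of the thread and not Camunda or Keycloak code: a pre-flight check that walks a server-info JSON document and lists every field the older client library would reject, using the known-property lists from the two stack traces above. The sample document and the function name `unknown_fields` are constructed for illustration; unlike the strict deserializer, which stops at the first unknown field, this reports all of them.

```python
import json

# Property names the older client library knows, copied from the two
# error messages quoted in this thread.
KNOWN_SERVER_INFO = {
    "protocolMapperTypes", "providers", "identityProviders", "themes",
    "passwordPolicies", "clientInstallations", "memoryInfo", "enums",
    "socialProviders", "clientImporters", "profileInfo", "componentTypes",
    "systemInfo", "builtinProtocolMappers",
}
KNOWN_CONFIG_PROPERTY = {
    "defaultValue", "label", "type", "name", "helpText", "secret", "options",
}

# Constructed sample, shaped after the reference chains in the stack traces.
SAMPLE_SERVER_INFO = json.loads("""
{
  "systemInfo": {"version": "constructed-sample"},
  "cryptoInfo": {},
  "protocolMapperTypes": {
    "saml": [
      {"properties": [{"name": "example", "label": "Example", "readOnly": false}]}
    ]
  }
}
""")

def unknown_fields(server_info):
    """Return the path of every field a strict deserializer would reject."""
    findings = []
    # Top level: ServerInfoRepresentation.
    for key in server_info:
        if key not in KNOWN_SERVER_INFO:
            findings.append(f'ServerInfoRepresentation["{key}"]')
    # Nested: protocolMapperTypes -> protocol -> mapper -> properties[].
    # The mapper objects' own fields are not checked (no list on the page).
    mapper_types = server_info.get("protocolMapperTypes", {})
    for protocol, mappers in mapper_types.items():
        for i, mapper in enumerate(mappers):
            for j, prop in enumerate(mapper.get("properties", [])):
                for key in prop:
                    if key not in KNOWN_CONFIG_PROPERTY:
                        findings.append(
                            f'protocolMapperTypes["{protocol}"][{i}]'
                            f'.properties[{j}]["{key}"]')
    return findings

if __name__ == "__main__":
    for path in unknown_fields(SAMPLE_SERVER_INFO):
        print("unknown to the older client:", path)
```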