ydb-platform · inoorinoor · Feb 1, 2026 · Feb 1, 2026 · Feb 4, 2026 · Feb 10, 2026
diff --git a/.github/workflows/ci-keycloak-ydb-extension.yaml b/.github/workflows/ci-keycloak-ydb-extension.yaml
@@ -0,0 +1,39 @@
+name: Keycloak YDB Extension CI with Maven
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'keycloak-ydb-extension/**'
+      - '.github/workflows/ci-keycloak-ydb-extension.yaml'
+  pull_request:
+    paths:
+      - 'keycloak-ydb-extension/**'
+      - '.github/workflows/ci-keycloak-ydb-extension.yaml'
+
+env:
+  MAVEN_ARGS: --batch-mode --update-snapshots -Dstyle.color=always
+
+jobs:
+  build:
+    name: Keycloak YDB Extension
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v4
+        with:
+          java-version: '21'
+          distribution: 'temurin'
+          cache: maven
+
+      - name: Download dependencies
+        working-directory: ./keycloak-ydb-extension
+        run: mvn $MAVEN_ARGS dependency:go-offline
+
+      - name: Build & test (unit + Keycloak model tests with YDB)
+        working-directory: ./keycloak-ydb-extension
+        run: mvn $MAVEN_ARGS verify
diff --git a/keycloak-ydb-extension/.gitignore b/keycloak-ydb-extension/.gitignore
@@ -0,0 +1,4 @@
+dependency-reduced-pom.xml
+
+# jar files of keycloak-ydb-extension
+docker/providers
diff --git a/keycloak-ydb-extension/README.md b/keycloak-ydb-extension/README.md
@@ -0,0 +1,51 @@
+# Keycloak YDB extension
+
+## Overview
+
+Keycloak extension to use [YDB](https://ydb.tech/) as the main database. Keycloak does not support YDB as a built-in database (see [Configuring the database](https://www.keycloak.org/server/db)); this extension provides the JDBC driver and Hibernate dialect.
+
+## Configuration
+
+When using YDB you must avoid giving the YDB URL to Keycloak’s default datasource (it would fail with “Driver does not support the provided URL”). Use:
+
+| Variable | Value | Purpose |
+|----------|--------|---------|
+| `KC_DB` | `dev-file` | Built-in datasource uses dev-file; it never sees the YDB URL. |
+| `KC_SPI_CONNECTIONS_JPA_DEFAULT_YDB_JDBC_URL` | `jdbc:ydb:grpc://host:2136/database` | JDBC URL used by this extension (required). |
+| `KC_SPI_CONNECTIONS_JPA_QUARKUS_ENABLED` | `false` | Disables the default Quarkus JPA provider so H2 is not used. |
+| `KC_SPI_CONNECTIONS_LIQUIBASE_QUARKUS_ENABLED` | `false` | Disables the default Quarkus Liquibase provider (migrations are run by this extension). |
+
+The extension is enabled when its JAR is in the `providers` directory and the YDB JDBC URL is configured. No separate “enable” flag is required.
+
+### Connection Pool (HikariCP)
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `KC_SPI_CONNECTIONS_JPA_YDB_POOL_SIZE` | `50` | Maximum pool size |
+| `KC_SPI_CONNECTIONS_JPA_YDB_MIN_IDLE` | `10` | Minimum idle connections |
+| `KC_SPI_CONNECTIONS_JPA_YDB_CONNECTION_TIMEOUT` | `30000` | Connection timeout (ms) |
+| `KC_SPI_CONNECTIONS_JPA_YDB_IDLE_TIMEOUT` | `600000` | Idle connection timeout (ms) |
+| `KC_SPI_CONNECTIONS_JPA_YDB_MAX_LIFETIME` | `1800000` | Max connection lifetime (ms) |
+
+Or in `keycloak.conf`:
+
+```properties
+spi-connections-jpa-ydb-pool-size=50
+spi-connections-jpa-ydb-min-idle=10
+```
+
+## Getting started
+
+1. Build and package the extension, then put the JAR in Keycloak’s `providers` directory (or use the Docker setup below).
+2. Set the environment variables above and start Keycloak.
+
+### Local development with Docker
+
+From the project root:
+
+```bash
+./run-keycloak-with-ydb.sh
+```
+
+This builds the extension, copies the JAR to `docker/providers/`, and starts Keycloak + YDB via `docker/docker-compose.yml`.
+All Keycloak options (YDB URL, admin user, etc.) are set in `docker/conf/keycloak.conf`; override with environment variables if needed.
diff --git a/keycloak-ydb-extension/core/pom.xml b/keycloak-ydb-extension/core/pom.xml
@@ -0,0 +1,212 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>tech.ydb</groupId>
+    <artifactId>keycloak-ydb-extension-parent</artifactId>
+    <version>1.0-SNAPSHOT</version>
+    <relativePath>../pom.xml</relativePath>
+  </parent>
+
+  <packaging>jar</packaging>
+  <name>keycloak-ydb-extension (core)</name>
+  <artifactId>keycloak-ydb-extension</artifactId>
+  <version>1.0-SNAPSHOT</version>
+
+  <build>
+    <sourceDirectory>src/main/kotlin</sourceDirectory>
+    <testSourceDirectory>src/test/kotlin</testSourceDirectory>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>3.13.0</version>
+        <configuration>
+          <source>21</source>
+          <target>21</target>
+        </configuration>
+        <executions>
+          <execution>
+            <id>default-compile</id>
+            <phase>none</phase>
+          </execution>
+          <execution>
+            <id>default-testCompile</id>
+            <phase>none</phase>
+          </execution>
+          <execution>
+            <id>java-compile</id>
+            <goals>
+              <goal>compile</goal>
+            </goals>
+            <phase>compile</phase>
+          </execution>
+          <execution>
+            <id>java-test-compile</id>
+            <goals>
+              <goal>testCompile</goal>
+            </goals>
+            <phase>test-compile</phase>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <groupId>org.jetbrains.kotlin</groupId>
+        <artifactId>kotlin-maven-plugin</artifactId>
+        <version>${kotlin.version}</version>
+        <executions>
+          <execution>
+            <id>compile</id>
+            <goals>
+              <goal>compile</goal>
+            </goals>
+            <configuration>
+              <sourceDirs>
+                <sourceDir>${project.basedir}/src/main/kotlin</sourceDir>
+                <sourceDir>${project.basedir}/src/main/java</sourceDir>
+              </sourceDirs>
+            </configuration>
+          </execution>
+          <execution>
+            <id>test-compile</id>
+            <goals>
+              <goal>test-compile</goal>
+            </goals>
+            <configuration>
+              <sourceDirs>
+                <sourceDir>${project.basedir}/src/test/kotlin</sourceDir>
+                <sourceDir>${project.basedir}/src/test/java</sourceDir>
+              </sourceDirs>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+
+        <artifactId>maven-shade-plugin</artifactId>
+        <version>3.5.0</version>
+        <executions>
+          <execution>
+            <phase>package</phase>
+            <goals>
+              <goal>shade</goal>
+            </goals>
+            <configuration>
+              <artifactSet>
+                <includes>
+                  <include>org.jetbrains.kotlin:kotlin-stdlib</include>
+                  <include>org.jetbrains.kotlin:kotlin-reflect</include>
+                  <include>org.jetbrains.kotlin:*</include>
+
+                  <include>tech.ydb.jdbc:*</include>
+                  <include>tech.ydb:*</include>
+                  <include>tech.ydb.dialects:*</include>
+                  <include>com.zaxxer:HikariCP</include>
+                  <include>io.r2dbc:*</include>
+                </includes>
+              </artifactSet>
+
+              <transformers>
+                <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
+              </transformers>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+    </plugins>
+  </build>
+
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>org.keycloak</groupId>
+        <artifactId>keycloak-parent</artifactId>
+        <version>${keycloak.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.jetbrains.kotlin</groupId>
+      <artifactId>kotlin-stdlib</artifactId>
+      <version>${kotlin.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.jetbrains.kotlin</groupId>
+      <artifactId>kotlin-reflect</artifactId>
+      <version>${kotlin.version}</version>
+    </dependency>
+
+    <!-- keycloak -->
+    <dependency>
+      <groupId>org.keycloak</groupId>
+      <artifactId>keycloak-server-spi</artifactId>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.keycloak</groupId>
+      <artifactId>keycloak-server-spi-private</artifactId>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.keycloak</groupId>
+      <artifactId>keycloak-model-jpa</artifactId>
+      <scope>provided</scope>
+    </dependency>
+
+    <!-- YDB -->
+    <dependency>
+      <groupId>tech.ydb.jdbc</groupId>
+      <artifactId>ydb-jdbc-driver</artifactId>
+      <version>${ydb-jdbc-driver.version}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>tech.ydb.dialects</groupId>
+      <artifactId>liquibase-ydb-dialect</artifactId>
+      <version>1.1.1</version>
+    </dependency>
+
+    <dependency>
+      <groupId>tech.ydb.dialects</groupId>
+      <artifactId>hibernate-ydb-dialect-v7</artifactId>
+      <version>${hibernate-v7.ydb.dialect.version}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>com.zaxxer</groupId>
+      <artifactId>HikariCP</artifactId>
+      <version>${hikaricp.version}</version>
+    </dependency>
+
+    <!-- tests -->
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>tech.ydb.test</groupId>
+      <artifactId>ydb-junit5-support</artifactId>
+      <version>2.3.27</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.mockito.kotlin</groupId>
+      <artifactId>mockito-kotlin</artifactId>
+      <version>6.1.0</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.jboss.resteasy</groupId>
+      <artifactId>resteasy-core</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+</project>
diff --git a/...k-ydb-extension/core/src/main/kotlin/tech/ydb/keycloak/client/YdbClientProviderFactory.kt b/...k-ydb-extension/core/src/main/kotlin/tech/ydb/keycloak/client/YdbClientProviderFactory.kt
@@ -0,0 +1,71 @@
+package tech.ydb.keycloak.client
+
+import org.keycloak.Config
+import org.keycloak.authorization.fgap.AdminPermissionsSchema
+import org.keycloak.common.Profile
+import org.keycloak.connections.jpa.JpaConnectionProvider
+import org.keycloak.models.ClientProvider
+import org.keycloak.models.KeycloakSession
+import org.keycloak.models.KeycloakSessionFactory
+import org.keycloak.models.RealmModel.RealmAttributeUpdateEvent
+import org.keycloak.models.jpa.JpaClientProviderFactory
+import org.keycloak.models.jpa.entities.RealmAttributes
+import org.keycloak.protocol.saml.SamlConfigAttributes
+import org.keycloak.provider.ProviderEvent
+import tech.ydb.keycloak.config.ProviderConfig.PROVIDER_ID
+import tech.ydb.keycloak.config.ProviderConfig.PROVIDER_PRIORITY
+import tech.ydb.keycloak.realm.YdbRealmProvider
+
+class YdbClientProviderFactory : JpaClientProviderFactory() {
+
+  private lateinit var clientSearchableAttributes: Set<String>
+
+  override fun init(config: Config.Scope) {
+    var searchableAttrsArr = config.getArray("searchableAttributes")?.toList()
+    if (searchableAttrsArr == null) {
+      val s = System.getProperty("keycloak.client.searchableAttributes")
+      searchableAttrsArr = s?.split("\\s*,\\s*".toRegex())
+    }
+    val s = HashSet(REQUIRED_SEARCHABLE_ATTRIBUTES)
+    if (searchableAttrsArr != null) {
+      s.addAll(searchableAttrsArr)
+    }
+    clientSearchableAttributes = s.toSet()
+  }
+
+  override fun postInit(factory: KeycloakSessionFactory) {
+    if (Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ_V2)) {
+      factory.register { event: ProviderEvent? ->
+        if (event is RealmAttributeUpdateEvent) {
+          if (event.attributeName == RealmAttributes.ADMIN_PERMISSIONS_ENABLED && event.attributeValue.toBoolean()) {
+            val keycloakSession = event.keycloakSession
+            val realm = event.realm
+            AdminPermissionsSchema.SCHEMA.init(keycloakSession, realm)
+          }
+        }
+      }
+    }
+  }
+
+  override fun create(session: KeycloakSession): ClientProvider {
+    val em = session.getProvider(JpaConnectionProvider::class.java).entityManager
+    return YdbRealmProvider(session, em, clientSearchableAttributes, null)
+  }
+
+  override fun close() {
+    // no operations
+  }
+
+  override fun order(): Int = PROVIDER_PRIORITY
+
+  override fun getId(): String = PROVIDER_ID
+
+  private companion object{
+    private val REQUIRED_SEARCHABLE_ATTRIBUTES = listOf(
+      "saml_idp_initiated_sso_url_name",
+      SamlConfigAttributes.SAML_ARTIFACT_BINDING_IDENTIFIER,
+      "jwt.credential.issuer",
+      "jwt.credential.sub"
+    )
+  }
+}