Keycloak override Provider

We are currently running Keycloak 19, having migrated from an older version of Keycloak (v4).
Everything is going well; however, we noticed that due to some changes in the use of Base64Url decode vs. legacy Base64 decode (down to certain chars: + and /) we get an illegal base64 string.

We want to extend or overwrite ClientIdAndSecretCredentialsProvider in which we can make relevant changes to handle base64 encode decode for backward compatibility.

Is there a way to do this via the SPI mechanism? If so, how can we go about doing it?
I did read in the Keycloak documentation about doing a custom provider, but here we want to overwrite certain behavior for one of the provider classes Keycloak comes with.

Would really appreciate some advice/suggestions :)

Never overwrite an existing provider; instead, write your own provider or extend an existing provider with a custom provider and then set this new provider as default.
This guide tells you how you configure providers as default: Configuring providers - Keycloak

Thank you for the response. I did go through that, but I guess the part where I am not entirely sure is this.

  1. I can extend the authenticator, in my case: ClientIdAndSecretAuthenticator
    This class already extends AbstractClientAuthenticator, which internally implements ClientAuthenticator, ClientAuthenticatorFactory

so custom class: CustomClientSecretAuthenticator extends ClientIdAndSecretAuthenticator

  1. So would it then be okay to say I can just override the method (authenticateClient) where I want to change the behavior for actual authentication
  2. Package the jar file with META-INF/services/ having the file
  3. Install this provider? -spi-client-secret-provider="client-secret"

Ah, in the case of the client-authenticator provider, there’s no default to set; you have to choose the one you want to use in your settings.

I’d strongly suggest using a custom provider id, not re-using the client-secret id. This might work, but could also go wrong.

When deploying your custom provider, you should be able to see it in the “Provider Info” tab in the master realm of the admin UI:

You have to create a custom authentication flow for client authentication and bind it to the client flow:

Then, in client settings, you should be able to choose the proper one:

That should basically be the steps to do.

2 Likes
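
The backward-compatible decoding the question asks for, as an added example that is not from the thread and is not Keycloak code: a JDK-only helper that a custom authenticator such as the CustomClientSecretAuthenticator mentioned above could call at the point where it decodes a value. The class name `LenientBase64` and the sample bytes are hypothetical and constructed for illustration.

```java
import java.util.Arrays;
import java.util.Base64;

/** Hypothetical helper, not a Keycloak class: decodes legacy Base64 and Base64url. */
public final class LenientBase64 {

    private LenientBase64() {}

    /**
     * Accepts the standard alphabet ('+', '/') or the URL-safe alphabet
     * ('-', '_'), with or without '=' padding. Input that mixes the two
     * alphabets is rejected instead of being normalised by guesswork.
     */
    public static byte[] decode(String input) {
        if (input == null || input.isEmpty()) {
            throw new IllegalArgumentException("empty Base64 input");
        }
        boolean legacy = input.indexOf('+') >= 0 || input.indexOf('/') >= 0;
        boolean urlSafe = input.indexOf('-') >= 0 || input.indexOf('_') >= 0;
        if (legacy && urlSafe) {
            throw new IllegalArgumentException("mixed Base64 alphabets");
        }
        // Both JDK decoders tolerate missing padding and throw
        // IllegalArgumentException on characters outside their alphabet.
        Base64.Decoder decoder = legacy ? Base64.getDecoder() : Base64.getUrlDecoder();
        return decoder.decode(input);
    }

    public static void main(String[] args) {
        // Constructed sample: the first three bytes encode to "++//" in the
        // legacy alphabet and to "--__" in the URL-safe one.
        byte[] sample = {(byte) 0xfb, (byte) 0xef, (byte) 0xff, 'o', 'k'};
        String legacyText = Base64.getEncoder().encodeToString(sample);
        String urlText = Base64.getUrlEncoder().withoutPadding().encodeToString(sample);

        System.out.println(legacyText + " -> " + Arrays.equals(sample, decode(legacyText)));
        System.out.println(urlText + " -> " + Arrays.equals(sample, decode(urlText)));
        try {
            decode("++__b2s"); // constructed input mixing both alphabets
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

If the decoded bytes are then compared against a stored secret, a constant-time comparison such as `java.security.MessageDigest.isEqual` keeps the lenient decoding from adding a timing side channel.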

Thank you so much for all the help and advice. Will try it out and revert back, but it does clarify a lot of doubts around it. Thank you so much :).