Keycloak version 25 Custom SPIs giving error "NoClassDefFoundError: org/jose4j/langJoseException"

Keycloak version 25 Custom SPIs giving error “NoClassDefFoundError: org/jose4j/langJoseException”.

These same SPIs were working fine with lower versions of Keycloak.

Please help me with this issue.

jose4j is a project used to construct and work with JWTs that was previously a dependency in Keycloak.

Jose4j was removed from the project due to vulnerabilities discovered; see the issue here: "High severity - Use of a Broken or Risky Cryptographic Algorithm vulnerability in org.bitbucket.b_c:jose4j" (Issue #20631, keycloak/keycloak, GitHub).

Link to the jose.4.j homepage → b_c / jose4j / wiki / Home — Bitbucket

I do not know if the latest version of jose4j has fixed the vulnerability; you should either recompile your SPI with the latest SAFE version of jose4j and package it with your deployment or migrate the code to use a JWT solution already packaged with Keycloak.

@ben.overcash
We did upgrade to the latest jose4j but are still getting the dependency error: run-time class-not-found errors.

The only workaround is copying the dependency jar into the providers folder, like other SPI deployments.

But I need a proper solution.

The proper solution is to put it in the providers dir. Libraries that are no longer included in Keycloak need to be placed there in order to be loaded for extensions’ use.


Alternative proper solutions:

  • build a fat jar including your dependencies
  • change your implementation to not rely on jose4j but use libraries that KC also uses, so you don’t have to deploy it

Any jars added to the providers folder are added to the classpath, but it would be bad practice to just dump everything you need in there because it can create conflicts.

I would recommend shading it to make a fat jar so you can manage the dependency as part of your project work stream.
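
The shading approach suggested in this thread, sketched as a Maven POM fragment. This is an added example, not part of any post above or of Keycloak's own build. The relocation prefix `com.example.shaded` and the `${jose4j.version}` property are placeholders, and Keycloak's own artifacts are assumed to be declared with `provided` scope elsewhere in the POM.

```xml
<!-- Added example: fragment of the SPI module's pom.xml.
     ${jose4j.version} and com.example.shaded are placeholders. -->
<dependencies>
  <dependency>
    <groupId>org.bitbucket.b_c</groupId>
    <artifactId>jose4j</artifactId>
    <version>${jose4j.version}</version>
  </dependency>
</dependencies>
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-shade-plugin</artifactId>
      <version>3.5.1</version>
      <executions>
        <execution>
          <phase>package</phase>
          <goals><goal>shade</goal></goals>
          <configuration>
            <!-- Bundle only jose4j; its transitive slf4j-api is assumed to be
                 provided by the server (verify for your distribution). -->
            <artifactSet>
              <includes><include>org.bitbucket.b_c:jose4j</include></includes>
            </artifactSet>
            <!-- Move the classes to a private package so this copy cannot
                 clash with another jose4j jar on the providers classpath. -->
            <relocations>
              <relocation>
                <pattern>org.jose4j</pattern>
                <shadedPattern>com.example.shaded.jose4j</shadedPattern>
              </relocation>
            </relocations>
            <!-- Merge META-INF/services files so provider factories stay registered. -->
            <transformers>
              <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
            </transformers>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Because the bundled copy is pinned in the POM, the jose4j version becomes something your dependency scanner and update process can track, instead of a loose jar in the providers folder.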