Adds Shared Signals Framework support to Keycloak in the **SSF Transmitter** role: Keycloak signs Security Event Tokens (SETs, RFC 8417) describing realm/user/session/credential events and delivers them to OAuth clients
registered as **SSF Receivers**, either by HTTP PUSH (RFC 8935) or HTTP POLL (RFC 8936).
Targets the OpenID Shared Signals Framework 1.0 (Final) specification plus the CAEP Interoperability Profile 1.0. Ships the legacy SSE CAEP profile alongside for Apple Business Manager / Apple School Manager interop, since Apple device-fleet enrolment is a concrete drive-use case.
Gated behind \`Profile.Feature.SSF\` experimental, opt-in.
Issue #43614 originally proposed SSF *Receiver* support (Keycloak ingesting SETs from upstream IdPs / risk engines). After exploring both sides, we're shipping the **Transmitter** first (see #48254) because it covers the strongest community asks (federate Keycloak events to downstream SaaS, Apple device fleet revoke flow) and lets us validate the SSF data-plane against real receivers before designing the harder "action mapping" question on the Receiver side. Receiver support remains on the roadmap and is tracked separately via #43614.
**In:**
- Compliance with SSF 1.0, CAEP 1.0, RISC 1.0, RFC 8935, RFC 8936, RFC 9493, RFC 8417
- SSF Transmitter support (Keycloak Realm can act as a SSF Transmitter)
- SSF Stream management (CRUD, status, verification)
- SSF Subjects management (subjects)
- SET delivery via HTTP PUSH (RFC 8935) and HTTP POLL (RFC 8936) with POLL in a return-immediately form
- SSF events temporarily stored in durable outbox with cluster-aware drainer and exponential backoff
- SSF Receivers managed as OIDC Clients with client credentials grant or auth code grant (currently only one stream per client)
- Support for SSF Stream, CAEP 1.0 and RISC 1.0 events (custom events via SPI)
- CAEP credential-change / session-revoked / (device-compliance-change) event mapping from native Keycloak events
- Support for RFC 9493 Subject Identifiers for Security Event Tokens
- Support for SSF Receiver subject event subscription with subject selection (per-user / per-orgssf.notify.<clientId>attribute, support fordefault_subjectspolicy (ALL, NONE))
- Support for Synthetic event emittance via REST endpoint for non-Keycloak-native event sources (external IAM solution)
- Per-receiver "Emit-only events" gate to suppress auto-emit per event type per receiver
- Support for legacy SSE CAEP profile for Apple Business Manager / Apple School Manager interop (verified)
- Per-realm SSF admin REST + Admin UI for SSF-enabled clients (Receiver / Stream / Subjects / Events)
- Prometheus metrics (dispatcher, drainer, poll, verification, outbox depth, delivery metrics)
**Out (tracked as separate follow-up issues):**
- SSF Receiver role for Keycloak (ingestion of SETs)
- POLL long-polling (\`returnImmediately=false\` honoured)
- Dedicated SSF signing key (separate from realm OIDC signing key)
- Chunked HELD release for very large backlogs
- Performance characterization + security review
- Formal interop matrix (caep.dev, ABM)
- [X] All code gated behind \`Profile.Feature.SSF\` (experimental, off by default)
- [X] Per-realm \`ssf.transmitterEnabled\` toggle; per-client \`ssf.enabled\` toggle
- [X] SSF event listener registered as global (not user-toggleable per realm)
- [X] Receiver-facing endpoints conformant with SSF 1.0
- [X] CAEP credential-change / session-revoked / device-compliance mapping pass interop testing against \`caep.dev\`
- [X] SSE CAEP profile narrowed shape works with Apple Business Manager
- [X] Integration test coverage for the dispatch / outbox / push / poll pipeline (100+ tests)
- [X] Prometheus metrics exposed under \`keycloak_ssf_*\`
- [X] Design notes published
Fixes#48901
This PR was partially co-authored with Claude AI
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
* Stop using jboss-parent
Closes: #40125
Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
* Add Maven plugins version from jboss-parent
Should match the versions from jboss-parent to
prevent conflicting versions.
Signed-off-by: Badiuzzaman Iskhandar <badiskhand@ibm.com>
---------
Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
Signed-off-by: Badiuzzaman Iskhandar <badiskhand@ibm.com>
Co-authored-by: Badiuzzaman Iskhandar <badiskhand@ibm.com>
* fix: minimizing the dependencies for the rest module
closes: #48114
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* renaming the modules
also remove jsonnode logic from the oas filter and the databind
dependency
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* addressing review comments
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* fix: updating to quarkus 3.31.0.CR1
closes: #45576
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* updating test containers for 3.31.0.CR1
also adding a managed version for microprofile-metrics-api
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* excluding quarkus-bootstrap-runner to prevent trace logging
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* changing to new logging context for hibernate jpa
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* switching to 3.31.0 release
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* switching to 3.31.1 release
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* Follow upgrading guide for Quarkus 3.31.0
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
* turning of specific hibernate logging
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* removing quarkus-bootstrap-runner from the model test classpath
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
Closes#45341
- Remove query modules
- Remove unused config file
- Update config file versions
- Update jgroups attributes
- Remove ISPN-16595 workaround
- Call HotRodServer#postStart in HotRodServerRule to start caches as well as the server
- Simplify cluster-ha.xml
- Utilise org.infinispan.commons.util.TimeQuantity in CacheConfiguration
- Cleanup when InfinispanContainer startup fails
- RemoteUserSessionProvider remote query calls must not use negative values for offsets and maxResults
- Remove use of deprecated org.infinispan.server.test.core.InfinispanContainer class
- Use testcontainers-infinispan dependency
- Explicitly utilise "legacy" metrics
- Remove explicit `name-as-tags` configuration as Infinispan 16 defaults to true
- Remove test configuration not required since #31807
Signed-off-by: Ryan Emerson <remerson@ibm.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Michal Vavřík
Václav Muzikář
Thomas Darimont
rmartinc
Jean-Francois Denise
Jean-Francois Denise
Pedro Ruivo
Peter Zaoral
Martin Bartoš
Ryan Emerson
Steven Hawkins
dependabot[bot]
Peter Skopek
Thomas Diesler
Tomáš Kyjovský
Pedro Igor
Stian Thorgersen
Rahul Jain
Carlos Rodríguez Hernández