28 May 2025
JBoss Blogs
Quarkus 3.23 - Named datasources for Hibernate Reactive, OIDC bearer step up authentication
Today, we released Quarkus 3.23. 3.23 comes with a lot of small improvements and some bugfixes together with a couple of new features: * - Enable named data sources for Hibernate Reactive * - OIDC: Add bearer token step up authentication UPDATE To update to Quarkus 3.23, we recommend updating to the latest version of the Quarkus CLI and run: quarkus update Note that quarkus update can update your applications from any version of Quarkus (including 2.x) to Quarkus 3.23. For more information about the adjustments you need to make to your applications, please refer to the . WHAT'S NEW? NAMED DATA SOURCES FOR HIBERNATE REACTIVE With 3.22, we started the journey of bringing the Hibernate Reactive extension up to par with the Hibernate ORM one. In 3.23, it's now possible to point Hibernate Reactive to a named datasource. The next step will be to have support for multiple named persistence units for Hibernate Reactive and hopefully it will arrive in 3.24. OIDC BEARER STEP UP AUTHENTICATION Quarkus 3.23 introduces support for the OAuth 2.0 Step Up Authentication Challenge Protocol. You can learn more about it in the of the OIDC Bearer token authentication guide. PLATFORM COMPONENT UPGRADES QUARKUS CXF Quarkus CXF 3.23 was released and is now available in . Check the and release notes for more information about what is new in these releases. CAMEL QUARKUS Camel Quarkus has been upgraded to 3.23.0. FULL CHANGELOG You can get the full changelog of and on GitHub. CONTRIBUTORS The Quarkus community is growing and has now . Many many thanks to each and everyone of them. In particular for the 3.23 release, thanks to Aditya Thakur, Alexandre Dutra, Alexey Loubyansky, Andrii Denysenko, Andy Damevin, appiepollo14, ayagmar, Bruno Baptista, Clement Escoffier, Fedor Dudinsky, Foivos Zakkak, Fouad Almalki, George Gastaldi, Georgios Andrianakis, Guillaume Smet, Holly Cummins, iedo, Ladislav Thon, Luca Molteni, luca-bassoricci, Lucien Brule, Magnus Gustafsson, Marc Nuri, mariofusco, marko-bekhta, Martin Bartoš, Martin Kouba, Martin Panzer, Matej Novotny, Matheus Cruz, Max Rydahl Andersen, melloware, Michael Edgar, Michal Vavřík, Michiel Dockx, Mikhail Polivakha, Olivier V, Ozan Gunalp, Peter Palaga, Phillip Krüger, Robert Stupp, Roberto Cortez, Rolfe Dlugy-Hegwer, Rostislav Svoboda, Sebastian Vogl, Sergey Beryozkin, Severin Gehwolf, shjones, Steve Hawkins, Stuart Douglas, Tamas Cservenak, and Yoann Rodière. COME JOIN US We value your feedback a lot so please report bugs, ask for improvements… Let's build something great together! If you are a Quarkus user or just curious, don't be shy and join our welcoming community: * provide feedback on ; * craft some code and ; * discuss with us on and on the ; * ask your questions on .
28 May 2025 12:00am GMT
Keycloak 26.2.5 released
To download the release go to . UPGRADING Before upgrading refer to for a complete list of changes. ALL RESOLVED ISSUES ENHANCEMENTS * Fix Securing Apps links to adapters docs * Email server credentials can be harvested through host/port manipulation admin/api * Fix doc link to FGAP v1 docs * Apply edits to Operators Guide docs * Edit Observability Guide docs * Fix callouts in Operator guide docs * Sessions from Infinispan should be mapped lazily for the Admin UI * Speed up Infinispan list of all sessions be more eagerly remove old client sessions * When logging in, all client sessions are loaded which is slow oidc BUGS * Authorization Code Flow Fails Scope Validation After Credential Definition Migration to Realm Level oid4vc * [quarkus-next] TestEngine with ID 'junit-jupiter' failed to discover tests dist/quarkus * [OID4VCI] Documentation Errors docs * Aggregated policy: Cannot select policies that do not appear in the drop-down list admin/ui * quarkus runtime options are treated as buildtime options dist/quarkus * [26.2.3/26.1.5] Regression: empty ClientList in UI for Custom UserStorageProvider admin/ui * UI does not show user's attributes after reentering the Attributes TAB admin/ui * Refreshed tokens are not persisted for IDP token exchange token-exchange * UI does not show organization's attributes after reentering the Attributes TAB account/ui * Autocomplete in Mapper type of user federation broken admin/ui * Forms IT tests breaks with Chrome 136.0.7103.59 ci * Unable to change the OTP hash algorithm admin/ui * Keycloak not using custom Infinispan config infinispan * Duplicate validation message "Please specify username." shown on login form login/ui * Clicking on the jump links removes the localization of the UI admin/ui * Authorization documentation shows the wrong view authorization-services * Recreate update is not scaling down the statefulset to zero operator * Hibernate LazyInitializationException when deleting client with CompositeRoles core * POST realm API returns 400 on conflict instead of 409 in version 26.2.4 admin/api * Documentation has outdated link to the "latest" branch of quickstarts docs * [KEYCLOAK CI] - AuroraDB IT - Create EC2 runner instance ci
28 May 2025 12:00am GMT
26 May 2025
JBoss Blogs
Standard Token Exchange is now officially supported in Keycloak 26.2
The Token Exchange feature has been available in Keycloak for a long time, but only as a preview feature. With the release of Keycloak 26.2, we're happy to share that Standard Token Exchange is now officially supported and fully compliant with . WHAT IS TOKEN EXCHANGE? 🔄 Token Exchange is a mechanism that allows a client to exchange one token for another. In the context of Keycloak, this means a client can exchange a token originally issued for another client and receive a new token issued specifically for itself. Token Exchange is especially helpful in these scenarios: 🎯 DIFFERENT AUDIENCE When a token was issued for one service but needs to be used to access another, Token Exchange can issue a new token with the appropriate audience. 🔐 SCOPED PERMISSIONS If a client needs to access a service with more limited permissions, it can exchange its token for one with reduced or more specific scopes. WHAT'S NEW? 🆕 * ✅ Official support (no longer a preview feature) * 📘 Compliance with RFC 8693 (OAuth 2.0 Token Exchange) * 🖱️ Simple configuration via the Admin Console (just a switch in client settings) * 🛡️ Integration with Client Policies to enforce custom rules. You can restrict exchanges to specific clients, or deny exchanges based on requested scopes. HOW TO GET STARTED 🚀 If you're using Keycloak 26.2 or later, there's nothing extra to enable. Token Exchange is ready to use, just open the client settings in the admin console and enable the dedicated switch. If you're still using the preview feature of token exchange, check the and the to understand the differences and plan your migration. 📄 For full setup instructions and configuration details, refer to the . WHAT'S NEXT? 🔍 We're continuing to expand Token Exchange support with future enhancements such as: * 🔄 Exchanging tokens issued by external identity providers * 👤 Using token exchange to impersonate users Stay tuned for updates in upcoming releases. -------------------------------------------------------------------------------- We'd love to hear what you think about this feature and how we can improve it. Feedback and contributions from the community are always welcome.
26 May 2025 12:00am GMT
23 May 2025
JBoss Blogs
Quarkus MCP Server: The First Java Server SDK to Support Streamable HTTP!
The Model Context Protocol (MCP) is taking the developer world by storm, and now, with its latest spec update: Streamable HTTP support has arrived! We're thrilled to announce that Quarkus MCP Server is the very first Java-based MCP server SDK to embrace this innovation, making it easier than ever for you to build, experiment, and deploy MCP-powered solutions-wherever you need them. now supports Streamable HTTP alongside stdio and SSE transports. This enables new possibilities for connecting your MCP servers to mobile apps and cloud services. While the implementation is fully functional, some advanced features like are planned for future releases. WHY STREAMABLE HTTP MATTERS Streamable HTTP is the approach MCP spec have taken for real-time, efficient, and scalable communication between clients and servers. It opens the door to new integrations and user experiences, especially for platforms and devices where traditional transports like SSE or stdio aren't ideal. And now, thanks to Quarkus MCP Server, Java developers are at the forefront of this evolution. Whether you're building AI assistants, developer tools, or next-gen chatbots, Streamable HTTP gives you the flexibility to reach more users, faster. EASY UPGRADE Ready to try it out? Just update your Maven dependency to the latest Quarkus MCP Server SSE transport: io.quarkiverse.mcp quarkus-mcp-servers-sse 1.2.0 That's it! You're now equipped to serve Streamable HTTP from your Java MCP server. Want to see how to write your own MCP server? Check out our previous post: . QUARKUS MCP SERVERS: POWER AND SIMPLICITY Thehttps://github.com/quarkiverse/quarkus-mcp-servers[Quarkus MCP Servers project] brings a suite of ready-to-use MCP servers, all built on Quarkus. With version 1.0.0.CR4, streamable HTTP support is baked in-no extra configuration required. We just updated the dependency, and it was ready to go! To enable Streamable HTTP, simply launch any server in Quarkus MCP Servers with the --sse flag: jbang jvminsight@mcp-java --sse CONNECTING CLIENTS The default URL for Streamable HTTP is: http://:8080/mcp/ (For SSE, use as before.) While Streamable HTTP is still new, some pioneering clients already support it. Notably, the open source iOS app (available on ) and a non-open source version on the both work seamlessly with MCP and support or even require Streamable HTTP. Here's a quick demo of ChatMCP in action with the jvminsight server: KOTLIN: LIGHTWEIGHT AND FUN Quarkus supports both Java and Kotlin, giving you flexibility in how you build your MCP servers. Want to experiment? Here's a playful example of a Kotlin MCP server you can run instantly with JBang. It fetches a random image from and returns it as a base64-encoded image, as the MCP spec requires. ///usr/bin/env jbang "$0" "$@" ; exit $? //KOTLIN //DEPS io.quarkus:quarkus-bom:${quarkus.version:3.20.0}@pom //DEPS io.quarkiverse.mcp.servers:mcp-server-shared:1.0.0.CR4 import io.quarkiverse.mcp.server.* import java.net.URL import java.util.Base64.getEncoder import kotlin.io.readBytes class demo { @Tool(description = "Get a random picture") fun randomimage(@ToolArg(description = "seed for randomness") seed: String, @ToolArg(description = "width", defaultValue = "300") width: Int, @ToolArg(description = "height", defaultValue = "300") height : Int): ImageContent { val image = URL("https://picsum.photos/seed/$seed/$width/$height").readBytes() return ImageContent( getEncoder().encodeToString(image), "image/jpeg" ) } } Save this as demo.kt and run it with: jbang demo.kt --sse You can now use the randomimage tool in ChatMCP or any other MCP client that supports Streamable HTTP. It's that easy-and a great way to start experimenting! CONCLUSION Streamable HTTP is an important step for the MCP ecosystem, and Quarkus MCP Server is putting Java developers in the driver's seat. Whether you're building tools, bots, or entirely new experiences, now's the perfect time to dive in and see what you can create. We can't wait to see what you build. Try it out, share your feedback, and help shape the future of MCP - powered by Quarkus! Have fun!
23 May 2025 12:00am GMT
21 May 2025
JBoss Blogs
Use Quarkus MCP client to access secure MCP HTTP servers
INTRODUCTION MCP servers that use the Streamable HTTP or HTTP/SSE transports may require MCP client authentication. In the blog post, we explained how to enforce MCP client authentication with the and demonstrated how can use Keycloak access tokens to access the MCP server in dev mode and how and can use GitHub access tokens to access the MCP server in prod mode. In this blog post, we will explain how can use access tokens to access secure MCP servers. We will show how to log in to Quarkus LangChain4j AI Poem Service application with GitHub OAuth2 and have Google AI Gemini use tools with the help from Quarkus MCP Client that can propagate the GitHub access token to the secure Quarkus MCP Server. DEMO ARCHITECTURE As you can see in the diagram above, the user logs in into the Quarkus REST Poem Service application endpoint. To support the user request to create a poem, the Poem Service uses AI Gemini and requests MCP Client to complete a tool call to help AI Gemini to find out the name of the logged-in user. An essential point is that both Poem Service and MCP Client are part of the same single Quarkus REST application that only users who logged in with GitHub can access. The users do not login to MCP Client, they login to the Poem Service application, using the MCP client is an implementation detail of how this application completes the user request. Therefore, this demo does not demonstrate an implementation of the flow which is primarily of interest to public MCP clients implemented as Single-page applications (SPA), such as as Anthropic Claude, that will be able to initiate a user login into an imported MCP server. This demo shows a typical OAuth2 authorization code flow where a user logs-in to a REST endpoint and authorizes it to access another service on the user's behalf. It also strengthens the message about the . For example, let's temporarily update the diagram by removing the AI Gemini, replacing MCP Client with REST Client, MCP Server with Poem Creator service and GitHub with OAuth2: You will very likely find similarities between this diagram and what you do in your projects. It is the OAuth2 authorization code flow in action: the user logs in to the application and authorizes it to access another service offering a poem creation on the user's behalf. The demo shows that Quarkus MCP Client can work effectively in such architectures by being able to use access tokens acquired during the user login, without you having to write any custom code. We are now ready to start working on the Secure MCP Client Server demo. You can find the complete project source in the . STEP 1 - CREATE AND START MCP SERVER First, let's create a secure Quarkus MCP SSE server. If you already created the MCP server in the the blog post, then you will find instructions below familiar and should be able to reuse the project you created earlier with minor updates. MCP server requires authentication to establish Server-Sent Events (SSE) connection and also when invoking the tools. Additionally, the MCP server endpoint that provides access to tools requires that the security identity has a read:name permission. MCP SERVER MAVEN DEPENDENCIES Add the following dependencies: io.quarkiverse.mcp quarkus-mcp-server-sse (1) 1.1.1 io.quarkus quarkus-oidc (2) io.quarkus quarkus-hibernate-orm-panache (3) io.quarkus quarkus-jdbc-postgresql (3) 1 quarkus-mcp-server-sse is required to support MCP SSE transport. 2 quarkus-oidc is required to secure access to MCP SSE endpoints. Its version is defined in the Quarkus BOM. 3 quarkus-hibernate-orm-panache and quarkus-jdbc-postgresql are required to support the . Their versions are defined in the Quarkus BOM. MCP SERVER TOOL Let's create a tool that can return the name of the currently logged-in user. It can be invoked only if the current MCP request is authenticated but also if the security identity has a read:name permission: package io.quarkiverse.langchain4j.sample; import io.quarkiverse.mcp.server.TextContent; import io.quarkiverse.mcp.server.Tool; import io.quarkus.security.PermissionsAllowed; import io.quarkus.security.identity.SecurityIdentity; import jakarta.inject.Inject; public class UserNameProvider { @Inject SecurityIdentity securityIdentity; @Tool(name = "user-name-provider", description = "Provides a name of the currently logged-in user") (1) @PermissionsAllowed("read:name") (2) TextContent provideUserName() { return new TextContent(securityIdentity.getPrincipal().getName()); (3) } } 1 Provide a tool that can return the name of the current user. 2 Require authenticated tool access with an additional authorization read:name permission constraint - yes, the only difference with an unauthenticated MCP server tool is @PermissionsAllowed("read:name"), that's it! See also how the main MCP SSE endpoint is secured in the section below. 3 Use the injected SecurityIdentity to return the current user's name. Alternatively, it can be acquired from the injected quarkus.oidc.UserInfo. SECURITY IDENTITY AUGMENTATION To meet the @PermissionsAllowed("read:name") authorization constraint, the security identity created after verifying the GitHub access token must be augmented to have a read:name permission. The demo expects that a database has a record with a GitHub account name and the assigned permission. The security identity augmentor uses the identity name to retrieve this record and enhance the identity with the discovered permission. Let's see how this rather complex task can be easily achieved in Quarkus. First, we create a Panache entity that keeps the account name and permission values: package io.quarkiverse.langchain4j.sample; import io.quarkus.hibernate.orm.panache.PanacheEntity; import jakarta.persistence.Column; import jakarta.persistence.Entity; @Entity public class Identity extends PanacheEntity { @Column(unique = true) public String name; public String permission; public static Identity findByName(String name) { (1) return find("name", name).firstResult(); } } 1 Utility method to find an identity record with a matching GitHub account name. Second, we create an import.sql script to have a demo record added to the database: INSERT INTO identity(id, name, permission) VALUES (1, '${user.name}', 'read:name'); (1) 1 Insert a demo record. You will provide your GitHub account name when starting MCP server. Finally, we create a security identity augmentor: package io.quarkiverse.langchain4j.sample; import io.quarkus.security.identity.AuthenticationRequestContext; import io.quarkus.security.identity.SecurityIdentity; import io.quarkus.security.identity.SecurityIdentityAugmentor; import io.quarkus.security.runtime.QuarkusSecurityIdentity; import io.smallrye.mutiny.Uni; import jakarta.enterprise.context.ApplicationScoped; import jakarta.enterprise.context.control.ActivateRequestContext; import jakarta.inject.Inject; @ApplicationScoped public class SecurityIdentityPermissionAugmentor implements SecurityIdentityAugmentor { (1) @Inject HibernateBlockingAugmentor hibernateBlockingAugmentor; @Override public Uni augment(SecurityIdentity identity, AuthenticationRequestContext context) { return context.runBlocking(() -> hibernateBlockingAugmentor.augment(identity)); (2) } @ApplicationScoped static class HibernateBlockingAugmentor { @ActivateRequestContext public SecurityIdentity augment(SecurityIdentity securityIdentity) { Identity identity = Identity.findByName(securityIdentity.getPrincipal().getName()); (3) QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder(securityIdentity); (4) return builder.addPermissionAsString(identity.permission).build(); (5) } } } 1 Custom SecurityIdentityAugmentor can augment the already verified security identity. 2 Run the augmentation in a blocking mode because it requires access to the database. 3 Find the recorded Identity matching the current user's name. 4 Initialize a security identity builder from the current identity. 5 Add the permission allocated to this user and create an updated SecurityIdentity. This is all, the augmentation step is done with a few lines of code only. MCP SERVER CONFIGURATION Let's configure our secure MCP server: quarkus.mcp.server.traffic-logging.enabled=true (1) quarkus.mcp.server.traffic-logging.text-limit=1000 quarkus.http.auth.permission.authenticated.paths=/mcp/sse (2) quarkus.http.auth.permission.authenticated.policy=authenticated quarkus.oidc.provider=github (3) quarkus.oidc.application-type=service (4) quarkus.hibernate-orm.database.generation=drop-and-create (5) quarkus.hibernate-orm.log.sql=true quarkus.hibernate-orm.sql-load-script=import.sql quarkus.http.port=8081 (6) 1 Enable MCP server traffic logging 2 Enforce an authenticated access to the main MCP SSE endpoint during the initial handshake. See also how the tool is secured with an annotation in the section above, though you can also secure access to the tool by listing both main and tools endpoints in the configuration, for example: quarkus.http.auth.permission.authenticated.paths=/mcp/sse,/mcp/messages/*. 3 Requires that only GitHub access tokens can be used to access MCP server. 4 By default, quarkus.oidc.provider=github supports an authorization code flow only. quarkus.oidc.application-type=service overrides it and requires the use of bearer tokens. 5 Database that keeps the identity records is supported by the PostgreSQL DevService. 6 Start MCP server on port 8081 - this is done for the Quarkus LangChain4j Poem Service application that uses an MCP client to be able to start on the default 8080 port. START THE MCP SERVER IN DEV MODE mvn quarkus:dev -Duser.name="Your GitHub account name" (1) 1 Use your GitHub account name, for example, mvn quarkus:dev -Duser.name="John Doe". It is required to correctly import the user name and permission data to the database. The MCP server's security-related configuration remains exactly the same in prod mode, therefore we are not going to talk about running the MCP server in prod to save some blog post space. Please check the if you would like to run MCP server in prod mode - you will only need to make sure PostresSQL is available in prod mode too. STEP 2 - CREATE AND START POEM SERVICE THAT USES AI GEMINI AND MCP CLIENT The MCP server is now running and ready to accept tool calls. Let's create an AI Poem Service that will work with AI Gemini and use an MCP client to complete tool calls. POEM SERVICE MAVEN DEPENDENCIES Add the following dependencies: io.quarkiverse.langchain4j quarkus-langchain4j-ai-gemini (1) io.quarkiverse.langchain4j quarkus-langchain4j-mcp (2) io.quarkiverse.langchain4j quarkus-langchain4j-oidc-mcp-auth-provider (3) io.quarkus quarkus-oidc (4) io.quarkus quarkus-rest-qute (5) 1 quarkus-langchain4j-ai-gemini brings support for AI Gemini. 2 quarkus-langchain4j-mcp provides core MCP Client support. 3 quarkus-langchain4j-oidc-mcp-auth-provider provides an implementation of that can supply access tokens acquired during the GitHub OAuth2 authorization code flow. 4 quarkus-oidc supports GitHub OAuth2 login to secure access to Poem Service. Its version is defined in the Quarkus BOM. 5 quarkus-rest-qute generates an HTML page to welcome the logged-in user. Its version is defined in the Quarkus BOM. REGISTER GITHUB OAUTH2 APPLICATION Register a GitHub OAuth2 application that you will authorize when logging in to the Poem Service application. Follow the process, and make sure to register the callback URL. Use the generated GitHub client id and secret to either set GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET environment properties or update the quarkus.oidc.client-id=${github_client_id} and quarkus.oidc.credentials.secret=${github_client_secret} properties in application.properties by replacing ${github_client_id} with the generated client id and ${github_client_secret} with the generated client secret. By default, Quarkus GitHub provider submits the client id and secret in the HTTP Authorization header. However, GitHub may require that both client id and secret are submitted as form parameters instead. If you get HTTP 401 error after logging in to GitHub and being redirected back to Quarkus MCP server, try to replace quarkus.oidc.credentials.secret=${github.client.secret} property with the following two properties instead: quarkus.oidc.credentials.client-secret.method=post quarkus.oidc.credentials.client-secret.value=${github.client.secret} AI GEMINI API KEY Poem Service relies on AI Gemini to create a poem for the logged-in user. Get and either set an AI_GEMINI_API_KEY environment property or update the quarkus.langchain4j.ai.gemini.api-key=${ai_gemini_api_key} property in application.properties by replacing ${ai_gemini_api_key} with the API key value. GITHUB LOGIN ENDPOINT The Poem Service needs to have an endpoint that manages a GitHub OAuth2 login. Typically, such an endpoint welcomes the logged-in user and offers links for the user to navigate to the rest of the secured application. Let's implement this login endpoint: package io.quarkiverse.langchain4j.sample; import io.quarkus.qute.Template; import io.quarkus.qute.TemplateInstance; import io.quarkus.oidc.UserInfo; import io.quarkus.security.Authenticated; import jakarta.inject.Inject; import jakarta.ws.rs.GET; import jakarta.ws.rs.Path; import jakarta.ws.rs.PathParam; import jakarta.ws.rs.Produces; /** * Login resource which returns a poem welcome page to the authenticated user */ @Path("/login") @Authenticated (1) public class LoginResource { @Inject UserInfo userInfo; (2) @Inject Template poem; @GET @Produces("text/html") public TemplateInstance poem() { return poem.data("name", userInfo.getName()); (3) } } 1 Require an authenticated access. It forces an authorization code flow for users who did not login with GitHub yet and a session verification for the already authenticated users. 2 GitHub access tokens are binary and Quarkus OIDC indirectly verifies them by using them to request GitHub specific UserInfo representation. 3 After the user logs in to GitHub and is redirected to this endpoint, an HTML page with a user name and a link to the is generated with a simple and returned to the user. CREATE POEM RESOURCE ENDPOINT The Poem Resource endpoint accepts poem requests from authenticated users and delegates these requests to AI Poem Service that uses AI Gemini. AI Gemini relies on the MCP client to get the name of the logged-in user. package io.quarkiverse.langchain4j.sample; import dev.langchain4j.agent.tool.Tool; import dev.langchain4j.service.UserMessage; import io.quarkiverse.langchain4j.RegisterAiService; import io.quarkiverse.langchain4j.mcp.runtime.McpToolBox; import io.quarkus.security.Authenticated; import jakarta.inject.Inject; import jakarta.inject.Singleton; import jakarta.ws.rs.GET; import jakarta.ws.rs.Path; @Path("/poem") @Authenticated (1) public class PoemResource { static final String USER_MESSAGE = """ Write a short 1 paragraph poem about a Java programming language. Please start by greeting the currently logged in user by name and asking to enjoy reading the poem."""; @RegisterAiService public interface PoemService { (2) @UserMessage(USER_MESSAGE) @McpToolBox("user-name") (3) String writePoem(); } @Inject PoemService poemService; @GET public String getPoem() { return poemService.writePoem(); (4) } } 1 Require authenticated poem requests. 2 AI Poem Service interface. 3 Refer to the MCP client user-name configuration, see the section below. POEM SERVICE CONFIGURATION Let's see how the Poem Service configuration looks like: quarkus.langchain4j.mcp.user-name.transport-type=http (1) quarkus.langchain4j.mcp.user-name.url=http://localhost:8081/mcp/sse/ (2) quarkus.oidc.provider=github (3) quarkus.oidc.client-id=${github_client_id} (4) quarkus.oidc.credentials.secret=${github_client_secret} (4) quarkus.langchain4j.ai.gemini.api-key=${ai_gemini_api_key} (5) quarkus.langchain4j.ai.gemini.log-requests=true (6) quarkus.langchain4j.ai.gemini.log-responses=true 1 Enable MCP client HTTP transport. In this demo we use SSE, with Streamable HTTP to be supported in the future. 2 Point to the Quarkus MCP server endpoint that you started in the step. 3 Require GitHub OAuth2 login. 4 GitHub client id and secret that were generated during the step. 5 AI Gemini key that you acquired during the step. 6 Enable AI Gemini request and response logging Please pay attention to the fact that the MCP client configuration has a user-name name. You referred to this configuration with the @McpToolBox("user-name") annotation in the step. START POEM SERVICE IN DEV MODE mvn quarkus:dev All the Poem Service configuration remains exactly the same in prod mode, therefore we are not going to talk about running it in prod to save some blog post space. Please check the if you would like to run it in prod mode. We are ready to test our AI Poem Service application. STEP 3 - TEST POEM SERVICE Access and login to Poem Service: You should get a response with your name and a link to the Poem Service endpoint: At this point, Quarkus MCP Client was not involved in getting your name produced, it was done by the . Click on the link to get a poem created and have AI Gemini producing a poem about Java for you: This time, Quarkus MCP Client helped AI Gemini to get your name from the secure Quarkus MCP server. ACCESS TOKEN DELEGATION CONSIDERATIONS In general, access tokens issued by social providers such as GitHub are not designed to be used in your distributed application architecture, with a service such as Poem Service accessing GitHub API indirectly through another service such as Quarkus MCP server. Quarkus REST service that has users logged in with GitHub can access GitHub API directly. For example, Poem Service can use a great Quarkus LangChain4j capability to mark REST Clients as tools to access GitHub API. See how . In this demo, we show the 's capability to interoperate with MCP servers and use access tokens to access secure MCP servers. We use GitHub OAuth2 because it is easily accessible to most developers. Providers such as Keycloak and Auth0 can create access tokens that are meant to be propagated from one service to another one. You will quite likely have your Quarkus MCP server implementations dealing with such tokens in the enterprise. Alternatively, when possible, the AI service application which accepts an authenticated user can request the token issuer to exchange its access token for another token that will be used to access the downstream MCP Server instead. Quarkus AI Service applications may have to and can support a delegation flow such as GitHub access token → Poem Service → MCP Client → MCP Server tool → GitHub API with additional security measures that the Quarkus team wil discuss in the future blog posts and the identity augmentation like the one shown in this demo. CONCLUSION In this blog post, we demonstrated how can access secure MCP servers by propagating access tokens available to the Quarkus LangChain4j AI Service application after the OAuth2 authorization code flow is complete. Stay tuned for more upcoming blog posts about using MCP securely with Quarkus MCP client and MCP Server. Enjoy !
21 May 2025 12:00am GMT
20 May 2025
JBoss Blogs
Quarkus 3.20.1 released - LTS maintenance release
Today, we released Quarkus 3.20.1, our first maintenance release for the 3.20 LTS stream. This release contains bugfixes and documentation improvements. It should be a safe upgrade for anyone already using 3.20. UPDATE To update to Quarkus 3.20, we recommend updating to the latest version of the Quarkus CLI and run: quarkus update --stream=3.20 Note that quarkus update can update your applications from any version of Quarkus (including 2.x) to Quarkus 3.20. FULL CHANGELOG You can get . COME JOIN US We value your feedback a lot so please report bugs, ask for improvements… Let's build something great together! If you are a Quarkus user or just curious, don't be shy and join our welcoming community: * provide feedback on ; * craft some code and ; * discuss with us on and on the ; * ask your questions on .
20 May 2025 12:00am GMT
Quarkus 3.15.5 released - LTS maintenance release
Today, we released Quarkus 3.15.5, our next maintenance release for the 3.15 LTS stream. This release contains bugfixes and documentation improvements. It should be a safe upgrade for anyone already using 3.15. UPDATE To update to Quarkus 3.15, we recommend updating to the latest version of the Quarkus CLI and run: quarkus update --stream=3.15 Note that quarkus update can update your applications from any version of Quarkus (including 2.x) to Quarkus 3.15. FULL CHANGELOG You can get . COME JOIN US We value your feedback a lot so please report bugs, ask for improvements… Let's build something great together! If you are a Quarkus user or just curious, don't be shy and join our welcoming community: * provide feedback on ; * craft some code and ; * discuss with us on and on the ; * ask your questions on .
20 May 2025 12:00am GMT
19 May 2025
JBoss Blogs
Hitachi Keycloak case study published
Hitachi Ltd. uses Keycloak to make financial grade security easier. They are providing an API management cloud service for Japanese banks. Banks can open their APIs (like accessing bank accounts) to third-party fintech companies securely by using the service. One of the biggest challenges in the development phase was authorizing APIs for financial grade security. For API authorization in the financial sector, Financial-grade API (FAPI) is specified by the OpenID Foundation and widely adopted. By using Keycloak as an authorization server of the API management cloud service, they can provide a fully FAPI conformant API authorization for their customers. Read more on their challenges and the solution in this ! We are now starting to collect all case studies at . If you want to share your case study with the Keycloak community, to sort out the details.
19 May 2025 12:00am GMT
Eclipse Vert.x 4.5.15 released!
19 May 2025 12:00am GMT
18 May 2025
JBoss Blogs
Secure email delivery with XOAUTH2
Keycloak relies on email functionality for tasks like password resets, user verifications, and notifications. A common setup is for Keycloak to authenticate to the SMTP server with a username and password. With issue , the Keycloak community raised the need for token-based authentication with XOAUTH2, as some providers deprecated the authentication for SMTP with passwords. With Keycloak 26.2, the SMTP AUTH configuration now supports XOAUTH2. As Keycloak's role is that of an application, it uses the client credentials grant to fetch the token. The SMTP AUTH configuration in Keycloak now supports all required fields to fetch such a token with client id and client secret. When implementing this functionality, I found that while it works with Microsoft Azure and Office365, it would need a different mechanism for providers like Google. So let's follow through this example, and then discuss if we need something different from SMTP altogether. CONFIGURING KEYCLOAK TO SEND EMAILS WITH XOAUTH2 The following assumes that you are working with Keycloak 26.2. In a realm, navigate to Realm Settings → Email and fill in the fields. To see the new XOAUTH2 feature, enable Authentication via the radio-button and switch the Authentication Type from Password to Token. You can find further details in the documentation on . Once you fill all the settings for gathering an access token and the username, you can test the configuration via the built-in "Test connection" button. CHALLENGES WITH REAL WORLD CLOUD PROVIDERS Testing Microsoft Azure, I found it supports fetching an XOAUTH2 token through a client credentials grant using a client secret. It needs several configuration changes in several places on Microsoft Azure to make it work, which is annoying, but eventually it all works in Keycloak 26.2. Google does not support the client credentials grant with a client secret, but requires sending a JWT token. Therefore, it does not work with Keycloak 26.2 yet, as that would need additional functionality and even more configuration options for Keycloak. Please vote on issue to add Google with SMTP and XOAUTH2 to a future Keycloak release. When analyzing the Google APIs, we found that a Google Enterprise account seems to have no possibility of restricting the sender email address. So any email address, even the CEO's email address, could be as a sender with Google and XOAUTH2 authentication, which feels wrong. Looking at the different capabilities of those two cloud providers, it raises the question of how to support scenarios for additional providers: Should Keycloak show provider-specific configuration screens, or would we need to make the UI even more generic and complex? RE-THINKING SENDING MESSAGES TO USERS While implementing XOAUTH2, I learned a lot more details on a modern cloud-provider's perspective handle sending of emails. Another big impulse came from discussions during the Hackathon. Let's break apart what happens when we talk about the current email functionality of Keycloak: * Keycloak is sending a message to an identity. This message could be any format, and building a message could be separated from the actual delivery of that message. * An identity could have all kinds of message handles and email just one of them. Also, the way to send an email in a cloud world might no longer be the Simple Mail Transfer Protocol (SMTP), but an HTTP- and JSON-based API. To me, working with SMTP and XOAUTH2 feels like working on something quite ancient. So what might be other steps for the bright future of Keycloak regarding sending messages to identities? Providers offer HTTP-based messaging APIs to send email without using SMTP. Looking at these and remembering the discussions from the Keycloak DevDay 2025 Hackathon: * Why use email addresses at all? * All kinds of handles could reach an identity. * In some parts of the planet, only mobile phones are used to reach out to somebody. * In development scenarios, even a chat-message to, for example, Slack might be enough. I started a discussion about the . Please join the discussion and let me know what you think.
18 May 2025 12:00am GMT
15 May 2025
JBoss Blogs
WildFly 36.0.1 is released!
WildFly 36.0.1.Final is now available . I am pleased to announce that the WildFly 36.0.1.Final release is now available for download. The following issues were resolved in 36.0.1: BUGS * [] - Jakarta MVC from Wildfly 34 built with Galleon on stability level preview cannot find custom template engines in an EAR * [] - Deploying postgresql-42.7.5.jar causes NPE when upgrading from wildfly 35→36 * [] - Deployment fails due to NullPointerException in ExpirationMetaData.getLastAccessTime() COMPONENT UPGRADES * [] - Upgrade SmallRye Fault Tolerance from 6.9.0 to 6.9.1 * [] - Upgrade Velocity Engine to 2.4.1 * [] - Upgrade wildfly-clustering to 6.0.4.Final * [] - [36.0.1.Final] Upgrade HAL to 3.7.11.Final * [] - Upgrade WildFly Core to 28.0.1.Final TASKS * [] - Correct the release version to 36.0.1.Final-SNAPSHOT in various pom.xml The following issues were also resolved in the version of WildFly Core contained within this release: BUGS * [WFCORE-7210] - Unescaped characters throw a NPE although allowed in settings COMPONENT UPGRADES * [] - Upgrade WildFly Elytron to 2.6.3.Final * [] - Upgrade Elytron Web to 4.1.2.Final * [] - Upgrade WildFly Elytron to 2.6.4.Final Enjoy!
15 May 2025 12:00am GMT
Quarkus 3.22.3 - Maintenance release
We released Quarkus 3.22.3, the second (we skipped 3.22.0) maintenance release for our 3.22 release train. UPDATE To update to Quarkus 3.22, we recommend updating to the latest version of the Quarkus CLI and run: quarkus update Note that quarkus update can update your applications from any version of Quarkus (including 2.x) to Quarkus 3.22. For more information about the adjustments you need to make to your applications, please refer to the . FULL CHANGELOG You can get the full changelog of on GitHub. COME JOIN US We value your feedback a lot so please report bugs, ask for improvements… Let's build something great together! If you are a Quarkus user or just curious, don't be shy and join our welcoming community: * provide feedback on ; * craft some code and ; * discuss with us on and on the ; * ask your questions on .
15 May 2025 12:00am GMT
OpenTalk Keycloak case study published
, a videoconferencing solution, needed a secure and scalable Identity and Access Management (IAM) solution to authenticate users across various services. Keycloak meets OpenTalk's goals for security, user sovereignty, data privacy and regulatory requirements, so they use it in their architecture. Read more on their challenges and the solution in the first ! We are now starting to collect all case studies at . If you want to share your case study with the Keycloak community, to sort out the details.
15 May 2025 12:00am GMT
Eclipse Vert.x 5 released!
15 May 2025 12:00am GMT
14 May 2025
JBoss Blogs
Achieving Fine-Grained Admin Permissions with Keycloak 26.2
For years, Role-Based Access Control (RBAC) has been the cornerstone of authorization in many applications. Assigning users to roles provides a simple and effective way to manage access for common use cases. However, as applications become more complex and security requirements more demanding, RBAC alone often falls short. Keycloak is leveling up administrative access control with the release of Fine Grained Admin Permissions V2 a major step towards introducing delegated administration to Keycloak so that server administrators can assign management privileges to other users in a realm. By doing that, you should be able to reduce management costs and effort, and improve the overall efficiency and security of your deployments by authorizing access to specific resources in a realm. WHY FINE-GRAINED ADMIN PERMISSIONS (FGAP) V2? In previous Keycloak versions, administrative access was largely driven by broad roles such as realm-admin or manage-users. While effective for simple setups, these roles often granted more access than necessary and lacked clarity around which actions they allowed. FGAP V2 introduces a cleaner, more deliberate permission model that enables: * Granular access control over users, clients, groups, and roles * Clear boundaries between operations-no more implicit permissions * Easier management of the permissions and policies * Better evaluation mechanism to allow authorization administrators audit the model ✨ KEY HIGHLIGHTS 🧭 CENTRALIZED PERMISSIONS MANAGEMENT A new Permissions section in the Admin Console provides a single place to view and manage all fine-grained permissions for a realm. This simplifies navigation and makes it easier to design and audit your permission model. 🔍 IMPROVED MANAGEABILITY AND EVALUATION Permissions are now easier to discover, filter, and evaluate. You can inspect which scopes are assigned to which identities-making it more transparent and manageable to build tailored administrative roles. 🎯 RESOURCE-SPECIFIC AND GLOBAL PERMISSIONS Define permissions either at the individual resource level (e.g., a single or set of users or clients), or across all resources of a given type (e.g., all groups). This dual mode offers flexibility for both tightly scoped delegation and broader administrative policies. ✂️ EXPLICIT OPERATION SCOPING Gone are the days of hidden dependencies between permissions. FGAP V2 makes every scope explicit-such as view-members, manage-members, map-roles, or impersonate. This reduces confusion and gives you full visibility into what's granted and why. 🛠️ PER-REALM ENABLEMENT FGAP V2 can be enabled independently for each realm. This allows administrators to adopt the new model incrementally, experiment safely, and customize permission boundaries realm-by-realm. 🔧 HOW TO ENABLE IT 1. Start Keycloak. The feature is enabled by default. 2. Go to Realm Settings → Admin Permissions and enable FGAP for the realm. 3. Use the new Permissions section to define permissions and policies for users, clients, groups, and roles. For full configuration details, refer to the . 🔄 MIGRATION AND COMPATIBILITY FGAP V2 provides the same level of access control over realm resources as the previous version, while improving manageability and clarity. Automatic migration is not available, but if you're upgrading from an earlier Keycloak version, see the for important key changes and migration notes. WHAT'S NEXT? This is just the beginning. Upcoming Keycloak releases will continue to expand FGAP support to additional resource types (such as Organizations) and more fine grained actions for existing resources. -------------------------------------------------------------------------------- Try it out, experiment with permissions and policies and let us know what you think. Fine-Grained Admin Permissions V2 is here to help you run Keycloak with confidence, clarity, and control.
14 May 2025 12:00am GMT
13 May 2025
JBoss Blogs
Quarkus Newsletter #56 - May
Read "AI-Powered Form Wizards: Chat, Click, Done" By Loïc Magnette to discover how Conversational AI Forms transform static forms into dynamic, guided experiences that boost data quality and ease of use. Learn how MCP clients can access Quarkus MCP SSE servers with access tokens in "Getting ready for secure MCP with Quarkus MCP Server" by Sergey Beryozkin. Markus Eisele's "Deploy Java Like a Pro: Your First Quarkus App on OpenShift in Minutes" is a fun, hands-on guide for Java developers to build a REST API with Quarkus, PostgreSQL, and deploy it to OpenShift Developer Sandbox with no Kubernetes expertise required. Check out "Quarkus 3 application on AWS Lambda- Part 1" by Vadym Kazulkin for an introduction to the sample application and first Lambda performance measurements. Take a look back to see the way forward in "Why Standards Matter More Today: From Fear of Lock-In to Foundations for Choice" by Markus Eisele. You will also see the latest Quarkus Insights episodes, top tweets/discussions and upcoming Quarkus attended events. Check out ! Want to get newsletters in your inbox? using the on page form.
13 May 2025 12:00am GMT