I have prepared this exception request at the request of the Keycloak maintainers.
The Keycloak Project needs license exceptions for a number of Java libraries included as build-time dependencies of Keycloak. These are not licenses that are on the CNCF Allowlist nor libraries on the existing License Exceptions list.
As is common with Java libraries, most of them are multi-licensed; for example, available under the EDL 1.0, the EPL 2.0, or the GPL. None of the licenses below prevent the Keycloak project's own code from being Apache 2.0 licensed, but they are present in the container images and Java packages shipped by the project.
Based on the choice of license while multilicensing, here are the licenses on libraries that we are asking for exceptions for in order to ship them in images/packages:
In a few cases, it would be possible for the project to omit specific libraries from the shipped packages. In most cases, though, that's not practical and would amount to forcing all users to build from source.
The Angus Mail project is a compatible implementation of the Jakarta Mail Specification providing a platform-independent and protocol-independent framework to build mail and messaging applications. That is used for purposes like sending verification emails, password reset links, and other notifications related to user account management.
Hibernate is an object-relational mapping (ORM) tool that Keycloak uses to interact with relational databases via Java Persistence API (JPA). It is an important part of the Keycloak persistence layer that lets you define the schema of the database, manage entities, and handle transactions in a JPA-compliant way. Hibernate is also part of Keycloak's migration strategies, which determine how database schema changes are managed during the deployment of new versions of Keycloak.
The Jakarta Mail API (formerly known as JavaMail) provides a set of abstract classes and interfaces that define how email functionality should be implemented in Java. That is used for purposes like sending verification emails, password reset links, and other notifications related to user account management.
JAX-RS is a key component used in Keycloak to build its main features. These features include controlling who can access different parts of an app and managing user identities. JAX-RS helps Keycloak set up web services that handle things like checking if a user is allowed to log in, giving permissions, and handling various security tasks.
Jakarta Servlet, formerly known as Java Servlet, is a fundamental component of the Jakarta EE platform used for building web applications. It is a key component in Authorization services, both OIDC (OpenID Connect) and SAML (Security Assertion Markup Language) adapters. Added to that, it is part of quarkus-micrometer for collecting metrics.
Jakarta SOAP is centered around integrating different web service technologies for secure authentication and authorization. Its usage comes into play for scenarios with legacy systems or specific enterprise scenarios.
Jakarta Transaction plays an essential role in managing transactions, particularly in scenarios involving database operations and user session management on Keycloak.
The javax.annotation API in Java is a collection of annotations (metadata) used for adding additional information to Java code. Annotations can replace complex configuration code, making the codebase cleaner and more readable. In the context of Keycloak, it is used in the REST endpoints, persistence layer, code documentation and validation.
The mariadb-java-client is a JDBC driver that enables Java applications to connect to MariaDB databases. This JDBC driver comes bundled with the Keycloak distribution to eliminate the need for manual processes such as downloading and placing the driver manually. This is part of the Keycloak design to streamline the user experience and ensure that setting up Keycloak with a MariaDB database is as seamless and trouble-free as possible.
The `mysql-connector-java` is a Java database connectivity (JDBC) driver that links Java applications to MySQL databases. In Keycloak, this driver is essential for connecting the Keycloak server to a MySQL database to manage user identities and access permissions. This JDBC driver comes bundled with the Keycloak distribution to eliminate the need for manual processes such as downloading and placing the driver manually. This is part of the Keycloak design to streamline the user experience and ensure that setting up Keycloak with a MySQL database is as seamless and trouble-free as possible.
Nashorn is used for integrating JavaScript execution capabilities within a Java application. In the context of Keycloak it is included to support the usage of JavaScript providers.
Backport of JSR 166 is a project that makes the java.util.concurrent API, initially introduced in Java 5.0 and refined in Java 6.0, available to older Java versions. Currently it is used by the testsuite and our distribution.
Keycloak uses X.509 certificates for SSL/TLS communication and for securing tokens. The Bouncy Castle ASN.1 APIs provide the necessary functionality to parse, validate, and generate X.509 certificates, which are crucial for establishing secure channels and for the cryptographic signing of tokens.
Bouncy Castle offers a FIPS-compliant cryptographic provider for Java applications, ensuring cryptographic operations conform to FIPS 140 standards. This provider is essential for configuring Keycloak in FIPS-compliant environments, handling cryptographic operations in a manner that adheres to FIPS 140 requirements.
Graal SDK is a transitive dependency coming from quarkus-core-deployment, a key component of Quarkus. This module plays a crucial role during the build process, ensuring that applications are optimized for performance and ready for deployment in cloud environments. The GraalVM SDK is essential for producing native executables. It offers AOT (Ahead-of-Time) compilation, which converts Java bytecode into native code, resulting in applications with smaller footprints and faster startup times.
Used by Infinispan Hot Rod Server Jakarta EE and quarkus-micrometer. In the context of Infinispan, HdrHistogram is used for monitoring, analyzing, and optimizing the performance and scalability of the data store. In quarkus-micrometer, it plays a crucial role in enabling high-precision performance monitoring and analysis, essential for optimizing the performance and reliability of microservices and cloud-native applications. The HdrHistogram repository is licensed under CC0-1.0, as indicated by the COPYING.txt file present in the repository. https://github.com/HdrHistogram/HdrHistogram
Transitive dependency required by infinispan-server-hotrod-jakarta, this is an Infinispan component tailored to work within the Jakarta EE environment. In the context of Keycloak, its usage is required for caching and session storage in clustered environments, ensuring high availability of services. This setup is necessary for deployments demanding high performance and fault tolerance.
Transitive dependency part of Keycloak SAML module. Keycloak supports SAML 2.0, providing capabilities for single sign-on (SSO) with SAML identity providers. This allows integration with various external identity providers, offering secure authentication and authorization services.
Transitive dependency coming from quarkus-vertx-http-dev-ui-resources, a component necessary for proper execution of IDELauncher used by developers. If necessary, it should be possible to remove.
Please put this request ON HOLD for the time being; we've had some discussion with the license committee and the request needs updating before it can be voted on.
Note that EDL 1.0 is just an Eclipse-branded license that matches SPDX BSD-3-Clause and therefore it should be treated equivalently to that license (including for purposes of the allowlist policy).
Based on the choice of license while multilicensing, here are the licenses on libraries that we are asking for exceptions for in order to ship them in images/packages:
EDL 1.0
EPL 2.0
CDDL 1.1
LGPL 2.1
LGPL 3.0
GPL2-with-classpath-exception
GPL2-with-FOSS-exception
BSD-2-Clause
BSD-3-Clause
MIT
UPL 1.0
We've listed the individual libraries below.
@abstractj