
[License Exception Request] [KeyCloak] [Multiple Licenses] #749

Open
jberkus opened this issue Mar 22, 2024 · 2 comments
jberkus commented Mar 22, 2024

I have prepared this exception request at the request of the Keycloak maintainers.

The Keycloak Project needs license exceptions for a number of Java libraries included as build-time dependencies of Keycloak. These are not licenses that are on the CNCF Allowlist nor libraries on the existing License Exceptions list.

As is common with Java libraries, most of them are multi-licensed; for example, available under the EDL 1.0, the EPL 2.0, or the GPL. None of the licenses below prevent the Keycloak project's own code from being Apache 2.0 licensed, but they are present in the container images and Java packages shipped by the project.

Based on the choice of license while multi-licensing, here are the licenses on libraries that we are asking for exceptions for in order to ship them in images/packages:

EDL 1.0
EPL 2.0
CDDL 1.1
LGPL 2.1
LGPL 3.0
GPL2-with-classpath-exception
GPL2-with-FOSS-exception
BSD-2-Clause
BSD-3-Clause
MIT
UPL 1.0

In a few cases, it would be possible for the project to omit specific libraries from the shipped packages. In most cases, though, that's not practical and would amount to forcing all users to build from source.

We've listed the individual libraries below.

Direct Dependencies

| Title | License | Notes |
|---|---|---|
| Angus Mail Provider | EPL v2.0, GPL v2 with Classpath Exception, and EDL v1.0 | Angus Mail project is a compatible implementation of the Jakarta Mail Specification providing a platform-independent and protocol-independent framework to build mail and messaging applications. That is used for purposes like sending verification emails, password reset links, and other notifications related to user account management. |
| Hibernate ORM - hibernate-core | LGPL 2.1 | Hibernate is an object-relational mapping (ORM) tool that Keycloak uses to interact with relational databases via Java Persistence API (JPA). It is an important part of the Keycloak persistence layer that lets you define the schema of the database, manage entities, and handle transactions in a JPA-compliant way. Hibernate is also part of Keycloak's migration strategies, which determine how database schema changes are managed during the deployment of new versions of Keycloak. |
| Jakarta Mail API | EDL 1.0, EPL 2.0, GPL | The Jakarta Mail API (formerly known as JavaMail) provides a set of abstract classes and interfaces that define how email functionality should be implemented in Java. That is used for purposes like sending verification emails, password reset links, and other notifications related to user account management. |
| Jakarta Persistence API | EDL 1.0, EPL 2.0 | Jakarta Persistence API (formerly known as Java Persistence API or JPA) is used by Hibernate. |
| Jakarta RESTful WS API | EPL 2.0, GPL 2.0 | JAX-RS is a key component used in Keycloak to build its main features. These features include controlling who can access different parts of an app and managing user identities. JAX-RS helps Keycloak set up web services that handle things like checking if a user is allowed to log in, giving permissions, and handling various security tasks. |
| Jakarta Servlet | EPL 2.0, GPL | Jakarta Servlet, formerly known as Java Servlet, is a fundamental component of the Jakarta EE platform used for building web applications. It is a key component in Authorization services, both OIDC (OpenID Connect) and SAML (Security Assertion Markup Language) adapters. Added to that, it is part of quarkus-micrometer for collecting metrics. |
| Jakarta SOAP with Attachments API | EDL 1.0 | Jakarta SOAP is centered around integrating different web service technologies for secure authentication and authorization. Its usage comes into play for scenarios with legacy systems or specific enterprise scenarios. |
| jakarta.transaction API | EPL 2.0 and GPL | Jakarta Transaction plays an essential role in managing transactions, particularly in scenarios involving database operations and user session management on Keycloak. |
| javax.annotation API | CDDL-1.1, GPL 2.0 | The javax.annotation API in Java is a collection of annotations (metadata) used for adding additional information to Java code. Annotations can replace complex configuration code, making the codebase cleaner and more readable. In the context of Keycloak it is used in the REST endpoints, persistence layer, code documentation and validation. |
| jaxb-api | CDDL-1.1 | Used by the admin-client. |
| mariadb-java-client | LGPL 2.1 | The mariadb-java-client is a JDBC driver that enables Java applications to connect to MariaDB databases. This JDBC driver comes bundled with the Keycloak distribution to eliminate the need for manual processes such as downloading and placing the driver manually. This is part of the Keycloak design to streamline the user experience and ensure that setting up Keycloak with a MariaDB database is as seamless and trouble-free as possible. |
| mysql-connector-java | The GNU General Public License, v2 with Universal FOSS Exception, v1.0 | The `mysql-connector-java` is a Java database connectivity (JDBC) driver that links Java applications to MySQL databases. In Keycloak, this driver is essential for connecting the Keycloak server to a MySQL database to manage user identities and access permissions. This JDBC driver comes bundled with the Keycloak distribution to eliminate the need for manual processes such as downloading and placing the driver manually. This is part of the Keycloak design to streamline the user experience and ensure that setting up Keycloak with a MySQL database is as seamless and trouble-free as possible. |
| OpenJDK Nashorn | GPL v2 with the Classpath exception | Nashorn is used for integrating JavaScript execution capabilities within a Java application. In the context of Keycloak it is included to support the usage of JavaScript providers. |
Transitive Dependencies

| Title | License(s) | Notes |
|---|---|---|
| Backport of JSR 166 | GPLv2+CPE | Backport of JSR 166 is a project that makes the java.util.concurrent API, initially introduced in Java 5.0 and refined in Java 6.0, available to older Java versions. Currently it is used by the testsuite and our distribution. |
| Bouncy Castle ASN.1 Extension and Utility APIs | MIT | Keycloak uses X.509 certificates for SSL/TLS communication and for securing tokens. The Bouncy Castle ASN.1 APIs provide the necessary functionality to parse, validate, and generate X.509 certificates, which are crucial for establishing secure channels and for the cryptographic signing of tokens. |
| Bouncy Castle Provider | MIT | Bouncy Castle offers a FIPS-compliant cryptographic provider for Java applications, ensuring cryptographic operations conform to FIPS 140 standards. This provider is essential for configuring Keycloak in FIPS-compliant environments, handling cryptographic operations in a manner that adheres to FIPS 140 requirements. |
| btf | LGPL-3.0 or later; Apache-2.0 | Transitive dependency coming from resteasy-jackson2-provider. |
| Graal SDK | UPL 1.0 | Graal SDK is a transitive dependency coming from quarkus-core-deployment, a key component of Quarkus. This module plays a crucial role during the build process, ensuring that applications are optimized for performance and ready for deployment in cloud environments. The GraalVM SDK is essential for producing native executables. It offers AOT (Ahead-of-Time) compilation, which converts Java bytecode into native code, resulting in applications with smaller footprints and faster startup times. |
| HdrHistogram | BSD-2-Clause OR CC0-1.0 | Used by Infinispan Hot Rod Server Jakarta EE and quarkus-micrometer. In the context of Infinispan, HdrHistogram is used for monitoring, analyzing, and optimizing the performance and scalability of the data store. In quarkus-micrometer it plays a crucial role in enabling high-precision performance monitoring and analysis, essential for optimizing the performance and reliability of microservices and cloud-native applications. The HdrHistogram repository is licensed under CC0-1.0, as indicated by the COPYING.txt file present in the repository. https://github.com/HdrHistogram/HdrHistogram |
| Hibernate Commons Annotations | LGPL | Hibernate is an object-relational mapping (ORM) tool that Keycloak uses to interact with relational databases via Java Persistence API (JPA). It is an important part of the Keycloak persistence layer that lets you define the schema of the database, manage entities, and handle transactions in a JPA-compliant way. Hibernate is also part of Keycloak's migration strategies, which determine how database schema changes are managed during the deployment of new versions of Keycloak. |
| Hibernate ORM - hibernate-graalvm | LGPL 2.1 | Hibernate is an object-relational mapping (ORM) tool that Keycloak uses to interact with relational databases via Java Persistence API (JPA). It is an important part of the Keycloak persistence layer that lets you define the schema of the database, manage entities, and handle transactions in a JPA-compliant way. Hibernate is also part of Keycloak's migration strategies, which determine how database schema changes are managed during the deployment of new versions of Keycloak. |
| Jakarta Annotations API | EPL-2.0; GPL-2.0-with-classpath-exception | |
| Jakarta Authentication | EPL-2.0; GPL-2.0-with-classpath-exception | |
| Jakarta Authorization | EPL-2.0; GPL-2.0-with-classpath-exception | |
| Jakarta Bean Validation API | Apache 2.0; optionally EPL-2.0 and Javadoc | |
| Jakarta Enterprise Beans API | EPL-2.0; GPL-2.0-with-classpath-exception | |
| Jakarta Expression Language API | EPL-2.0; GPL-2.0-with-classpath-exception | |
| Jakarta Interceptors | EPL-2.0; GPL-2.0-with-classpath-exception | |
| Jakarta JSON Processing API | EPL-2.0; GPL-2.0-with-classpath-exception | |
| Jakarta Mail API | EPL-2.0; GPL-2.0-with-classpath-exception | |
| jakarta.resource-api | EPL-2.0; GPL-2.0-with-classpath-exception | |
| JBoss Jakarta Annotations API | EPL-2.0; GPL-2.0-with-classpath-exception | Used by wildfly-web-common, spring-boot-starter-web, spring-boot-starter-thymeleaf, resteasy-multipart-provider, resteasy-core, resteasy-client. |
| jts-core | BSD-3-Clause; EPL-1.0 | |
| LatencyUtils | CC0-1.0; BSD-2-Clause | Transitive dependency required by infinispan-server-hotrod-jakarta; this is an Infinispan component tailored to work within the Jakarta EE environment. In the context of Keycloak, its usage is required for caching and session storage in clustered environments, ensuring high availability of services. This setup is necessary for deployments demanding high performance and fault tolerance. |
| lit-element-state | LGPL-3.0 | Transitive dependency coming from quarkus-vertx-http-dev-ui-resources, a component necessary for proper execution of IDELauncher used by developers. If necessary, it should be possible to remove. |
| Streaming API for XML (StAX) | BSD 2-Clause | Transitive dependency, part of the Keycloak SAML module. Keycloak supports SAML 2.0, providing capabilities for single sign-on (SSO) with SAML identity providers. This allows integration with various external identity providers, offering secure authentication and authorization services. |
| tslib | 0BSD based on the GitHub repository; Apache-2.0 based on NPM | Transitive dependency coming from quarkus-vertx-http-dev-ui-resources, a component necessary for proper execution of IDELauncher used by developers. If necessary, it should be possible to remove. |

jberkus commented Apr 4, 2024

Please put this request ON HOLD for the time being; we've had some discussion with the license committee and the request needs updating before it can be voted on.

@richardfontana

> EDL 1.0

Note that EDL 1.0 is just an Eclipse-branded license that matches SPDX BSD-3-Clause and therefore it should be treated equivalently to that license (including for purposes of the allowlist policy).

@amye amye removed their assignment May 29, 2024