ansible-collections / community.general

Ansible Community General Collection
https://galaxy.ansible.com/ui/repo/published/community/general/
GNU General Public License v3.0

community.general.keycloak_client default_role adding doesn't work #7972

Open hillout opened 6 months ago

hillout commented 6 months ago

Summary

Using an Ansible task, I am trying to create a Keycloak client with some predefined client roles. The client is created, but there are no roles in it.

Issue Type

Bug Report

Component Name

plugins/modules/keycloak_client.py

Ansible Version

$ ansible --version

ansible [core 2.15.1]
  config file = None
  configured module search path = ['/home/yser/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

Community.general Version

$ ansible-galaxy collection list community.general

community.general

# /home/user/.ansible/collections/ansible_collections
Collection        Version
----------------- -------
community.general 8.1.0  

# /usr/lib/python3/dist-packages/ansible_collections
Collection        Version
----------------- -------
community.general 1.3.6  

Configuration

$ ansible-config dump --only-changed
CONFIG_FILE() = None

OS / Environment

Ubuntu 22.04 LTS, Keycloak 23.0.3

Steps to Reproduce

---
- hosts: localhost
  connection: local 

  vars:
    password:  password

  tasks:
    - name: Add a new business client to test realm
      community.general.keycloak_client:
        auth_keycloak_url: https://keycloak.domain.org
        auth_realm: test
        auth_username: supervisor
        auth_password: "{{ password }}"
        client_id: test-ansible-add-client
        realm: test
        name: this_is_a_test
        description: Name of the Client
        root_url: https://www.example.com/
        admin_url: https://www.example.com/admin_url
        base_url: https://www.example.com/
        enabled: true
        redirect_uris:
          - https://www.example.com/*
          - http://localhost:8888/
        web_origins:
          - https://www.example.com/* 
        standard_flow_enabled: true
        bearer_only: false
        consent_required: false
        direct_access_grants_enabled: false
        service_accounts_enabled: false
        authorization_services_enabled: false
        public_client: true
        frontchannel_logout: true   
        protocol: openid-connect
        full_scope_allowed: false
        always_display_in_console: false
        default_roles:
          - role_1
          - role_2
        protocol_mappers:
          - config:
                consentRequired: false        
                access.token.claim: true
                id.token.claim: false
                userinfo.token.claim: true
                introspection.token.claim: false                     
                claim.name: personal_id
                jsonType.label: String
                user.attribute: personal_id
            name: client-name-environment-personal-id-mapper
            protocol: openid-connect
            protocolMapper: oidc-usermodel-attribute-mapper
        state: present            
      delegate_to: localhost

Where the roles are added as:

...
        default_roles:
          - role_1
          - role_2

Expected Results

Client test-ansible-add-client is created with the roles in it.

Actual Results

Client test-ansible-add-client is created with no roles in it, but the mapper is there.

changed: [localhost] => {
    "changed": true,
    "diff": {},
    "end_state": {
        "access": {
            "configure": true,
            "manage": true,
            "view": true
        },
        "adminUrl": "https://www.example.com/admin_url",
        "alwaysDisplayInConsole": false,
        "attributes": [
            "backchannel.logout.revoke.offline.tokens",
            "backchannel.logout.session.required"
        ],
        "authenticationFlowBindingOverrides": {},
        "baseUrl": "https://www.example.com/",
        "bearerOnly": false,
        "clientAuthenticatorType": "client-secret",
        "clientId": "test-ansible-add-client",
        "consentRequired": false,
        "defaultClientScopes": [
            "web-origins",
            "acr",
            "profile",
            "email"
        ],
        "description": "Name of the Client",
        "directAccessGrantsEnabled": false,
        "enabled": true,
        "frontchannelLogout": true,
        "fullScopeAllowed": false,
        "id": "735de845-209c-4a71-af61-2839a1f8f93d",
        "implicitFlowEnabled": false,
        "name": "this_is_a_test",
        "nodeReRegistrationTimeout": -1,
        "notBefore": 0,
        "optionalClientScopes": [
            "address",
            "phone",
            "offline_access",
            "roles",
            "microprofile-jwt"
        ],
        "protocol": "openid-connect",
        "protocolMappers": [
            {
                "config": {
                    "access.token.claim": "true",
                    "claim.name": "personal_id",
                    "consentRequired": "false",
                    "id.token.claim": "false",
                    "introspection.token.claim": "false",
                    "jsonType.label": "String",
                    "user.attribute": "personal_id",
                    "userinfo.token.claim": "true"
                },
                "consentRequired": false,
                "id": "45eaddf6-db22-4fb7-b874-56a31a4f7251",
                "name": "client-name-environment-personal-id-mapper",
                "protocol": "openid-connect",
                "protocolMapper": "oidc-usermodel-attribute-mapper"
            }
        ],
        "publicClient": true,
        "redirectUris": [
            "http://localhost:8888/",
            "https://www.example.com/*"
        ],
        "rootUrl": "https://www.example.com/",
        "serviceAccountsEnabled": false,
        "standardFlowEnabled": true,
        "surrogateAuthRequired": false,
        "webOrigins": [
            "https://www.example.com/*"
        ]
    },
    "existing": {},
    "invocation": {
        "module_args": {
            "admin_url": "https://www.example.com/admin_url",
            "always_display_in_console": false,
            "attributes": null,
            "auth_client_id": "admin-cli",
            "auth_client_secret": null,
            "auth_keycloak_url": "https://keycloak.domain.org",
            "auth_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "auth_realm": "test",
            "auth_username": "supervisor",
            "authentication_flow_binding_overrides": null,
            "authorization_services_enabled": false,
            "authorization_settings": null,
            "base_url": "https://www.example.com/",
            "bearer_only": false,
            "client_authenticator_type": null,
            "client_id": "test-ansible-add-client",
            "client_template": null,
            "connection_timeout": 10,
            "consent_required": false,
            "default_client_scopes": null,
            "default_roles": [
                "role_1",
                "role_2"
            ],
            "description": "Name of the Client",
            "direct_access_grants_enabled": false,
            "enabled": true,
            "frontchannel_logout": true,
            "full_scope_allowed": false,
            "http_agent": "Ansible",
            "id": null,
            "implicit_flow_enabled": null,
            "name": "this_is_a_test",
            "node_re_registration_timeout": null,
            "not_before": null,
            "optional_client_scopes": null,
            "protocol": "openid-connect",
            "protocol_mappers": [
                {
                    "config": {
                        "access.token.claim": true,
                        "claim.name": "personal_id",
                        "consentRequired": false,
                        "id.token.claim": false,
                        "introspection.token.claim": false,
                        "jsonType.label": "String",
                        "user.attribute": "personal_id",
                        "userinfo.token.claim": true
                    },
                    "consentRequired": null,
                    "consentText": null,
                    "id": null,
                    "name": "client-name-environment-personal-id-mapper",
                    "protocol": "openid-connect",
                    "protocolMapper": "oidc-usermodel-attribute-mapper"
                }
            ],
            "public_client": true,
            "realm": "test",
            "redirect_uris": [
                "https://www.example.com/*",
                "http://localhost:8888/"
            ],
            "registered_nodes": null,
            "registration_access_token": null,
            "root_url": "https://www.example.com/",
            "secret": null,
            "service_accounts_enabled": false,
            "standard_flow_enabled": true,
            "state": "present",
            "surrogate_auth_required": null,
            "token": null,
            "use_template_config": null,
            "use_template_mappers": null,
            "use_template_scope": null,
            "validate_certs": true,
            "web_origins": [
                "https://www.example.com/*"
            ]
        }
    },
    "msg": "Client test-ansible-add-client has been created.",
    "proposed": {
        "adminUrl": "https://www.example.com/admin_url",
        "alwaysDisplayInConsole": false,
        "authorizationServicesEnabled": false,
        "baseUrl": "https://www.example.com/",
        "bearerOnly": false,
        "clientId": "test-ansible-add-client",
        "consentRequired": false,
        "defaultRoles": [
            "role_1",
            "role_2"
        ],
        "description": "Name of the Client",
        "directAccessGrantsEnabled": false,
        "enabled": true,
        "frontchannelLogout": true,
        "fullScopeAllowed": false,
        "name": "this_is_a_test",
        "protocol": "openid-connect",
        "protocolMappers": [
            {
                "config": {
                    "access.token.claim": true,
                    "claim.name": "personal_id",
                    "consentRequired": false,
                    "id.token.claim": false,
                    "introspection.token.claim": false,
                    "jsonType.label": "String",
                    "user.attribute": "personal_id",
                    "userinfo.token.claim": true
                },
                "consentRequired": false,
                "name": "client-name-environment-personal-id-mapper",
                "protocol": "openid-connect",
                "protocolMapper": "oidc-usermodel-attribute-mapper"
            }
        ],
        "publicClient": true,
        "redirectUris": [
            "http://localhost:8888/",
            "https://www.example.com/*"
        ],
        "rootUrl": "https://www.example.com/",
        "serviceAccountsEnabled": false,
        "standardFlowEnabled": true,
        "webOrigins": [
            "https://www.example.com/*"
        ]
    }
}

Code of Conduct
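An added example, not part of the original report and not the collection's own documentation: after the keycloak_client task from the report has run, it creates the two client roles explicitly with community.general.keycloak_role and then checks through the Keycloak admin REST API that the roles really exist on the client, failing the play if any are missing. The Keycloak URL, realm, admin user and password variable are taken from the report; the task names, the `expected_roles` variable and the use of the admin-cli password grant for the check are assumptions.

```yaml
---
# Added example (assumed names: expected_roles, keycloak_url, token_response,
# client_lookup, client_roles). Run after the keycloak_client task from the report.
- hosts: localhost
  connection: local

  vars:
    password: password
    keycloak_url: https://keycloak.domain.org
    auth_realm: test
    realm: test
    client_id: test-ansible-add-client
    expected_roles:
      - role_1
      - role_2

  tasks:
    - name: Create the client roles explicitly instead of relying on default_roles
      community.general.keycloak_role:
        auth_keycloak_url: "{{ keycloak_url }}"
        auth_realm: "{{ auth_realm }}"
        auth_username: supervisor
        auth_password: "{{ password }}"
        realm: "{{ realm }}"
        client_id: "{{ client_id }}"
        name: "{{ item }}"
        state: present
      loop: "{{ expected_roles }}"

    # Verification against the admin API: the module reported changed=true even
    # though the requested roles were absent, so check the server state directly.
    - name: Obtain an admin access token (password grant against admin-cli)
      ansible.builtin.uri:
        url: "{{ keycloak_url }}/realms/{{ auth_realm }}/protocol/openid-connect/token"
        method: POST
        body_format: form-urlencoded
        body:
          grant_type: password
          client_id: admin-cli
          username: supervisor
          password: "{{ password }}"
        return_content: true
      register: token_response
      no_log: true   # response carries the bearer token; keep it out of the log

    - name: Look up the client's internal id by clientId
      ansible.builtin.uri:
        url: "{{ keycloak_url }}/admin/realms/{{ realm }}/clients?clientId={{ client_id }}"
        headers:
          Authorization: "Bearer {{ token_response.json.access_token }}"
        return_content: true
      register: client_lookup
      no_log: true   # the Authorization header would otherwise be logged

    - name: Fail if the client does not exist exactly once
      ansible.builtin.assert:
        that:
          - client_lookup.json | length == 1
        fail_msg: "Expected one client with clientId {{ client_id }}, got {{ client_lookup.json | length }}"

    - name: Fetch the roles defined on the client
      ansible.builtin.uri:
        url: "{{ keycloak_url }}/admin/realms/{{ realm }}/clients/{{ client_lookup.json[0].id }}/roles"
        headers:
          Authorization: "Bearer {{ token_response.json.access_token }}"
        return_content: true
      register: client_roles
      no_log: true

    - name: Fail the play if any expected client role is missing
      ansible.builtin.assert:
        that:
          - (expected_roles | difference(client_roles.json | map(attribute='name') | list)) | length == 0
        fail_msg: "Missing client roles: {{ expected_roles | difference(client_roles.json | map(attribute='name') | list) }}"
        success_msg: "All expected client roles are present on {{ client_id }}"
```

The assert at the end is the part worth keeping in any playbook that manages Keycloak clients: a `changed: true` result from the module only says the client representation was sent, not that every field in it took effect, so desired and actual role sets should be compared against what the admin API returns.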

ansibullbot commented 6 months ago

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.


ansibullbot commented 6 months ago

cc @eikef @mattock @ndclt

ansibullbot commented 1 month ago

cc @thomasbach-dev