ansible-collections / community.general

Ansible Community General Collection
https://galaxy.ansible.com/ui/repo/published/community/general/
GNU General Public License v3.0

keycloak_identity_provider: unusable in its current state #8294

Open schewara opened 2 months ago

schewara commented 2 months ago

Summary

Dear Maintainers

After trying to get the keycloak_identity_provider module to work with a current (Quarkus) Keycloak version, I ran into the following issues, which prevent us from using it in its current state:

  1. defining clientSecret config parameter always results in a changed run
  2. boolean config parameters are being returned as string and also keep changing on every run
  3. there is no way to manually configure not yet supported parameters, as the whole Identity provider is completely re-written and all manual changes in the UI disappear after the task was run.
  4. The Keycloak API version referenced in the docs (15.0) has been End of Life since 2021-12, and the link is also broken.

To keep up with the fast release cycles and the short support periods, maybe one of the following approaches could help to make the module work again with newer versions.

Which could be either

Given that the API docs also don't provide a list of supported config entries, the first option seems, at least to me, the preferable one at the moment, as it would allow greater flexibility on the config management side of things, without having to keep track of temporary UI changes until the collection supports the latest features of a new version.

This would then also solve

as well.

Issue Type

Bug Report

Component Name

keycloak_identity_provider

Ansible Version

$ ansible --version
ansible [core 2.16.6]
  python version = 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0] (~/.local/share/virtualenvs/project-P0UBDDPJ/bin/python)
  jinja version = 3.1.3
  libyaml = True

Community.general Version

$ ansible-galaxy collection list community.general
Collection        Version
----------------- -------
community.general 8.6.0  

Configuration

N/A

OS / Environment

Keycloak 24.0.3

Steps to Reproduce

Setting any of the config parameters below will trigger permanent change:

- name: Setup Identity provider
  community.general.keycloak_identity_provider:
    # connection and identity parameters taken from the module invocation in the results below
    auth_keycloak_url: https://broker.srv.tld
    auth_realm: master
    auth_username: myusername
    auth_password: "<admin password>"   # placeholder, redacted in this report
    realm: met-admin
    alias: mysso
    provider_id: oidc
    state: present
    config:
      clientSecret: "testsecret"
      backchannelSupported: true
      hide_on_login_page: false
      useJwksUrl: true
      validateSignature: true

Expected Results

no changes

Actual Results

changed: [server] => changed=true 
  diff: {}
  end_state:
    addReadTokenRoleOnCreate: false
    alias: alias
    authenticateByDefault: false
    clientSecret: '**********'
    config:
      authorizationUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/auth
      backchannelSupported: 'true'
      clientAuthMethod: client_secret_post
      clientId: client
      clientSecret: '**********'
      defaultScope: openid
      hide_on_login_page: 'false'
      issuer: https://sso.srv.tld/realms/myrealm
      jwksUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/certs
      syncMode: FORCE
      tokenUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/token
      useJwksUrl: 'true'
      userInfoUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/userinfo
      validateSignature: 'true'
    displayName: My SSO
    enabled: true
    internalId: <UUID>
    linkOnly: false
    mappers: []
    providerId: oidc
    storeToken: false
    trustEmail: true
    updateProfileFirstLoginMode: 'on'
  existing:
    addReadTokenRoleOnCreate: false
    alias: mysso
    authenticateByDefault: false
    clientSecret: '**********'
    config:
      authorizationUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/auth
      backchannelSupported: 'true'
      clientAuthMethod: client_secret_post
      clientId: client
      clientSecret: '**********'
      defaultScope: openid
      hide_on_login_page: 'false'
      issuer: https://sso.srv.tld/realms/myrealm
      jwksUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/certs
      syncMode: FORCE
      tokenUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/token
      useJwksUrl: 'true'
      userInfoUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/userinfo
      validateSignature: 'true'
    displayName: My SSO
    enabled: true
    internalId: <UUID>
    linkOnly: false
    mappers: []
    providerId: oidc
    storeToken: false
    trustEmail: true
    updateProfileFirstLoginMode: 'on'
  invocation:
    module_args:
      add_read_token_role_on_create: null
      alias: mysso
      auth_client_id: admin-cli
      auth_client_secret: null
      auth_keycloak_url: https://broker.srv.tld
      auth_password: VALUE_SPECIFIED_IN_NO_LOG_PARAMETER
      auth_realm: master
      auth_username: myusername
      authenticate_by_default: null
      config:
        authorizationUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/auth
        backchannelSupported: true
        clientAuthMethod: client_secret_post
        clientId: client
        clientSecret: secret
        defaultScope: openid
        hide_on_login_page: false
        issuer: https://sso.srv.tld/realms/myrealm
        jwksUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/certs
        syncMode: FORCE
        tokenUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/token
        useJwksUrl: true
        userInfoUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/userinfo
        validateSignature: true
      connection_timeout: 10
      display_name: My SSO
      enabled: null
      first_broker_login_flow_alias: null
      http_agent: Ansible
      link_only: null
      mappers: null
      post_broker_login_flow_alias: null
      provider_id: oidc
      realm: met-admin
      state: present
      store_token: null
      token: null
      trust_email: true
      validate_certs: true
  msg: Identity provider mysso has been updated
  proposed:
    clientSecret: '**********'
    config:
      authorizationUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/auth
      backchannelSupported: true
      clientAuthMethod: client_secret_post
      clientId: client
      clientSecret: secret
      defaultScope: openid
      hide_on_login_page: false
      issuer: https://sso.srv.tld/realms/myrealm
      jwksUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/certs
      syncMode: FORCE
      tokenUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/token
      useJwksUrl: true
      userInfoUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/userinfo
      validateSignature: true

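The "existing" and "proposed" blocks above show why the module reports a change on every run: Keycloak stores the identity provider config map as string-to-string, so booleans sent as true come back as 'true', and the admin API returns '**********' in place of the stored clientSecret, so a raw comparison of the two dicts can never be equal. The following is an added example (not code from community.general or Keycloak) that reproduces the misfiring comparison on constructed data modelled on the report's output, and shows a normalised comparison and a merge-style update payload that addresses items 1 to 3 of the issue. The function names and the rotate_secret flag are invented for illustration.

```python
# Added example (not code from community.general or Keycloak): why the
# keycloak_identity_provider comparison reported a change on every run, and
# what a normalised comparison looks like.  Keycloak stores the identity
# provider "config" map as string -> string, so booleans come back as 'true'
# and 'false', and the admin API masks secret values as '**********'.
# Function names and the rotate_secret flag are invented for illustration.

MASK = "**********"          # what Keycloak returns in place of a stored secret
SECRET_KEYS = frozenset({"clientSecret"})

# Constructed sample data, modelled on the "existing"/"proposed" output in the
# bug report: the desired config uses YAML booleans, the stored one uses strings.
DESIRED = {
    "clientId": "client",
    "clientSecret": "secret",
    "backchannelSupported": True,
    "hide_on_login_page": False,
    "useJwksUrl": True,
    "validateSignature": True,
    "syncMode": "FORCE",
}
EXISTING = {
    "clientId": "client",
    "clientSecret": MASK,
    "backchannelSupported": "true",
    "hide_on_login_page": "false",
    "useJwksUrl": "true",
    "validateSignature": "true",
    "syncMode": "FORCE",
    # a key set by hand in the admin console and not managed by the playbook
    "loginHint": "true",
}


def naive_changed_keys(desired, existing):
    """The comparison that misfires: compare raw values key by key."""
    return {k for k, v in desired.items() if existing.get(k) != v}


def to_keycloak_string(value):
    """Render a Python value the way Keycloak stores it in the config map."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def normalize_config(config):
    """Stringify every value so it compares equal to what Keycloak returns."""
    return {k: to_keycloak_string(v) for k, v in config.items()}


def changed_keys(desired, existing, rotate_secret=False):
    """Keys whose stored value actually differs from the desired one.

    A masked secret cannot be compared, so it counts as unchanged unless the
    caller explicitly asks to rotate it.
    """
    changed = set()
    for key, value in normalize_config(desired).items():
        current = existing.get(key)
        if key in SECRET_KEYS and current == MASK:
            if rotate_secret:
                changed.add(key)
            continue
        if current != value:
            changed.add(key)
    return changed


def build_update_payload(desired, existing, rotate_secret=False):
    """Merge instead of overwrite.

    Keeps keys the playbook does not manage (item 3 of the issue), never echoes
    the mask back to the server, and only resends a secret that is already set
    on the server when a rotation is requested.
    """
    payload = {k: v for k, v in existing.items() if v != MASK}
    for key, value in normalize_config(desired).items():
        if key in SECRET_KEYS and existing.get(key) == MASK and not rotate_secret:
            continue
        payload[key] = value
    return payload


if __name__ == "__main__":
    print("naive comparison flags:", sorted(naive_changed_keys(DESIRED, EXISTING)))
    print("normalised comparison flags:", sorted(changed_keys(DESIRED, EXISTING)))
    print("merged payload:", build_update_payload(DESIRED, EXISTING))
```

The trade-off in changed_keys is deliberate: because the server never returns the real secret, idempotency can only be had by treating the masked value as unchanged, so a secret rotation needs an explicit opt-in rather than being inferred from the diff. Note also that the report's own "proposed" and "invocation" output prints config.clientSecret in clear text while the top-level clientSecret is masked, so a module fix should mask the nested key in its return values as well.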

ansibullbot commented 2 months ago

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.

click here for bot help

ansibullbot commented 2 months ago

cc @eikef @laurpaum @mattock @ndclt click here for bot help