crossplane-contrib / provider-keycloak

Apache License 2.0

ProtocolMapper is missing clientScopeIdRef and/or clientScopeIdSelector #89

Closed vladimirblahoz closed 4 months ago

vladimirblahoz commented 4 months ago

ProtocolMapper resource can be quite easily bound to a Client using clientIdRef or clientIdSelector. We are in need of binding protocol mappers to client scopes, and in this case the only way of referencing the client scope is by its Keycloak ID, which is unknown at the time the mappers are created.

I was unfortunately unable to work around this, not even using a composite resource and creating both the clientScope and the protocolMappers in different steps of the same XRD pipeline, or by using function-extra-resources.

Breee commented 4 months ago

v0.19.0 should fix that, please test that: https://marketplace.upbound.io/providers/crossplane-contrib/provider-keycloak/v0.19.0
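For readers landing on this issue, here is an added example (not from the issue thread or the provider's own docs) of the pattern the fix enables: a ProtocolMapper bound to a ClientScope through clientScopeIdRef (or clientScopeIdSelector) instead of a hard-coded Keycloak UUID, and the scope attached to a Client as a default scope. The ClientDefaultScopes group and kind are the ones linked later in this thread; the apiVersion and kind of the ClientScope and ProtocolMapper resources, the forProvider field names (assumed to follow the Terraform provider's argument names), and the realm and client names are assumptions to be checked against the v0.19.0 marketplace docs above.

```yaml
# Added example, not code from the issue or the provider. ASSUMPTIONS:
#   - apiVersion/kind of the ClientScope and ProtocolMapper resources
#   - forProvider field names derived from the Terraform argument names
#     (realm_id -> realmId, client_scope_id -> clientScopeId, ...)
#   - "example-realm" and "example-client" are placeholders managed elsewhere
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1   # assumed
kind: ClientScope                                            # assumed
metadata:
  name: audit-scope
  labels:
    example.org/scope: audit   # label used by the selector variant below
spec:
  forProvider:
    realmId: example-realm     # placeholder
    name: audit
    description: Emits the caller's department claim
    includeInTokenScope: true
---
apiVersion: generic.keycloak.crossplane.io/v1alpha1   # assumed
kind: ProtocolMapper                                    # assumed
metadata:
  name: audit-department-mapper
spec:
  forProvider:
    realmId: example-realm   # placeholder
    # Reference the managed ClientScope by name; the provider resolves the
    # Keycloak UUID once the scope exists, so no ID has to be known up front.
    clientScopeIdRef:
      name: audit-scope
    # Alternative: resolve by label instead of by name.
    # clientScopeIdSelector:
    #   matchLabels:
    #     example.org/scope: audit
    name: department
    protocol: openid-connect
    protocolMapper: oidc-usermodel-attribute-mapper
    config:
      user.attribute: department
      claim.name: department
      jsonType.label: String
      access.token.claim: "true"
      id.token.claim: "false"        # keep the claim out of tokens that do not need it
      userinfo.token.claim: "false"
---
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: ClientDefaultScopes   # group and kind as linked in this thread
metadata:
  name: example-client-default-scopes
spec:
  forProvider:
    realmId: example-realm     # placeholder
    clientId: example-client   # placeholder; a clientIdRef would also work
    defaultScopes:
      - profile
      - email
      - audit
```

Referencing the scope by name or label rather than by UUID matters beyond convenience: the same manifests can be applied to several realms or clusters without the mapper silently attaching to the wrong scope because an ID copied from one environment does not exist, or means something else, in another. Restricting the claim to the access token is the least-exposure default; widen it only for the token types that actually consume it.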

vladimirblahoz commented 4 months ago

Works like a charm. Considering I have spent almost 2 days trying to figure out a workaround and the fix was released in less than 3 hours, that's impressive. 🙇‍♂️

Since I've got you here I don't want to open other issues for what may be only my misunderstanding - I would have a couple of questions:

Thanks a bunch for the fix and for the potential answers

Breee commented 4 months ago

Q: "Is there a way to assign a role directly to a user or can that be achieved only through groups at the moment?" A: There is https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs/resources/user_roles which is currently not in this provider but it would be no problem to add this. (opened an issue #97 to track that)

Q: If I create a ClientScope, can I assign it to a Client anyhow? A: Either we implement https://registry.terraform.io/providers/edflex-tech/keycloak/latest/docs/resources/openid_client_default_scopes and https://registry.terraform.io/providers/edflex-tech/keycloak/latest/docs/resources/saml_client_default_scopes - it does not look like there is a mapper that would allow us to use a ProtocolMapper https://github.com/keycloak/keycloak/tree/cd2451d58b5c6e167415117dc2a72a7f28878588/services/src/main/java/org/keycloak/protocol/oidc/mappers

default scopes are already available:

oidc: https://marketplace.upbound.io/providers/crossplane-contrib/provider-keycloak/v0.20.0/resources/openidclient.keycloak.crossplane.io/ClientDefaultScopes/v1alpha1

saml: https://marketplace.upbound.io/providers/crossplane-contrib/provider-keycloak/v0.20.0/resources/samlclient.keycloak.crossplane.io/ClientDefaultScopes/v1alpha1