keycloak / terraform-provider-keycloak

Terraform provider for Keycloak
https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs
Apache License 2.0

Authentication Flow / Subflow / Executions priorities #973

Open Writtscher opened 5 months ago

Writtscher commented 5 months ago

Hi. I am trying to create a custom authentication flow. This is my terraform file:

# Top-level authentication flow for the realm. The executions and the subflow
# declared further down attach to it through its alias.
resource "keycloak_authentication_flow" "vpp_authentication_flow" {
  realm_id = keycloak_realm.vpp.id
  alias    = "vpp browser"
}

# Binds "vpp browser" as the realm's browser flow, so browser logins for the
# realm run through the custom flow.
# NOTE(review): this resource references only the flow, not the executions or
# the subflow inside it, so Terraform is free to apply the binding before the
# flow is populated. Consider listing them in depends_on so the realm is never
# bound to a partially built flow; confirm against the provider docs.
resource "keycloak_authentication_bindings" "vpp_vpp_authentication_flow_authentication_binding" {
  realm_id     = keycloak_realm.vpp.id
  browser_flow = keycloak_authentication_flow.vpp_authentication_flow.alias
}

# First intended step of the top-level flow: the "auth-cookie" authenticator,
# declared ALTERNATIVE.
resource "keycloak_authentication_execution" "vpp_authentication_flow_cookie_authentication_execution" {
  realm_id          = keycloak_realm.vpp.id
  parent_flow_alias = keycloak_authentication_flow.vpp_authentication_flow.alias
  authenticator     = "auth-cookie"
  requirement       = "ALTERNATIVE"
  # An empty depends_on is a no-op: nothing is forced to be created before
  # this execution.
  depends_on = []
}

# Second intended step of the top-level flow: the
# "identity-provider-redirector" authenticator, declared ALTERNATIVE.
resource "keycloak_authentication_execution" "vpp_authentication_flow_identity_provider_redirector_authentication_execution" {
  realm_id          = keycloak_realm.vpp.id
  parent_flow_alias = keycloak_authentication_flow.vpp_authentication_flow.alias
  authenticator     = "identity-provider-redirector"
  requirement       = "ALTERNATIVE"
  # depends_on only makes Terraform create this execution after the cookie
  # execution. It does not set the priority stored in Keycloak; the exported
  # flow later on this page shows both executions with priority 2.
  depends_on = [
    keycloak_authentication_execution.vpp_authentication_flow_cookie_authentication_execution
  ]
}

# Third intended step of the top-level flow: the "browser forms" subflow that
# holds the interactive login steps, declared ALTERNATIVE.
# NOTE(review): all three top-level entries are ALTERNATIVE, so the order in
# which Keycloak evaluates them decides which one handles a login. Check the
# effective order after every apply (admin console or a realm export) rather
# than relying on the creation order requested here.
resource "keycloak_authentication_subflow" "vpp_browser_authentication_subflow" {
  realm_id          = keycloak_realm.vpp.id
  parent_flow_alias = keycloak_authentication_flow.vpp_authentication_flow.alias
  alias             = "browser forms"
  requirement       = "ALTERNATIVE"
  # Created after the identity-provider redirector execution.
  depends_on = [
    keycloak_authentication_execution.vpp_authentication_flow_identity_provider_redirector_authentication_execution
  ]
}

# Username/password form, REQUIRED inside the "browser forms" subflow.
# It has no depends_on, so nothing in the subflow is created before it.
resource "keycloak_authentication_execution" "vpp_authentication_flow_username_password_form_authentication_execution" {
  realm_id          = keycloak_realm.vpp.id
  parent_flow_alias = keycloak_authentication_subflow.vpp_browser_authentication_subflow.alias
  authenticator     = "auth-username-password-form"
  requirement       = "REQUIRED"
}

# Session-limit check ("user-session-limits"), REQUIRED inside the
# "browser forms" subflow.
# NOTE(review): the limit is presumably meant to run after the form has
# identified the user. If the stored priorities do not follow the creation
# order, verify that the check still runs after the password form.
resource "keycloak_authentication_execution" "vpp_authentication_flow_session_counter_authentication_execution" {
  realm_id          = keycloak_realm.vpp.id
  parent_flow_alias = keycloak_authentication_subflow.vpp_browser_authentication_subflow.alias
  authenticator     = "user-session-limits"
  requirement       = "REQUIRED"
  # Created after the username/password form execution.
  depends_on = [
    keycloak_authentication_execution.vpp_authentication_flow_username_password_form_authentication_execution
  ]
}

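# Configuration for the "user-session-limits" execution, attached through the
# execution's id. All values are passed as strings.
resource "keycloak_authentication_execution_config" "vpp_authentication_flow_session_counter_authentication_execution_config" {
  realm_id     = keycloak_realm.vpp.id
  execution_id = keycloak_authentication_execution.vpp_authentication_flow_session_counter_authentication_execution.id
  alias        = "vpp browser authentication flow session counter config"
  config = {
    # NOTE(review): confirm this string matches one of the authenticator's
    # accepted behavior values exactly (compare with the option list in the
    # admin console). A value the authenticator does not recognise may leave
    # the limit unenforced.
    "behavior"        = "Deny new sessions",
    # Closing quote restored; the original line left the string unterminated,
    # which is a syntax error.
    "errorMessage"    = "You are already logged in. Please close the other session.",
    # One session per user and client.
    "userClientLimit" = "1",
    # NOTE(review): presumably 0 disables the realm-wide limit; confirm
    # against the Keycloak documentation.
    "userRealmLimit"  = "0",
  }
}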

It works, but the priority of the executions is wrong.

The result of this is:

{
    "id": "0d7ca48f-7601-4c09-ba4d-79c1b38303d1",
    "alias": "vpp browser",
    "description": "",
    "providerId": "basic-flow",
    "topLevel": true,
    "builtIn": false,
    "authenticationExecutions": [
      {
        "authenticatorFlow": true,
        "requirement": "ALTERNATIVE",
        "priority": 1,
        "autheticatorFlow": true,
        "flowAlias": "browser forms",
        "userSetupAllowed": false
      },
      {
        "authenticator": "auth-cookie",
        "authenticatorFlow": false,
        "requirement": "ALTERNATIVE",
        "priority": 2,
        "autheticatorFlow": false,
        "userSetupAllowed": false
      },
      {
        "authenticator": "identity-provider-redirector",
        "authenticatorFlow": false,
        "requirement": "ALTERNATIVE",
        "priority": 2,
        "autheticatorFlow": false,
        "userSetupAllowed": false
      }
    ]
  }

The priority should be auth-cookie -> identity-provider-redirector -> forms subflow. I tried everything (depends_on), but no luck. What am I missing?

ofairfoul commented 4 months ago

Keycloak 25 introduced a new priority field on authenticationExecution, and this provider has not implemented it yet.