keycloak / terraform-provider-keycloak

Terraform provider for Keycloak
https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs
Apache License 2.0

Client Fine Grained permissions 'extra_config' only sometimes works. KC 24.0.5 #979

Open bradhead opened 4 months ago

bradhead commented 4 months ago

I was trying to add a client token exchange policy, and it would fail. I discovered I need to set the extra config:

  resource "keycloak_openid_client" "client_pas_rs" {
    # ...
    service_accounts_enabled = true

    extra_config = {
      "authorizationServicesEnabled"  = true
      "fineGrainAuthorizationEnabled" = true
    }
  }

When I then performed an apply, the policy resource applied correctly and all was good. Token exchange client policy set up correctly.

Then I tore down and rebuilt from scratch, and this time the extra configuration had no effect and the policy resource failed. I have to manually toggle the fine-grained permissions and then re-run the Terraform.

Here's the policy that fails when the above toggle is not applied. Note that I have a depends_on set for this.

resource "keycloak_openid_client_client_policy" "pas_client_policy" {
  realm_id           = data.keycloak_realm.realm.id
  resource_server_id = data.keycloak_openid_client.realm_management.id
  name               = "token-exchange-policy"
  logic              = "POSITIVE"
  decision_strategy  = "UNANIMOUS"
  clients = [
    keycloak_openid_client.client_pas_mulesoft.id
  ]
  depends_on = [keycloak_openid_client.client_pas_rs, keycloak_openid_client.client_pas_mulesoft]
}

Not sure why it is so inconsistent.