mrparkers / terraform-provider-keycloak

Terraform provider for Keycloak
https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs
MIT License

removing valid_redirect_uris doesn't yield changes #759

Open rd-robert-avram opened 1 year ago

rd-robert-avram commented 1 year ago

Version

mrparkers/keycloak 4.0.0

Issue

Once valid_redirect_uris are created and managed for a client, deleting them from a resource doesn't yield changes.

Steps to reproduce

  1. Define a client resource much like this one and apply the change:
resource "keycloak_openid_client" "test-client" {
  access_type                         = "PUBLIC"
  realm_id                            = "my-realm"
  client_id                           = "test-client"
  enabled                             = true
  full_scope_allowed                  = false
  direct_access_grants_enabled        = false
  service_accounts_enabled            = false
  standard_flow_enabled               = false
  implicit_flow_enabled               = false
  use_refresh_tokens                  = true
  backchannel_logout_session_required = false
  name                                = "test-client"
  extra_config                        = {
    "owner" = "robert"
  }
}
  2. Then provoke a change by making it standard_flow_enabled and giving it valid_redirect_uris. Apply the change.
resource "keycloak_openid_client" "test-client" {
  access_type                         = "PUBLIC"
  realm_id                            = "my-realm"
  client_id                           = "test-client"
  enabled                             = true
  full_scope_allowed                  = false
  direct_access_grants_enabled        = false
  service_accounts_enabled            = false
  standard_flow_enabled               = true
  implicit_flow_enabled               = false
  use_refresh_tokens                  = true
  backchannel_logout_session_required = false
  name                                = "test-client"
  extra_config                        = {
    "owner" = "robert"
  }
  valid_redirect_uris = ["http://redirect.com"]
  web_origins = ["+"]
}

The plan will state the following:

# keycloak_openid_client.test-client will be updated in-place
 ~ resource "keycloak_openid_client" "test-client" {
    id                                         = "7f071040-664c-4de9-bc5d-b5eb6602ad20"
    name                                       = "test-client"
  ~ standard_flow_enabled                      = false -> true
  ~ valid_redirect_uris                        = [
      + "http://redirect.com",
    ]
  ~ web_origins                                = [
      + "+",
    ]
    # (18 unchanged attributes hidden)
}
  3. Now revert that resource to how you've defined it initially:
resource "keycloak_openid_client" "test-client" {
  access_type                         = "PUBLIC"
  realm_id                            = "my-realm"
  client_id                           = "test-client"
  enabled                             = true
  full_scope_allowed                  = false
  direct_access_grants_enabled        = false
  service_accounts_enabled            = false
  standard_flow_enabled               = false
  implicit_flow_enabled               = false
  use_refresh_tokens                  = true
  backchannel_logout_session_required = false
  name                                = "test-client"
  extra_config                        = {
    "owner" = "robert"
  }
}

The only change the plan specifies is this:

 # keycloak_openid_client.test-client will be updated in-place
 ~ resource "keycloak_openid_client" "test-client" {
    id                                         = "7f071040-664c-4de9-bc5d-b5eb6602ad20"
    name                                       = "test-client"
  ~ standard_flow_enabled                      = true -> false
    # (20 unchanged attributes hidden)
}

Applying this will result in the following error:

Error: valid_redirect_uris cannot be set when standard or implicit flow is not enabled

As far as I can understand, completely removing the valid_redirect_uris, once created, is not possible. I was half expecting them to be defaulted to empty lists, so I'm a bit concerned as this doesn't seem like intended behaviour.

One can of course work around this by directly setting them to empty lists, but still, like I mentioned, this doesn't seem like intended behaviour.

Thank you in advance!

sybereal commented 1 year ago

To add to this, the same issue also occurs when importing a client.

In my case, I have a perfectly fine and working client in Keycloak that only has service accounts enabled. Importing this client into Terraform results in valid_redirect_uris and web_origins being [""], i.e. a list containing an empty string, and any subsequent modification of the resource fails with the error message in the root comment.

Modifying the state manually to replace that with [] or null doesn't help, as the [""] is restored during the automatic refresh on the next apply before any changes are made.

To me, this seems like the provider enforces stricter constraints than Keycloak itself, which breaks valid client definitions and requires client recreation.
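The two comments above describe the same semantic gap: an omitted `valid_redirect_uris` / `web_origins` is not planned as "empty", and an imported client comes back with `[""]`, so a client whose browser flows are disabled can end up carrying redirect URIs that the config no longer declares. The script below is an added example, not code from terraform-provider-keycloak or from the commenters, and models how a plan would look if "absent means empty" and `[""]` were normalised away; it also adds an audit helper that lists redirect URIs left on a client whose standard and implicit flows are both off, which is what a reviewer would want to catch. The JSON field names (`redirectUris`, `webOrigins`, `standardFlowEnabled`, `implicitFlowEnabled`, `serviceAccountsEnabled`) are assumed to mirror Keycloak's ClientRepresentation; all sample client data is constructed for this example and only the four attributes relevant to the issue are modelled.

```python
"""Model of 'absent means empty' planning for keycloak_openid_client list attributes.

Added example; not the provider's code.  Field names are assumed to mirror
Keycloak's ClientRepresentation; sample data below is constructed.
"""
from typing import Dict, List, Optional, Tuple

# Terraform attribute name -> Keycloak representation field (assumed names).
ATTR_MAP: Dict[str, str] = {
    "standard_flow_enabled": "standardFlowEnabled",
    "implicit_flow_enabled": "implicitFlowEnabled",
    "valid_redirect_uris": "redirectUris",
    "web_origins": "webOrigins",
}
LIST_ATTRS = {"valid_redirect_uris", "web_origins"}

# Constructed: remote client after step 2 of the root comment (flow on, URIs set).
CLIENT_WITH_REDIRECTS = {
    "clientId": "test-client",
    "standardFlowEnabled": True,
    "implicitFlowEnabled": False,
    "redirectUris": ["http://redirect.com"],
    "webOrigins": ["+"],
}

# Constructed: the step 3 config, with the two list attributes omitted.
STEP3_CONFIG = {"standard_flow_enabled": False, "implicit_flow_enabled": False}

# Constructed: a service-account-only client as the second comment describes
# it after import, i.e. lists containing a single empty string.
IMPORTED_SERVICE_ACCOUNT_CLIENT = {
    "clientId": "svc-only",
    "standardFlowEnabled": False,
    "implicitFlowEnabled": False,
    "serviceAccountsEnabled": True,
    "redirectUris": [""],
    "webOrigins": [""],
}


def normalize_uris(values: Optional[List[str]]) -> List[str]:
    """Treat None as [] and drop empty strings, so [""] and [] compare equal."""
    return sorted(v for v in (values or []) if v != "")


def desired_value(desired: dict, attr: str):
    """Config value with 'absent means empty / false' semantics."""
    if attr in LIST_ATTRS:
        return normalize_uris(desired.get(attr))
    return bool(desired.get(attr, False))


def actual_value(actual: dict, attr: str):
    """Remote value, normalised the same way as the config."""
    value = actual.get(ATTR_MAP[attr])
    return normalize_uris(value) if attr in LIST_ATTRS else bool(value)


def validate_desired(desired: dict) -> Optional[str]:
    """The constraint from the provider's error message, applied to the
    desired state only, so removing URIs together with the flow is allowed."""
    flows_on = desired_value(desired, "standard_flow_enabled") or desired_value(
        desired, "implicit_flow_enabled"
    )
    if not flows_on and desired_value(desired, "valid_redirect_uris"):
        return "valid_redirect_uris cannot be set when standard or implicit flow is not enabled"
    return None


def plan(desired: dict, actual: dict) -> Dict[str, Tuple[object, object]]:
    """Return {attribute: (old, new)} for every modelled attribute that differs."""
    error = validate_desired(desired)
    if error:
        raise ValueError(error)
    changes = {}
    for attr in ATTR_MAP:
        old, new = actual_value(actual, attr), desired_value(desired, attr)
        if old != new:
            changes[attr] = (old, new)
    return changes


def stale_redirect_uris(actual: dict) -> List[str]:
    """Audit: redirect URIs present on a client whose browser flows are both off."""
    if actual.get("standardFlowEnabled") or actual.get("implicitFlowEnabled"):
        return []
    return normalize_uris(actual.get("redirectUris"))


if __name__ == "__main__":
    # Omitting the lists now plans their removal alongside the flow change.
    for attr, (old, new) in plan(STEP3_CONFIG, CLIENT_WITH_REDIRECTS).items():
        print(f"~ {attr}: {old} -> {new}")
    # The imported [""] lists normalise to [], so a minimal config is clean.
    print("import drift:", plan({"service_accounts_enabled": True}, IMPORTED_SERVICE_ACCOUNT_CLIENT))
    print("stale URIs:", stale_redirect_uris({"standardFlowEnabled": False, "redirectUris": ["http://old.example"]}))
```

The point of running the constraint against the desired state rather than the stored state is the failure mode in the root comment: the apply fails because the remote client still has URIs while the config has turned the flow off, so a plan that never proposed removing the URIs can only error. Until the provider behaves this way, the explicit `valid_redirect_uris = []` / `web_origins = []` workaround from the root comment is the safe choice, and the audit helper is what to run against exported client representations to find clients that kept URIs after their flows were disabled.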