mrparkers / terraform-provider-keycloak

Terraform provider for Keycloak
https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs
MIT License
612 stars, 300 forks

Unable to create microsoft identity provider with `keycloak_oidc_identity_provider` #796

Open landorg opened 1 year ago

landorg commented 1 year ago

Hi. I am trying to use your provider to set up Microsoft as an identity provider with this code:

resource "keycloak_oidc_identity_provider" "realm_identity_provider" {
  realm        = keycloak_realm.onlim.id
  alias        = "microsoft"
  provider_id  = "microsoft"
  display_name = ""

  client_id     = nonsensitive(var.ms_identity_provider.client_id)
  client_secret = nonsensitive(var.ms_identity_provider.client_secret)

  authorization_url = ""
  token_url         = ""
  trust_email       = true
  store_token       = false
  default_scopes    = ""
  sync_mode         = "IMPORT"

  backchannel_supported = false
}

At first everything seemed to work, but then I found out that there is a problem if the account already exists and I want to link them. This only happens with the automatically created IdP; the manually created one works fine. In the interface they look identical.

I tried to manually create the IdP and import it. On the next apply it shows me this diff:

  # module.keycloak.keycloak_oidc_identity_provider.realm_identity_provider will be updated in-place
  ~ resource "keycloak_oidc_identity_provider" "realm_identity_provider" {
      + accepts_prompt_none_forward_from_client = false
      + client_secret                           = (sensitive value)
        id                                      = "microsoft"
      + provider_id                             = "microsoft"
        # (18 unchanged attributes hidden)
    }

But after the apply the link accounts function is broken again. These are the two IdP resources from the Keycloak API. Autogenerated:

{
  "alias": "microsoft",
  "displayName": "",
  "internalId": "bd8e3e29-c435-46b9-a05b-46d0d4940055",
  "providerId": "microsoft",
  "enabled": true,
  "updateProfileFirstLoginMode": "on",
  "trustEmail": true,
  "storeToken": false,
  "addReadTokenRoleOnCreate": false,
  "authenticateByDefault": false,
  "linkOnly": false,
  "firstBrokerLoginFlowAlias": "first broker login",
  "config": {
    "offlineAccess": "false",
    "hideOnLoginPage": "false",
    "validateSignature": "false",
    "acceptsPromptNoneForwardFromClient": "false",
    "clientId": "6d12187d-c5e9-4379-9076-8cd6878d2edb",
    "uiLocales": "false",
    "postBindingLogout": "false",
    "postBindingResponse": "false",
    "backchannelSupported": "false",
    "wantAssertionsEncrypted": "false",
    "useJwksUrl": "false",
    "wantAssertionsSigned": "false",
    "disableUserInfo": "false",
    "syncMode": "IMPORT",
    "postBindingAuthnRequest": "false",
    "forceAuthn": "false",
    "userIp": "false",
    "clientSecret": "**********",
    "wantAuthnRequestsSigned": "false"
  }
}

Manually created:

{
  "alias": "microsoft",
  "internalId": "bd8e3e29-c435-46b9-a05b-46d0d4940055",
  "providerId": "microsoft",
  "enabled": true,
  "updateProfileFirstLoginMode": "on",
  "trustEmail": true,
  "storeToken": false,
  "addReadTokenRoleOnCreate": false,
  "authenticateByDefault": false,
  "linkOnly": false,
  "firstBrokerLoginFlowAlias": "first broker login",
  "config": {
    "syncMode": "IMPORT",
    "clientSecret": "**********",
    "clientId": "6d12187d-c5e9-4379-9076-8cd6878d2edb",
    "useJwksUrl": "true"
  }
}

It looks like only defaults to me, but something seems to break. I'm using Keycloak 15.1.1. I'll also append the Keycloak error. Any help is very much appreciated.

15:50:34,043 WARN  [org.keycloak.services] (default task-35) KC-SERVICES0013: Failed authentication: java.lang.StringIndexOutOfBoundsException: begin 0, end 1, length 0
    at java.base/java.lang.String.checkBoundsBeginEnd(String.java:3319)
    at java.base/java.lang.String.substring(String.java:1874)
    at org.keycloak.keycloak-common@15.1.1//org.keycloak.common.util.ObjectUtil.capitalize(ObjectUtil.java:47)
    at org.keycloak.keycloak-services@15.1.1//org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendConfirmIdentityBrokerLink(FreeMarkerEmailTemplateProvider.java:152)
    at org.keycloak.keycloak-services@15.1.1//org.keycloak.authentication.authenticators.broker.IdpEmailVerificationAuthenticator.sendVerifyEmail(IdpEmailVerificationAuthenticator.java:148)
....

15:50:34,053 WARN  [org.keycloak.events] (default task-35) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=onlim, clientId=onlim, userId=null, ipAddress=2a01:4f8:1c17:80e5::, error=invalid_user_credentials, identity_provider=microsoft, auth_method=openid-connect, redirect_uri=https://app-playground3.onlim.com/cb, identity_provider_identity=roland.gritzer@onlim.com, code_id=s2s3q-bSSOC9Jpridzen9hHCGQeTzfl8kIheLS0J3F4, authSessionParentId=c0d3a78c-1a62-407d-9232-2cf8dcd865d1, authSessionTabId=SlfbrmTyTHs
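An added example, not code from the issue, the provider, or Keycloak: a small Go program that parses the two identity-provider representations pasted above (embedded as constructed copies, secret masked as on the page), diffs their `config` maps, and reproduces the string handling behind the stack trace. `ObjectUtil.capitalize` in Keycloak is `str.substring(0, 1).toUpperCase() + str.substring(1)`, which is exactly what throws `begin 0, end 1, length 0` on an empty string. The `EmailIdpLabel` function is my reading of how `sendConfirmIdentityBrokerLink` chooses the provider label in Keycloak 15 (capitalize the alias, then prefer a non-null `displayName`); treat that as an assumption, not a quotation of the source. The relevant difference visible in the pasted JSON is that the Terraform-created IdP carries `"displayName": ""` (the HCL sets `display_name = ""`), while the manually created one has no `displayName` at all, so the code below distinguishes an absent field from an empty one.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed copies of the two representations pasted in the issue (secret masked as on the page).
const autogeneratedJSON = `{
  "alias": "microsoft", "displayName": "", "providerId": "microsoft",
  "config": {"offlineAccess": "false", "hideOnLoginPage": "false", "validateSignature": "false",
    "acceptsPromptNoneForwardFromClient": "false", "clientId": "6d12187d-c5e9-4379-9076-8cd6878d2edb",
    "uiLocales": "false", "postBindingLogout": "false", "postBindingResponse": "false",
    "backchannelSupported": "false", "wantAssertionsEncrypted": "false", "useJwksUrl": "false",
    "wantAssertionsSigned": "false", "disableUserInfo": "false", "syncMode": "IMPORT",
    "postBindingAuthnRequest": "false", "forceAuthn": "false", "userIp": "false",
    "clientSecret": "**********", "wantAuthnRequestsSigned": "false"}
}`

const manualJSON = `{
  "alias": "microsoft", "providerId": "microsoft",
  "config": {"syncMode": "IMPORT", "clientSecret": "**********",
    "clientId": "6d12187d-c5e9-4379-9076-8cd6878d2edb", "useJwksUrl": "true"}
}`

// IdpRep holds the subset of Keycloak's IdentityProviderRepresentation used here.
// DisplayName is a pointer so that an absent field (nil) and an empty string ("")
// stay distinguishable after unmarshalling.
type IdpRep struct {
	Alias       string            `json:"alias"`
	DisplayName *string           `json:"displayName"`
	ProviderID  string            `json:"providerId"`
	Config      map[string]string `json:"config"`
}

func ParseIdp(raw string) (IdpRep, error) {
	var rep IdpRep
	err := json.Unmarshal([]byte(raw), &rep)
	return rep, err
}

// Capitalize mirrors org.keycloak.common.util.ObjectUtil.capitalize:
// str.substring(0, 1).toUpperCase() + str.substring(1). Java's substring(0, 1)
// throws StringIndexOutOfBoundsException("begin 0, end 1, length 0") on "",
// which is returned here as an error instead of a panic.
func Capitalize(s string) (string, error) {
	if len(s) < 1 {
		return "", fmt.Errorf("StringIndexOutOfBoundsException: begin 0, end 1, length %d", len(s))
	}
	return strings.ToUpper(s[:1]) + s[1:], nil
}

// EmailIdpLabel models (assumption: my reading of Keycloak 15's
// FreeMarkerEmailTemplateProvider.sendConfirmIdentityBrokerLink) how the
// "link account" e-mail picks the provider label: capitalize the alias, then,
// if displayName is non-null, capitalize displayName instead. A present but
// empty displayName therefore reaches Capitalize("") and fails.
func EmailIdpLabel(rep IdpRep) (string, error) {
	label, err := Capitalize(rep.Alias)
	if err != nil {
		return "", err
	}
	if rep.DisplayName != nil {
		return Capitalize(*rep.DisplayName)
	}
	return label, nil
}

// DiffConfig lists config keys that are absent on one side or differ in value.
func DiffConfig(a, b map[string]string) []string {
	var out []string
	for k, va := range a {
		if vb, ok := b[k]; !ok {
			out = append(out, fmt.Sprintf("%s: %q -> <absent>", k, va))
		} else if va != vb {
			out = append(out, fmt.Sprintf("%s: %q -> %q", k, va, vb))
		}
	}
	for k, vb := range b {
		if _, ok := a[k]; !ok {
			out = append(out, fmt.Sprintf("%s: <absent> -> %q", k, vb))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	auto, _ := ParseIdp(autogeneratedJSON)
	manual, _ := ParseIdp(manualJSON)
	for name, rep := range map[string]IdpRep{"autogenerated": auto, "manual": manual} {
		label, err := EmailIdpLabel(rep)
		fmt.Printf("%-13s displayName present=%v label=%q err=%v\n", name, rep.DisplayName != nil, label, err)
	}
	fmt.Println("config diff:", DiffConfig(auto.Config, manual.Config))
}
```

Running it prints a failing label for the autogenerated IdP and `Microsoft` for the manual one; the config diff shows that, apart from the Keycloak defaults, the only value that differs is `useJwksUrl` (`"false"` vs `"true"`), which is unrelated to the `capitalize` failure. As a check on a live realm, fetch the IdP with `GET /admin/realms/{realm}/identity-provider/instances/{alias}` and look at whether `displayName` is absent or `""`.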