mrparkers / terraform-provider-keycloak

Terraform provider for Keycloak
https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs
MIT License

Generic client for SAML and OIDC #813

Open Breee opened 1 year ago

Breee commented 1 year ago

Context

We are currently working with Crossplane and the tool upjet (https://github.com/upbound/upjet). This tool allows us to generate Crossplane providers from a Terraform provider; the aim is to manage Keycloak resources in Kubernetes using Crossplane. We successfully created a Keycloak provider that allows us to manage resources.

What it basically does is convert the CRUD methods (Create, Read, Update, Delete) of the Terraform provider and generate Go code out of them, as well as CRDs.

However, we now face an issue:

  1. Currently there is a keycloak_openid_client and a keycloak_saml_client resource.
  2. The keycloak_role resource is able to differentiate between client roles and realm roles.
  3. If we create a client role using keycloak_role, we need to reference a client by its client ID.
  4. However, if we want to reference a client, we would need to differentiate between a keycloak_openid_client and a keycloak_saml_client.
  5. In our current state that would not be possible, since the OIDC client and the SAML client are different types of objects.

Question

Would it be possible to create a keycloak_generic_client that unites both client types? Example:

saml

resource "keycloak_generic_client" "saml_client" {
  type  = "saml"
  realm_id  = keycloak_realm.realm.id
  client_id = "saml-client"
  name      = "saml-client"

  sign_documents          = false
  sign_assertions         = true
  include_authn_statement = true

  signing_certificate = file("saml-cert.pem")
  signing_private_key = file("saml-key.pem")
}

oidc

resource "keycloak_generic_client" "openid_client" {
  type = "oidc"
  realm_id            = keycloak_realm.realm.id
  client_id           = "test-client"

  name                = "test client"
  enabled             = true

  access_type         = "CONFIDENTIAL"
  valid_redirect_uris = [
    "http://localhost:8080/openid-callback"
  ]

  login_theme = "keycloak"

  extra_config = {
    "key1" = "value1"
    "key2" = "value2"
  }
}

where type defines the type of client.
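The reference problem in steps 3 to 5, shown as an added example (not the author's configuration and not code from the provider): with today's resources a client role must point at one concrete client type, so the two keycloak_role blocks differ only in which resource's internal id they reference. The keycloak_role attributes (realm_id, client_id, name) are assumed from the provider documentation; the realm name is constructed.

```hcl
resource "keycloak_realm" "realm" {
  realm = "example" # constructed sample realm
}

# OIDC client, using the existing resource type
resource "keycloak_openid_client" "app" {
  realm_id            = keycloak_realm.realm.id
  client_id           = "test-client"
  access_type         = "CONFIDENTIAL"
  valid_redirect_uris = ["http://localhost:8080/openid-callback"]
}

# SAML client, using the existing resource type
resource "keycloak_saml_client" "sp" {
  realm_id  = keycloak_realm.realm.id
  client_id = "saml-client"
}

# A client role is scoped to exactly one client, so a principal granted
# "admin" on the OIDC client gets nothing on the SAML client. keycloak_role
# takes the client's internal Keycloak id (the resource's id attribute),
# not the human-readable client_id, so each role must name the concrete
# resource type it belongs to.
resource "keycloak_role" "app_admin" {
  realm_id  = keycloak_realm.realm.id
  client_id = keycloak_openid_client.app.id
  name      = "admin"
}

resource "keycloak_role" "sp_admin" {
  realm_id  = keycloak_realm.realm.id
  client_id = keycloak_saml_client.sp.id
  name      = "admin"
}
```

A generated CRD that must accept either client as a reference target is where the two distinct resource types become awkward, which is the situation the request above describes.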

Breee commented 1 month ago

Alright guys, I need this badly. Can someone with experience in this repo point me to the stuff I need to change? Then I'd love to hack a PR.