mrparkers / terraform-provider-keycloak

Terraform provider for Keycloak
https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs
MIT License

Missing resource "Role Name Mapper" within "Dedicated Scopes" section of an OIDC client #819

Closed quambel closed 1 year ago

quambel commented 1 year ago

Hello, thanks for this good provider. I'm missing only one important resource. How do I configure a "Role Name Mapper" in the "Dedicated Scopes" section of an OIDC client?

way in the UI: "Clients" -> "argocd" -> Tab "Client scopes" -> "argocd-dedicated" -> Tab "Mappers" -> "Configure new mapper" -> "Role Name Mapper"

url within keycloak: https://MY-KEYCLOAK-URL/admin/master/console/#/MY-REALM/clients/MY-CLIENT-UUID/clientScopes/dedicated/mappers/oidc-role-name-mapper

This function is often used to create a realm role, e.g. "argocd_admin", which is mapped to the "admin" role within the client. The role (group within argocd) admin is default and does not have to be created, so you can log in directly. However, the mapping does not lose the fine-grained control of rights. There are many applications with the default role admin. Only an admin role would mean that you can no longer separate the rights between applications.

Does the resource already exist? Unfortunately, I couldn't find it.

I use keycloak version 19.0.3 and 4.2.0 of this terraform provider.

Thanks in advance. Jan

james-callahan commented 1 year ago

You'll need to use a keycloak_generic_protocol_mapper.

quambel commented 1 year ago

Many thanks for the quick response. Unfortunately, it's not clear to me how to control the "New Role Name" field (from the UI) via terraform. Could you give me an example please? Quote: "The supported keys depends on the protocol mapper". How do I know the keys?

Thanks in advance.

james-callahan commented 1 year ago

@quambel I figured out the field names by "inspect element" in my web browser. I don't know if they're officially documented anywhere.

quambel commented 1 year ago

@james-callahan Thanks for the hint. I was able to find out the name for the "New Role Name" input field. For the dropdowns I could not find the name.

This issue was useful: https://github.com/mrparkers/terraform-provider-keycloak/issues/811

Just use the values from the Java class: https://github.com/carlosthe19916/repeidtest/tree/7e956f55ee30cf7d4e9086d6760246773dfb044d/manager/services/src/main/java/org/keycloak/protocol/oidc/mappers

example:

```hcl
resource "keycloak_generic_protocol_mapper" "argocd_rolemapped_role_mapping" {
  realm_id        = keycloak_realm.myrealm.id
  client_id       = keycloak_openid_client.myclient.id
  protocol        = "openid-connect"
  protocol_mapper = "oidc-role-name-mapper"
  name            = "to-admin-role-rolemapper"

  # config keys are the constants from the RoleNameMapper Java class
  config = {
    "role"          = "argocd_admin"
    "new.role.name" = "admin"
  }
}
```
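A fuller configuration built around the same mapper, as an added example that is not part of this thread or of the provider's own documentation: it creates the client and the application-specific realm role in Terraform and references that role from the mapper, so the role name cannot silently drift apart from the mapping. Resource types and arguments are the provider's documented ones; the realm name, client id and redirect URI are constructed placeholders.

```hcl
terraform {
  required_providers {
    keycloak = {
      source  = "mrparkers/keycloak"
      version = "~> 4.2"
    }
  }
}

# Constructed placeholder values; replace them with your own.
resource "keycloak_realm" "myrealm" {
  realm   = "example-realm"
  enabled = true
}

resource "keycloak_openid_client" "argocd" {
  realm_id              = keycloak_realm.myrealm.id
  client_id             = "argocd"
  name                  = "argocd"
  enabled               = true
  access_type           = "CONFIDENTIAL"
  standard_flow_enabled = true
  valid_redirect_uris   = ["https://argocd.example.com/auth/callback"]
}

# Realm-level role that is specific to this application. Keeping the realm
# role name distinct per application ("argocd_admin" rather than "admin")
# is what preserves the separation of rights described in the issue.
resource "keycloak_role" "argocd_admin" {
  realm_id    = keycloak_realm.myrealm.id
  name        = "argocd_admin"
  description = "Administrators of the argocd client"
}

# The dedicated-scope Role Name Mapper: in tokens issued for this client only,
# "argocd_admin" is presented as "admin", the role argocd expects by default.
resource "keycloak_generic_protocol_mapper" "argocd_admin_role_name" {
  realm_id        = keycloak_realm.myrealm.id
  client_id       = keycloak_openid_client.argocd.id
  protocol        = "openid-connect"
  protocol_mapper = "oidc-role-name-mapper"
  name            = "argocd-admin-role-name"

  # Keys are the config constants of the RoleNameMapper Java class linked above.
  # Referencing the role resource instead of a literal string makes Terraform
  # create the role before the mapper and surfaces a plan error if the role is
  # later removed, instead of leaving a mapping that points at nothing.
  config = {
    "role"          = keycloak_role.argocd_admin.name
    "new.role.name" = "admin"
  }
}
```

Because the mapper lives in the client's dedicated scope, the rename only affects tokens issued for the `argocd` client; other clients in the realm still see `argocd_admin`, which is the property that keeps one realm-wide `admin` role from granting administrator rights in every application. Keycloak's own help text for the "Role" field also accepts a client role in `clientid.rolename` form; that is a Keycloak behaviour rather than something the thread covers.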