mrparkers / terraform-provider-keycloak

Terraform provider for Keycloak
https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs
MIT License

keycloak_openid_client.authorization decision_strategy field doesn't work #965

Open javyen-xu opened 1 month ago

javyen-xu commented 1 month ago

TF code

resource "keycloak_openid_client" "openid_client" {
  realm_id  = data.keycloak_realm.realm.id
  client_id = "xxxx"

  name    = "xxxx"
  enabled = true

  access_type                  = "CONFIDENTIAL"
  client_authenticator_type    = "client-secret"
  standard_flow_enabled        = false
  implicit_flow_enabled        = false
  direct_access_grants_enabled = false
  service_accounts_enabled     = true
  valid_redirect_uris          = []
  web_origins                  = []

  authorization {
    policy_enforcement_mode          = "ENFORCING"
    decision_strategy                = "AFFIRMATIVE"
    allow_remote_resource_management = "true"
  }
}

After it's applied, the Keycloak console still shows Decision strategy as UNANIMOUS.


The RPT authorization result matches the Decision strategy in the Keycloak console.

missedone commented 1 month ago

It seems the issue also relates to this: https://github.com/keycloak/keycloak/issues/16998

mustdiechik commented 1 month ago

The same issue. Keycloak: 24.0.4, provider: 4.4.0

changing values via

resource "keycloak_openid_client" "some_client" {
  ...
  authorization {
    policy_enforcement_mode = "ENFORCING"
    decision_strategy       = "UNANIMOUS"
    #policy_enforcement_mode = "PERMISSIVE"
    #decision_strategy       = "AFFIRMATIVE"
  }
}

does not work with both "policy_enforcement_mode" and "decision_strategy"
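
A drift check for the symptom reported in this thread, as an added example that is not part of the issue or the provider's code: it compares the `authorization` block recorded in `terraform show -json` output with the resource-server settings Keycloak reports for the same client. Both inputs are constructed samples, and `find_drift`, `iter_resources`, `TF_STATE`, `LIVE` and `FIELDS` are hypothetical names.

```python
import json

# Constructed sample: trimmed `terraform show -json` output for one client.
TF_STATE = json.loads("""
{"values": {"root_module": {"resources": [
  {"address": "keycloak_openid_client.openid_client",
   "type": "keycloak_openid_client",
   "values": {"client_id": "xxxx",
              "authorization": [{"policy_enforcement_mode": "ENFORCING",
                                 "decision_strategy": "AFFIRMATIVE",
                                 "allow_remote_resource_management": true}]}}
]}}}
""")

# Constructed sample: resource-server settings as Keycloak reports them,
# keyed by clientId (the server still holds UNANIMOUS, as in the report).
LIVE = {"xxxx": {"policyEnforcementMode": "ENFORCING",
                 "decisionStrategy": "UNANIMOUS",
                 "allowRemoteResourceManagement": True}}

# Terraform attribute -> field name in Keycloak's representation.
FIELDS = {"policy_enforcement_mode": "policyEnforcementMode",
          "decision_strategy": "decisionStrategy",
          "allow_remote_resource_management": "allowRemoteResourceManagement"}

def iter_resources(module):
    """Yield resources from a module and all nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def find_drift(state, live):
    """Return (address, attribute, wanted, actual) for every mismatch."""
    drift = []
    root = state.get("values", {}).get("root_module", {})
    for res in iter_resources(root):
        vals = res.get("values", {})
        blocks = vals.get("authorization") or []
        if res.get("type") != "keycloak_openid_client" or not blocks:
            continue  # not a client, or authorization is not managed
        actual = live.get(vals.get("client_id")) or {}
        for tf_key, kc_key in FIELDS.items():
            wanted, got = blocks[0].get(tf_key), actual.get(kc_key)
            if wanted is not None and wanted != got:
                drift.append((res["address"], tf_key, wanted, got))
    return drift

if __name__ == "__main__":
    for row in find_drift(TF_STATE, LIVE):
        print("DRIFT %s: %s wanted=%r actual=%r" % row)
```

Running a check like this after `terraform apply` turns a silently ignored `decision_strategy` into a visible failure instead of an unnoticed change in how permissions are evaluated.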