pulumi / pulumi-keycloak

A KeyCloak Pulumi resource package, providing multi-language access to KeyCloak
Apache License 2.0

authentication executions and flows do not have priority so flows will always be off and unchangeable #563

Open drduker opened 2 months ago

drduker commented 2 months ago

Describe what happened

All executions and subflows have a priority of zero if not settable, and there is no way to set it with current usage, so it makes setting up authentication flows useless.

Sample program

na

Log output

No response

Affected Resource(s)

No response

Output of pulumi about

pulumi creates, but what it creates is unusable

Additional context

No response


drduker commented 2 months ago

Correction: authentications are only useful if you have a single execution per flow. But no one does that.

Example JSON of one that works by manually adding configuration:

      "authenticationExecutions": [
        {
          "authenticator": "auth-cookie",
          "authenticatorFlow": false,
          "requirement": "ALTERNATIVE",
          "priority": 0,
          "autheticatorFlow": false,
          "userSetupAllowed": false
        },
        {
          "authenticator": "auth-x509-client-username-form",
          "authenticatorFlow": false,
          "requirement": "ALTERNATIVE",
          "priority": 1,
          "autheticatorFlow": false,
          "userSetupAllowed": false
        },
        {
          "authenticatorFlow": true,
          "requirement": "ALTERNATIVE",
          "priority": 2,
          "autheticatorFlow": true,
          "flowAlias": "MFA Login",
          "userSetupAllowed": false
        }

What this provider creates, configuration with broken code:

        {
          "authenticatorFlow": true,
          "requirement": "ALTERNATIVE",
          "priority": 0,
          "autheticatorFlow": true,
          "flowAlias": "mfa_login",
          "userSetupAllowed": false
        },
        {
          "authenticator": "auth-x509-client-username-form",
          "authenticatorFlow": false,
          "requirement": "ALTERNATIVE",
          "priority": 0,
          "autheticatorFlow": false,
          "userSetupAllowed": false
        },
        {
          "authenticator": "auth-cookie",
          "authenticatorFlow": false,
          "requirement": "ALTERNATIVE",
          "priority": 0,
          "autheticatorFlow": false,
          "userSetupAllowed": false
        }
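
As an added example (not part of the original thread or the provider's code), this script checks a realm export for flows where several executions share one priority, the condition shown in the second snippet above. The top-level `authenticationFlows` and `alias` keys are assumptions about the export layout, and the two flow aliases are constructed sample data.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of a Keycloak realm export; the flow aliases
# are made up, the executions mirror the two snippets quoted in the comment above.
REALM_EXPORT = json.loads("""
{
  "authenticationFlows": [
    {"alias": "browser-manual", "authenticationExecutions": [
      {"authenticator": "auth-cookie", "requirement": "ALTERNATIVE", "priority": 0},
      {"authenticator": "auth-x509-client-username-form", "requirement": "ALTERNATIVE", "priority": 1},
      {"flowAlias": "MFA Login", "authenticatorFlow": true, "requirement": "ALTERNATIVE", "priority": 2}
    ]},
    {"alias": "browser-provider", "authenticationExecutions": [
      {"flowAlias": "mfa_login", "authenticatorFlow": true, "requirement": "ALTERNATIVE", "priority": 0},
      {"authenticator": "auth-x509-client-username-form", "requirement": "ALTERNATIVE", "priority": 0},
      {"authenticator": "auth-cookie", "requirement": "ALTERNATIVE", "priority": 0}
    ]}
  ]
}
""")


def step_name(execution):
    """Name an execution by its authenticator, or by flowAlias for a subflow."""
    return execution.get("authenticator") or execution.get("flowAlias") or "<unnamed>"


def audit_flow_priorities(realm):
    """Return {flow alias: {priority: [step names]}} for every priority value
    shared by more than one execution, i.e. where the order is not pinned."""
    findings = {}
    for flow in realm.get("authenticationFlows", []):
        by_priority = defaultdict(list)
        for execution in flow.get("authenticationExecutions", []):
            # Assumption: an execution without a priority field counts as priority 0.
            by_priority[execution.get("priority", 0)].append(step_name(execution))
        clashes = {p: names for p, names in by_priority.items() if len(names) > 1}
        if clashes:
            findings[flow.get("alias", "<no alias>")] = clashes
    return findings


if __name__ == "__main__":
    for alias, clashes in audit_flow_priorities(REALM_EXPORT).items():
        for priority, names in sorted(clashes.items()):
            print(f"{alias}: priority {priority} shared by {', '.join(names)}")
```
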

VenelinMartinov commented 2 months ago

Hi @drduker, thanks for reporting. Could you please provide an example Pulumi program which shows the issue?

drduker commented 1 month ago

The problem is that executions and subflows have a specific order. Within the GUI you can move them up and down, and the order certainly matters. However, there is no usage available to define priority within inputs, which sets the order within Keycloak - https://www.pulumi.com/registry/packages/keycloak/api-docs/authentication/execution/#inputs

https://www.keycloak.org/docs-api/latest/rest-api/index.html#AuthenticatorConfigRepresentation

drduker commented 1 month ago

Terraform has a similar issue: https://github.com/mrparkers/terraform-provider-keycloak/issues/296

iwahbe commented 1 month ago

This provider is generated from mrparkers' Terraform provider, so we will pick up the fix to https://github.com/mrparkers/terraform-provider-keycloak/issues/296 as soon as the upstream provider fixes it.