ansible-middleware/keycloak

keycloak_realm doesn't pass attributes to keycloak_client

Closed this issue · 2 comments

SUMMARY

When provisioning a Keycloak client, sometimes attributes need to be set. The keycloak_realm role fails to pass attributes to the keycloak_client plugin.

ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
ansible [core 2.14.1]
  config file = None
  configured module search path = ['/home/***/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/***/.local/lib/python3.11/site-packages/ansible
  ansible collection location = /home/***/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/***/.local/bin/ansible
  python version = 3.11.2 (main, Feb  8 2023, 00:00:00) [GCC 12.2.1 20221121 (Red Hat 12.2.1-4)] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True
COLLECTION VERSION
[a very long list; if you really need it, let me know]
STEPS TO REPRODUCE
- name: Create Realm
  include_role:
    name: middleware_automation.keycloak.keycloak_realm
  vars:
    keycloak_realm: "{{ keycloak_realm }}"
    keycloak_host: localhost
    keycloak_admin_user: "{{ keycloak_quarkus_admin_user }}"
    keycloak_admin_password: "{{ keycloak_quarkus_admin_pass }}"
    keycloak_clients:
      - name: "Public Client"
        realm: "{{ keycloak_realm }}"
        client_id: Client-public
        public_client: True
        web_origins: '+'
        root_url: "https://{{ keycloak_public_fqhn }}"
        base_url: /
        redirect_uris:
          - "https://{{ keycloak_public_fqhn }}/*"
        attributes:
          post.logout.redirect.uris: "{{ keycloak_logout_uri }}"

[Where keycloak_logout_uri could be '+' to allow all valid redirect uris, or a specific value '/public/logout', or multiple values (since it is a list in the admin UI) as '/somewhere/logout1##/somewhereElse/logout2' — yes, really, separated by two # 😺 ]

EXPECTED RESULTS

That the Valid post logout redirect URIs would have been set in this realm's client.

ACTUAL RESULTS

The attributes weren't set at all, as the attributes aren't passed down. The problem can be fixed simply with:

diff --git a/roles/keycloak_realm/tasks/main.yml b/roles/keycloak_realm/tasks/main.yml
index 9233080..c137270 100644
--- a/roles/keycloak_realm/tasks/main.yml
+++ b/roles/keycloak_realm/tasks/main.yml
@@ -90,6 +90,7 @@
     service_accounts_enabled: "{{ item.service_accounts_enabled | default(omit) }}"
     public_client: "{{ item.public_client | default(False) }}"
     protocol: "{{ item.protocol | default(omit) }}"
+    attributes: "{{ item.attributes | default(omit) }}"
     state: present
   no_log: "{{ keycloak_no_log | default('True') }}"
   register: create_client_result
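Review bot: nothing in this hunk documents `attributes` as an accepted key on `keycloak_clients` entries, so the fix is invisible to users reading the role's docs; please add it to the role's documentation next to `public_client` and `protocol`, stating that the dict is forwarded to keycloak_client verbatim (so a value like post.logout.redirect.uris must already be the single string Keycloak expects, with several URIs joined by `##`). The `default(omit)` form matches the neighbouring options, which is right. One testing caveat from the surrounding context lines: the task keeps `no_log: "{{ keycloak_no_log | default('True') }}"`, so a rejected attribute key or value will fail with the module's arguments and response masked; when verifying this change, run once with keycloak_no_log set to false to see what keycloak_client actually received.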

Thanks for the detailed reporting! Will be taken care of in 1.2.1

I can confirm that release 1.2.1 resolves this issue. Thanks @guidograzioli !
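The attribute format described in the report (one string, '+' meaning "reuse the client's valid redirect URIs", several URIs separated by '##') is easy to get subtly wrong, and the bug itself was a silent one: the role reported success while the attributes never reached Keycloak. The Python below is an added example, not code from the ansible-middleware/keycloak collection or from the issue author. It builds and parses the post.logout.redirect.uris value, flags entries that widen the post-logout redirect surface (the heuristics are this example's own assumptions, not Keycloak's validation rules), and compares the attributes you asked for against a client representation as the Keycloak admin REST API would return it. The client representation is a constructed sample, not a real capture.

```python
"""Helpers around the Keycloak client attribute ``post.logout.redirect.uris``.

Added example; not part of the ansible-middleware/keycloak collection.
Assumed format (as described in the issue): one string, multiple URIs joined
by ``##``, and ``+`` meaning "all of the client's valid redirect URIs".
"""
from urllib.parse import urlsplit

SEPARATOR = "##"
ATTR = "post.logout.redirect.uris"


def encode_post_logout_uris(uris):
    """Join a list of post-logout redirect URIs into the single attribute string.

    Rejects empty entries, entries that contain the separator (they would be
    split into two URIs on the server side) and mixing '+' with explicit URIs.
    """
    if not uris:
        raise ValueError("at least one post-logout redirect URI is required")
    cleaned = []
    for uri in uris:
        uri = uri.strip()
        if not uri:
            raise ValueError("empty post-logout redirect URI")
        if SEPARATOR in uri:
            raise ValueError(f"{uri!r} contains the separator {SEPARATOR!r}")
        cleaned.append(uri)
    if "+" in cleaned and len(cleaned) > 1:
        raise ValueError("'+' already means all valid redirect URIs; do not mix it with explicit URIs")
    return SEPARATOR.join(cleaned)


def decode_post_logout_uris(value):
    """Split the attribute string back into a list of URIs (empty parts dropped)."""
    return [part for part in value.split(SEPARATOR) if part]


def audit_redirect_uris(uris):
    """Return warnings for entries that widen where a user can be sent after logout.

    Heuristics (assumptions of this example, not Keycloak's own checks):
    * '+' inherits the whole valid-redirect-URI list, so it is only as tight as that list;
    * '*' alone, or a wildcard in the scheme/host part, matches attacker-chosen origins;
    * plain http:// anywhere but localhost exposes the redirect to on-path tampering.
    """
    warnings = []
    for uri in uris:
        if uri == "+":
            warnings.append("'+' mirrors redirect_uris; review that list with the same care")
            continue
        if uri == "*":
            warnings.append("'*' allows a redirect to any URL after logout")
            continue
        parts = urlsplit(uri)
        if "*" in parts.scheme or "*" in parts.netloc:
            warnings.append(f"{uri}: wildcard in scheme or host")
        if parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1"):
            warnings.append(f"{uri}: plain http outside localhost")
    return warnings


def verify_client_attributes(desired, client_rep):
    """Compare desired attributes with those in a client representation.

    Returns {attribute: (wanted, actual)} for every attribute that is missing
    or differs; an empty dict means the attributes really were applied. This is
    the check the report lacked: the play succeeded while nothing was set.
    """
    actual = client_rep.get("attributes") or {}
    return {name: (want, actual.get(name))
            for name, want in desired.items() if actual.get(name) != want}


# Constructed sample shaped like the admin API's client representation, as it
# would look with the role silently dropping the attributes (the reported bug).
CLIENT_BEFORE_FIX = {
    "clientId": "Client-public",
    "publicClient": True,
    "rootUrl": "https://sso.example.test",          # hypothetical host
    "redirectUris": ["https://sso.example.test/*"],
    "webOrigins": ["+"],
    "attributes": {},
}

if __name__ == "__main__":
    wanted = {ATTR: encode_post_logout_uris(["/somewhere/logout1", "/somewhereElse/logout2"])}
    print("attribute value:", wanted[ATTR])
    print("missing on server:", verify_client_attributes(wanted, CLIENT_BEFORE_FIX))
    for w in audit_redirect_uris(["+", "https://*.example.test/logout", "http://intranet/cb"]):
        print("warning:", w)
```

After the 1.2.1 fix, the natural place for verify_client_attributes is a follow-up task that fetches the client with the admin API and compares it with the attributes you passed; the role's own `create_client_result` only tells you the module ran, not that every attribute landed.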