keycloak_identity_provider: unusable in it's current state

[schewara]

Summary

Dear Maintainers

After trying to get the keycloak_identity_provider module to work with a current (Quarkus) Keycloak version I ran into the following issues which prevents us to use it in it's current state

1. defining clientSecret config parameter always results in a changed run
2. boolean config parameters are being returned as string and also keep changing on every run
3. there is no way to manually configure not yet supported parameters, as the whole Identity provider is completely re-written and all manual changes in the UI disappear after the task was run.
4. The Keycloak API version referenced in the Docs (15.0) is already End of Life since 2021-12 and the Link is also broken.

To keep up with the fast release cycles and the short support periods, maybe one of the following approaches could help to make the module work again with newer versions.

Which could be either

• to only define the IdentityProviderRepresentation but don't check explicitly for the content of the config dictionary and have the API fail on invalid entries, or
• keep manually and unsupported settings in place and only override/update the settings defined by the task.

Given that the API Docs also don't provide a list of supported config entries, the first option seems at least to me the currently preferred option, as it would allow greater flexibility on the config management side of things, without having to keep track of temporary UI changes until the collection supports the latest features of a new version.

This would then also solve

• keycloak_identity_provider: new config values for essential claim verification #8204 and
• config.gui_order parameter doesn't work in keycloak_identity_provider module #6614

as well.

Issue Type

Bug Report

Component Name

keycloak_identity_provider

Ansible Version

$ ansible --version
ansible [core 2.16.6]
  python version = 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0] (~/.local/share/virtualenvs/project-P0UBDDPJ/bin/python)
  jinja version = 3.1.3
  libyaml = True

Community.general Version

$ ansible-galaxy collection list community.general
Collection        Version
----------------- -------
community.general 8.6.0  

Configuration

N/A

OS / Environment

Keycloak 24.0.3

Steps to Reproduce

Setting any of the config parameters below will trigger permanent change:

- name: Setup Identity provider
  community.general.keycloak_identity_provider:
    config:
      clientSecret: "testsecret"
      backchannelSupported: true
      hide_on_login_page: false
      useJwksUrl: true
      validateSignature: true

Expected Results

no changes

Actual Results

changed: [server] => changed=true 
  diff: {}
  end_state:
    addReadTokenRoleOnCreate: false
    alias: alias
    authenticateByDefault: false
    clientSecret: '**********'
    config:
      authorizationUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/auth
      backchannelSupported: 'true'
      clientAuthMethod: client_secret_post
      clientId: client
      clientSecret: '**********'
      defaultScope: openid
      hide_on_login_page: 'false'
      issuer: https://sso.srv.tld/realms/myrealm
      jwksUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/certs
      syncMode: FORCE
      tokenUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/token
      useJwksUrl: 'true'
      userInfoUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/userinfo
      validateSignature: 'true'
    displayName: My SSO
    enabled: true
    internalId: <UUID>
    linkOnly: false
    mappers: []
    providerId: oidc
    storeToken: false
    trustEmail: true
    updateProfileFirstLoginMode: 'on'
  existing:
    addReadTokenRoleOnCreate: false
    alias: mysso
    authenticateByDefault: false
    clientSecret: '**********'
    config:
      authorizationUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/auth
      backchannelSupported: 'true'
      clientAuthMethod: client_secret_post
      clientId: client
      clientSecret: '**********'
      defaultScope: openid
      hide_on_login_page: 'false'
      issuer: https://sso.srv.tld/realms/myrealm
      jwksUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/certs
      syncMode: FORCE
      tokenUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/token
      useJwksUrl: 'true'
      userInfoUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/userinfo
      validateSignature: 'true'
    displayName: My SSO
    enabled: true
    internalId: <UUID>
    linkOnly: false
    mappers: []
    providerId: oidc
    storeToken: false
    trustEmail: true
    updateProfileFirstLoginMode: 'on'
  invocation:
    module_args:
      add_read_token_role_on_create: null
      alias: mysso
      auth_client_id: admin-cli
      auth_client_secret: null
      auth_keycloak_url: https://broker.srv.tld
      auth_password: VALUE_SPECIFIED_IN_NO_LOG_PARAMETER
      auth_realm: master
      auth_username: myusername
      authenticate_by_default: null
      config:
        authorizationUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/auth
        backchannelSupported: true
        clientAuthMethod: client_secret_post
        clientId: client
        clientSecret: secret
        defaultScope: openid
        hide_on_login_page: false
        issuer: https://sso.srv.tld/realms/myrealm
        jwksUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/certs
        syncMode: FORCE
        tokenUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/token
        useJwksUrl: true
        userInfoUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/userinfo
        validateSignature: true
      connection_timeout: 10
      display_name: My SSO
      enabled: null
      first_broker_login_flow_alias: null
      http_agent: Ansible
      link_only: null
      mappers: null
      post_broker_login_flow_alias: null
      provider_id: oidc
      realm: met-admin
      state: present
      store_token: null
      token: null
      trust_email: true
      validate_certs: true
  msg: Identity provider mysso has been updated
  proposed:
    clientSecret: '**********'
    config:
      authorizationUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/auth
      backchannelSupported: true
      clientAuthMethod: client_secret_post
      clientId: client
      clientSecret: secret
      defaultScope: openid
      hide_on_login_page: false
      issuer: https://sso.srv.tld/realms/myrealm
      jwksUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/certs
      syncMode: FORCE
      tokenUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/token
      useJwksUrl: true
      userInfoUrl: https://sso.srv.tld/realms/myrealm/protocol/openid-connect/userinfo
      validateSignature: true

Code of Conduct

• I agree to follow the Ansible Code of Conduct

[ansibullbot]

Files identified in the description:

• plugins/modules/keycloak_identity_provider.py

If these files are incorrect, please update the component name section of the description or use the !component bot command.

click here for bot help

[ansibullbot]

cc @eikef @laurpaum @mattock @ndclt
click here for bot help

[fgruenbauer]

Hey

i'm working on the keycloak user federation module at the moment and some of the issues i encountered there are similar. I am fairly new to ansible and the keycloak modules though.

1. the kc API returns ********** for (probably all) secrets. So when we compare the before state with the desired state we always get changed = true, because we always compare ********** with the actual secret. Dont know what the best solution is here. If we just ignore the secret, changes to it are obviously not detected, so it is only updated if there are other changes. We could just always send the desired config when updating, then we could safely ignore the secret when diffing or checking for changes.
2. The API seems to return string values for all idp specific parameters. So as a quickfix, putting those parameters in quotes should work.
3. As far as i understand: the module sends the idp specific config only with the parameters that are defined in the module config (the module has no defaults for the idp specific config parameter), so kc removes all parameters that are not present in this config, e.g. the ones only manually created in the UI. idp specific configs are not specified in the module, so you should be able to put anything in there though. What parameters did not work for you?

[felixfontein]

1. the kc API returns ********** for (probably all) secrets. So when we compare the before state with the desired state we always get changed = true, because we always compare ********** with the actual secret. Dont know what the best solution is here. If we just ignore the secret, changes to it are obviously not detected, so it is only updated if there are other changes. We could just always send the desired config when updating, then we could safely ignore the secret when diffing or checking for changes.

Generally the best solution for that is to make the behavior configurable, so that the user can decide which trade-off they prefer (too many API calls and changed status for something that didn't change, or no API call for data that might actually have changed) - assuming there is no way to detect changes of these secrets somehow.

I'm curious, did Keycloak's behavior here change over time? (In case anyone knows...)

[ansibullbot]

cc @thomasbach-dev
click here for bot help

[fgruenbauer]

I did some more digging. Seems like the secrets are only sometimes redacted. The cleartext clientSecrets for IDPs for example are included in the data when fetching the full realm info (http://localhost:8080/admin/realms/{realm}). So we should be able to get the secret from there. I will try to create a PR draft for it.