keycloak · mrparkers · Jul 6, 2020 · May 13, 2020 · May 13, 2020 · May 13, 2020
diff --git a/example/main.tf b/example/main.tf
@@ -567,6 +567,11 @@ resource keycloak_attribute_importer_identity_provider_mapper oidc {
   claim_name              = "upn"
   identity_provider_alias = keycloak_oidc_identity_provider.oidc.alias
   user_attribute          = "email"
+
+  #KC10 support
+  extra_config = {
+    syncMode = "INHERIT"    
+  }
 }
 
 resource keycloak_attribute_to_role_identity_provider_mapper oidc {
@@ -576,20 +581,35 @@ resource keycloak_attribute_to_role_identity_provider_mapper oidc {
   identity_provider_alias = keycloak_oidc_identity_provider.oidc.alias
   claim_value             = "value"
   role                    = "testRole"
+
+  #KC10 support
+  extra_config = {
+    syncMode = "INHERIT"    
+  }  
 }
 
 resource keycloak_user_template_importer_identity_provider_mapper oidc {
   realm                   = keycloak_realm.test.id
   name                    = "userTemplate"
   identity_provider_alias = keycloak_oidc_identity_provider.oidc.alias
   template                = "$${ALIAS}/$${CLAIM.upn}"
+
+  #KC10 support
+  extra_config = {
+    syncMode = "INHERIT"    
+  }  
 }
 
 resource keycloak_hardcoded_role_identity_provider_mapper oidc {
   realm                   = keycloak_realm.test.id
   name                    = "hardcodedRole"
   identity_provider_alias = keycloak_oidc_identity_provider.oidc.alias
   role                    = "testrole"
+
+  #KC10 support
+  extra_config = {
+    syncMode = "INHERIT"    
+  }  
 }
 
 resource keycloak_hardcoded_attribute_identity_provider_mapper oidc {
@@ -599,6 +619,11 @@ resource keycloak_hardcoded_attribute_identity_provider_mapper oidc {
   attribute_name          = "attribute"
   attribute_value         = "value"
   user_session            = true
+
+  #KC10 support
+  extra_config = {
+    syncMode = "INHERIT"    
+  }  
 }
 
 resource keycloak_saml_identity_provider saml {
@@ -613,6 +638,11 @@ resource keycloak_attribute_importer_identity_provider_mapper saml {
   attribute_name          = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
   identity_provider_alias = keycloak_saml_identity_provider.saml.alias
   user_attribute          = "email"
+
+  #KC10 support
+  extra_config = {
+    syncMode = "INHERIT"    
+  }
 }
 
 resource keycloak_attribute_to_role_identity_provider_mapper saml {
@@ -622,20 +652,35 @@ resource keycloak_attribute_to_role_identity_provider_mapper saml {
   identity_provider_alias = keycloak_saml_identity_provider.saml.alias
   attribute_value         = "value"
   role                    = "testRole"
+
+  #KC10 support
+  extra_config = {
+    syncMode = "INHERIT"    
+  }
 }
 
 resource keycloak_user_template_importer_identity_provider_mapper saml {
   realm                   = keycloak_realm.test.id
   name                    = "userTemplate"
   identity_provider_alias = keycloak_saml_identity_provider.saml.alias
   template                = "$${ALIAS}/$${NAMEID}"
+
+  #KC10 support
+  extra_config = {
+    syncMode = "INHERIT"    
+  }  
 }
 
 resource keycloak_hardcoded_role_identity_provider_mapper saml {
   realm                   = keycloak_realm.test.id
   name                    = "hardcodedRole"
   identity_provider_alias = keycloak_saml_identity_provider.saml.alias
   role                    = "testrole"
+
+  #KC10 support
+  extra_config = {
+    syncMode = "INHERIT"    
+  }  
 }
 
 resource keycloak_hardcoded_attribute_identity_provider_mapper saml {
@@ -645,6 +690,11 @@ resource keycloak_hardcoded_attribute_identity_provider_mapper saml {
   attribute_name          = "attribute"
   attribute_value         = "value"
   user_session            = false
+
+  #KC10 support
+  extra_config = {
+    syncMode = "INHERIT"    
+  }  
 }
 
 data "keycloak_openid_client" "broker" {

diff --git a/example/roles.tf b/example/roles.tf
@@ -160,6 +160,44 @@ resource "keycloak_generic_client_role_mapper" "pet_app_pet_api_admin_role_mappi
   role_id   = keycloak_role.pet_api_admin.id
 }
 
+// Realm roles
+
+resource "keycloak_role" "realm_reader" {  
+  realm_id  = keycloak_realm.roles_example.id
+  name        = "realm_reader"
+  description = "Reader realm role"
+}
+
+resource "keycloak_role" "realm_writer" {
+  realm_id  = keycloak_realm.roles_example.id
+  name        = "realm_writer"
+  description = "Writer realm role"
+}
+
+resource "keycloak_role" "realm_admin" {
+  realm_id  = keycloak_realm.roles_example.id
+  name        = "realm_admin"
+  description = "Admin realm composite role"
+  composite_roles = [
+    keycloak_role.realm_reader.id,
+    keycloak_role.realm_writer.id
+  ]
+}
+
+// Client scope for realm roles mapping 
+
+resource "keycloak_openid_client_scope" "petstore_api_access_scope" {
+  realm_id  = keycloak_realm.roles_example.id
+  name        = "petstore-api-access"
+  description = "Optional scope offering additional information for petstore api access"
+}
+
+resource "keycloak_generic_client_role_mapper" "petstore_api_access_scope_admin" {
+    realm_id  = keycloak_realm.roles_example.id
+    client_scope_id =  keycloak_openid_client_scope.petstore_api_access_scope.id
+    role_id         = keycloak_role.realm_admin.id
+}
+
 // Users and groups
 
 resource "keycloak_group" "pet_api_base" {

diff --git a/keycloak/identity_provider_mapper.go b/keycloak/identity_provider_mapper.go
@@ -1,20 +1,25 @@
 package keycloak
 
 import (
+	"encoding/json"
 	"fmt"
 	"log"
+	"reflect"
+	"strconv"
+	"strings"
 )
 
 type IdentityProviderMapperConfig struct {
-	UserAttribute         string `json:"user.attribute,omitempty"`
-	Claim                 string `json:"claim,omitempty"`
-	ClaimValue            string `json:"claim.value,omitempty"`
-	HardcodedAttribute    string `json:"attribute,omitempty"`
-	Attribute             string `json:"attribute.name,omitempty"`
-	AttributeValue        string `json:"attribute.value,omitempty"`
-	AttributeFriendlyName string `json:"attribute.friendly.name,omitempty"`
-	Template              string `json:"template,omitempty"`
-	Role                  string `json:"role,omitempty"`
+	UserAttribute         string                 `json:"user.attribute,omitempty"`
+	Claim                 string                 `json:"claim,omitempty"`
+	ClaimValue            string                 `json:"claim.value,omitempty"`
+	HardcodedAttribute    string                 `json:"attribute,omitempty"`
+	Attribute             string                 `json:"attribute.name,omitempty"`
+	AttributeValue        string                 `json:"attribute.value,omitempty"`
+	AttributeFriendlyName string                 `json:"attribute.friendly.name,omitempty"`
+	Template              string                 `json:"template,omitempty"`
+	Role                  string                 `json:"role,omitempty"`
+	ExtraConfig           map[string]interface{} `json:"-"`
 }
 
 type IdentityProviderMapper struct {
@@ -59,3 +64,57 @@ func (keycloakClient *KeycloakClient) UpdateIdentityProviderMapper(identityProvi
 func (keycloakClient *KeycloakClient) DeleteIdentityProviderMapper(realm, alias, id string) error {
 	return keycloakClient.delete(fmt.Sprintf("/realms/%s/identity-provider/instances/%s/mappers/%s", realm, alias, id), nil)
 }
+
+func (f *IdentityProviderMapperConfig) UnmarshalJSON(data []byte) error {
+	f.ExtraConfig = map[string]interface{}{}
+	err := json.Unmarshal(data, &f.ExtraConfig)
+	if err != nil {
+		return err
+	}
+	v := reflect.ValueOf(f).Elem()
+	for i := 0; i < v.NumField(); i++ {
+		structField := v.Type().Field(i)
+		jsonKey := strings.Split(structField.Tag.Get("json"), ",")[0]
+		if jsonKey != "-" {
+			value, ok := f.ExtraConfig[jsonKey]
+			if ok {
+				field := v.FieldByName(structField.Name)
+				if field.IsValid() && field.CanSet() {
+					if field.Kind() == reflect.String {
+						field.SetString(value.(string))
+					} else if field.Kind() == reflect.Bool {
+						boolVal, err := strconv.ParseBool(value.(string))
+						if err == nil {
+							field.Set(reflect.ValueOf(KeycloakBoolQuoted(boolVal)))
+						}
+					}
+					delete(f.ExtraConfig, jsonKey)
+				}
+			}
+		}
+	}
+	return nil
+}
+
+func (f *IdentityProviderMapperConfig) MarshalJSON() ([]byte, error) {
+	out := map[string]interface{}{}
+
+	for k, v := range f.ExtraConfig {
+		out[k] = v
+	}
+	v := reflect.ValueOf(f).Elem()
+	for i := 0; i < v.NumField(); i++ {
+		jsonKey := strings.Split(v.Type().Field(i).Tag.Get("json"), ",")[0]
+		if jsonKey != "-" {
+			field := v.Field(i)
+			if field.IsValid() && field.CanSet() {
+				if field.Kind() == reflect.String {
+					out[jsonKey] = field.String()
+				} else if field.Kind() == reflect.Bool {
+					out[jsonKey] = KeycloakBoolQuoted(field.Bool())
+				}
+			}
+		}
+	}
+	return json.Marshal(out)
+}
diff --git a/keycloak/role_scope_mapping.go b/keycloak/role_scope_mapping.go
@@ -5,10 +5,19 @@ import (
 )
 
 func roleScopeMappingUrl(realmId, clientId string, clientScopeId string, role *Role) string {
+
 	if clientId != "" {
-		return fmt.Sprintf("/realms/%s/clients/%s/scope-mappings/clients/%s", realmId, clientId, role.ClientId)
-	} else {
+		if role.ClientRole {
+			return fmt.Sprintf("/realms/%s/clients/%s/scope-mappings/clients/%s", realmId, clientId, role.ClientId)
+		} else {
+			return fmt.Sprintf("/realms/%s/clients/%s/scope-mappings/realm", realmId, clientId)
+		}
+	}
+
+	if role.ClientRole {
 		return fmt.Sprintf("/realms/%s/client-scopes/%s/scope-mappings/clients/%s", realmId, clientScopeId, role.ClientId)
+	} else {
+		return fmt.Sprintf("/realms/%s/client-scopes/%s/scope-mappings/realm", realmId, clientScopeId)
 	}
 }
 

diff --git a/provider/generic_keycloak_identity_provider_mapper.go b/provider/generic_keycloak_identity_provider_mapper.go
@@ -2,9 +2,10 @@ package provider
 
 import (
 	"fmt"
+	"strings"
+
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 	"github.com/mrparkers/terraform-provider-keycloak/keycloak"
-	"strings"
 )
 
 type identityProviderMapperDataGetterFunc func(data *schema.ResourceData, meta interface{}) (*keycloak.IdentityProviderMapper, error)
@@ -35,6 +36,10 @@ func resourceKeycloakIdentityProviderMapper() *schema.Resource {
 				ForceNew:    true,
 				Description: "IDP Alias",
 			},
+			"extra_config": {
+				Type:     schema.TypeMap,
+				Optional: true,
+			},
 		},
 	}
 }

diff --git a/provider/resource_keycloak_attribute_importer_identity_provider_mapper.go b/provider/resource_keycloak_attribute_importer_identity_provider_mapper.go
@@ -2,6 +2,7 @@ package provider
 
 import (
 	"fmt"
+
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 	"github.com/mrparkers/terraform-provider-keycloak/keycloak"
 )
@@ -42,13 +43,20 @@ func resourceKeycloakAttributeImporterIdentityProviderMapper() *schema.Resource
 func getAttributeImporterIdentityProviderMapperFromData(data *schema.ResourceData, meta interface{}) (*keycloak.IdentityProviderMapper, error) {
 	keycloakClient := meta.(*keycloak.KeycloakClient)
 	rec, _ := getIdentityProviderMapperFromData(data)
+	extraConfig := map[string]interface{}{}
+	if v, ok := data.GetOk("extra_config"); ok {
+		for key, value := range v.(map[string]interface{}) {
+			extraConfig[key] = value
+		}
+	}
 	identityProvider, err := keycloakClient.GetIdentityProvider(rec.Realm, rec.IdentityProviderAlias)
 	if err != nil {
 		return nil, handleNotFoundError(err, data)
 	}
 	rec.IdentityProviderMapper = fmt.Sprintf("%s-user-attribute-idp-mapper", identityProvider.ProviderId)
 	rec.Config = &keycloak.IdentityProviderMapperConfig{
 		UserAttribute: data.Get("user_attribute").(string),
+		ExtraConfig:   extraConfig,
 	}
 	if identityProvider.ProviderId == "saml" {
 		if attr, ok := data.GetOk("attribute_friendly_name"); ok {
@@ -75,5 +83,6 @@ func setAttributeImporterIdentityProviderMapperData(data *schema.ResourceData, i
 	data.Set("user_attribute", identityProviderMapper.Config.UserAttribute)
 	data.Set("attribute_friendly_name", identityProviderMapper.Config.AttributeFriendlyName)
 	data.Set("claim_name", identityProviderMapper.Config.Claim)
+	data.Set("extra_config", identityProviderMapper.Config.ExtraConfig)
 	return nil
 }