fix: use consistent config / extra_config across identity providers #523

Merged
merged 4 commits into from
May 3, 2021
7 changes: 5 additions & 2 deletions docs/resources/oidc_google_identity_provider.md
Expand Up @@ -22,9 +22,10 @@ resource "keycloak_oidc_google_identity_provider" "google" {
client_secret = var.google_identity_provider_client_secret
trust_email = true
hosted_domain = "example.com"
sync_mode = "IMPORT"

extra_config = {
"syncMode" = "IMPORT"
"myCustomConfigKey" = "myValue"
}
I would still give an example of extra config:

  extra_config = {
    "myCustomConfigKey" = "myValue"
  }

}
```
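Review bot: missing upgrade guidance in this example hunk. The removed `"syncMode" = "IMPORT"` inside `extra_config` and the new top-level `sync_mode = "IMPORT"` show exactly the migration existing users have to make, but nothing here says what the provider does with a configuration that still carries `syncMode` (or `guiOrder`) in `extra_config` after upgrading: error, silently ignored, or overriding the top-level value. Add a sentence next to the example along the lines of "`syncMode` and `guiOrder` are now first-class attributes; remove them from `extra_config`", so that a setting never has two sources of truth.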
Expand All @@ -49,7 +50,9 @@ resource "keycloak_oidc_google_identity_provider" "google" {
- `accepts_prompt_none_forward_from_client` - (Optional) When `true`, unauthenticated requests with `prompt=none` will be forwarded to Google instead of returning an error. Defaults to `false`.
- `disable_user_info` - (Optional) When `true`, disables the usage of the user info service to obtain additional user information. Defaults to `false`.
- `hide_on_login_page` - (Optional) When `true`, this identity provider will be hidden on the login page. Defaults to `false`.
- `extra_config` - (Optional) A map of key/value pairs to add extra configuration to this identity provider. This can be used for custom oidc provider implementations, or to add configuration that is not yet supported by this Terraform provider.
- `sync_mode` - (Optional) The default sync mode to use for all mappers attached to this identity provider. Can be once of `IMPORT`, `FORCE`, or `LEGACY`.
- `gui_order` - (Optional) A number defining the order of this identity provider in the GUI.
- `extra_config` - (Optional) A map of key/value pairs to add extra configuration to this identity provider. This can be used for custom oidc provider implementations, or to add configuration that is not yet supported by this Terraform provider. Use this attribute at your own risk, as custom attributes may conflict with top-level configuration attributes in future provider updates.

## Attribute Reference
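Review bot: typo in the new `sync_mode` bullet: "Can be once of" should read "Can be one of". The bullet also lists `IMPORT`, `FORCE` and `LEGACY` without saying how they differ; a one-line gloss per value, or a link to the Keycloak identity-broker documentation, would let readers choose a mode without opening the admin console.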

4 changes: 3 additions & 1 deletion docs/resources/oidc_identity_provider.md
Expand Up @@ -58,7 +58,9 @@ resource "keycloak_oidc_identity_provider" "realm_identity_provider" {
- `ui_locales` - (Optional) Pass current locale to identity provider. Defaults to `false`.
- `accepts_prompt_none_forward_from_client` (Optional) When `true`, the IDP will accept forwarded authentication requests that contain the `prompt=none` query parameter. Defaults to `false`.
- `default_scopes` - (Optional) The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to `openid`.
- `extra_config` - (Optional) A map of key/value pairs to add extra configuration to this identity provider. This can be used for custom oidc provider implementations, or to add configuration that is not yet supported by this Terraform provider.
- `sync_mode` - (Optional) The default sync mode to use for all mappers attached to this identity provider. Can be once of `IMPORT`, `FORCE`, or `LEGACY`.
- `gui_order` - (Optional) A number defining the order of this identity provider in the GUI.
- `extra_config` - (Optional) A map of key/value pairs to add extra configuration to this identity provider. This can be used for custom oidc provider implementations, or to add configuration that is not yet supported by this Terraform provider. Use this attribute at your own risk, as custom attributes may conflict with top-level configuration attributes in future provider updates.
- `clientAuthMethod` (Optional) The client authentication method. Since Keycloak 8, this is a required attribute if OIDC provider is created using the Keycloak GUI. It accepts the values `client_secret_post` (Client secret sent as post), `client_secret_basic` (Client secret sent as basic auth), `client_secret_jwt` (Client secret as jwt) and `private_key_jwt ` (JTW signed with private key)

## Attribute Reference
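Review bot: the same "Can be once of" typo appears in this copy of the `sync_mode` bullet; the three docs files repeat the wording verbatim, so fix all three together. Not introduced by this change, but since the list is being edited: the `clientAuthMethod` line above uses a camelCase name while every other attribute is snake_case, has a stray trailing space inside `private_key_jwt `, and misspells JWT as "JTW".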
3 changes: 3 additions & 0 deletions docs/resources/saml_identity_provider.md
Expand Up @@ -63,6 +63,9 @@ resource "keycloak_saml_identity_provider" "realm_saml_identity_provider" {
- `signing_certificate` - (Optional) Signing Certificate.
- `signature_algorithm` - (Optional) Signing Algorithm. Defaults to empty.
- `xml_sign_key_info_key_name_transformer` - (Optional) Sign Key Transformer. Defaults to empty.
- `sync_mode` - (Optional) The default sync mode to use for all mappers attached to this identity provider. Can be once of `IMPORT`, `FORCE`, or `LEGACY`.
- `gui_order` - (Optional) A number defining the order of this identity provider in the GUI.
- `extra_config` - (Optional) A map of key/value pairs to add extra configuration to this identity provider. This can be used for custom oidc provider implementations, or to add configuration that is not yet supported by this Terraform provider. Use this attribute at your own risk, as custom attributes may conflict with top-level configuration attributes in future provider updates.

## Import
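Review bot: copy-paste wording in the new `extra_config` bullet: "custom oidc provider implementations" does not apply to `keycloak_saml_identity_provider`. Suggest "custom identity provider implementations" here, and the same "Can be once of" typo needs fixing in the `sync_mode` bullet.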

131 changes: 71 additions & 60 deletions example/main.tf
Expand Up @@ -8,9 +8,9 @@ terraform {
}

provider "keycloak" {
client_id = "terraform"
client_secret = "884e0f95-0f42-4a63-9b1f-94274655669e"
url = "http://localhost:8080"
client_id = "terraform"
client_secret = "884e0f95-0f42-4a63-9b1f-94274655669e"
url = "http://localhost:8080"
additional_headers = {
foo = "bar"
}
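Review bot: this hunk is alignment-only churn in a fix PR, which makes the functional change to the identity-provider blocks further down harder to review; consider running `terraform fmt` in a separate commit. While the block is being touched: the provider `client_secret` is hard-coded in the example, whereas the Google example in the docs reads it from `var.google_identity_provider_client_secret`; the same pattern (or the provider's environment-variable configuration) would avoid teaching readers to commit secrets.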
Expand Down Expand Up @@ -76,20 +76,24 @@ resource "keycloak_realm" "test" {

ssl_required = "external"
password_policy = "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername"
attributes = {
attributes = {
mycustomAttribute = "myCustomValue"
}

web_authn_policy {
relying_party_entity_name = "Example"
relying_party_id = "keycloak.example.com"
signature_algorithms = ["ES256", "RS256"]
relying_party_id = "keycloak.example.com"
signature_algorithms = [
"ES256",
"RS256"]
}

web_authn_passwordless_policy {
relying_party_entity_name = "Example"
relying_party_id = "keycloak.example.com"
signature_algorithms = ["ES256", "RS256"]
relying_party_id = "keycloak.example.com"
signature_algorithms = [
"ES256",
"RS256"]
}
}
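Review bot: the new multi-line form of `signature_algorithms`, with the closing bracket fused onto the last element as `"RS256"]`, is not what `terraform fmt` produces and is less readable than the one-line `["ES256", "RS256"]` it replaces; this looks like an IDE auto-format. Revert these whitespace-only hunks (this one, the `group_ids` split and the realigned mapper and authentication blocks below) or run `terraform fmt` so the example stays in canonical style.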

Expand All @@ -111,10 +115,10 @@ resource "keycloak_required_action" "custom-configured_totp" {
}

resource "keycloak_required_action" "required_action" {
realm_id = keycloak_realm.test.realm
alias = "webauthn-register"
enabled = true
name = "Webauthn Register"
realm_id = keycloak_realm.test.realm
alias = "webauthn-register"
enabled = true
name = "Webauthn Register"
}

resource "keycloak_group" "foo" {
Expand Down Expand Up @@ -182,7 +186,8 @@ resource "keycloak_group" "baz" {

resource "keycloak_default_groups" "default" {
realm_id = keycloak_realm.test.id
group_ids = [keycloak_group.baz.id]
group_ids = [
keycloak_group.baz.id]
}

resource "keycloak_openid_client" "test_client" {
Expand Down Expand Up @@ -274,10 +279,10 @@ resource "keycloak_ldap_user_federation" "openldap" {
read_timeout = "10s"

kerberos {
server_principal = "HTTP/keycloak.local@FOO.LOCAL"
server_principal = "HTTP/keycloak.local@FOO.LOCAL"
use_kerberos_for_password_authentication = false
key_tab = "/etc/keycloak.keytab"
kerberos_realm = "FOO.LOCAL"
key_tab = "/etc/keycloak.keytab"
kerberos_realm = "FOO.LOCAL"
}

cache {
Expand Down Expand Up @@ -450,15 +455,15 @@ resource "keycloak_openid_user_client_role_protocol_mapper" "user_client_role_cl
realm_id = keycloak_realm.test.id
client_id = keycloak_openid_client.test_client.id

claim_name = "foo"
claim_name = "foo"
multivalued = false

client_id_for_role_mappings = keycloak_openid_client.bearer_only_client.client_id
client_role_prefix = "prefixValue"
client_id_for_role_mappings = keycloak_openid_client.bearer_only_client.client_id
client_role_prefix = "prefixValue"

add_to_id_token = true
add_to_access_token = false
add_to_userinfo = false
add_to_userinfo = false
}

resource "keycloak_openid_user_client_role_protocol_mapper" "user_client_role_client_scope" {
Expand All @@ -469,35 +474,35 @@ resource "keycloak_openid_user_client_role_protocol_mapper" "user_client_role_cl
claim_name = "foo"
multivalued = false

client_id_for_role_mappings = keycloak_openid_client.bearer_only_client.client_id
client_role_prefix = "prefixValue"
client_id_for_role_mappings = keycloak_openid_client.bearer_only_client.client_id
client_role_prefix = "prefixValue"

add_to_id_token = true
add_to_access_token = false
add_to_userinfo = false
add_to_userinfo = false
}

resource "keycloak_openid_user_session_note_protocol_mapper" "user_session_note_client" {
name = "tf-test-open-id-user-session-note-protocol-mapper-client"
realm_id = keycloak_realm.test.id
client_id = keycloak_openid_client.test_client.id
name = "tf-test-open-id-user-session-note-protocol-mapper-client"
realm_id = keycloak_realm.test.id
client_id = keycloak_openid_client.test_client.id

claim_name = "foo"
claim_value_type = "String"
session_note = "bar"
claim_name = "foo"
claim_value_type = "String"
session_note = "bar"

add_to_id_token = true
add_to_access_token = false
}

resource "keycloak_openid_user_session_note_protocol_mapper" "user_session_note_client_scope" {
name = "tf-test-open-id-user-session-note-protocol-mapper-client-scope"
realm_id = keycloak_realm.test.id
client_scope_id = keycloak_openid_client_scope.test_default_client_scope.id
name = "tf-test-open-id-user-session-note-protocol-mapper-client-scope"
realm_id = keycloak_realm.test.id
client_scope_id = keycloak_openid_client_scope.test_default_client_scope.id

claim_name = "foo2"
claim_value_type = "String"
session_note = "bar2"
claim_name = "foo2"
claim_value_type = "String"
session_note = "bar2"

add_to_id_token = true
add_to_access_token = false
Expand Down Expand Up @@ -586,6 +591,8 @@ resource keycloak_oidc_identity_provider oidc {
client_id = "example_id"
client_secret = "example_token"
default_scopes = "openid random profile"
sync_mode = "FORCE"
gui_order = 1
}

resource keycloak_oidc_google_identity_provider google {
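Review bot: the example now sets `sync_mode = "FORCE"` on this OIDC provider, and the Google and SAML blocks below do the same, while the docs example uses `IMPORT`. A short comment on why `FORCE` was chosen for the example would help, since readers copy this file and the mode decides how broker logins treat existing local user data. `gui_order = 1`, `2`, `3` across the three providers is a nice touch that shows the attribute's purpose.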
Expand All @@ -596,6 +603,8 @@ resource keycloak_oidc_google_identity_provider google {
request_refresh_token = true
default_scopes = "openid random profile"
accepts_prompt_none_forward_from_client = false
sync_mode = "FORCE"
gui_order = 2
}

//This example does not work in keycloak 10, because the interfaces that our customIdp implements, have changed in the keycloak latest version.
Expand Down Expand Up @@ -684,6 +693,8 @@ resource keycloak_saml_identity_provider saml {
alias = "saml"
entity_id = "https://example.com/entity_id"
single_sign_on_service_url = "https://example.com/auth"
sync_mode = "FORCE"
gui_order = 3
}

resource keycloak_attribute_importer_identity_provider_mapper saml {
Expand Down Expand Up @@ -852,61 +863,61 @@ resource "keycloak_openid_client_service_account_role" "read_token" {
}

resource "keycloak_authentication_flow" "browser-copy-flow" {
alias = "browserCopyFlow"
realm_id = keycloak_realm.test.id
alias = "browserCopyFlow"
realm_id = keycloak_realm.test.id
description = "browser based authentication"
}

resource "keycloak_authentication_execution" "browser-copy-cookie" {
realm_id = keycloak_realm.test.id
realm_id = keycloak_realm.test.id
parent_flow_alias = keycloak_authentication_flow.browser-copy-flow.alias
authenticator = "auth-cookie"
requirement = "ALTERNATIVE"
depends_on = [
authenticator = "auth-cookie"
requirement = "ALTERNATIVE"
depends_on = [
keycloak_authentication_execution.browser-copy-kerberos
]
}

resource "keycloak_authentication_execution" "browser-copy-kerberos" {
realm_id = keycloak_realm.test.id
realm_id = keycloak_realm.test.id
parent_flow_alias = keycloak_authentication_flow.browser-copy-flow.alias
authenticator = "auth-spnego"
requirement = "DISABLED"
authenticator = "auth-spnego"
requirement = "DISABLED"
}

resource "keycloak_authentication_execution" "browser-copy-idp-redirect" {
realm_id = keycloak_realm.test.id
realm_id = keycloak_realm.test.id
parent_flow_alias = keycloak_authentication_flow.browser-copy-flow.alias
authenticator = "identity-provider-redirector"
requirement = "ALTERNATIVE"
depends_on = [
authenticator = "identity-provider-redirector"
requirement = "ALTERNATIVE"
depends_on = [
keycloak_authentication_execution.browser-copy-cookie
]
}

resource "keycloak_authentication_subflow" "browser-copy-flow-forms" {
realm_id = keycloak_realm.test.id
realm_id = keycloak_realm.test.id
parent_flow_alias = keycloak_authentication_flow.browser-copy-flow.alias
alias = "browser-copy-flow-forms"
requirement = "ALTERNATIVE"
depends_on = [
alias = "browser-copy-flow-forms"
requirement = "ALTERNATIVE"
depends_on = [
keycloak_authentication_execution.browser-copy-idp-redirect
]
}

resource "keycloak_authentication_execution" "browser-copy-auth-username-password-form" {
realm_id = keycloak_realm.test.id
realm_id = keycloak_realm.test.id
parent_flow_alias = keycloak_authentication_subflow.browser-copy-flow-forms.alias
authenticator = "auth-username-password-form"
requirement = "REQUIRED"
authenticator = "auth-username-password-form"
requirement = "REQUIRED"
}

resource "keycloak_authentication_execution" "browser-copy-otp" {
realm_id = keycloak_realm.test.id
realm_id = keycloak_realm.test.id
parent_flow_alias = keycloak_authentication_subflow.browser-copy-flow-forms.alias
authenticator = "auth-otp-form"
requirement = "REQUIRED"
depends_on = [
authenticator = "auth-otp-form"
requirement = "REQUIRED"
depends_on = [
keycloak_authentication_execution.browser-copy-auth-username-password-form
]
}
Expand All @@ -915,7 +926,7 @@ resource "keycloak_authentication_execution_config" "config" {
realm_id = keycloak_realm.test.id
execution_id = keycloak_authentication_execution.browser-copy-idp-redirect.id
alias = "idp-XXX-config"
config = {
config = {
defaultProvider = "idp-XXX"
}
}
2 changes: 2 additions & 0 deletions go.mod
Expand Up @@ -2,8 +2,10 @@ module github.com/mrparkers/terraform-provider-keycloak

require (
github.com/hashicorp/errwrap v1.0.0
github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
github.com/hashicorp/go-version v1.2.0
github.com/hashicorp/terraform-plugin-sdk/v2 v2.0.2-0.20200817173939-b72757e734f6
github.com/imdario/mergo v0.3.12
golang.org/x/net v0.0.0-20200707034311-ab3426394381
)
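Review bot: two new direct dependencies, `github.com/hashicorp/go-cty` and `github.com/imdario/mergo`, with no explanation in the diff of what they are for (presumably merging the `config` and `extra_config` maps, per the PR title); the PR description should say so and justify pulling in a third-party merge library. The go.sum hunks add entries only for `mergo` and `yaml.v2`, so confirm `go mod tidy` and `go mod verify` were run and that `go-cty` was already present as an indirect requirement.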

4 changes: 4 additions & 0 deletions go.sum
Expand Up @@ -187,6 +187,8 @@ github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKe
github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d h1:kJCB4vdITiW1eC1vq2e6IsrXKrZit1bv/TDYFGMp4BQ=
github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
github.com/jhump/protoreflect v1.6.0 h1:h5jfMVslIg6l29nsMs0D8Wj17RDVdNYti0vDN/PZZoE=
github.com/jhump/protoreflect v1.6.0/go.mod h1:eaTn3RZAmMBcV0fifFvlm6VHNz3wSkYyXYWUh7ymB74=
github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8 h1:12VvqtR6Aowv3l/EQUlocDHW2Cp4G9WJVH7uyH8QFJE=
Expand Down Expand Up @@ -531,6 +533,8 @@ gopkg.in/cheggaaa/pb.v1 v1.0.27/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qS
gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=