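---
# Create-or-update one Keycloak client. "client" is the loop variable set by the
# caller, which also fetches keycloak_client_list and keycloak_token beforehand.
# Strategy: POST first and accept 409 as "already exists"; on 409 the matching
# entry of keycloak_client_list is PUT back with the desired fields merged in.
# validate_certs keeps its historical value (verification off) unless
# keycloak_validate_certs is set in the inventory.
- name: "Add Client {{ client.clientId }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/clients"
    method: POST
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
      - 201
      - 409  # Conflict - already exists
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body: "{{ client }}"
  register: keycloak_client_output

- name: "Update Client {{ client.clientId }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/clients/{{ item.id }}"
    method: PUT
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
      - 201
      - 204
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    # Shallow merge: keys present in "client" replace the server-side values, everything else is kept
    body: "{{ item | combine(client) }}"
  with_items: "{{ keycloak_client_list.json | selectattr('clientId', 'eq', client.clientId) }}"
  when:
    - keycloak_client_output.status == 409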
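---
# Map client roles onto a user. client_role is a dict2items entry
# (key = clientId, value = list of role names); keycloak_client_id and
# keycloak_current_user_id are supplied by the caller's vars.
# Role names in client_role.value that do not exist on the client are silently
# skipped by the selectattr below — nothing is created here.
- name: "Get list of Roles for Client: {{ client_role.key }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/clients/{{ keycloak_client_id }}/roles"
    method: GET
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: keycloak_client_roles

- name: "Add Roles {{ client_role.value }} from Client {{ client_role.key }} to User {{ user.username }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/users/{{ keycloak_current_user_id }}/role-mappings/clients/{{ keycloak_client_id }}"
    method: POST
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
      - 201
      - 204
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    # The role-mappings endpoint expects a list of role representations, one request per role
    body:
      - "{{ item }}"
  with_items: "{{ keycloak_client_roles.json | selectattr('name', 'in', client_role.value) | list() }}"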
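---
#### CLIENT SCOPES ####
# Create-or-update one client scope (client_scope loop var from the caller),
# then include the protocol mappers it lists. A 409 on the POST means the scope
# already exists, in which case the matching list entry is updated via PUT.
- name: "Add Client Scopes: {{ client_scope.name }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/client-scopes"
    method: POST
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
      - 201
      - 409  # Conflict - already exists
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body: "{{ client_scope }}"
  register: client_scope_output

- name: "Get list of current Client Scopes"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/client-scopes"
    method: GET
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: client_scope_list

- name: "Update Client Scopes: {{ client_scope.name }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/client-scopes/{{ item.id }}"
    method: PUT
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
      - 201
      - 204
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body: "{{ item | combine(client_scope) }}"
  with_items: "{{ client_scope_list.json | selectattr('name', 'eq', client_scope.name) }}"
  when:
    - client_scope_output.status == 409

#### PROTOCOL MAPPERS ####
- name: Add Protocol Mappers to Client Scope
  include_tasks: add_protocol_mapper.yml
  loop: "{{ client_scope.protocolMappers }}"
  loop_control:
    loop_var: protocol_mapper
  vars:
    # "[0]" errors out if the scope is missing from the list just fetched, which
    # fails the task instead of silently skipping the mappers — presumably intended
    keycloak_current_client_scope_id: "{{ (client_scope_list.json | selectattr('name', 'eq', client_scope.name))[0].id }}"
  when: client_scope.protocolMappers is defined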
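# Presumed start of add_event_listeners.yml (no document marker survived in the
# source, so none is added here). Re-fetches an admin token, reads the realm's
# events config and ensures "metrics-listener" is among its eventsListeners.
- name: Get Admin Token from Master Realm of Keycloak
  uri:
    url: "https://{{ ansible_host }}:{{ keycloak_admin_port }}/auth/realms/master/protocol/openid-connect/token"
    method: POST
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    body_format: form-urlencoded
    body:
      username: "{{ keycloak_admin_user_name }}"
      password: "{{ keycloak_dashboard_password }}"
      grant_type: password
      client_id: admin-cli
  register: keycloak_token
  # Request body carries the admin password and the registered result carries
  # the bearer token; keep both out of verbose/logged output.
  no_log: true

# All realms that are created should have this available
- name: "Get {{ realm.realm }} events config"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/events/config"
    method: GET
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
      - 404
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: realm_events_config

- name: "Add metrics-listener"
  set_fact:
    new_events_listeners:
      # Append and de-duplicate so re-runs do not grow the list
      eventsListeners: "{{ (realm_events_config.json.eventsListeners + ['metrics-listener']) | unique }}"
  when: realm_events_config.status != 404

- name: "Update {{ realm.realm }} events listeners"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/events/config"
    method: PUT
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
      - 201
      - 204
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body: "{{ realm_events_config.json | combine(new_events_listeners) }}"
  when: realm_events_config.status != 404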
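---
# Create-or-update one identity provider ("idp" loop var from the caller).
# Keys prefixed "acr_" are role-internal (they drive add_bbc_login_client.yml)
# and are stripped before the representation is sent to Keycloak.
- name: "Add Identity Provider {{ idp.alias }} to BBC Login using ACR"
  include_tasks: add_bbc_login_client.yml
  when: idp.acr_add_bbc_client | default(false) | bool

- name: Remove ACR-prefixed Key Values from IdP Dict for Keycloak API request
  set_fact:
    # Built from scratch for every IdP. The previous set_fact/with_dict
    # accumulation kept filtered_idp across loop iterations, so keys from an
    # earlier IdP (e.g. its displayName) leaked into later ones.
    filtered_idp: "{{ idp | dict2items | rejectattr('key', 'search', 'acr_') | items2dict }}"

- name: Add Client ID and Client Secret to IdP Dict
  set_fact:
    # keycloak_vault_client_id / keycloak_vault_client_secret are expected to be
    # set by add_bbc_login_client.yml (not visible here)
    filtered_idp: "{{ filtered_idp | combine({
      'config': {
        'clientId': keycloak_vault_client_id, 'clientSecret': keycloak_vault_client_secret
      }}, recursive=True
      ) }}"
  when: idp.acr_add_bbc_client | default(false) | bool

- name: "Add Identity Provider: {{ idp.alias }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/identity-provider/instances"
    method: POST
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
      - 201
      - 409  # Conflict - already exists
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body: "{{ filtered_idp }}"
  register: keycloak_idp_output

- name: "Update Identity Provider {{ idp.alias }}"
  uri:
    # Identity providers are addressed by alias rather than id
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/identity-provider/instances/{{ item.alias }}"
    method: PUT
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
      - 201
      - 204
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body: "{{ item | combine(filtered_idp) }}"
  with_items: "{{ keycloak_idp_list.json | selectattr('alias', 'eq', idp.alias) }}"
  when:
    - keycloak_idp_output.status == 409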
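---
# Create-or-update one identity-provider mapper ("idp_mapper" loop var).
# Unlike the other resources, Keycloak answers 400 (not 409) when a mapper with
# the same name already exists, so 400 is the signal to update instead.
- name: "Get IdP Mapper Info for {{ idp_mapper.identityProviderAlias }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/identity-provider/instances/{{ idp_mapper.identityProviderAlias }}/mappers"
    method: GET
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: keycloak_idp_mapper_list

- name: "Add IdP Mapper: {{ idp_mapper.name }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/identity-provider/instances/{{ idp_mapper.identityProviderAlias }}/mappers"
    method: POST
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
      - 201
      - 400  # Trying to add a mapper with the same name as a current one returns a 400
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body: "{{ idp_mapper }}"
  register: keycloak_idp_mapper_output

- name: "Update IdP Mapper: {{ idp_mapper.name }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/identity-provider/instances/{{ idp_mapper.identityProviderAlias }}/mappers/{{ item.id }}"
    method: PUT
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
      - 201
      - 204
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body: "{{ item | combine(idp_mapper) }}"
  with_items: "{{ keycloak_idp_mapper_list.json | selectattr('name', 'eq', idp_mapper.name) }}"
  when:
    # NOTE(review): any other 400 (e.g. a malformed representation) is also
    # accepted above and then treated as "exists"; the PUT will then run
    # against nothing if no mapper of that name is listed — confirm
    - keycloak_idp_mapper_output.status == 400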
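---
# Create-or-update one protocol mapper ("protocol_mapper" loop var) on the
# client scope identified by keycloak_current_client_scope_id (caller's vars).
- name: "Get list of Protocol Mappers for Client Scope: {{ client_scope.name }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/client-scopes/{{ keycloak_current_client_scope_id }}/protocol-mappers/models"
    method: GET
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: protocol_mapper_list

- name: "Add Protocol Mapper: {{ protocol_mapper.name }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/client-scopes/{{ keycloak_current_client_scope_id }}/protocol-mappers/models"
    method: POST
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
      - 201
      - 409  # Conflict - already exists
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body: "{{ protocol_mapper }}"
  register: protocol_mapper_output

- name: "Update Protocol Mapper: {{ protocol_mapper.name }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/client-scopes/{{ keycloak_current_client_scope_id }}/protocol-mappers/models/{{ item.id }}"
    method: PUT
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
      - 201
      - 204
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body: "{{ item | combine(protocol_mapper) }}"
  with_items: "{{ protocol_mapper_list.json | selectattr('name', 'eq', protocol_mapper.name) }}"
  when:
    - protocol_mapper_output.status == 409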
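---
# Configure one realm ("realm" loop var from the caller): create or update the
# top-level realm object, then fan out to the per-resource task files for
# client scopes, clients, identity providers, IdP mappers and users.
# Every uri task below sends the admin bearer token in its headers; with -vvv
# Ansible prints module arguments (including headers) for tasks without
# no_log, so avoid high verbosity against production instances.
- name: "Find out, if Realm {{ realm.realm }} for service Keycloak exists"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}"
    method: GET
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
      - 404
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: keycloak_realm_exists

- name: "Create Realm {{ realm.realm }}"
  uri:
    url: "{{ keycloak_base_url }}"
    method: POST
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
      - 201
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body:  # Adding entire realm object appeared to wipe away default client scopes
      realm: "{{ realm.realm }}"
      enabled: "{{ realm.enabled }}"
      ssoSessionIdleTimeout: "{{ realm.ssoSessionIdleTimeout | default(omit) }}"
  when: "keycloak_realm_exists.status == 404"

# NOTE: Updating a realm doesn't add additional resources (clients, IdP's, etc) - it just appears to update top-level information
- name: "Update Realm {{ realm.realm }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}"
    method: PUT
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
      - 201
      - 204
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body:
      realm: "{{ realm.realm }}"
      enabled: "{{ realm.enabled }}"
      ssoSessionIdleTimeout: "{{ realm.ssoSessionIdleTimeout | default(omit) }}"
  register: keycloak_realm_create  # name kept for compatibility; nothing on this page reads it
  when: "keycloak_realm_exists.status == 200"

#### CLIENT SCOPES ####
- name: Configure Client Scopes and Protocol Mappers
  include_tasks: add_client_scope.yml
  loop: "{{ realm.clientScopes }}"
  loop_control:
    loop_var: client_scope
  when: realm.clientScopes is defined

#### CLIENTS ####
- name: "Get list of current Clients"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/clients"
    method: GET
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: keycloak_client_list

- name: Configure each Client
  include_tasks: add_client.yml
  loop: "{{ realm.clients }}"
  loop_control:
    loop_var: client
  when: realm.clients is defined

#### IDENTITY PROVIDERS ####
- name: "Get list of current Identity Providers"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/identity-provider/instances"
    method: GET
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: keycloak_idp_list

- name: Configure each Identity Provider
  include_tasks: add_idp.yml
  loop: "{{ realm.identityProviders }}"
  loop_control:
    loop_var: idp
  when: realm.identityProviders is defined

- name: Configure each Identity Provider Mapper
  include_tasks: add_idp_mapper.yml
  loop: "{{ realm.identityProviderMappers }}"
  loop_control:
    loop_var: idp_mapper
  when: realm.identityProviderMappers is defined

#### USERS AND ROLES ####
- name: Add Users and Roles to Users
  include_tasks: add_user.yml
  loop: "{{ realm.users }}"
  loop_control:
    loop_var: user
  when: realm.users is defined
  # Hides the loop items (which may include plaintext passwords) for the include
  # itself. NOTE(review): no_log on include_tasks does not appear to be inherited
  # by the included tasks — the password task in add_user.yml carries its own; confirm
  no_log: true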
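---
#### USERS ####
# Create-or-update one user ("user" loop var), optionally set its password and
# map its client roles. del_by_list is a role-provided filter (not shown here)
# that drops the password key before the representation is sent.
- name: "Add User: {{ user.username }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/users"
    method: POST
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
      - 201
      - 409  # Conflict - already exists
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body: "{{ user | del_by_list(['password']) }}"
  register: keycloak_user_output

- name: "Get list of Users"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/users?briefRepresentation=true"
    method: GET
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: keycloak_user_list

# The stray "debug: var: keycloak_user_list" that used to follow dumped every
# user representation of the realm into the play output on each run and has
# been dropped.

- name: "Update User: {{ user.username }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/users/{{ item.id }}"
    method: PUT
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
      - 201
      - 204
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body: "{{ item | combine(user) | del_by_list(['password']) }}"
  with_items: "{{ keycloak_user_list.json | selectattr('username', 'eq', user.username) }}"
  when:
    - keycloak_user_output.status == 409

- name: "Set password for: {{ user.username }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/users/{{ item.id }}/reset-password"
    method: PUT
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
      - 201
      - 204
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
    body_format: json
    body:
      type: "password"
      value: "{{ user.password }}"
  with_items: "{{ keycloak_user_list.json | selectattr('username', 'eq', user.username) }}"
  when:
    - user.password is defined
    # NOTE(review): the 409 guard means a user created on this run gets its
    # password only on the next run (the POST above strips the password and
    # sends no credentials). This looks copied from the update task — confirm
    # whether newly created users should be covered as well.
    - keycloak_user_output.status == 409
  no_log: true

#### CLIENT ROLES ####
- name: "Get list of Clients for realm {{ realm.realm }}"
  uri:
    url: "{{ keycloak_base_url }}/{{ realm.realm }}/clients"
    method: GET
    validate_certs: "{{ keycloak_validate_certs | default(false) }}"
    status_code:
      - 200
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_token.json.access_token }}"
  register: keycloak_client_list

- name: Add Client Role {{ client_role.key }} to user {{ user.username }}
  include_tasks: add_client_role.yml
  loop: "{{ user.clientRoles | default({}) | dict2items }}"
  loop_control:
    loop_var: client_role
  vars:
    # Both lookups use "[0]" and therefore fail the task if the client or user
    # is not in the lists fetched above, rather than skipping silently
    keycloak_client_id: "{{ (keycloak_client_list.json | selectattr('clientId', 'eq', client_role.key))[0].id }}"
    keycloak_current_user_id: "{{ (keycloak_user_list.json | selectattr('username', 'eq', user.username))[0].id }}"
  when: user.clientRoles is defined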
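# Presumed start of the role's main task list (no document marker survived in
# the source, so none is added here). Runs the API configuration only on the
# node marked as master: obtain an admin token, then configure every realm in
# keycloak_realms and its event listeners.
- name: Configure Master Keycloak Instance with Resources using API
  when: keycloak_node_type == "master"
  block:
    - name: Get Admin Token from Master Realm of Keycloak
      uri:
        url: "https://{{ ansible_host }}:{{ keycloak_admin_port }}/auth/realms/master/protocol/openid-connect/token"
        method: POST
        validate_certs: "{{ keycloak_validate_certs | default(false) }}"
        body_format: form-urlencoded
        body:
          username: "{{ keycloak_admin_user_name }}"
          password: "{{ keycloak_dashboard_password }}"
          grant_type: password
          client_id: admin-cli
      register: keycloak_token
      # Request body carries the admin password and the registered result
      # carries the bearer token; keep both out of verbose/logged output.
      no_log: true

    - name: Configure each realm
      include_tasks: add_realm.yml
      loop: "{{ keycloak_realms }}"
      loop_control:
        loop_var: realm

    - name: Add metrics-listener to event listeners for realms with metrics_enabled
      include_tasks: add_event_listeners.yml
      loop: "{{ keycloak_realms }}"
      loop_control:
        loop_var: realm
      # default(false) rather than default(omit): "omit" is only meaningful as a
      # module argument, so piping the placeholder through "bool" here relied on
      # the filter treating an unknown string as false
      when: (realm.metrics_enabled | default(false)) | bool

# API configuration is the preferred method of Keycloak configuration but below are
# examples of using both the Keycloak CLI and keycloak_client ansible module for configuration.
# Note that the CLI examples pass the admin password as a command-line argument, which
# makes it visible in the process list and in any logged command string.
# - name: Get client info using CLI Command
#   command: "./kcadm.sh get clients/ --fields id,clientId,redirectUris --no-config --server http://localhost:8080/auth --realm master --user admin --password {{ keycloak_dashboard_password }}"
#   args:
#     chdir: "{{ keycloak_root_dir }}/bin/"
#   register: cli_output
#
# - name: Print output of CLI command
#   debug:
#     msg: "{{ cli_output.stdout }}"
# - name: Create new realm
#   tags:
#     - realm
#   command: "./kcadm.sh create realms -s realm={{ keycloak_realm_name }} -s enabled=true -o --no-config
#     --server http://localhost:8080/auth --realm master --user {{ keycloak_admin_user_name }} --password {{ keycloak_dashboard_password }}"
#   args:
#     chdir: "{{ keycloak_root_dir }}/bin/"
#   ignore_errors: true  # Returns error if realm already exists
# - name: Update realm using templated config (this doesn't seem to work as expected)
#   tags:
#     - realm
#   command: "./kcadm.sh update realms/{{ keycloak_realm_name }} -f {{ keycloak_root_dir }}/{{ keycloak_realm_name }}-realm.json --no-config
#     --server http://localhost:8080/auth --realm master --user {{ keycloak_admin_user_name }} --password {{ keycloak_dashboard_password }}"
#   args:
#     chdir: "{{ keycloak_root_dir }}/bin/"
# - name: Add clients to Keycloak
#   keycloak_client:
#     auth_keycloak_url: "http://{{ ansible_host }}:8080/auth"
#     auth_username: "{{ keycloak_admin_user_name }}"
#     auth_password: "{{ keycloak_dashboard_password }}"
#     auth_realm: master
#     validate_certs: false
#     realm: "{{ keycloak_realm_name }}"
#     name: "{{ item.name | default(omit) }}"
#     client_id: "{{ item.client_id }}"
#     redirect_uris: "{{ item.redirect_uris }}"
#     protocol: openid-connect
#     standard_flow_enabled: true
#     enabled: true
#     public_client: false
#   loop: "{{ keycloak_clients }}"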
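---
# Role defaults for the Keycloak install/configuration role. Every value here is
# meant to be overridden per inventory. The password defaults are placeholders
# only and should be supplied from an encrypted source (e.g. ansible-vault).
keycloak_user_group: keycloak
keycloak_admin_user_name: admin
keycloak_jboss_admin_username: jboss-admin  # Note: jboss usernames have a restricted character set.

# Resource names and locations
keycloak_mirror_url: https://github.com/keycloak/keycloak/releases/download/12.0.4
keycloak_version_number: "12.0.4"  # quoted so the parser keeps it a string
keycloak_filename: "keycloak-{{ keycloak_version_number }}.tar.gz"
keycloak_download_dir: /tmp/
keycloak_install_dir: /opt/
# Directory to install into (the install dir already carries its trailing slash)
keycloak_root_dir: "{{ keycloak_install_dir }}{{ keycloak_filename | replace('.tar.gz', '') }}"

# Node and Group Identifiers
keycloak_node_type: slave  # Change to 'master' on selected master node
keycloak_master_node: ""  # inventory_hostname / IP address of master keycloak instance - only used by slaves
keycloak_group_name: ""  # Group corresponding to the keycloak cluster - for use in TCP clustering setup

# IP and Port Variables
keycloak_public_bind_address: "0.0.0.0"
keycloak_private_bind_address: "{{ ansible_host }}"
keycloak_management_bind_address: "{{ ansible_host }}"
# Enable a dedicated port for the admin console, or when disabled serve the admin console on the main http port.
# This key was previously misspelled "keyclock_admin_port_enabled", which left the
# name read by keycloak_admin_port undefined; inventories using the old spelling
# must be updated.
keycloak_admin_port_enabled: true
keycloak_admin_port: "{{ keycloak_admin_port_enabled | ternary('8444', '8443') }}"
keycloak_admin_redirect_uris: []  # URLs to permit access to admin panel, such as rproxy
# TLS verification for the admin-API calls made by the task files. false keeps
# the historical behaviour (verification disabled); set to true once the admin
# endpoint presents a certificate the controller trusts.
keycloak_validate_certs: false

# Systemd Arguments
keycloak_master_extra_args: []
keycloak_slave_extra_args: []

# Keycloak Proxy Mapping Variables
keycloak_proxy: ""
keycloak_proxy_mappings: []

# Database and DB Driver Variables
keycloak_db_external: true  # Change to false to use Keycloak's embedded java db (testing)
keycloak_db_host: ""  # inventory_hostname of database host - must be set if external db is true
keycloak_db_name: keycloak
keycloak_db_user_name: keycloak
keycloak_jdbc_provider: mariadb
keycloak_jdbc_filename: mariadb-java-client-2.5.4.jar
keycloak_jdbc_driver_class: org.mariadb.jdbc.Driver
keycloak_jdbc_xa_datasource_class: org.mariadb.jdbc.MariaDbDataSource
keycloak_jdbc_haproxy_vip: 192.168.100.1
keycloak_jdbc_db_port: 3306
keycloak_jdbc_valid_connection_checker: org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker
keycloak_jdbc_valid_connection_exception_sorter: org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter

# Password Variables — placeholders; override from an encrypted source, never
# commit real values here.
keycloak_dashboard_password: dashboard_password
keycloak_db_user_password: user_password
keycloak_jboss_admin_password: jboss_password

# ACR API Variables (for adding clients to BBC login)
keycloak_domain: keycloak.example.com  # without protocol
keycloak_contact_email: "email.address@example.com"
keycloak_acr_cert_path: '~/.certs/forge_cert.pem'

# Aerogear Keycloak Metrics SPI for Prometheus
keycloak_metrics_spi_filename: "keycloak-metrics-spi-2.0.1.jar"
# Joined with an explicit "/" so the result is correct whether or not the mirror
# URL ends in one (plain concatenation produced ".../12.0.4keycloak-metrics-spi-2.0.1.jar").
# NOTE(review): confirm the metrics SPI jar is actually published under
# keycloak_mirror_url; if not, point this at the SPI's own release location.
keycloak_metrics_spi_jar_url: "{{ keycloak_mirror_url | regex_replace('/+$', '') }}/{{ keycloak_metrics_spi_filename }}"

# List of Keycloak Realms defining Clients, IdPs, Scopes, etc.
# For full API details see:
# https://www.keycloak.org/docs-api/5.0/rest-api/index.html#_overview
# For Keycloak config examples to give a clue what to put in the API requests see:
# https://github.com/keycloak/keycloak/tree/master/examples
keycloak_realms: []
# keycloak_realms:
#   - realm: test
#     enabled: true
#     clients:
#       - clientId: identifier_of_client
#         rootUrl: https://example.co.uk/auth/login/
#         secret: shhhhhhhh
#         redirectUris:
#           - https://example.co.uk/auth/logout/
#           - https://example.co.uk/auth/callback/
#     identityProviders:
#       - alias: test_idp  # IdP's use the alias in place of an ID for updates
#         displayName: test IDP
#         enabled: true
#         providerId: oidc
#         acr_add_bbc_client: true  # Add IdP as BBC client to ACR API. Default: False
#         acr_env: production  # ACR environment - 'production' or 'staging'. Default: Production
#         acr_group_id: bbc-rd  # Group ID to add client to within ACR API. Default: bbc-rd
#         config:
#           clientId: identifier_of_client
#           clientSecret: shhhhhhh
#           userInfoUrl: https://example.co.uk/oauth2/userinfo
#           authorizationUrl: https://example.co.uk/oauth2/authorize
#           tokenUrl: https://example.co.uk/oauth2/token
#           clientAuthMethod: client_secret_post
#           defaultScope: openid email profile
#           forwardParameters: some_special_param
#       - alias: another_test_idp  # IdP's use the alias in place of an ID for updates
#         displayName: another test IDP
#         enabled: true
#         providerId: oidc
#         config:
#           clientId: identifier_of_client
#           clientSecret: shhhhhhh
#           userInfoUrl: https://example.co.uk/oauth2/userinfo
#           authorizationUrl: https://example.co.uk/oauth2/authorize
#           tokenUrl: https://example.co.uk/oauth2/token
#           clientAuthMethod: client_secret_post
#           defaultScope: openid email profile
#           forwardParameters: some_special_param
#     identityProviderMappers:
#       - name: department_mapper
#         identityProviderAlias: test_idp  # this connects the mapper to the specified IdP
#         identityProviderMapper: oidc-user-attribute-idp-mapper
#         config:
#           claim: department
#           user.attribute: department
#           syncMode: INHERIT  # Only required in v11 - can be INHERIT, FORCE, LEGACY or IMPORT
#       - name: mark_mapper
#         identityProviderAlias: test_idp
#         identityProviderMapper: oidc-user-attribute-idp-mapper
#         config:
#           claim: mark
#           user.attribute: mark
#           syncMode: INHERIT  # Only required in v11 - can be INHERIT, FORCE, LEGACY or IMPORT
#       - name: issuer_hardcoded_mapper
#         identityProviderAlias: test_idp
#         identityProviderMapper: hardcoded-attribute-idp-mapper
#         config:
#           attribute: my_iss
#           attribute.value: https://gateway.example.co.uk:443/eiam/oauth2
#           syncMode: INHERIT  # Only required in v11 - can be INHERIT, FORCE, LEGACY or IMPORT
#     clientScopes:
#       - name: my_scopes  # this is the requested scope name and so cannot contain spaces
#         protocol: openid-connect
#         protocolMappers:
#           - name: Code Code
#             protocol: openid-connect
#             protocolMapper: oidc-usermodel-attribute-mapper
#             config:
#               claim.name: cost_code
#               user.attribute: cost_code
#               jsonType.label: String
#               id.token.claim: true
#               userinfo.token.claim: true
#     users:
#       - username: userone
#         email: user1@example.com
#         firstName: user
#         lastName: one
#         enabled: true
#         clientRoles:  # client roles are added by add_client_role.yml
#           realm-management: [ "realm-admin" ]
#           broker: [ "read-token" ]
#       - username: test-admin
#         password: test-admin
#   - realm: another_test_realm
#     enabled: true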
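---
# Install the metrics SPI jar into Keycloak's providers directory.
- name: Ensure providers keycloak folder exists
  file:
    path: "{{ keycloak_root_dir }}/providers"
    state: directory
    owner: "{{ keycloak_user_group }}"
    group: "{{ keycloak_user_group }}"
    mode: "0750"  # quoted: an unquoted 0750 is parsed as an integer by YAML

- name: Download keycloak metrics spi server from mirror
  get_url:
    url: "{{ keycloak_metrics_spi_jar_url }}"
    dest: "{{ keycloak_root_dir }}/providers/"
    # Optional integrity check for the downloaded artifact, e.g.
    # keycloak_metrics_spi_checksum: "sha256:<expected digest>"; omitted when unset,
    # which preserves the previous (unverified) download behaviour.
    checksum: "{{ keycloak_metrics_spi_checksum | default(omit) }}"
  notify: restart keycloak server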