community.general.keycloak_realm – Allows administration of Keycloak realm via Keycloak API

Note

This plugin is part of the community.general collection (version 3.8.3).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.keycloak_realm.

New in version 3.0.0: of community.general

Synopsis

  • This module allows the administration of Keycloak realm via the Keycloak REST API. It requires access to the REST API via OpenID Connect; the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles.

  • The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at https://www.keycloak.org/docs-api/8.0/rest-api/index.html. Aliases are provided so camelCased versions can be used as well.

  • The Keycloak API does not always sanity check inputs e.g. you can set SAML-specific settings on an OpenID Connect client for instance and vice versa. Be careful. If you do not specify a setting, usually a sensible default is chosen.

Parameters

Parameter

Comments

access_code_lifespan

aliases: accessCodeLifespan

integer

The realm access code lifespan.

access_code_lifespan_login

aliases: accessCodeLifespanLogin

integer

The realm access code lifespan login.

access_code_lifespan_user_action

aliases: accessCodeLifespanUserAction

integer

The realm access code lifespan user action.

access_token_lifespan

aliases: accessTokenLifespan

integer

The realm access token lifespan.

access_token_lifespan_for_implicit_flow

aliases: accessTokenLifespanForImplicitFlow

integer

The realm access token lifespan for implicit flow.

account_theme

aliases: accountTheme

string

The realm account theme.

action_token_generated_by_admin_lifespan

aliases: actionTokenGeneratedByAdminLifespan

integer

The realm action token generated by admin lifespan.

action_token_generated_by_user_lifespan

aliases: actionTokenGeneratedByUserLifespan

integer

The realm action token generated by user lifespan.

admin_events_details_enabled

aliases: adminEventsDetailsEnabled

boolean

The realm admin events details enabled.

Choices:

  • no

  • yes

admin_events_enabled

aliases: adminEventsEnabled

boolean

The realm admin events enabled.

Choices:

  • no

  • yes

admin_theme

aliases: adminTheme

string

The realm admin theme.

attributes

dictionary

The realm attributes.

auth_client_id

string

OpenID Connect client_id to authenticate to the API with.

Default: “admin-cli”

auth_client_secret

string

Client Secret to use in conjunction with auth_client_id (if required).

auth_keycloak_url

aliases: url

string / required

URL to the Keycloak instance.

auth_password

aliases: password

string

Password to authenticate for API access with.

auth_realm

string

Keycloak realm name to authenticate to for API access.

auth_username

aliases: username

string

Username to authenticate for API access with.

browser_flow

aliases: browserFlow

string

The realm browser flow.

browser_security_headers

aliases: browserSecurityHeaders

dictionary

The realm browser security headers.

brute_force_protected

aliases: bruteForceProtected

boolean

The realm brute force protected.

Choices:

  • no

  • yes

client_authentication_flow

aliases: clientAuthenticationFlow

string

The realm client authentication flow.

client_scope_mappings

aliases: clientScopeMappings

dictionary

The realm client scope mappings.

default_default_client_scopes

aliases: defaultDefaultClientScopes

list / elements=dictionary

The realm default default client scopes.

default_groups

aliases: defaultGroups

list / elements=dictionary

The realm default groups.

default_locale

aliases: defaultLocale

string

The realm default locale.

default_optional_client_scopes

aliases: defaultOptionalClientScopes

list / elements=dictionary

The realm default optional client scopes.

default_roles

aliases: defaultRoles

list / elements=dictionary

The realm default roles.

default_signature_algorithm

aliases: defaultSignatureAlgorithm

string

The realm default signature algorithm.

direct_grant_flow

aliases: directGrantFlow

string

The realm direct grant flow.

display_name

aliases: displayName

string

The realm display name.

display_name_html

aliases: displayNameHtml

string

The realm display name HTML.

docker_authentication_flow

aliases: dockerAuthenticationFlow

string

The realm docker authentication flow.

duplicate_emails_allowed

aliases: duplicateEmailsAllowed

boolean

The realm duplicate emails allowed option.

Choices:

  • no

  • yes

edit_username_allowed

aliases: editUsernameAllowed

boolean

The realm edit username allowed option.

Choices:

  • no

  • yes

email_theme

aliases: emailTheme

string

The realm email theme.

enabled

boolean

The realm enabled option.

Choices:

  • no

  • yes

enabled_event_types

aliases: enabledEventTypes

list / elements=string

The realm enabled event types.

events_enabled

aliases: eventsEnabled

boolean

added in 3.6.0 of community.general

Enables or disables login events for this realm.

Choices:

  • no

  • yes

events_expiration

aliases: eventsExpiration

integer

The realm events expiration.

events_listeners

aliases: eventsListeners

list / elements=string

The realm events listeners.

failure_factor

aliases: failureFactor

integer

The realm failure factor.

id

string

The realm to create.

internationalization_enabled

aliases: internationalizationEnabled

boolean

The realm internationalization enabled option.

Choices:

  • no

  • yes

login_theme

aliases: loginTheme

string

The realm login theme.

login_with_email_allowed

aliases: loginWithEmailAllowed

boolean

The realm login with email allowed option.

Choices:

  • no

  • yes

max_delta_time_seconds

aliases: maxDeltaTimeSeconds

integer

The realm max delta time in seconds.

max_failure_wait_seconds

aliases: maxFailureWaitSeconds

integer

The realm max failure wait in seconds.

minimum_quick_login_wait_seconds

aliases: minimumQuickLoginWaitSeconds

integer

The realm minimum quick login wait in seconds.

not_before

aliases: notBefore

integer

The realm not before.

offline_session_idle_timeout

aliases: offlineSessionIdleTimeout

integer

The realm offline session idle timeout.

offline_session_max_lifespan

aliases: offlineSessionMaxLifespan

integer

The realm offline session max lifespan.

offline_session_max_lifespan_enabled

aliases: offlineSessionMaxLifespanEnabled

boolean

The realm offline session max lifespan enabled option.

Choices:

  • no

  • yes

otp_policy_algorithm

aliases: otpPolicyAlgorithm

string

The realm otp policy algorithm.

otp_policy_digits

aliases: otpPolicyDigits

integer

The realm otp policy digits.

otp_policy_initial_counter

aliases: otpPolicyInitialCounter

integer

The realm otp policy initial counter.

otp_policy_look_ahead_window

aliases: otpPolicyLookAheadWindow

integer

The realm otp policy look ahead window.

otp_policy_period

aliases: otpPolicyPeriod

integer

The realm otp policy period.

otp_policy_type

aliases: otpPolicyType

string

The realm otp policy type.

otp_supported_applications

aliases: otpSupportedApplications

list / elements=string

The realm otp supported applications.

password_policy

aliases: passwordPolicy

string

The realm password policy.

permanent_lockout

aliases: permanentLockout

boolean

The realm permanent lockout.

Choices:

  • no

  • yes

quick_login_check_milli_seconds

aliases: quickLoginCheckMilliSeconds

integer

The realm quick login check in milliseconds.

realm

string

The realm name.

refresh_token_max_reuse

aliases: refreshTokenMaxReuse

integer

The realm refresh token max reuse.

registration_allowed

aliases: registrationAllowed

boolean

The realm registration allowed option.

Choices:

  • no

  • yes

registration_email_as_username

aliases: registrationEmailAsUsername

boolean

The realm registration email as username option.

Choices:

  • no

  • yes

registration_flow

aliases: registrationFlow

string

The realm registration flow.

remember_me

aliases: rememberMe

boolean

The realm remember me option.

Choices:

  • no

  • yes

reset_credentials_flow

aliases: resetCredentialsFlow

string

The realm reset credentials flow.

reset_password_allowed

aliases: resetPasswordAllowed

boolean

The realm reset password allowed option.

Choices:

  • no

  • yes

revoke_refresh_token

aliases: revokeRefreshToken

boolean

The realm revoke refresh token option.

Choices:

  • no

  • yes

smtp_server

aliases: smtpServer

dictionary

The realm smtp server.

ssl_required

aliases: sslRequired

string

The realm ssl required option.

Choices:

  • all

  • external

  • none

sso_session_idle_timeout

aliases: ssoSessionIdleTimeout

integer

The realm sso session idle timeout.

sso_session_idle_timeout_remember_me

aliases: ssoSessionIdleTimeoutRememberMe

integer

The realm sso session idle timeout remember me.

sso_session_max_lifespan

aliases: ssoSessionMaxLifespan

integer

The realm sso session max lifespan.

sso_session_max_lifespan_remember_me

aliases: ssoSessionMaxLifespanRememberMe

integer

The realm sso session max lifespan remember me.

state

string

State of the realm.

On present, the realm will be created (or updated if it exists already).

On absent, the realm will be removed if it exists.

Choices:

  • present ← (default)

  • absent

supported_locales

aliases: supportedLocales

list / elements=string

The realm supported locales.

token

string

added in 3.0.0 of community.general

Authentication token for Keycloak API.

user_managed_access_allowed

aliases: userManagedAccessAllowed

boolean

The realm user managed access allowed option.

Choices:

  • no

  • yes

validate_certs

boolean

Verify TLS certificates (do not disable this in production).

Choices:

  • no

  • yes ← (default)

verify_email

aliases: verifyEmail

boolean

The realm verify email option.

Choices:

  • no

  • yes

wait_increment_seconds

aliases: waitIncrementSeconds

integer

The realm wait increment in seconds.

Examples

- name: Create or update Keycloak realm (minimal example)
  community.general.keycloak_realm:
    auth_client_id: admin-cli
    auth_keycloak_url: https://auth.example.com/auth
    auth_realm: master
    auth_username: USERNAME
    auth_password: PASSWORD
    id: realm
    state: present

- name: Delete a Keycloak realm
  community.general.keycloak_realm:
    auth_client_id: admin-cli
    auth_keycloak_url: https://auth.example.com/auth
    auth_realm: master
    auth_username: USERNAME
    auth_password: PASSWORD
    id: test
    state: absent

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

end_state

dictionary

realm representation of realm after module execution (sample is truncated)

Returned: always

Sample: {“adminUrl”: “http://www.example.com/admin_url”, “attributes”: {“request.object.signature.alg”: “RS256”}}

existing

dictionary

realm representation of existing realm (sample is truncated)

Returned: always

Sample: {“adminUrl”: “http://www.example.com/admin_url”, “attributes”: {“request.object.signature.alg”: “RS256”}}

msg

string

Message as to what action was taken

Returned: always

Sample: “Realm testrealm has been updated”

proposed

dictionary

realm representation of proposed changes to realm

Returned: always

Sample: {“id”: “test”}

Authors

  • Christophe Gilles (@kris2kris)