community.general.keycloak_authentication – Configure authentication in Keycloak

Note

This plugin is part of the community.general collection (version 4.2.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.keycloak_authentication.

New in version 3.3.0 of community.general

Synopsis

  • This module can only copy an existing authentication flow, add executions (or subflows) to the copy and configure them; it does not build a flow from scratch.

  • It can also delete the flow.

Parameters

alias (string, required)
    Alias for the authentication flow.

auth_client_id (string)
    Default: "admin-cli"
    OpenID Connect client_id to authenticate to the API with.

auth_client_secret (string)
    Client secret to use in conjunction with auth_client_id (if required).

auth_keycloak_url (string, required)
    URL to the Keycloak instance.
    aliases: url

auth_password (string)
    Password to authenticate for API access with.
    aliases: password

auth_realm (string)
    Keycloak realm name to authenticate to for API access.

auth_username (string)
    Username to authenticate for API access with.
    aliases: username

authenticationExecutions (list / elements=dictionary)
    Configuration structure for the executions. Each element accepts the following sub-options:

    authenticationConfig (dictionary)
        Describes the configuration of the authentication execution.
    displayName (string)
        Name of the execution or subflow to create or update.
    flowAlias (string)
        Alias of the parent flow.
    index (integer)
        Priority order of the execution.
    providerId (string)
        providerId for the new flow when not copied from an existing flow.
    requirement (string)
        Choices: REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL
        Controls the status of the subflow or execution.

copyFrom (string)
    flowAlias of the authentication flow to use as the source of the copy.

description (string)
    Description of the flow.

force (boolean)
    Choices: no (default), yes
    If true, the existing authentication flow is removed and recreated.

providerId (string)
    providerId for the new flow when not copied from an existing flow.

realm (string, required)
    The name of the realm in which the authentication flow is defined.

state (string)
    Choices: present (default), absent
    Controls whether the authentication flow must exist or not.

token (string)
    added in 3.0.0 of community.general
    Authentication token for the Keycloak API.

validate_certs (boolean)
    Choices: no, yes (default)
    Verify TLS certificates (do not disable this in production).

Examples

- name: Create an authentication flow from first broker login and add an execution to it.
  community.general.keycloak_authentication:
    auth_keycloak_url: http://localhost:8080/auth
    auth_realm: master
    auth_username: admin
    auth_password: password
    realm: master
    alias: "Copy of first broker login"
    copyFrom: "first broker login"
    authenticationExecutions:
      - providerId: "test-execution1"
        requirement: "REQUIRED"
        authenticationConfig:
          alias: "test.execution1.property"
          config:
            test1.property: "value"
      - providerId: "test-execution2"
        requirement: "REQUIRED"
        authenticationConfig:
          alias: "test.execution2.property"
          config:
            test2.property: "value"
    state: present

- name: Re-create the authentication flow
  community.general.keycloak_authentication:
    auth_keycloak_url: http://localhost:8080/auth
    auth_realm: master
    auth_username: admin
    auth_password: password
    realm: master
    alias: "Copy of first broker login"
    copyFrom: "first broker login"
    authenticationExecutions:
      - providerId: "test-provisioning"
        requirement: "REQUIRED"
        authenticationConfig:
          alias: "test.provisioning.property"
          config:
            test.provisioning.property: "value"
    state: present
    force: true

- name: Create an authentication flow with subflow containing an execution.
  community.general.keycloak_authentication:
    auth_keycloak_url: http://localhost:8080/auth
    auth_realm: master
    auth_username: admin
    auth_password: password
    realm: master
    alias: "Copy of first broker login"
    copyFrom: "first broker login"
    authenticationExecutions:
      - providerId: "test-execution1"
        requirement: "REQUIRED"
      - displayName: "New Subflow"
        requirement: "REQUIRED"
      - providerId: "auth-cookie"
        requirement: "REQUIRED"
        flowAlias: "New Subflow"
    state: present

- name: Remove authentication.
  community.general.keycloak_authentication:
    auth_keycloak_url: http://localhost:8080/auth
    auth_realm: master
    auth_username: admin
    auth_password: password
    realm: master
    alias: "Copy of first broker login"
    state: absent

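A pre-flight check for the authenticationExecutions structure described in the parameter table and used in the examples above. This is an added example, not code from the module or the collection; the rules it enforces (an entry is an execution when it carries providerId and a subflow when it carries only displayName, flowAlias must name a subflow declared earlier in the list, requirement must be one of the documented choices, authenticationConfig carries an alias and a config mapping as in the examples) are read off this page, and the sample lists are constructed here.

```python
# Added example: validate an authenticationExecutions list before passing it to
# community.general.keycloak_authentication. Not part of the module itself.

REQUIREMENT_CHOICES = {"REQUIRED", "ALTERNATIVE", "DISABLED", "CONDITIONAL"}


def check_executions(executions):
    """Return a list of human-readable problems; an empty list means the structure is consistent."""
    problems = []
    subflows = set()  # displayNames of subflows declared so far, in list order
    for pos, entry in enumerate(executions):
        provider = entry.get("providerId")
        display = entry.get("displayName")
        if provider is None and display is None:
            problems.append(f"entry {pos}: needs a providerId (execution) or a displayName (subflow)")
        req = entry.get("requirement")
        if req not in REQUIREMENT_CHOICES:
            problems.append(f"entry {pos}: requirement {req!r} is not one of {sorted(REQUIREMENT_CHOICES)}")
        parent = entry.get("flowAlias")
        if parent is not None and parent not in subflows:
            # Keycloak attaches the execution to the subflow by its alias, so a
            # misspelled flowAlias silently targets a flow that does not exist.
            problems.append(f"entry {pos}: flowAlias {parent!r} matches no subflow declared earlier in the list")
        config = entry.get("authenticationConfig")
        if config is not None and (not isinstance(config, dict) or "alias" not in config
                                   or not isinstance(config.get("config"), dict)):
            problems.append(f"entry {pos}: authenticationConfig needs an 'alias' and a 'config' mapping")
        if provider is None and display is not None:
            subflows.add(display)  # an entry with only displayName declares a subflow
    return problems


# Constructed sample: a variant of the subflow example above whose flowAlias is misspelled.
SAMPLE_WITH_TYPO = [
    {"providerId": "test-execution1", "requirement": "REQUIRED"},
    {"displayName": "New Subflow", "requirement": "REQUIRED"},
    {"providerId": "auth-cookie", "requirement": "REQUIRED", "flowAlias": "New Sublow"},
]
# Same list with the flowAlias corrected to match the subflow's displayName.
SAMPLE_FIXED = [dict(e, flowAlias="New Subflow") if "flowAlias" in e else e for e in SAMPLE_WITH_TYPO]

if __name__ == "__main__":
    for name, sample in (("with typo", SAMPLE_WITH_TYPO), ("fixed", SAMPLE_FIXED)):
        print(name, check_executions(sample) or "ok")
```

Run it in a pre-task step (or wrap it in a small Ansible filter) so a mismatched flowAlias fails the playbook before the API call instead of leaving a dangling execution in Keycloak.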
Return Values

Common return values are documented here; the following fields are unique to this module:

end_state (dictionary, returned on success)
    Representation of the authentication flow after module execution.

    Sample:
    {'alias': 'Copy of first broker login', 'authenticationExecutions': [{'alias': 'review profile config', 'authenticationConfig': {'alias': 'review profile config', 'config': {'update.profile.on.first.login': 'missing'}, 'id': '6f09e4fb-aad4-496a-b873-7fa9779df6d7'}, 'configurable': True, 'displayName': 'Review Profile', 'id': '8f77dab8-2008-416f-989e-88b09ccf0b4c', 'index': 0, 'level': 0, 'providerId': 'idp-review-profile', 'requirement': 'REQUIRED', 'requirementChoices': ['REQUIRED', 'ALTERNATIVE', 'DISABLED']}], 'builtIn': False, 'description': 'Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account', 'id': 'bc228863-5887-4297-b898-4d988f8eaa5c', 'providerId': 'basic-flow', 'topLevel': True}

flow (dictionary, returned on success)
    JSON representation of the authentication flow.
    Deprecated return value; it will be removed in community.general 6.0.0. Use the return value end_state instead.

    Sample:
    {'alias': 'Copy of first broker login', 'authenticationExecutions': [{'alias': 'review profile config', 'authenticationConfig': {'alias': 'review profile config', 'config': {'update.profile.on.first.login': 'missing'}, 'id': '6f09e4fb-aad4-496a-b873-7fa9779df6d7'}, 'configurable': True, 'displayName': 'Review Profile', 'id': '8f77dab8-2008-416f-989e-88b09ccf0b4c', 'index': 0, 'level': 0, 'providerId': 'idp-review-profile', 'requirement': 'REQUIRED', 'requirementChoices': ['REQUIRED', 'ALTERNATIVE', 'DISABLED']}], 'builtIn': False, 'description': 'Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account', 'id': 'bc228863-5887-4297-b898-4d988f8eaa5c', 'providerId': 'basic-flow', 'topLevel': True}

msg (string, returned always)
    Message describing what action was taken.
Authors

  • Philippe Gauthier (@elfelip)

  • Gaëtan Daubresse (@Gaetan2907)