Summary

Description:
There is an issue with the Keycloak Ansible modules in the community.general collection that affects compatibility with Keycloak versions greater than 23.0.7. The problem stems from a change in the Keycloak API representation, specifically related to the handling of subgroups.

Background:
Keycloak 23.0.7 introduced a change in how the subGroups attribute is represented when fetching group data via the Keycloak API. According to the Keycloak Upgrade Documentation, the subGroups field is now always returned as an empty list, even if the subGroupCount indicates that subgroups exist. This behavior was introduced for backward compatibility, but it has led to issues where the actual subgroups are not fetched using the traditional GET /groups endpoint.

The new recommended approach to fetch subgroups is by using the GET /realms/{realm}/groups/{group_id}/children endpoint.

Affected Modules:
All Keycloak Ansible modules that interact with subgroups are affected. Specifically, this issue is similar to the one reported in issue #7650, but it should be mentioned that this change in the Keycloak API impacts a broader set of modules.

I am personally affected using the module community.general.keycloak_client_rolemapping.

In the code the issue is due to:
community.general/plugins/module_utils/identity/keycloak/keycloak.py
Line 1572 in e3a3c6d
always receives an empty list --> won't work.

Solution:
To maintain compatibility with newer Keycloak versions, the affected Ansible modules (specifically those in plugins/module_utils/identity/keycloak/keycloak.py) need to be updated to utilize the new API endpoint {keycloak server}/realms/{realm}/groups/{group_id}/children for fetching subgroups. This change will ensure that the modules can correctly handle and interact with subgroups in Keycloak environments running version 23.0.7 or later.

Impact:
Ansible keycloak modules are not (fully) compatible with Keycloak 23.0.7 or later.

BR

Issue Type
Bug Report

Component Name
plugins/module_utils/identity/keycloak/keycloak.py

Ansible Version

Community.general Version

Configuration
$ ansible-config dump --only-changed

OS / Environment
Ubuntu 22

Steps to Reproduce
Keycloak version
Used module example: keycloak_client_rolemapping

Sample API Response:
Here’s an example of the current response from the GET /groups API call with recent Keycloak version 25.0.2:

Even though subGroupCount is 2, the subGroups array is empty. This leads to errors or incorrect behavior in Ansible modules that rely on this attribute.

To get the representation you should use: groups/7ab2bc07-9fce-4a04-955e-65cf1112a80a/children

Expected Results
playbook runs and does the mapping and successfully fetches the subgroups based on the parentgroup parameters

Actual Results
FAILED! => changed=false msg: 'Could not fetch group subgroup1:'
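The fallback this report asks for, as an added example that is not the collection's own code or the reporter's: use the inline subGroups list when the server still fills it in, otherwise page through the children endpoint. The function names, the sample groups and `fake_get` are hypothetical; the path comes from the report, and the server base URL and the `first`/`max` paging parameters are assumptions about the deployment's admin REST API.

```python
import json
from urllib.parse import parse_qs, quote, urlencode, urlsplit
from urllib.request import Request, urlopen

# Path shape as quoted in the issue; the server base URL is an assumption.
CHILDREN_URL = "{base}/realms/{realm}/groups/{group_id}/children"


def http_get_json(url, token):
    """Bearer-authenticated GET that returns the parsed JSON body."""
    req = Request(url, headers={"Authorization": "Bearer " + token})
    with urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def get_subgroups(base, realm, group, token, get=http_get_json, page=50):
    """Children of `group`, whether or not the server fills in subGroups."""
    inline = group.get("subGroups") or []
    if inline or not group.get("subGroupCount"):
        return inline  # older server, or the group really has no children
    url = CHILDREN_URL.format(base=base.rstrip("/"),
                              realm=quote(realm, safe=""),
                              group_id=quote(group["id"], safe=""))
    children, first = [], 0
    while True:  # page with first/max so large groups are not truncated
        batch = get(url + "?" + urlencode({"first": first, "max": page}), token)
        children.extend(batch)
        if len(batch) < page:
            return children
        first += page


def find_subgroup(base, realm, parent, name, token, get=http_get_json):
    """Direct child of `parent` called `name`, or None."""
    subs = get_subgroups(base, realm, parent, token, get=get)
    return next((g for g in subs if g.get("name") == name), None)


# Constructed sample data: a parent as the newer GET /groups returns it.
PARENT = {"id": "parent-id", "name": "parentgroup",
          "subGroupCount": 2, "subGroups": []}
CHILDREN = [{"id": "c1", "name": "subgroup1"}, {"id": "c2", "name": "subgroup2"}]


def fake_get(url, token):
    """Offline stand-in for the children endpoint that honours first/max."""
    q = parse_qs(urlsplit(url).query)
    first, size = int(q["first"][0]), int(q["max"][0])
    return CHILDREN[first:first + size]
```

Because group-based role mappings decide who gets which access, a lookup that silently sees no subgroups should fail loudly, as the module does here, rather than skip the mapping.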