keycloak_client add option to support client-x509 authentication #8973

Open: Boolman wants to merge 9 commits into base: main

@Boolman Boolman commented Oct 3, 2024

SUMMARY

keycloak_client is missing support for x509 client authentication;
this PR updates client_authenticator_type with the choice client-x509.

ISSUE TYPE

Feature Pull Request

COMPONENT NAME

modules/keycloak_client

ADDITIONAL INFORMATION

Below are the steps to test the result with this PR applied.

cat ~/keycloak/certs/start.sh  
export KEYCLOAK_ADMIN=admin
export KEYCLOAK_ADMIN_PASSWORD=admin


cd /opt/keycloak
bin/kc.sh start-dev --https-certificate-key-file=/certs/certificate.key --https-certificate-file=/certs/certificate.crt --https-trust-store-file=/certs/truststore.jks --https-trust-store-password=password --https-client-auth=request --log-level=trace

Start Keycloak
docker run --rm -it -p 8080:8080 -p 8443:8443 -v ~/keycloak/certs:/certs --entrypoint=/bin/bash keycloak/keycloak:25.0 bash /certs/start.sh

Apply config

ansible-playbook ....

Verify

$ curl --cacert ~/keycloak/certs/ca.crt --cert ~/keycloak/certs/certificate.crt --key ~/keycloak/certs/certificate.key https://127.0.0.1:8443/realms/test/protocol/openid-connect/token --data "client_id=test&username=testuser&password=testuser&grant_type=password" -k -v
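
A playbook that would fit the "Apply config" step above, added here as an illustration and not taken from the PR or its author. It assumes the realm `test` already exists, that `x509.subjectdn` and `x509.allow.regex.pattern.comparison` are the Keycloak client attributes read by the X.509 authenticator, and that the module passes `attributes` through unchanged; the subject DN value is constructed.

```yaml
# Added example: values marked "constructed" or "assumed" are not from the PR page.
- name: Configure a Keycloak client for X.509 client authentication
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Create client "test" in realm "test" using the client-x509 authenticator
      community.general.keycloak_client:
        auth_keycloak_url: https://127.0.0.1:8443
        auth_realm: master
        auth_username: admin              # KEYCLOAK_ADMIN from start.sh
        auth_password: admin              # KEYCLOAK_ADMIN_PASSWORD from start.sh
        validate_certs: false             # local start-dev instance only, mirrors curl -k
        realm: test                       # assumed to exist already
        client_id: test
        state: present
        public_client: false              # confidential client, so an authenticator applies
        direct_access_grants_enabled: true   # the curl check uses grant_type=password
        client_authenticator_type: client-x509   # choice added by this PR
        attributes:
          # Constructed value: must equal the subject DN of certificate.crt
          x509.subjectdn: "CN=test-client"
          # "false" compares the DN literally instead of treating it as a regex
          x509.allow.regex.pattern.comparison: "false"
```

Because Keycloak is started with `--https-client-auth=request`, the TLS layer does not demand a certificate, so repeating the curl check without `--cert` and `--key` should be rejected by the client authenticator if the configuration took effect.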

@ansibullbot added the labels ci_verified, feature, module, needs_revision and plugins on Oct 3, 2024
@ansibullbot removed the labels ci_verified and needs_revision on Oct 3, 2024
@felixfontein added the labels check-before-release and backport-9 on Oct 3, 2024

@felixfontein felixfontein left a comment

Thanks for your contribution. I've added some first comments below.

@ansibullbot added and removed the label needs_revision on Oct 3, 2024

@russoz russoz left a comment

Hi @Boolman, thanks for your contribution!

Just left a small comment below, about the docs.

Other than that, I am assuming (lazily not checking the code) that the simple fact of adding new keys to attributes makes them be passed through KC's API. If that's not the case, then maybe more code is needed to ensure the new options are passed along.

@felixfontein

CC @fgruenbauer
