From 16863a716e8129f724483d6401d04eb2c1754c92 Mon Sep 17 00:00:00 2001 From: boolman Date: Wed, 2 Oct 2024 14:49:48 +0200 Subject: [PATCH 1/9] keycloak_client: add client-x509 option to client_authenticator_type Signed-off-by: boolman --- plugins/modules/keycloak_client.py | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/plugins/modules/keycloak_client.py b/plugins/modules/keycloak_client.py index d7e4fb0b7ee..fdc08cedb00 100644 --- a/plugins/modules/keycloak_client.py +++ b/plugins/modules/keycloak_client.py @@ -108,13 +108,14 @@ client_authenticator_type: description: - - How do clients authenticate with the auth server? Either V(client-secret) or - V(client-jwt) can be chosen. When using V(client-secret), the module parameter - O(secret) can set it, while for V(client-jwt), you can use the keys C(use.jwks.url), + - How do clients authenticate with the auth server? Either V(client-secret), + V(client-jwt) or V(client-x509) can be chosen. When using V(client-secret), the module parameter + O(secret) can set it, for V(client-jwt), you can use the keys C(use.jwks.url), C(jwks.url), and C(jwt.credential.certificate) in the O(attributes) module parameter - to configure its behavior. + to configure its behavior. For V(client-x509) you can use the keys C(x509.allow.regex.pattern.comparison) + and C(x509.subjectdn) in the O(attributes) module parameter. - This is 'clientAuthenticatorType' in the Keycloak REST API. - choices: ['client-secret', 'client-jwt'] + choices: ['client-secret', 'client-jwt', 'client-x509'] aliases: - clientAuthenticatorType type: str 
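Review bot: The rewritten description drops the "while" that joined the two clauses, so the new text reads `O(secret) can set it, for V(client-jwt), you can use the keys C(use.jwks.url),` as a comma splice; restore it as `O(secret) can set it, while for V(client-jwt) you can use the keys C(use.jwks.url),`. Patches 3, 5 and 7 in this series touch the same sentence again without fixing it. The new V(client-x509) sentence would also help the reader by pointing at the per-key descriptions of C(x509.subjectdn) and C(x509.allow.regex.pattern.comparison) under O(attributes), since that is where the effect of enabling regex comparison should be explained. This is inside the module DOCUMENTATION block, which continues outside the hunk.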
@@ -913,7 +914,7 @@ def main():
 base_url=dict(type='str', aliases=['baseUrl']),
 surrogate_auth_required=dict(type='bool', aliases=['surrogateAuthRequired']),
 enabled=dict(type='bool'),
- client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt'], aliases=['clientAuthenticatorType']),
+ client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt', 'client-x509'], aliases=['clientAuthenticatorType']),
 secret=dict(type='str', no_log=True),
 registration_access_token=dict(type='str', aliases=['registrationAccessToken'], no_log=True),
 default_roles=dict(type='list', elements='str', aliases=['defaultRoles']),
From 762fcebdfe17aa6f18a7438d722ec871e10b3682 Mon Sep 17 00:00:00 2001
From: boolman
Date: Thu, 3 Oct 2024 09:12:10 +0200
Subject: [PATCH 2/9] keycloak_client: add attributes for client-x509
Signed-off-by: boolman
---
 plugins/modules/keycloak_client.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/plugins/modules/keycloak_client.py b/plugins/modules/keycloak_client.py
index fdc08cedb00..bb3661381bb 100644
--- a/plugins/modules/keycloak_client.py
+++ b/plugins/modules/keycloak_client.py
@@ -582,6 +582,14 @@
 - For OpenID-Connect clients, client certificate for validating JWT issued by client and signed by its key, base64-encoded.
+ x509.subjectdn:
+ description:
+ - For OpenID-Connect clients, subject which will be used to authenticate the client.
+
+ x509.allow.regex.pattern.comparison:
+ description:
+ - For OpenID-Connect clients, boolean specifying whether to allow C(x509.subjectdn) as regular expression.
+
 extends_documentation_fragment:
 - community.general.keycloak
 - community.general.attributes
From 9c8027f3c9a95885796ec4fd950f6dc0b8cad0ea Mon Sep 17 00:00:00 2001
From: boolman
Date: Thu, 3 Oct 2024 09:52:33 +0200
Subject: [PATCH 3/9] keycloak_client update description
Signed-off-by: boolman
---
 plugins/modules/keycloak_client.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
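Review bot: The argument_spec now accepts V(client-x509), but nothing in this hunk relates that choice to the O(attributes) keys the documentation says configure it, so a task can presumably select x509 authentication without any C(x509.subjectdn) and the module will still report success. If Keycloak needs a subject DN for this authenticator to be usable (I cannot confirm that from the diff), a warning after parameter parsing would surface the misconfiguration at play time rather than at first client login: `if module.params.get('client_authenticator_type') == 'client-x509' and 'x509.subjectdn' not in (module.params.get('attributes') or {}):` followed by `module.warn('client-x509 selected without x509.subjectdn in attributes')`. main()'s body continues outside the hunk, so the right place for this check is after the AnsibleModule is constructed.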
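Review bot: The new C(x509.allow.regex.pattern.comparison) description says what the flag does but not what it changes about who can authenticate: once the subject DN is treated as a regular expression, the set of certificates accepted as this client is whatever the pattern matches, so an unanchored or wildcard-heavy pattern widens client authentication beyond a single subject. I would extend the description with a sentence such as `Use a specific, anchored pattern; a broad pattern lets any accepted certificate whose subject matches it act as this client.` The C(x509.subjectdn) description could likewise state that, with regex comparison disabled, the value is compared as a literal subject DN. Both are documentation-only additions to the DOCUMENTATION block, which continues outside the hunk.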
diff --git a/plugins/modules/keycloak_client.py b/plugins/modules/keycloak_client.py index bb3661381bb..7af774e7188 100644 --- a/plugins/modules/keycloak_client.py +++ b/plugins/modules/keycloak_client.py @@ -113,7 +113,7 @@ O(secret) can set it, for V(client-jwt), you can use the keys C(use.jwks.url), C(jwks.url), and C(jwt.credential.certificate) in the O(attributes) module parameter to configure its behavior. For V(client-x509) you can use the keys C(x509.allow.regex.pattern.comparison) - and C(x509.subjectdn) in the O(attributes) module parameter. + and C(x509.subjectdn) in the O(attributes) module parameter to configure which certificate(s) to accept. - This is 'clientAuthenticatorType' in the Keycloak REST API. choices: ['client-secret', 'client-jwt', 'client-x509'] aliases: From 67e1d1a052c05bcf208432513d86a245c09cffd5 Mon Sep 17 00:00:00 2001 From: boolman Date: Thu, 3 Oct 2024 09:58:29 +0200 Subject: [PATCH 4/9] keycloak_client add fragment Signed-off-by: boolman --- changelogs/fragments/8973-keycloak_client-add-x509-auth.yml | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 changelogs/fragments/8973-keycloak_client-add-x509-auth.yml diff --git a/changelogs/fragments/8973-keycloak_client-add-x509-auth.yml b/changelogs/fragments/8973-keycloak_client-add-x509-auth.yml new file mode 100644 index 00000000000..0046c4d7b4e --- /dev/null +++ b/changelogs/fragments/8973-keycloak_client-add-x509-auth.yml @@ -0,0 +1,2 @@ +minor_changes: + - keycloak_client - Add ``client-x509`` choise to ``client_authenticator_type`` (https://github.com/ansible-collections/community.general/pull/8973). From ff7ee4af87b745b6ef5800eb0a5de309e5824c78 Mon Sep 17 00:00:00 2001 From: boolman Date: Thu, 3 Oct 2024 10:36:06 +0200 Subject: [PATCH 5/9] remove trailing whitespace Signed-off-by: boolman --- plugins/modules/keycloak_client.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/plugins/modules/keycloak_client.py b/plugins/modules/keycloak_client.py index 7af774e7188..85a10271a3f 100644 --- a/plugins/modules/keycloak_client.py +++ b/plugins/modules/keycloak_client.py @@ -112,7 +112,7 @@ V(client-jwt) or V(client-x509) can be chosen. When using V(client-secret), the module parameter O(secret) can set it, for V(client-jwt), you can use the keys C(use.jwks.url), C(jwks.url), and C(jwt.credential.certificate) in the O(attributes) module parameter - to configure its behavior. For V(client-x509) you can use the keys C(x509.allow.regex.pattern.comparison) + to configure its behavior. For V(client-x509) you can use the keys C(x509.allow.regex.pattern.comparison) and C(x509.subjectdn) in the O(attributes) module parameter to configure which certificate(s) to accept. - This is 'clientAuthenticatorType' in the Keycloak REST API. choices: ['client-secret', 'client-jwt', 'client-x509'] From e883caf29c354f0e6093b8c4ed94138db8e4d501 Mon Sep 17 00:00:00 2001 From: boolman Date: Thu, 3 Oct 2024 12:17:07 +0200 Subject: [PATCH 6/9] keycloak_client add example with x509 authentication Signed-off-by: boolman --- plugins/modules/keycloak_client.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/plugins/modules/keycloak_client.py b/plugins/modules/keycloak_client.py index 85a10271a3f..40f8b746bae 100644 --- a/plugins/modules/keycloak_client.py +++ b/plugins/modules/keycloak_client.py 
@@ -633,6 +633,22 @@ delegate_to: localhost +- name: Create or update a Keycloak client (minimal example), with x509 authentication + community.general.keycloak_client: + auth_client_id: admin-cli + auth_keycloak_url: https://auth.example.com/auth + auth_realm: master + auth_username: USERNAME + auth_password: PASSWORD + realm: master + state: present + client_id: test + client_authenticator_type: client-x509 + attributes: + x509.subjectdn: "CN=client" + x509.allow.regex.pattern.comparison: false + + - name: Create or update a Keycloak client (with all the bells and whistles) community.general.keycloak_client: auth_client_id: admin-cli From 73c65702624cce1e822ec49312175c31421c0a07 Mon Sep 17 00:00:00 2001 From: Boolman Date: Thu, 3 Oct 2024 17:44:16 +0200 Subject: [PATCH 7/9] Update plugins/modules/keycloak_client.py Co-authored-by: Felix Fontein --- plugins/modules/keycloak_client.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/modules/keycloak_client.py b/plugins/modules/keycloak_client.py index 40f8b746bae..b0f43af614f 100644 --- a/plugins/modules/keycloak_client.py +++ b/plugins/modules/keycloak_client.py @@ -109,7 +109,7 @@ client_authenticator_type: description: - How do clients authenticate with the auth server? Either V(client-secret), - V(client-jwt) or V(client-x509) can be chosen. When using V(client-secret), the module parameter + V(client-jwt), or V(client-x509) can be chosen. When using V(client-secret), the module parameter O(secret) can set it, for V(client-jwt), you can use the keys C(use.jwks.url), C(jwks.url), and C(jwt.credential.certificate) in the O(attributes) module parameter to configure its behavior. For V(client-x509) you can use the keys C(x509.allow.regex.pattern.comparison) From 584c547d70235e3800e8c7a4ad760be56ce1447d Mon Sep 17 00:00:00 2001 
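Review bot: The example sets `x509.allow.regex.pattern.comparison: false` as a YAML boolean while the neighbouring key `x509.subjectdn: "CN=client"` is a quoted string; Keycloak client attributes are string-valued in the REST representation, so unless the module stringifies attribute values before sending them (not visible here), the two entries in the same dict document different value forms. Either quote it as `x509.allow.regex.pattern.comparison: "false"` or confirm the module's handling and state it in the attribute's description. The task name `Create or update a Keycloak client (minimal example), with x509 authentication` also reads awkwardly; `Create or update a Keycloak client with x509 authentication (minimal example)` follows the pattern of the surrounding examples.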
From: Boolman Date: Thu, 3 Oct 2024 17:44:28 +0200 Subject: [PATCH 8/9] Update changelogs/fragments/8973-keycloak_client-add-x509-auth.yml Co-authored-by: Felix Fontein --- changelogs/fragments/8973-keycloak_client-add-x509-auth.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelogs/fragments/8973-keycloak_client-add-x509-auth.yml b/changelogs/fragments/8973-keycloak_client-add-x509-auth.yml index 0046c4d7b4e..a7bc125f828 100644 --- a/changelogs/fragments/8973-keycloak_client-add-x509-auth.yml +++ b/changelogs/fragments/8973-keycloak_client-add-x509-auth.yml @@ -1,2 +1,2 @@ minor_changes: - - keycloak_client - Add ``client-x509`` choise to ``client_authenticator_type`` (https://github.com/ansible-collections/community.general/pull/8973). + - keycloak_client - add ``client-x509`` choice to ``client_authenticator_type`` (https://github.com/ansible-collections/community.general/pull/8973). From 25f12d00ad22b18352fc8201c63dce8e590ced25 Mon Sep 17 00:00:00 2001 From: boolman Date: Fri, 4 Oct 2024 10:34:52 +0200 Subject: [PATCH 9/9] keycloak_client added type on new suboptions Signed-off-by: boolman --- plugins/modules/keycloak_client.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/plugins/modules/keycloak_client.py b/plugins/modules/keycloak_client.py index b0f43af614f..d2800be2924 100644 --- a/plugins/modules/keycloak_client.py +++ b/plugins/modules/keycloak_client.py @@ -534,7 +534,6 @@ description: - SAML Redirect Binding URL for the client's assertion consumer service (login responses). - saml_force_name_id_format: description: - For SAML clients, Boolean specifying whether to ignore requested NameID subject format and using the configured one instead. 
@@ -585,10 +584,14 @@
 x509.subjectdn:
 description:
 - For OpenID-Connect clients, subject which will be used to authenticate the client.
+ type: str
+ version_added: 9.5.0
 x509.allow.regex.pattern.comparison:
 description:
 - For OpenID-Connect clients, boolean specifying whether to allow C(x509.subjectdn) as regular expression.
+ type: bool
+ version_added: 9.5.0
 extends_documentation_fragment:
 - community.general.keycloak