From 106817316d4e4bb71aec0e7c47d03697e1bcc7ad Mon Sep 17 00:00:00 2001 From: Ivan Kokalovic <67540157+koke1997@users.noreply.github.com> Date: Sat, 7 Feb 2026 16:21:32 +0100 Subject: [PATCH] keycloak_realm_key: handle missing config fields for default keys (#11470) * fix(keycloak_realm_key): handle missing config fields for default keys Keycloak API may not return 'active', 'enabled', or 'algorithm' fields in the config response for default/auto-generated realm keys. This caused a KeyError when the module tried to compare these fields during state detection. Use .get() with the expected value as default to handle missing fields gracefully, treating them as unchanged if not present in the API response. Fixes: #11459 * add PR link to changelog entry per review feedback
---
 .../keycloak-realm-key-keyerror-bugfix.yml | 5 +++++
 plugins/modules/keycloak_realm_key.py | 13 ++++++++++---
 2 files changed, 15 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/fragments/keycloak-realm-key-keyerror-bugfix.yml
diff --git a/changelogs/fragments/keycloak-realm-key-keyerror-bugfix.yml b/changelogs/fragments/keycloak-realm-key-keyerror-bugfix.yml
new file mode 100644
index 0000000000..cb8dd12271
--- /dev/null
+++ b/changelogs/fragments/keycloak-realm-key-keyerror-bugfix.yml
@@ -0,0 +1,5 @@
+bugfixes:
+ - keycloak_realm_key - fix ``KeyError`` crash when managing realm keys where Keycloak
+ does not return ``active``, ``enabled``, or ``algorithm`` fields in the config
+ response (https://github.com/ansible-collections/community.general/issues/11459,
+ https://github.com/ansible-collections/community.general/pull/11470).
diff --git a/plugins/modules/keycloak_realm_key.py b/plugins/modules/keycloak_realm_key.py
index 996e6bf356..e59228fe39 100644
--- a/plugins/modules/keycloak_realm_key.py
+++ b/plugins/modules/keycloak_realm_key.py
@@ -402,10 +402,17 @@ def main():
 result["changed"] = True
 # Compare parameters under the "config" key
+ # Note: Keycloak API may not return all config fields for default keys
+ # (e.g., 'active', 'enabled', 'algorithm' may be missing). Handle this
+ # gracefully by using .get() with defaults.
 for p, v in changeset_copy["config"].items():
- before_realm_key["config"][p] = key["config"][p]
- if v != key["config"][p]:
- changes += f"config.{p}: {key['config'][p]} -> {v}, "
+ # Get the current value, defaulting to our expected value if not present
+ # This handles the case where Keycloak does not return certain fields
+ # for default/generated keys
+ current_value = key["config"].get(p, v)
+ before_realm_key["config"][p] = current_value
+ if v != current_value:
+ changes += f"config.{p}: {current_value} -> {v}, "
 result["changed"] = True
 # Sanitize linefeeds for the privateKey. Without this the JSON payload
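Review bot: Defaulting the lookup to the requested value in `current_value = key["config"].get(p, v)` means a missing field can never register as a difference, so a task that sets `enabled` or `active` to a non-default value such as false on a default key (for example to retire a signing key) may report no change for that field if Keycloak omits it. The same line also writes the requested value into `before_realm_key["config"][p]`, so the reported before-state shows a value the server never returned. Consider keeping the absence visible, e.g. `current_value = key["config"].get(p)` with `if p in key["config"] and v != current_value:`, and deciding explicitly for the boolean fields whether a missing value should be compared against the server-side default rather than skipped. Whether an update is still sent when no difference is detected depends on code in `main()` outside this hunk.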