From 88bfb6dda35296d06ec6887f43af9efef1e9a17b Mon Sep 17 00:00:00 2001
From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com>
Date: Sat, 7 Feb 2026 16:34:22 +0100
Subject: [PATCH] [PR #11470/10681731 backport][stable-12] keycloak_realm_key:
 handle missing config fields for default keys (#11478)

keycloak_realm_key: handle missing config fields for default keys (#11470)

* fix(keycloak_realm_key): handle missing config fields for default keys

Keycloak API may not return 'active', 'enabled', or 'algorithm' fields
in the config response for default/auto-generated realm keys. This caused
a KeyError when the module tried to compare these fields during state
detection.

Use .get() with the expected value as default to handle missing fields
gracefully, treating them as unchanged if not present in the API response.

Fixes: #11459

* add PR link to changelog entry per review feedback

(cherry picked from commit 106817316d4e4bb71aec0e7c47d03697e1bcc7ad)

Co-authored-by: Ivan Kokalovic <67540157+koke1997@users.noreply.github.com>
---
 .../keycloak-realm-key-keyerror-bugfix.yml          |  5 +++++
 plugins/modules/keycloak_realm_key.py               | 13 ++++++++++---
 2 files changed, 15 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/fragments/keycloak-realm-key-keyerror-bugfix.yml

diff --git a/changelogs/fragments/keycloak-realm-key-keyerror-bugfix.yml b/changelogs/fragments/keycloak-realm-key-keyerror-bugfix.yml
new file mode 100644
index 0000000000..cb8dd12271
--- /dev/null
+++ b/changelogs/fragments/keycloak-realm-key-keyerror-bugfix.yml
@@ -0,0 +1,5 @@
+bugfixes:
+  - keycloak_realm_key - fix ``KeyError`` crash when managing realm keys where Keycloak
+    does not return ``active``, ``enabled``, or ``algorithm`` fields in the config
+    response (https://github.com/ansible-collections/community.general/issues/11459,
+    https://github.com/ansible-collections/community.general/pull/11470).
diff --git a/plugins/modules/keycloak_realm_key.py b/plugins/modules/keycloak_realm_key.py
index 996e6bf356..e59228fe39 100644
--- a/plugins/modules/keycloak_realm_key.py
+++ b/plugins/modules/keycloak_realm_key.py
@@ -402,10 +402,17 @@ def main():
                     result["changed"] = True
 
             # Compare parameters under the "config" key
+            # Note: Keycloak API may not return all config fields for default keys
+            # (e.g., 'active', 'enabled', 'algorithm' may be missing). Handle this
+            # gracefully by using .get() with defaults.
             for p, v in changeset_copy["config"].items():
-                before_realm_key["config"][p] = key["config"][p]
-                if v != key["config"][p]:
-                    changes += f"config.{p}: {key['config'][p]} -> {v}, "
+                # Get the current value, defaulting to our expected value if not present
+                # This handles the case where Keycloak does not return certain fields
+                # for default/generated keys
+                current_value = key["config"].get(p, v)
+                before_realm_key["config"][p] = current_value
+                if v != current_value:
+                    changes += f"config.{p}: {current_value} -> {v}, "
                     result["changed"] = True
 
     # Sanitize linefeeds for the privateKey. Without this the JSON payload