keycloak_client: add valid_post_logout_redirect_uris and backchannel_logout_url (#11473)

* feat(keycloak_client): add valid_post_logout_redirect_uris and backchannel_logout_url Add two new convenience parameters that map to client attributes: - valid_post_logout_redirect_uris: sets post.logout.redirect.uris attribute (list items joined with ##) - backchannel_logout_url: sets backchannel.logout.url attribute These fields are not top-level in the Keycloak REST API but are stored as client attributes. The new parameters provide a user-friendly interface without requiring users to know the internal attribute names and ##-separator format. Fixes #6812, fixes #4892 * consolidate changelog and add PR link per review feedback
2026-03-22 05:09:12 +00:00 · 2026-02-07 16:19:29 +01:00 · 2026-02-07 16:19:29 +01:00 · df6d6269a6
commit df6d6269a6
parent c41de53dbb
4 changed files with 138 additions and 1 deletions
--- a/tests/integration/targets/keycloak_client/tasks/main.yml
+++ b/tests/integration/targets/keycloak_client/tasks/main.yml
@ -456,4 +456,74 @@
      - end_state.attributes["backchannel.logout.session.required"] == 'false'
      - end_state.attributes["oauth2.device.authorization.grant.enabled"] == 'false'
  vars:
-    end_state: "{{ check_client_when_present_and_attributes_modified.end_state }}"
+    end_state: "{{ check_client_when_present_and_attributes_modified.end_state }}"
+
+# ---- Tests for valid_post_logout_redirect_uris and backchannel_logout_url ----
+
+- name: Create client with post logout redirect URIs and backchannel logout URL
+  community.general.keycloak_client:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: logout-test-client
+    valid_post_logout_redirect_uris: "{{ post_logout_redirect_uris }}"
+    backchannel_logout_url: "{{ backchannel_logout_url }}"
+    state: present
+  register: result_create_logout_client
+
+- name: Assert logout client is created with correct attributes
+  assert:
+    that:
+      - result_create_logout_client is changed
+      - result_create_logout_client.end_state.attributes["post.logout.redirect.uris"] is defined
+      - result_create_logout_client.end_state.attributes["backchannel.logout.url"] == backchannel_logout_url
+
+- name: Re-create client with same logout fields (idempotency)
+  community.general.keycloak_client:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: logout-test-client
+    valid_post_logout_redirect_uris: "{{ post_logout_redirect_uris }}"
+    backchannel_logout_url: "{{ backchannel_logout_url }}"
+    state: present
+  register: result_idempotent_logout_client
+
+- name: Assert logout client is idempotent
+  assert:
+    that:
+      - result_idempotent_logout_client is not changed
+
+- name: Update client logout fields
+  community.general.keycloak_client:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: logout-test-client
+    valid_post_logout_redirect_uris:
+      - "https://example.com/new-logout"
+    backchannel_logout_url: "https://example.com/new-backchannel"
+    state: present
+  register: result_update_logout_client
+
+- name: Assert logout client fields are updated
+  assert:
+    that:
+      - result_update_logout_client is changed
+      - result_update_logout_client.end_state.attributes["backchannel.logout.url"] == "https://example.com/new-backchannel"
+
+- name: Delete logout test client
+  community.general.keycloak_client:
+    auth_keycloak_url: "{{ url }}"
+    auth_realm: "{{ admin_realm }}"
+    auth_username: "{{ admin_user }}"
+    auth_password: "{{ admin_password }}"
+    realm: "{{ realm }}"
+    client_id: logout-test-client
+    state: absent