* feat(keycloak_realm_key): add support for auto-generated key providers
Add support for Keycloak's auto-generated key providers where Keycloak
manages the key material automatically:
- rsa-generated: Auto-generates RSA signing keys
- hmac-generated: Auto-generates HMAC signing keys
- aes-generated: Auto-generates AES encryption keys
- ecdsa-generated: Auto-generates ECDSA signing keys
New algorithms:
- HMAC: HS256, HS384, HS512
- ECDSA: ES256, ES384, ES512
- AES: AES (no algorithm parameter needed)
New config options:
- secret_size: For HMAC/AES providers (key size in bytes)
- key_size: For RSA-generated provider (key size in bits)
- elliptic_curve: For ECDSA-generated provider (P-256, P-384, P-521)
Changes:
- Make private_key/certificate optional (only required for rsa/rsa-enc)
- Add provider-algorithm validation with clear error messages
- Fix KeyError when managing default realm keys (issue #11459)
- Maintain backward compatibility: RS256 default works for rsa/rsa-generated
Fixes: #11459
* fix: address sanity test failures
- Add 'default: RS256' to algorithm documentation to match spec
- Add no_log=True to secret_size parameter per sanity check
* feat(keycloak_realm_key): extend support for all Keycloak key providers
Add support for remaining auto-generated key providers:
- rsa-enc-generated (RSA encryption keys with RSA1_5, RSA-OAEP, RSA-OAEP-256)
- ecdh-generated (ECDH key exchange with ECDH_ES, ECDH_ES_A128KW/A192KW/A256KW)
- eddsa-generated (EdDSA signing with Ed25519, Ed448 curves)
Changes:
- Add provider-specific elliptic curve config key mapping
(ecdsaEllipticCurveKey, ecdhEllipticCurveKey, eddsaEllipticCurveKey)
- Add PROVIDERS_WITHOUT_ALGORITHM constant for providers that don't need algorithm
- Add elliptic curve validation per provider type
- Update documentation with all supported algorithms and examples
- Add comprehensive integration tests for all new providers
This completes full coverage of all Keycloak key provider types.
* style: apply ruff formatting
* feat(keycloak_realm_key): add java-keystore provider and update_password
Add support for java-keystore provider to import keys from Java
Keystore (JKS or PKCS12) files on the Keycloak server filesystem.
Add update_password parameter to control password handling for
java-keystore provider:
- always (default): Always send passwords to Keycloak
- on_create: Only send passwords when creating, preserve existing
passwords when updating (enables idempotent playbooks)
The on_create mode sends the masked value ("**********") that Keycloak
recognizes as "preserve existing password", matching the behavior when
re-importing an exported realm.
Replace password_checksum with update_password - the checksum approach
was complex and error-prone. The update_password parameter is simpler
and follows the pattern used by ansible.builtin.user module.
Also adds key_info return value containing kid, certificate fingerprint,
status, and expiration for java-keystore keys.
* address PR review feedback
- Remove no_log=True from secret_size (just an int, not sensitive)
- Add version_added: 12.4.0 to new parameters and return values
- Remove "Added in community.general 12.4.0" from description text
- Consolidate changelog entries into 4 focused entries
- Remove bugfix from changelog (now in separate PR #11470)
* address review feedback from russoz and felixfontein
- remove docstrings from module-local helpers
- remove line-by-line comments and unnecessary null guard
- use specific exceptions instead of bare except Exception
- use module.params["key"] instead of .get("key")
- consolidate changelog into single entry
- avoid "complete set" claim, reference Keycloak 26 instead
* address round 2 review feedback
- Extract remove_sensitive_config_keys() helper (DRY refactor)
- Simplify RS256 validation to single code path
- Add TypeError to inner except in compute_certificate_fingerprint()
- Remove redundant comments (L812, L1031)
- Switch .get() to direct dict access for module.params
* fix(keycloak_realm_key): handle missing config fields for default keys
Keycloak API may not return 'active', 'enabled', or 'algorithm' fields
in the config response for default/auto-generated realm keys. This caused
a KeyError when the module tried to compare these fields during state
detection.
Use .get() with the expected value as default to handle missing fields
gracefully, treating them as unchanged if not present in the API response.
Fixes: #11459
* add PR link to changelog entry per review feedback
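An added illustration (not code from the module or from these commits) of two behaviours described in the commit message above: treating config fields missing from the API response as unchanged, and the two `update_password` modes. The function names, the sample response and the assumption that config values arrive as one-item lists of strings are hypothetical.

```python
# Added illustration; not the keycloak_realm_key implementation.
MASKED_PASSWORD = "**********"  # masked value quoted in the commit message

# Constructed sample: a default realm key as the API might return it, with
# no 'active', 'enabled' or 'algorithm' entries in its config.
# Assumption: config values arrive as one-item lists of strings.
SAMPLE_DEFAULT_KEY = {
    "name": "rsa-generated",
    "providerId": "rsa-generated",
    "config": {"priority": ["100"]},
}


def as_config_value(value):
    """Render a desired value the way the sample config stores it."""
    return str(value).lower() if isinstance(value, bool) else str(value)


def config_changes(desired, current_config):
    """Return {field: (current, desired)} for fields that differ.

    A field absent from current_config is treated as unchanged, so a
    sparse response for a default key does not raise KeyError.
    """
    changes = {}
    for field, value in desired.items():
        want = as_config_value(value)
        have = (current_config.get(field) or [want])[0]
        if have != want:
            changes[field] = (have, want)
    return changes


def password_for_request(password, update_password, creating):
    """Pick the password value to send for the two update_password modes."""
    if update_password not in ("always", "on_create"):
        raise ValueError(f"unsupported update_password: {update_password!r}")
    if update_password == "on_create" and not creating:
        return MASKED_PASSWORD  # asks Keycloak to keep the stored password
    return password
```

With `on_create`, a second run sends the same masked value each time, which is what lets a playbook stay idempotent without the module ever comparing the stored password.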
* Get rid of all six.moves imports.
* Get rid of iteritems.
* Get rid of *_type(s) aliases.
* Replace StringIO import.
* Get rid of PY2/PY3 constants.
* Get rid of raise_from.
* Get rid of python_2_unicode_compatible.
* Clean up global six imports.
* Remove all usage of ansible.module_utils.six.
* Linting.
* Fix xml module.
* Docs adjustments.
* Adjust all __future__ imports:
for i in $(grep -REl "__future__.*absolute_import" plugins/ tests/); do
sed -e 's/from __future__ import .*/from __future__ import annotations/g' -i $i;
done
* Remove all UTF-8 encoding specifications for Python source files:
for i in $(grep -REl '[-][*]- coding: utf-8 -[*]-' plugins/ tests/); do
sed -e '/^# -\*- coding: utf-8 -\*-/d' -i $i;
done
* Remove __metaclass__ = type:
for i in $(grep -REl '__metaclass__ = type' plugins/ tests/); do
sed -e '/^__metaclass__ = type/d' -i $i;
done
* add client_credentials authentication for keycloak tasks incl. test case
* support client credentials in all keycloak modules
* Add changelog fragment
* fix typos in required list
* Update changelogs/fragments/10231-keycloak-add-client-credentials-authentication.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* revert keycloak url in test environment
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* feat: begin refactor to support refresh token in keycloak modules
* chore: add start of tests for shared token usage
* feat: progress towards supporting refresh token; token introspection not yet working [8857]
* chore: reset to main branch previous state; a different approach is needed [8857]
* feat: add request methods to keycloak class, which will be expanded with retry logic [8857]
* feat: all requests to keycloak use request methods instead of open_url [8857]
* fix: data argument is optional in keycloak request methods [8857]
* feat: add integration test for keycloak module authentication methods [8857]
* chore: refactor get token logic to separate logic using username/pass credentials [8857]
* chore: refactor token request logic further to isolate request logic [8857]
* chore: fix minor lint issues [8857]
* test: add (currently failing) test for request with invalid auth token, valid refresh token [8857]
* chore: allow realm to be provided to role module with refresh_token, without username/pass [8857]
* feat: add retry logic to requests in keycloak module utils [8857]
* chore: rename keycloak module fail_open_url method to fail_request [8857]
* chore: update all keycloak modules to support refresh token param [8857]
* chore: add refresh_token param to keycloak doc_fragments [8857]
* chore: restore dependency between auth_realm and auth_username,auth_password params [8857]
* chore: rearrange module param checks to reduce future pr size [8857]
* chore: remove extra comma [8857]
* chore: update version added for refresh token param [8857]
* chore: add changelog fragment [8857]
* chore: re-add fail_open_url to keycloak module utils for backward compatibility [8857]
* fix: do not make a new request to keycloak without reauth when refresh token not provided (#8857)
* fix: only make final auth attempt if username/pass provided, and return exception on failure (#8857)
* fix: make re-auth and retry code more consistent, ensure final exceptions are thrown (#8857)
* test: fix arguments for invalid token, valid refresh token test (#8857)
* feat: catch invalid refresh token errors during re-auth attempt (#8857)
Add test to verify this behaviour works.
* test: improve test coverage, including some unhappy path tests for authentication failures (#8857)
* chore: store auth errors from token request in backwards compatible way (#8857)
* fix: ensure method is still specified for all requests (#8857)
* chore: simplify token request logic (#8857)
* chore: rename functions to request tokens using refresh token or username/password (#8857)
To emphasize their difference from the `get_token` function,
which either gets the token from the module params
*or* makes a request for it.
* doc: add docstrings for new or significantly modified functions (#8857)
* test: repair unit test following change to exception message upon key error during auth request (#8857)
* Create group for keycloak
This will allow keycloak authentication details to be set as a module_defaults rather than repeated on each task
* add documentation to keycloak modules to note creation of action_group
* add changelog for keycloak action_group creation
* exclude keycloak_realm_info from action group, as it does not share same set of base parameters
* fix formatting on changelog entry for adding Keycloak action group
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* add support for rsa enc key usage, more algorithms, and make certificate optional
* fix formatting
* adding changelog fragment
* made suggested code changes based on review
* fix typo and be more clear
* revert certificate to previous defined settings
* Add keycloak_realm_key module
* keycloak_realm_key: make "ansible-test sanity" happy
Signed-off-by: Samuli Seppänen <samuli.seppanen@puppeteers.net>
* keycloak_realm_key: support check_mode
* keycloak_realm_key: add integration tests
* keycloak_realm_key: remove FIXME comment
* keycloak_realm_key: fix EOL in integration test variables
* keycloak_realm_key: remove unused import
* keycloak_realm_key: remove integration test realm at the end of test suite
* keycloak_realm_key: add version_added metadata
* keycloak_realm_key: add documentation for end_state
* keycloak_realm_key: support the "certificate" parameter
As with "private_key", changing the certificate after creation is not possible
because we can't compare the current value to the desired value.
* keycloak_realm_key: document default for certificate parameter
Signed-off-by: Samuli Seppänen <samuli.seppanen@puppeteers.net>
* keycloak_realm_key: implement diff mode
* Update plugins/modules/keycloak_realm_key.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/keycloak_realm_key.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/keycloak_realm_key.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/keycloak_realm_key.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/keycloak_realm_key.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* keycloak_realm_key: remove note about literal linefeeds
* keycloak_realm_key: remove defaults from priority and certificate
* keycloak_realm_key: mark diff and check modes as partially supported
* keycloak_realm_key: implement "force" parameter
This ensures that the desired state is always enforced on keys that should be,
and are, present.
* keycloak_realm_key: fix yaml parsing error in documentation
* keycloak_realm_key: document why check_mode support is partial
* Update plugins/modules/keycloak_realm_key.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/keycloak_realm_key.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* keycloak_realm_key: documentation and metadata fixes
* keycloak_realm_key: small documentation fix
* keycloak_realm_key: change version_added to 7.5.0
* Update plugins/modules/keycloak_realm_key.py
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Signed-off-by: Samuli Seppänen <samuli.seppanen@puppeteers.net>
Co-authored-by: Felix Fontein <felix@fontein.de>