feat: add fine-grained realm-wide client scope management #1021

Draft
wants to merge 1 commit into
base: main

@aslafy-z aslafy-z commented Nov 22, 2024

Replaces #649 (Closes #649)
Relates #895 #470 #547

This PR adds two new resources to the Terraform Keycloak provider: keycloak_openid_default_client_scope and keycloak_openid_optional_client_scope. These resources allow assigning default or optional client scopes at the realm level, resolving a significant limitation. While default client scopes can already be configured at the realm level, custom-created scopes are not supported due to a chicken-and-egg issue: custom scopes require the realm to exist beforehand. Moreover, these resources enable fine-grained management of individual client scopes rather than managing an entire list, providing enhanced flexibility and precision.

Thanks to @Korsarro69 for the initial work. I opened this PR as #649 is now stale.

cc @daviddelannoy @dglozano @lebronnecf

TODO:

  • Naming clarification: Current client scope mapping resources are called keycloak_openid_client_default_scopes and keycloak_openid_client_optional_scopes. Aren't keycloak_openid_default_client_scope and keycloak_openid_optional_client_scope too confusing? Should I rename them to keycloak_openid_client_default_scope and keycloak_openid_client_optional_scope? I guess the realm-wide will be added to the list resources in the future, which will align functionalities.
  • Fix/Add tests

Run tests in codespaces with:

sudo apt update
sudo apt-get install -y openjdk-11-jdk
make user-federation-example
make local
export KEYCLOAK_CLIENT_ID=terraform \
KEYCLOAK_CLIENT_SECRET=884e0f95-0f42-4a63-9b1f-94274655669e \
KEYCLOAK_CLIENT_TIMEOUT=5 \
KEYCLOAK_REALM=master \
KEYCLOAK_URL="http://localhost:8080"
make testacc TESTARGS='-run "DefaultClientScope|OptionalClientScope"'

@aslafy-z aslafy-z changed the title feat: add realm-wide client scope management feat: add fine-grained realm-wide client scope management Nov 22, 2024
@aslafy-z aslafy-z force-pushed the feat/clientless-optional-scope branch 2 times, most recently from a813fd3 to 3c8dd28 Compare November 22, 2024 10:22
@aslafy-z aslafy-z marked this pull request as draft November 22, 2024 10:26
@aslafy-z aslafy-z force-pushed the feat/clientless-optional-scope branch 4 times, most recently from ca3eccc to 3fdb9b5 Compare November 22, 2024 14:43
@aslafy-z aslafy-z marked this pull request as ready for review November 22, 2024 14:44
@aslafy-z aslafy-z force-pushed the feat/clientless-optional-scope branch 4 times, most recently from cd18f63 to 3a32483 Compare November 22, 2024 18:32
@aslafy-z aslafy-z marked this pull request as draft November 22, 2024 18:33
@aslafy-z aslafy-z force-pushed the feat/clientless-optional-scope branch 5 times, most recently from 55fc048 to 5d3859c Compare November 28, 2024 15:00
@denniskniep
Contributor

@aslafy-z are you still working on that PR? Do you have any plans when to continue or complete that?

@aslafy-z aslafy-z force-pushed the feat/clientless-optional-scope branch from 5d3859c to 613b50c Compare January 13, 2025 16:19
@aslafy-z aslafy-z force-pushed the feat/clientless-optional-scope branch from 613b50c to 90644ef Compare January 13, 2025 16:20
@aslafy-z
Author

For some reason, TestAccKeycloakOpenidClientDefaultScopes_authoritativeRemove becomes flaky with this addition. I guess it's linked to these newly added tests that interact with the same Realm as TestAccKeycloakOpenidClientDefaultScopes. Any idea why and how this may be resolved @denniskniep?

@denniskniep
Contributor

Hi @aslafy-z,

How can I set a scope explicitly to None with that approach?

Wouldn't it be easier to add a new type property to the keycloak_openid_client_scope resource (possible values would be: None, Default, Optional)? Like it's reflected in the GUI:

image

cc: @sschu
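
Added example (not part of the thread and not the provider's code): how the None/Default/Optional choice raised above maps onto per-scope requests, which is also what managing one scope at a time amounts to. It assumes the Keycloak Admin REST list endpoints default-default-client-scopes and default-optional-client-scopes and that a scope sits in at most one realm-level list; ScopeType, Call and Plan are hypothetical names.

```go
package main

import (
	"fmt"
	"net/url"
)

// ScopeType is the three-way choice from the comment above (hypothetical type).
type ScopeType string

const (
	None     ScopeType = "None"
	Default  ScopeType = "Default"
	Optional ScopeType = "Optional"
)

// Call is one Keycloak Admin REST request (hypothetical helper type).
type Call struct{ Method, Path string }

// lists maps each type to the realm-level list that holds it; None is in no list.
var lists = map[ScopeType]string{
	None:     "",
	Default:  "default-default-client-scopes",
	Optional: "default-optional-client-scopes",
}

// Plan returns the requests that move one client scope from current to desired.
func Plan(realm, scopeID string, current, desired ScopeType) ([]Call, error) {
	from, okFrom := lists[current]
	to, okTo := lists[desired]
	if !okFrom || !okTo {
		return nil, fmt.Errorf("unknown scope type: %q -> %q", current, desired)
	}
	base := "/admin/realms/" + url.PathEscape(realm) + "/"
	id := "/" + url.PathEscape(scopeID)
	var calls []Call
	if from != to && from != "" { // leave the old list first
		calls = append(calls, Call{"DELETE", base + from + id})
	}
	if from != to && to != "" { // then join the new one
		calls = append(calls, Call{"PUT", base + to + id})
	}
	return calls, nil
}

func main() {
	// Constructed realm name and scope id: setting a Default scope to None.
	calls, err := Plan("demo", "constructed-scope-id", Default, None)
	fmt.Println(calls, err)
}
```

Setting a scope to None is a DELETE against whichever list currently holds it, so the caller has to know the current state before planning.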

@alexnuttinck

Hi @denniskniep, @aslafy-z,
This PR #1079 has been merged in v5.1.0.
I think it may solve what you are trying to do here.
