-
Notifications
You must be signed in to change notification settings - Fork 311
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow for defining Flow priorities declaratively #296
Comments
Hey, I agree it is annoying and I agree using You can make a solution that works with nested objects and that fetches the whole flow and compares everything and checks if everything is where it should be. Another solution would be to make PR towards the Keycloak project to allow to set the priority of subflow/authenticator directly. (Internally Keycloak is using an integer to sort the subflows/authenticators if i am not mistaken, so it is really a pity) As you already know: there is more info about this in the comments of PR #138 |
Thank you for the detailed explanation. That's also what I figured. What I'm thinking is: you can still kind of acceptably pretend to allow for absolute ordering by allowing the user to input absolute number, sorting the items of the same flow level by those numbers and then issuing the API calls in order. You could even allow for reordering using that method. Granted, it would take a little longer as you'd be issuing manual relative requests (which really sucks from keycloak tbh) but I think it would be workable. |
I noticed that the authentication executions have a priority attribute, at least according to the API documentation (https://www.keycloak.org/docs-api/15.0/rest-api/index.html#_authenticationexecutionexportrepresentation). Would this help to fix the issue? We would also appreciate to use the priority within our authentication flows. |
AFAIK the priority has always been there. Furthermore keycloak uses it internally to order them and you get the priority returned when getting a flow. But you can not set it via POST or PUT. (I think it is stripped out of the input) You can only influence the priority by calling raise or lower priority. The admin API is only build for supporting the admin UI, and I think that is the main culprit |
This is super annoying. We are heavily reliant on custom auth flows that frequently change due to different requirements. It's a hack of course, but with so many realms, we have no choice. The order in the modules must match the order in Keycloak. |
With Terraform 1.2 and the - depends_on = [
- keycloak_authentication_execution.browser_sso_cookie
- ]
+ lifecycle {
+ replace_triggered_by = [
+ keycloak_authentication_subflow.browser_sso_cookie
+ ]
+ } This will instruct Terraform to re-create a resource after one of the dependent executions are re-created. If this provider exposed the underlying lifecycle {
replace_triggered_by = [
keycloak_authentication_subflow.browser_sso_cookie.priority
]
} |
Good news everyone, keycloak/keycloak#27751 got finally merged 🎉 There are no blockers to get this implemented now for Keycloak 25 (when it gets released ofc) and up. |
…lows Fixes mrparkers#296 Signed-off-by: Andrejs Mivreniks <[email protected]>
Fixes mrparkers#296 Signed-off-by: Andrejs Mivreniks <[email protected]>
Fixes mrparkers#296 Signed-off-by: Andrejs Mivreniks <[email protected]>
Hey, great plugin. We use in Arch Linux for basically all of our SSO infra.
However, we ran into the limitation that we can't declaratively define the priorities of executions and subflows inside of a flow. This is kind of annoying. I know that you can hack this using
depends_on
but frankly that's not really the Terraform spirit. It would be great if you could add some logic to allow for declaratively defining the Flow priorities.The text was updated successfully, but these errors were encountered: