Try SpotterAllows administration of Keycloak client custom Javascript policies via Keycloak API
| "added in version" 7.5.0 of community.general"
Authors: Samuli Seppänen (@mattock)
Install with ansible-galaxy collection install community.general:==8.5.0
collections:
- name: community.general
version: 8.5.0This module allows the administration of Keycloak client custom Javascript via the Keycloak REST API. Custom Javascript policies are only available if a client has Authorization enabled and if they have been deployed to the Keycloak server as JAR files.
This module requires access to the REST API via OpenID Connect; the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles.
The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/)
- name: Manage Keycloak custom authorization policy
community.general.keycloak_authz_custom_policy:
name: OnlyOwner
state: present
policy_type: script-policy.js
client_id: myclient
realm: myrealm
auth_keycloak_url: http://localhost:8080/auth
auth_username: keycloak
auth_password: keycloak
auth_realm: master
name:
description:
- Name of the custom policy to create.
required: true
type: str
realm:
description:
- The name of the Keycloak realm the Keycloak client is in.
required: true
type: str
state:
choices:
- present
- absent
default: present
description:
- State of the custom policy.
- On V(present), the custom policy will be created (or updated if it exists already).
- On V(absent), the custom policy will be removed if it exists.
type: str
token:
description:
- Authentication token for Keycloak API.
type: str
version_added: 3.0.0
version_added_collection: community.general
client_id:
description:
- The V(clientId) of the Keycloak client that should have the custom policy attached
to it.
- This is usually a human-readable name of the Keycloak client.
required: true
type: str
auth_realm:
description:
- Keycloak realm name to authenticate to for API access.
type: str
http_agent:
default: Ansible
description:
- Configures the HTTP User-Agent header.
type: str
version_added: 5.4.0
version_added_collection: community.general
policy_type:
description:
- The type of the policy. This must match the name of the custom policy deployed to
the server.
- Multiple policies pointing to the same policy type can be created, but their names
have to differ.
required: true
type: str
auth_password:
aliases:
- password
description:
- Password to authenticate for API access with.
type: str
auth_username:
aliases:
- username
description:
- Username to authenticate for API access with.
type: str
auth_client_id:
default: admin-cli
description:
- OpenID Connect C(client_id) to authenticate to the API with.
type: str
validate_certs:
default: true
description:
- Verify TLS certificates (do not disable this in production).
type: bool
auth_keycloak_url:
aliases:
- url
description:
- URL to the Keycloak instance.
required: true
type: str
auth_client_secret:
description:
- Client Secret to use in conjunction with O(auth_client_id) (if required).
type: str
connection_timeout:
default: 10
description:
- Controls the HTTP connections timeout period (in seconds) to Keycloak API.
type: int
version_added: 4.5.0
version_added_collection: community.general
end_state:
contains:
name:
description: Name of the custom policy.
returned: when I(state=present)
sample: file:delete
type: str
policy_type:
description: Type of custom policy.
returned: when I(state=present)
sample: File delete
type: str
description: Representation of the custom policy after module execution.
returned: on success
type: dict
msg:
description: Message as to what action was taken.
returned: always
type: str