community.general.keycloak_authz_custom_policy module (community.general 8.5.0)
Allows administration of Keycloak client custom Javascript policies via Keycloak API
Added in community.general 7.5.0
Authors: Samuli Seppänen (@mattock)
Install with: ansible-galaxy collection install community.general:==8.5.0

Or add it to a requirements.yml file:

collections:
  - name: community.general
    version: 8.5.0
Synopsis

This module allows the administration of Keycloak client custom Javascript policies via the Keycloak REST API. Custom Javascript policies are only available if a client has Authorization enabled and if they have been deployed to the Keycloak server as JAR files.
This module requires access to the REST API via OpenID Connect; the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles.
The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads have not officially been documented by the Keycloak project; see https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/
Examples

- name: Manage Keycloak custom authorization policy
  community.general.keycloak_authz_custom_policy:
    name: OnlyOwner
    state: present
    policy_type: script-policy.js
    client_id: myclient
    realm: myrealm
    auth_keycloak_url: http://localhost:8080/auth
    auth_username: keycloak
    auth_password: keycloak
    auth_realm: master
Parameters

name (str, required)
  Name of the custom policy to create.

realm (str, required)
  The name of the Keycloak realm the Keycloak client is in.

state (str, default: present; choices: present, absent)
  State of the custom policy.
  On present, the custom policy will be created (or updated if it exists already).
  On absent, the custom policy will be removed if it exists.

token (str, added in community.general 3.0.0)
  Authentication token for Keycloak API.

client_id (str, required)
  The clientId of the Keycloak client that should have the custom policy attached to it.
  This is usually a human-readable name of the Keycloak client.

auth_realm (str)
  Keycloak realm name to authenticate to for API access.

http_agent (str, default: Ansible; added in community.general 5.4.0)
  Configures the HTTP User-Agent header.

policy_type (str, required)
  The type of the policy. This must match the name of the custom policy deployed to the server.
  Multiple policies pointing to the same policy type can be created, but their names have to differ.

auth_password (str, alias: password)
  Password to authenticate for API access with.

auth_username (str, alias: username)
  Username to authenticate for API access with.

auth_client_id (str, default: admin-cli)
  OpenID Connect client_id to authenticate to the API with.

validate_certs (bool, default: true)
  Verify TLS certificates (do not disable this in production).

auth_keycloak_url (str, required; alias: url)
  URL to the Keycloak instance.

auth_client_secret (str)
  Client Secret to use in conjunction with auth_client_id (if required).

connection_timeout (int, default: 10; added in community.general 4.5.0)
  Controls the HTTP connections timeout period (in seconds) to Keycloak API.
Return Values

end_state (dict, returned on success)
  Representation of the custom policy after module execution.
  name (str, returned when state=present): Name of the custom policy. Sample: file:delete
  policy_type (str, returned when state=present): Type of custom policy. Sample: File delete

msg (str, returned always)
  Message as to what action was taken.
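As an added example that is not part of the module documentation, the following playbook ties the parameters and return values above together: it authenticates with a service account (auth_client_id plus auth_client_secret from Ansible Vault, TLS verification left on), registers two policies with different names that share one deployed policy type, checks the end_state each call returns, and removes both again. The server URL, the ansible-admin client, the vault_keycloak_client_secret variable and the deployed script-policy.js type are assumptions for the example.

```yaml
---
# Added example, not from the module docs. Assumed: script-policy.js is
# deployed on the server as a JAR, a confidential client "ansible-admin" in
# "master" has a service account with the needed realm-management roles, and
# its secret is stored in Ansible Vault as vault_keycloak_client_secret.
- name: Manage custom authorization policies on myclient
  hosts: localhost
  gather_facts: false
  module_defaults:
    community.general.keycloak_authz_custom_policy:
      auth_keycloak_url: https://keycloak.example.com/auth
      auth_realm: master
      auth_client_id: ansible-admin
      auth_client_secret: "{{ vault_keycloak_client_secret }}"
      validate_certs: true            # keep TLS verification on
      connection_timeout: 10
      realm: myrealm
      client_id: myclient
      policy_type: script-policy.js   # one deployed type, several named policies
  tasks:
    - name: Create two policies that share the same policy type
      community.general.keycloak_authz_custom_policy:
        name: "{{ item }}"
        state: present
      loop:
        - OnlyOwner
        - OnlyOwnerOrAdmin
      no_log: true                    # keep the module args (incl. the secret) out of the log
      register: policies

    - name: Check what the server reports after the change
      ansible.builtin.assert:
        that:
          - item.end_state.name == item.item
          - item.end_state.policy_type == 'script-policy.js'
        fail_msg: "unexpected end_state: {{ item.end_state }}"
      loop: "{{ policies.results }}"
      loop_control:
        label: "{{ item.item }}"

    - name: Remove both policies again (no change reported if already absent)
      community.general.keycloak_authz_custom_policy:
        name: "{{ item }}"
        state: absent
      loop:
        - OnlyOwner
        - OnlyOwnerOrAdmin
      no_log: true
```

Running the play a second time with state: present reports no change for either policy, which is how to confirm the module is behaving idempotently against your server.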