keycloak_clientscope: Map client scope to role

[aristotelos]

Summary

In Keycloak, it is possible to map a client scope to one or more client roles or realm roles. However, it seems that the community.general.keycloak_clientscope module does not have this option.

See Keycloak documentation:

When a client scope does not have any role scope mappings defined, each user is permitted to use this client scope. However, when a client scope has role scope mappings defined, the user must be a member of at least one of the roles.

So it would be handy to have a roles option in the community.general.keycloak_clientscope task that allows a list of client or realm roles that are then mapped to that client scope.

Issue Type

Feature Idea

Component Name

keycloak_clientscope

Additional Information

Note that the following KeyCloak REST APIs (see documentation) support the scope mapping feature:

• POST /admin/realms/{realm}/client-scopes/{id}/scope-mappings/realm
• POST /admin/realms/{realm}/client-scopes/{id}/scope-mappings/clients/{client}

Code of Conduct

• I agree to follow the Ansible Code of Conduct

[ansibullbot]

Files identified in the description:

• plugins/modules/keycloak_clientscope.py

If these files are incorrect, please update the component name section of the description or use the !component bot command.

click here for bot help

[ansibullbot]

cc @Gaetan2907 @eikef @mattock @ndclt
click here for bot help

[ansibullbot]

cc @thomasbach-dev
click here for bot help

[flvmz]

Stumbled across this lately and there was an attempt to "fix" community.general.keycloak_client_rolescope to allow mapping roles to client scopes (#10342), which would have broken the intended purpose of this module.

I think there should be a dedicated module to map realm and client roles to a client scope. This should not be integrated into community.general.keycloak_clientscope, as even the keycloak api does not allow to map roles to a client scope during its creation (only attributes and mappers are allowed, see https://www.keycloak.org/docs-api/latest/rest-api/index.html#ClientScopeRepresentation).
This must be accomplished via "Scope Mapping" API endpoints (see https://www.keycloak.org/docs-api/latest/rest-api/index.html#_scope_mappings).

With the afformentioned fix, it looks like there were only a few changes needed for it to work in principle (but failing the tests, as this module is not intended for that purpose). Perhaps the modules code can be easily "recycled" into a new module community.general.keycloak_clientscope_rolemappings(?) by someone with more knowledge about python than me :(

@killianlevacher Mentioning you here, as you are interrested in this feature

[desand01]

Hi @aristotelos, sorry for the poor naming. The module was intended to assign client "b" role(s) directly to client "a"’s default scope.
It looks like you might be experiencing the same issue here (#10343).