Idempotency regression in keycloak_client

[gionn]

Summary

After bumping community.general to 10.4.0 from 10.3.1, a community.general.keycloak_client task started failing the idempotency check in my molecule tests (playbook is run a second time expecting no tasks with changes)

Issue Type

Bug Report

Component Name

keycloak_client

Ansible Version

$ ansible --version
ansible [core 2.16.14]
  config file = /Users/giovanni.toraldo/src/alfresco/alfresco-ansible-deployment/ansible.cfg
  configured module search path = ['/Users/giovanni.toraldo/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/giovanni.toraldo/.virtualenvs/alfresco-ansible-deployment-bsC9-Jms/lib/python3.11/site-packages/ansible
  ansible collection location = /Users/giovanni.toraldo/.ansible/collections:/usr/share/ansible/collections
  executable location = /Users/giovanni.toraldo/.virtualenvs/alfresco-ansible-deployment-bsC9-Jms/bin/ansible
  python version = 3.11.11 (main, Jan 20 2025, 10:59:42) [Clang 16.0.0 (clang-1600.0.26.4)] (/Users/giovanni.toraldo/.virtualenvs/alfresco-ansible-deployment-bsC9-Jms/bin/python)
  jinja version = 3.1.5
  libyaml = True

Community.general Version

$ ansible-galaxy collection list community.general
# /Users/giovanni.toraldo/.ansible/collections/ansible_collections
Collection        Version
----------------- -------
community.general 10.4.0 

Configuration

$ ansible-config dump --only-changed

OS / Environment

No response

Steps to Reproduce

- name: Configure basic alfresco client
  community.general.keycloak_client:
    auth_client_id: admin-cli
    auth_keycloak_url: "http://localhost:{{ identity_keycloak_http_port }}{{ identity_keycloak_http_relative_path }}" # pragma: allowlist secret
    auth_realm: master
    auth_username: "{{ identity_admin_username }}"
    auth_password: "{{ identity_admin_password }}"
    realm: "{{ identity_default_realm_id }}"
    client_id: "{{ identity_default_client_id }}"
    enabled: true
    implicit_flow_enabled: "{{ identity_default_client_implicit_flow_enabled }}"
    redirect_uris: "{{ identity_known_urls | map('regex_replace', '(.+)', '\\1/*') | list }}"
    web_origins: "{{ identity_known_urls }}"
    state: present

code is used in an open source role https://github.com/Alfresco/alfresco-ansible-deployment/blob/master/roles/identity/tasks/realm.yml

Expected Results

Task should yield no changes if run a second time without changes

Actual Results

  CRITICAL Idempotence test failed because of the following tasks:
  *  => ../roles/identity : Configure basic alfresco client

Code of Conduct

• I agree to follow the Ansible Code of Conduct

[ansibullbot]

Files identified in the description:

• plugins/modules/keycloak_client.py

If these files are incorrect, please update the component name section of the description or use the !component bot command.

click here for bot help

[ansibullbot]

cc @eikef @mattock @ndclt @thomasbach-dev
click here for bot help

[felixfontein]

Might be related to #9739.

CC @fgruenbauer.

[russoz]

@gionn thanks for reporting!

If you could publish the output of the offending task running with -vvvv, that could be useful for whoever is going to fix it.

[fgruenbauer]

I think before_client['authorizationServicesEnabled'] = False is the problem. We set authorizationServicesEnabled in before_client but not in after_client. In checkmode thats okay because it copies the before_client as the base for desired_client, but in normal mode the client config is fetched from kc again and compared without processing.

We could just copy the if-clause but i then we have the same code in two different places. We could maybe move it into a normalize function only for kc responses or into an if branch in the existing normalize function.

Edit: Running the task with --diff should show if thats indeed the issue.