Skip to content

keycloak_identity_provider: add hideOnLogin parameter to module #9983

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

keycloak_identity_provider: add hideOnLogin parameter to module #9983

wants to merge 3 commits into from

Conversation

fgruenbauer
Copy link
Contributor

@fgruenbauer fgruenbauer commented Apr 10, 2025
edited
Loading

SUMMARY

The hideOnLoginPage parameter was moved out of the config dict and renamed to hideOnLogin in Keycloak 26. KC26 still seems to accept config/hideOnLoginPage in a request, but the response always only contains hideOnLogin.

The MR adds the parameter to the module and keeps the old parameter for compatibility.

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

keycloak_identity_provider

ADDITIONAL INFORMATION

KC 26 IDP response:

{
  "alias": "IDP",
  "displayName": "IDP",
  "internalId": "cf6795b3-7e97-4a4a-82b4-767ee6a89a88",
  "providerId": "keycloak-oidc",
  "linkOnly": false,
  "hideOnLogin": false,
  "config": {
    ...
  }
}

KC 25:

{
  "alias": "keycloak-oidc",
  "displayName": "",
  "internalId": "9048593b-f534-40c5-8c49-9de4e3058580",
  "providerId": "keycloak-oidc",
  "enabled": true,
  "config": {
    "validateSignature": "false",
    "hideOnLoginPage": "true",
    "tokenUrl": "http://localhost:8999",
    ...
  }
}

See also in the docu: https://www.keycloak.org/docs-api/latest/rest-api/index.html#IdentityProviderRepresentation and https://www.keycloak.org/docs-api/25.0.6/rest-api/index.html#IdentityProviderRepresentation

@ansibullbot
Copy link
Collaborator

cc @eikef @laurpaum @mattock @ndclt @thomasbach-dev
click here for bot help

@ansibullbot ansibullbot added bug This issue/PR relates to a bug module module plugins plugin (any type) labels Apr 10, 2025
@ansibullbot

This comment was marked as outdated.

Sign in to view
@ansibullbot ansibullbot added ci_verified Push fixes to PR branch to re-run CI needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR labels Apr 10, 2025
@fgruenbauer fgruenbauer marked this pull request as draft April 10, 2025 14:03
@ansibullbot ansibullbot added the WIP Work in progress label Apr 10, 2025
@felixfontein felixfontein added check-before-release PR will be looked at again shortly before release and merged if possible. backport-10 Automatically create a backport for the stable-10 branch labels Apr 10, 2025
@ansibullbot ansibullbot removed the ci_verified Push fixes to PR branch to re-run CI label Apr 14, 2025
@fgruenbauer fgruenbauer marked this pull request as ready for review April 14, 2025 08:16
@ansibullbot ansibullbot removed WIP Work in progress needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR labels Apr 14, 2025
@felixfontein
Copy link
Collaborator

BTW, @fgruenbauer you might be interested in https://forum.ansible.com/t/keycloak-modules-in-community-general/41746.

felixfontein
felixfontein reviewed Apr 15, 2025
View reviewed changes
Copy link
Collaborator

@felixfontein felixfontein left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution!

I'm wondering a bit whether it's not better to add a Keycloak version detection, and depending on the version moving the value to the right position. Not sure whether that's a good approach though...

plugins/modules/keycloak_identity_provider.py
@@ -124,6 +124,15 @@
- providerId
type: str

hide_on_login:
description:
- If hidden, login with this provider is possible only if requested explicitly, for example using the C(kc_idp_hint)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you forgot one line from the original parameter:

Suggested change
- If hidden, login with this provider is possible only if requested explicitly, for example using the C(kc_idp_hint)
- If hidden, login with this provider is possible only if requested explicitly, for example using the C(kc_idp_hint)
parameter.

changelogs/fragments/9983-keycloak_idp-add-hideOnLogin-param.yml
@@ -0,0 +1,2 @@
bugfixes:
- keycloak_identity_provider - add ``hideOnLogin`` parameter to the module, the old parameter ``config/hideOnLoginPage`` is kept for compatibility (https://github.com/ansible-collections/community.general/pull/9983).
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- keycloak_identity_provider - add ``hideOnLogin`` parameter to the module, the old parameter ``config/hideOnLoginPage`` is kept for compatibility (https://github.com/ansible-collections/community.general/pull/9983).
- keycloak_identity_provider - add ``hideOnLogin`` parameter to the module, the old parameter ``config.hideOnLoginPage`` is kept for compatibility (https://github.com/ansible-collections/community.general/pull/9983).

russoz
russoz reviewed Apr 16, 2025
View reviewed changes
plugins/modules/keycloak_identity_provider.py
@@ -124,6 +124,15 @@
- providerId
type: str

hide_on_login:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is it being created at the top level and not as a suboption of config? I understand it could generate some confusion, but that would be temporary and could be mitigated with documentation.

Aren't we breaking from the pattern used in this module?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My guess is that the parameters for this module are more or less identical (up to some parameters that will be removed) to what the Keycloak API expects. In the API the value was moved from config to top-level, so this PR mirrors that.

Whether that's a good pattern - I don't know. Keeping the value in config and solving this in the code could be a liability for the future, if the value inside config is re-used for something else by Keycloak. (Maybe that even was the reason why it was moved away from config in Keycloak?)

Copy link
Contributor Author

@fgruenbauer fgruenbauer Apr 27, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, in the Keycloak API the parameter was moved to the top-level, which i tried to mirror. I don't know why it was changed, though.

I thought accepting both parameters would be the most flexible solution. Users could provide the module with client configs (for example from an Keycloak config export) from both Keycloak 25 and 26 without having to edit them. Which would also allow users to update Keycloak to 26 without having to edit their existing client configs. But its also confusing to have two parameter for the same Keycloak setting.

I think, determining in code what parameter the API expects is good idea. If we accept only one parameter, i think we have to, otherwise it wouldn't work with the other Keycloak version.

It would be nice to fetch the version only once an share it between all Keycloak modules. Is it possible to set Keycloak module defaults from within a module? Otherwise it might be a good idea to allow users to provide a value, so they can make a single version request in the setup phase and use the value for all Keycloak module calls.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible to set Keycloak module defaults from within a module?

That's not possible. The only thing modules can do is set a fact, but they can't read it. (You could add an action plugin for that part, but that's "magic" with its own set of problems.)

Might be worth thinking about once the modules have been moved to a separate collection, though. I don't really want such "magic" in this collection though, it's already does way too much :)

@russoz russoz mentioned this pull request Apr 16, 2025
Merged
@ansibullbot ansibullbot added the stale_ci CI is older than 7 days, rerun before merging label Apr 26, 2025
@felixfontein felixfontein removed the backport-10 Automatically create a backport for the stable-10 branch label May 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@russoz russoz russoz left review comments

@felixfontein felixfontein felixfontein left review comments

Assignees
No one assigned
Labels
bug This issue/PR relates to a bug check-before-release PR will be looked at again shortly before release and merged if possible. module module plugins plugin (any type) stale_ci CI is older than 7 days, rerun before merging
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@fgruenbauer @ansibullbot @felixfontein @russoz