feat: add keycloak_identity_provider_token_exchange_scope_permission #485

Merged
denniskniep merged 10 commits into crossplane-contrib:main from goran-rajta:feat/idp-token-exchange
Feb 16, 2026

Conversation

@goran-rajta
Contributor

@goran-rajta goran-rajta commented Jan 23, 2026

Description of your changes

Implement https://registry.terraform.io/providers/keycloak/keycloak/latest/docs/resources/identity_provider_token_exchange_scope_permission

Fixes #482

I have:

  • Read and followed Crossplane's contribution process.
  • Run make reviewable test to ensure this PR is ready for review.

How has this code been tested

Tested with:

  • k3s v1.34.2+k3s1
  • crossplane v2.0.4
  • keycloak 26.4.7
```yaml
apiVersion: identityprovider.keycloak.m.crossplane.io/v1alpha1
kind: ProviderTokenExchangeScopePermission
metadata:
  name: my-idp-token-exchange
  namespace: default
spec:
  forProvider:
    realmId: my-realm
    providerAliasRef:
      name: my-idp
    policyType: "client"
    clientsRefs:
      - name: some-client
  managementPolicies:
  - Observe
  - Create
  - Update
  - LateInitialize
  - Delete
  providerConfigRef:
    kind: ClusterProviderConfig
    name: keycloak
```

@Breee
Collaborator

Breee commented Jan 26, 2026

Sorry, will take care of this tomorrow

@Breee
Collaborator

Breee commented Jan 26, 2026

Please add an e2e test case to cluster/test/cases.txt

@Breee
Collaborator

Breee commented Jan 27, 2026

still

ProviderTokenExchangeScopePermission/token-exchange-permission              False    -       ReconcileError: cannot resolve references: mg.Spec.ForProvider.Clients: cannot get referenced resource: Client.openidclient.keycloak.crossplane.io "webapp-client" not found

@Breee
Collaborator

Breee commented Jan 27, 2026

please make sure the test is self-contained so it's easier to debug

@goran-rajta goran-rajta force-pushed the feat/idp-token-exchange branch from c8dd945 to cab0b65 on January 27, 2026 11:05
@Breee
Collaborator

Breee commented Jan 29, 2026

It's a bit weird that this sometimes happens - but the e2e test looked good and was green twice.
So I'm a bit confused why it happens and takes ages to delete the namespaced resource.

```text
Wait for deletion with: /home/runner/work/provider-keycloak/provider-keycloak/.cache/tools/linux_x86_64/kubectl-v1.32.2 wait --namespace dev-ns --for=delete providertokenexchangescopepermission.identityprovider.keycloak.m.crossplane.io/token-exchange-permission --timeout 20m0s
=== STDERR
error: timed out waiting for the condition on providertokenexchangescopepermissions/token-exchange-permission
uptest-v2.2.0: error: cannot run e2e tests successfully: cannot execute tests: cannot execute test 03-delete.yaml: some tests failed
```

@goran-rajta
Contributor Author

Yes... I haven't fully figured it out, but it has something to do with the Token Exchange feature. In 26.2.0 the legacy one has been disabled (https://www.keycloak.org/docs/latest/release_notes/index.html#supported-standard-token-exchange). I think the tests are passing for 26.3 and 26.4 because the feature flags are not enabled and because of that Keycloak does nothing...

In my Keycloak I have to set --features=admin-fine-grained-authz:v1,token-exchange:v1

Also there may be a change in terraform-provider-keycloak which influences this.

I think I have to set up a local test environment and check the Keycloak server logs for each version.
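The comment above makes a point worth checking before trusting this resource: if the legacy token-exchange and fine-grained-authz features are off, Keycloak accepts the permission but it has no effect. The following added preflight check (not code from this PR or from provider-keycloak) reads a Keycloak `GET /admin/serverinfo` document and reports which of the two required flags are missing. It assumes the `features` entries carry the flag key in a `name` field in the same `name:version` form used by `--features` and a boolean `enabled`; the serverinfo sample is constructed.

```python
"""Preflight check before relying on a ProviderTokenExchangeScopePermission.

Added example, not code from the PR or provider-keycloak. Assumed shape of
GET /admin/serverinfo: a "features" list of {"name": "<key>:<version>",
"enabled": bool, ...} entries; verify against your Keycloak version.
"""
import json

# Flags named in the PR thread; without both, the permission is a no-op.
# token-exchange:v2 (Standard Token Exchange) is a different feature and does
# not satisfy the v1 requirement, so the keys are matched exactly.
REQUIRED_FEATURES = ("admin-fine-grained-authz:v1", "token-exchange:v1")


def enabled_features(serverinfo: dict) -> set:
    """Feature keys reported as enabled in a serverinfo document."""
    return {f["name"] for f in serverinfo.get("features", []) if f.get("enabled") is True}


def missing_features(serverinfo: dict) -> list:
    """Required flags that are not enabled, in --features order."""
    enabled = enabled_features(serverinfo)
    return [name for name in REQUIRED_FEATURES if name not in enabled]


def features_flag(serverinfo: dict) -> str:
    """The --features= argument that enables what is missing ('' if nothing is)."""
    missing = missing_features(serverinfo)
    return "--features=" + ",".join(missing) if missing else ""


# Constructed sample: fine-grained authz on, legacy token exchange still off,
# only the standard (v2) exchange enabled.
SAMPLE_SERVERINFO = json.loads("""
{"features": [
  {"name": "admin-fine-grained-authz:v1", "type": "PREVIEW", "enabled": true},
  {"name": "token-exchange:v1", "type": "PREVIEW", "enabled": false},
  {"name": "token-exchange:v2", "type": "DEFAULT", "enabled": true}
]}
""")

if __name__ == "__main__":
    if missing_features(SAMPLE_SERVERINFO):
        print("permission will not be enforced; start Keycloak with",
              features_flag(SAMPLE_SERVERINFO))
    else:
        print("required features enabled; permission will be enforced")
```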

@Breee
Collaborator

Breee commented Jan 29, 2026

is the new resource a new feature or something that is around for some time?

@goran-rajta
Contributor Author

The Legacy Token Exchange v1 is there for a long time, as a preview feature, but since 26.2 the new v2 called Standard Token Exchange went from preview to supported. Both can be active at the same time...

@goran-rajta
Contributor Author

Finally got the time to look into it! The issue was that the IDP got deleted before the ProviderTokenExchangeScopePermission and then keycloak failed to delete it with:

2026-02-06 13:32:19,131 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-56) Uncaught server error: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.IdentityProviderModel.getInternalId()" because "idp" is null

@goran-rajta
Contributor Author

Hi @Breee, can you please approve the workflow? Many thanks!

@goran-rajta
Contributor Author

Here is the fix for the broken CI tests: #494

@Breee
Collaborator

Breee commented Feb 11, 2026

@haarchri or @denniskniep can you have a look please and merge? :)

@denniskniep
Collaborator

Hi @goran-rajta ,

can you rebase main, which now includes your fix of tests?

Signed-off-by: Goran Rajta <goran.rajta@rewe-group.com>
@goran-rajta goran-rajta force-pushed the feat/idp-token-exchange branch from 52d3988 to f475a58 on February 16, 2026 10:14
@denniskniep denniskniep merged commit 7b3cd36 into crossplane-contrib:main Feb 16, 2026
12 of 14 checks passed
@denniskniep
Collaborator

@goran-rajta thanks for the contribution

@goran-rajta
Contributor Author

Amazing! Thank you!

@goran-rajta
Contributor Author

Hey @denniskniep, thanks again for the merge but when can I expect this to be released?

@Breee
Collaborator

Breee commented Mar 3, 2026

release is building, thx!


Development

Successfully merging this pull request may close these issues.

Support keycloak_identity_provider_token_exchange_scope_permission

3 participants