1067 Add first broker login flow to authentication flow bindings (#1084)

* 1067 Add first broker login flow to authentication flow bindings

Signed-off-by: Sebastian Schuster <[email protected]>

* Fixed failures with Keycloak < 24

Signed-off-by: Sebastian Schuster <[email protected]>

---------

Signed-off-by: Sebastian Schuster <[email protected]>

Author: sschu

docs/resources/authentication_bindings.md

@@ -66,3 +66,4 @@ resource "keycloak_authentication_bindings" "browser_authentication_binding" {
 - `reset_credentials_flow` - (Optional) The alias of the flow to assign to the realm ResetCredentialsFlow.
 - `client_authentication_flow` - (Optional) The alias of the flow to assign to the realm ClientAuthenticationFlow.
 - `docker_authentication_flow` - (Optional) The alias of the flow to assign to the realm DockerAuthenticationFlow.
+- `first_broker_login_flow` - (Optional) The alias of the flow to assign to the realm FirstBrokerLoginFlow (since Keycloak 24).

docs/resources/realm.md

@@ -208,6 +208,7 @@ The arguments below can be used to configure authentication flow bindings:
 - `reset_credentials_flow` - (Optional) The desired flow to use when a user attempts to reset their credentials. Defaults to `reset credentials`.
 - `client_authentication_flow` - (Optional) The desired flow for client authentication. Defaults to `clients`.
 - `docker_authentication_flow` - (Optional) The desired flow for Docker authentication. Defaults to `docker auth`.
+- `first_broker_login_flow` - (Optional) The desired flow for First Broker Login (since Keycloak 24). Defaults to `first broker login`.
 
 ### OTP Policy
 

keycloak/realm.go

@@ -106,6 +106,7 @@ type Realm struct {
 	ResetCredentialsFlow     *string `json:"resetCredentialsFlow,omitempty"`
 	ClientAuthenticationFlow *string `json:"clientAuthenticationFlow,omitempty"`
 	DockerAuthenticationFlow *string `json:"dockerAuthenticationFlow,omitempty"`
+	FirstBrokerLoginFlow     *string `json:"firstBrokerLoginFlow,omitempty"`
 
 	// OTP Policy
 	OTPPolicyAlgorithm       string `json:"otpPolicyAlgorithm,omitempty"`

provider/data_source_keycloak_realm.go

@@ -478,6 +478,11 @@ func dataSourceKeycloakRealm() *schema.Resource {
 				Description: "Which flow should be used for DockerAuthenticationFlow",
 				Computed:    true,
 			},
+			"first_broker_login_flow": {
+				Type:        schema.TypeString,
+				Description: "Which flow should be used for FirstBrokerLoginFlow",
+				Computed:    true,
+			},
 			"attributes": {
 				Type:     schema.TypeMap,
 				Optional: true,
@@ -536,6 +541,7 @@ func dataSourceKeycloakRealm() *schema.Resource {
 
 func dataSourceKeycloakRealmRead(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	keycloakClient := meta.(*keycloak.KeycloakClient)
+	keycloakVersion := keycloakClient.Version()
 
 	realmName := data.Get("realm").(string)
 
@@ -544,7 +550,7 @@ func dataSourceKeycloakRealmRead(ctx context.Context, data *schema.ResourceData,
 		return diag.FromErr(err)
 	}
 
-	setRealmData(data, realm)
+	setRealmData(data, realm, keycloakVersion)
 
 	return nil
 }

provider/resource_keycloak_authentication_bindings.go

@@ -2,6 +2,7 @@ package provider
 
 import (
 	"context"
+	"github.com/hashicorp/go-version"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/keycloak/terraform-provider-keycloak/keycloak"
@@ -55,38 +56,51 @@ func resourceKeycloakAuthenticationBindings() *schema.Resource {
 				Optional:    true,
 				Computed:    true,
 			},
+			"first_broker_login_flow": {
+				Type:        schema.TypeString,
+				Description: "Which flow should be used for FirstBrokerLoginFlow",
+				Optional:    true,
+				Computed:    true,
+			},
 		},
 	}
 }
 
-func setAuthenticationBindingsData(data *schema.ResourceData, realm *keycloak.Realm) {
+func setAuthenticationBindingsData(data *schema.ResourceData, realm *keycloak.Realm, keycloakVersion *version.Version) {
 	data.SetId(realm.Realm)
 	data.Set("browser_flow", realm.BrowserFlow)
 	data.Set("registration_flow", realm.RegistrationFlow)
 	data.Set("direct_grant_flow", realm.DirectGrantFlow)
 	data.Set("reset_credentials_flow", realm.ResetCredentialsFlow)
 	data.Set("client_authentication_flow", realm.ClientAuthenticationFlow)
 	data.Set("docker_authentication_flow", realm.DockerAuthenticationFlow)
+	if keycloakVersion.GreaterThanOrEqual(keycloak.Version_24.AsVersion()) {
+		data.Set("first_broker_login_flow", realm.FirstBrokerLoginFlow)
+	}
 }
 
-func resetAuthenticationBindingsForRealm(realm *keycloak.Realm) {
+func resetAuthenticationBindingsForRealm(realm *keycloak.Realm, keycloakVersion *version.Version) {
 	realm.BrowserFlow = stringPointer("browser")
 	realm.RegistrationFlow = stringPointer("registration")
 	realm.DirectGrantFlow = stringPointer("direct grant")
 	realm.ResetCredentialsFlow = stringPointer("reset credentials")
 	realm.ClientAuthenticationFlow = stringPointer("clients")
 	realm.DockerAuthenticationFlow = stringPointer("docker auth")
+	if keycloakVersion.GreaterThanOrEqual(keycloak.Version_24.AsVersion()) {
+		realm.FirstBrokerLoginFlow = stringPointer("first broker login")
+	}
 }
 
 func resourceKeycloakAuthenticationBindingsCreate(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	keycloakClient := meta.(*keycloak.KeycloakClient)
+	keycloakVersion := keycloakClient.Version()
 
 	realm, err := keycloakClient.GetRealm(ctx, data.Get("realm_id").(string))
 	if err != nil {
 		return diag.FromErr(err)
 	}
 
-	setRealmFlowBindings(data, realm)
+	setRealmFlowBindings(data, realm, keycloakVersion)
 
 	err = keycloakClient.ValidateRealm(ctx, realm)
 	if err != nil {
@@ -103,33 +117,35 @@ func resourceKeycloakAuthenticationBindingsCreate(ctx context.Context, data *sch
 		return diag.FromErr(err)
 	}
 
-	setAuthenticationBindingsData(data, realm)
+	setAuthenticationBindingsData(data, realm, keycloakVersion)
 
 	return resourceKeycloakAuthenticationBindingsRead(ctx, data, meta)
 }
 
 func resourceKeycloakAuthenticationBindingsRead(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	keycloakClient := meta.(*keycloak.KeycloakClient)
+	keycloakVersion := keycloakClient.Version()
 
 	realm, err := keycloakClient.GetRealm(ctx, data.Id())
 	if err != nil {
 		return handleNotFoundError(ctx, err, data)
 	}
 
-	setAuthenticationBindingsData(data, realm)
+	setAuthenticationBindingsData(data, realm, keycloakVersion)
 
 	return nil
 }
 
 func resourceKeycloakAuthenticationBindingsDelete(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	keycloakClient := meta.(*keycloak.KeycloakClient)
+	keycloakVersion := keycloakClient.Version()
 
 	realm, err := keycloakClient.GetRealm(ctx, data.Id())
 	if err != nil {
 		return diag.FromErr(err)
 	}
 
-	resetAuthenticationBindingsForRealm(realm)
+	resetAuthenticationBindingsForRealm(realm, keycloakVersion)
 
 	err = keycloakClient.UpdateRealm(ctx, realm)
 	if err != nil {
@@ -141,13 +157,14 @@ func resourceKeycloakAuthenticationBindingsDelete(ctx context.Context, data *sch
 
 func resourceKeycloakAuthenticationBindingsUpdate(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	keycloakClient := meta.(*keycloak.KeycloakClient)
+	keycloakVersion := keycloakClient.Version()
 
 	realm, err := keycloakClient.GetRealm(ctx, data.Id())
 	if err != nil {
 		return diag.FromErr(err)
 	}
 
-	setRealmFlowBindings(data, realm)
+	setRealmFlowBindings(data, realm, keycloakVersion)
 
 	err = keycloakClient.ValidateRealm(ctx, realm)
 	if err != nil {
@@ -159,7 +176,7 @@ func resourceKeycloakAuthenticationBindingsUpdate(ctx context.Context, data *sch
 		return diag.FromErr(err)
 	}
 
-	setAuthenticationBindingsData(data, realm)
+	setAuthenticationBindingsData(data, realm, keycloakVersion)
 
 	return resourceKeycloakAuthenticationBindingsRead(ctx, data, meta)
 }

provider/resource_keycloak_authentication_bindings_test.go

@@ -3,6 +3,7 @@ package provider
 import (
 	"fmt"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/keycloak/terraform-provider-keycloak/keycloak"
 	"reflect"
 	"testing"
 
@@ -124,6 +125,24 @@ func TestAccKeycloakAuthenticationBindings_dockerAuthenticationGrant(t *testing.
 	})
 }
 
+func TestAccKeycloakAuthenticationBindings_firstBrokerLoginFlow(t *testing.T) {
+	skipIfVersionIsLessThan(testCtx, t, keycloakClient, keycloak.Version_24)
+
+	flow := "first_broker_login_flow"
+	flowAlias := "firstBrokerLoginCopyFlow"
+
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: testAccProviderFactories,
+		PreCheck:          func() { testAccPreCheck(t) },
+		Steps: []resource.TestStep{
+			{
+				Config: testKeycloakAuthenticationBindings(testAccRealm.Realm, flow, flowAlias),
+				Check:  testAccCheckKeycloakAuthenticationBindingBrowserSet(testAccRealm.Realm, "FirstBrokerLoginFlow", flowAlias),
+			},
+		},
+	})
+}
+
 func TestAccKeycloakAuthenticationBindings_existingFlow(t *testing.T) {
 	flow := "browser_flow"
 	flowAlias := "browser"

provider/resource_keycloak_realm.go

@@ -2,6 +2,7 @@ package provider
 
 import (
 	"context"
+	"github.com/hashicorp/go-version"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
@@ -610,6 +611,12 @@ func resourceKeycloakRealm() *schema.Resource {
 				Optional:    true,
 				Computed:    true,
 			},
+			"first_broker_login_flow": {
+				Type:        schema.TypeString,
+				Description: "Which flow should be used for FirstBrokerLoginFlow",
+				Optional:    true,
+				Computed:    true,
+			},
 
 			// misc attributes
 			"attributes": {
@@ -684,7 +691,7 @@ func getRealmSMTPPasswordFromData(data *schema.ResourceData) (string, bool) {
 	return "", false
 }
 
-func setRealmFlowBindings(data *schema.ResourceData, realm *keycloak.Realm) {
+func setRealmFlowBindings(data *schema.ResourceData, realm *keycloak.Realm, keycloakVersion *version.Version) {
 	if flow, ok := data.GetOk("browser_flow"); ok {
 		realm.BrowserFlow = stringPointer(flow.(string))
 	} else {
@@ -720,9 +727,17 @@ func setRealmFlowBindings(data *schema.ResourceData, realm *keycloak.Realm) {
 	} else {
 		realm.DockerAuthenticationFlow = stringPointer("docker auth")
 	}
+
+	if keycloakVersion.GreaterThanOrEqual(keycloak.Version_24.AsVersion()) {
+		if flow, ok := data.GetOk("first_broker_login_flow"); ok {
+			realm.FirstBrokerLoginFlow = stringPointer(flow.(string))
+		} else {
+			realm.FirstBrokerLoginFlow = stringPointer("first broker login")
+		}
+	}
 }
 
-func getRealmFromData(data *schema.ResourceData) (*keycloak.Realm, error) {
+func getRealmFromData(data *schema.ResourceData, keycloakVersion *version.Version) (*keycloak.Realm, error) {
 	internationalizationEnabled := false
 	supportLocales := make([]string, 0)
 	defaultLocale := ""
@@ -1012,7 +1027,7 @@ func getRealmFromData(data *schema.ResourceData) (*keycloak.Realm, error) {
 		realm.PasswordPolicy = passwordPolicy.(string)
 	}
 
-	setRealmFlowBindings(data, realm)
+	setRealmFlowBindings(data, realm, keycloakVersion)
 
 	attributes := map[string]interface{}{}
 	if v, ok := data.GetOk("attributes"); ok {
@@ -1176,7 +1191,7 @@ func setDefaultSecuritySettingsBruteForceDetection(realm *keycloak.Realm) {
 	realm.MaxDeltaTimeSeconds = 43200
 }
 
-func setRealmData(data *schema.ResourceData, realm *keycloak.Realm) {
+func setRealmData(data *schema.ResourceData, realm *keycloak.Realm, keycloakVersion *version.Version) {
 	data.SetId(realm.Realm)
 
 	data.Set("realm", realm.Realm)
@@ -1296,6 +1311,10 @@ func setRealmData(data *schema.ResourceData, realm *keycloak.Realm) {
 	data.Set("client_authentication_flow", realm.ClientAuthenticationFlow)
 	data.Set("docker_authentication_flow", realm.DockerAuthenticationFlow)
 
+	if keycloakVersion.GreaterThanOrEqual(keycloak.Version_24.AsVersion()) {
+		data.Set("first_broker_login_flow", realm.FirstBrokerLoginFlow)
+	}
+
 	//WebAuthn
 	webAuthnPolicy := make(map[string]interface{})
 	webAuthnPolicy["acceptable_aaguids"] = realm.WebAuthnPolicyAcceptableAaguids
@@ -1375,8 +1394,9 @@ func getHeaderSettings(realm *keycloak.Realm) map[string]interface{} {
 
 func resourceKeycloakRealmCreate(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	keycloakClient := meta.(*keycloak.KeycloakClient)
+	keycloakVersion := keycloakClient.Version()
 
-	realm, err := getRealmFromData(data)
+	realm, err := getRealmFromData(data, keycloakVersion)
 	if err != nil {
 		return diag.FromErr(err)
 	}
@@ -1396,13 +1416,14 @@ func resourceKeycloakRealmCreate(ctx context.Context, data *schema.ResourceData,
 		return diag.FromErr(err)
 	}
 
-	setRealmData(data, realm)
+	setRealmData(data, realm, keycloakVersion)
 
 	return resourceKeycloakRealmRead(ctx, data, meta)
 }
 
 func resourceKeycloakRealmRead(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	keycloakClient := meta.(*keycloak.KeycloakClient)
+	keycloakVersion := keycloakClient.Version()
 
 	realm, err := keycloakClient.GetRealm(ctx, data.Id())
 	if err != nil {
@@ -1414,15 +1435,16 @@ func resourceKeycloakRealmRead(ctx context.Context, data *schema.ResourceData, m
 		realm.SmtpServer.Password = smtpPassword
 	}
 
-	setRealmData(data, realm)
+	setRealmData(data, realm, keycloakVersion)
 
 	return nil
 }
 
 func resourceKeycloakRealmUpdate(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	keycloakClient := meta.(*keycloak.KeycloakClient)
+	keycloakVersion := keycloakClient.Version()
 
-	realm, err := getRealmFromData(data)
+	realm, err := getRealmFromData(data, keycloakVersion)
 	if err != nil {
 		return diag.FromErr(err)
 	}
@@ -1437,7 +1459,7 @@ func resourceKeycloakRealmUpdate(ctx context.Context, data *schema.ResourceData,
 		return diag.FromErr(err)
 	}
 
-	setRealmData(data, realm)
+	setRealmData(data, realm, keycloakVersion)
 
 	return nil
 }