feat: Add option to configure always_display_in_console for saml and oidc clients (#1114)

Signed-off-by: Michael Chittka <[email protected]>

Author: mchittka

.gitignore

@@ -14,6 +14,7 @@ terraform-provider-keycloak_*
 *.out
 
 .idea/
+.vscode/
 .terraform/
 terraform.d/
 .terraform.lock.hcl

docs/resources/openid_client.md

@@ -101,6 +101,7 @@ is set to `true`.
 - `backchannel_logout_url` - (Optional) The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
 - `backchannel_logout_session_required` - (Optional) When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`.
 - `backchannel_logout_revoke_offline_sessions` - (Optional) Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
+- `always_display_in_console` - (Optional) Always list this client in the Account UI, even if the user does not have an active session.
 - `extra_config` - (Optional) A map of key/value pairs to add extra configuration attributes to this client. This can be used for custom attributes, or to add configuration attributes that are not yet supported by this Terraform provider. Use this attribute at your own risk, as it may conflict with top-level configuration attributes in future provider updates. For example, the `extra_config` map can be used to set Authentication Context Class Reference (ACR) to Level of Authentication (LoA) mapping
 	``` hcl
 	extra_config = {

docs/resources/saml_client.md

@@ -68,6 +68,7 @@ resource "keycloak_saml_client" "saml_client" {
 - `authentication_flow_binding_overrides` - (Optional) Override realm authentication flow bindings
     - `browser_id` - (Optional) Browser flow id, (flow needs to exist)
     - `direct_grant_id` - (Optional) Direct grant flow id (flow needs to exist)
+- `always_display_in_console` - (Optional) Always list this client in the Account UI, even if the user does not have an active session.
 - `extra_config` - (Optional) A map of key/value pairs to add extra configuration attributes to this client. This can be used for custom attributes, or to add configuration attributes that is not yet supported by this Terraform provider. Use this attribute at your own risk, as s may conflict with top-level configuration attributes in future provider updates.
 
 ## Attributes Reference

keycloak/generic_client_description_converter.go

@@ -44,6 +44,7 @@ type GenericClientRepresentation struct {
 	StandardFlowEnabled                bool                     `json:"standardFlowEnabled"`
 	SurrogateAuthRequired              bool                     `json:"surrogateAuthRequired"`
 	WebOrigins                         []string                 `json:"webOrigins"`
+	AlwaysDisplayInConsole             bool                     `json:"alwaysDisplayInConsole"`
 }
 
 func (keycloakClient *KeycloakClient) NewGenericClientDescription(ctx context.Context, realmId string, body string) (*GenericClientRepresentation, error) {

keycloak/openid_client.go

@@ -3,8 +3,9 @@ package keycloak
 import (
 	"context"
 	"fmt"
-	"github.com/keycloak/terraform-provider-keycloak/keycloak/types"
 	"reflect"
+
+	"github.com/keycloak/terraform-provider-keycloak/keycloak/types"
 )
 
 type OpenidClientRole struct {
@@ -56,6 +57,7 @@ type OpenidClient struct {
 	AuthorizationSettings              *OpenidClientAuthorizationSettings       `json:"authorizationSettings,omitempty"`
 	ConsentRequired                    bool                                     `json:"consentRequired"`
 	AuthenticationFlowBindingOverrides OpenidAuthenticationFlowBindingOverrides `json:"authenticationFlowBindingOverrides,omitempty"`
+	AlwaysDisplayInConsole             bool                                     `json:"alwaysDisplayInConsole"`
 }
 
 type OpenidClientAttributes struct {

keycloak/saml_client.go

@@ -3,8 +3,9 @@ package keycloak
 import (
 	"context"
 	"fmt"
-	"github.com/keycloak/terraform-provider-keycloak/keycloak/types"
 	"reflect"
+
+	"github.com/keycloak/terraform-provider-keycloak/keycloak/types"
 )
 
 type SamlClientAttributes struct {
@@ -58,6 +59,8 @@ type SamlClient struct {
 
 	FullScopeAllowed bool `json:"fullScopeAllowed"`
 
+	AlwaysDisplayInConsole bool `json:"alwaysDisplayInConsole"`
+
 	Attributes *SamlClientAttributes `json:"attributes"`
 
 	AuthenticationFlowBindingOverrides SamlAuthenticationFlowBindingOverrides `json:"authenticationFlowBindingOverrides,omitempty"`

provider/data_source_keycloak_client_description_converter.go

@@ -2,6 +2,7 @@ package provider
 
 import (
 	"context"
+
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/keycloak/terraform-provider-keycloak/keycloak"
@@ -189,6 +190,10 @@ func dataSourceKeycloakClientDescriptionConverter() *schema.Resource {
 				Elem:     &schema.Schema{Type: schema.TypeString},
 				Computed: true,
 			},
+			"always_display_in_console": {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
 		},
 	}
 }
@@ -231,6 +236,7 @@ func setClientDescriptionConverterData(data *schema.ResourceData, description *k
 	data.Set("standard_flow_enabled", description.StandardFlowEnabled)
 	data.Set("surrogate_auth_required", description.SurrogateAuthRequired)
 	data.Set("web_origins", description.WebOrigins)
+	data.Set("always_display_in_console", description.AlwaysDisplayInConsole)
 }
 
 func dataSourceKeycloakClientDescriptionConverterRead(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {

provider/data_source_keycloak_openid_client.go

@@ -238,6 +238,11 @@ func dataSourceKeycloakOpenidClient() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 			},
+			"always_display_in_console": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
 		},
 	}
 }

provider/data_source_keycloak_saml_client.go

@@ -2,6 +2,7 @@ package provider
 
 import (
 	"context"
+
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/keycloak/terraform-provider-keycloak/keycloak"
@@ -178,6 +179,10 @@ func dataSourceKeycloakSamlClient() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"always_display_in_console": {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
 		},
 	}
 }

provider/resource_keycloak_openid_client.go

@@ -300,6 +300,11 @@ func resourceKeycloakOpenidClient() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 			},
+			"always_display_in_console": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
 			"import": {
 				Type:     schema.TypeBool,
 				Optional: true,
@@ -382,11 +387,12 @@ func getOpenidClientFromData(data *schema.ResourceData) (*keycloak.OpenidClient,
 			DisplayOnConsentScreen:                types.KeycloakBoolQuoted(data.Get("display_on_consent_screen").(bool)),
 			PostLogoutRedirectUris:                types.KeycloakSliceHashDelimited(validPostLogoutRedirectUris),
 		},
-		ValidRedirectUris: validRedirectUris,
-		WebOrigins:        webOrigins,
-		AdminUrl:          data.Get("admin_url").(string),
-		BaseUrl:           data.Get("base_url").(string),
-		ConsentRequired:   data.Get("consent_required").(bool),
+		ValidRedirectUris:      validRedirectUris,
+		WebOrigins:             webOrigins,
+		AdminUrl:               data.Get("admin_url").(string),
+		BaseUrl:                data.Get("base_url").(string),
+		ConsentRequired:        data.Get("consent_required").(bool),
+		AlwaysDisplayInConsole: data.Get("always_display_in_console").(bool),
 	}
 
 	if rootUrlOk {
@@ -468,6 +474,7 @@ func setOpenidClientData(ctx context.Context, keycloakClient *keycloak.KeycloakC
 	data.Set("root_url", &client.RootUrl)
 	data.Set("full_scope_allowed", client.FullScopeAllowed)
 	data.Set("consent_required", client.ConsentRequired)
+	data.Set("always_display_in_console", client.AlwaysDisplayInConsole)
 
 	data.Set("access_token_lifespan", client.Attributes.AccessTokenLifespan)
 	data.Set("login_theme", client.Attributes.LoginTheme)

provider/resource_keycloak_saml_client.go

@@ -7,11 +7,12 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
+	"reflect"
+	"strings"
+
 	"github.com/hashicorp/terraform-plugin-log/tflog"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/keycloak/terraform-provider-keycloak/keycloak/types"
-	"reflect"
-	"strings"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
@@ -235,6 +236,11 @@ func resourceKeycloakSamlClient() *schema.Resource {
 				Optional:         true,
 				ValidateDiagFunc: validateExtraConfig(reflect.ValueOf(&keycloak.SamlClientAttributes{}).Elem()),
 			},
+			"always_display_in_console": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
 		},
 	}
 }
@@ -315,6 +321,7 @@ func mapToSamlClientFromData(data *schema.ResourceData) *keycloak.SamlClient {
 		BaseUrl:                 data.Get("base_url").(string),
 		MasterSamlProcessingUrl: data.Get("master_saml_processing_url").(string),
 		FullScopeAllowed:        data.Get("full_scope_allowed").(bool),
+		AlwaysDisplayInConsole:  data.Get("always_display_in_console").(bool),
 		Attributes:              samlAttributes,
 	}
 
@@ -371,6 +378,7 @@ func mapToDataFromSamlClient(ctx context.Context, data *schema.ResourceData, cli
 	data.Set("logout_service_redirect_binding_url", client.Attributes.LogoutServiceRedirectBindingURL)
 	data.Set("full_scope_allowed", client.FullScopeAllowed)
 	data.Set("login_theme", client.Attributes.LoginTheme)
+	data.Set("always_display_in_console", client.AlwaysDisplayInConsole)
 
 	if canonicalizationMethod, ok := mapKeyFromValue(keycloakSamlClientCanonicalizationMethods, client.Attributes.CanonicalizationMethod); ok {
 		data.Set("canonicalization_method", canonicalizationMethod)