Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'treydock-keycloak', '13.3.0'
Learn more about managing modules with a Puppetfile.
puppet-module-keycloak
Table of Contents
- Overview
- Usage - Configuration options
- Keycloak
- Deploy SPI
- Partial Import
- keycloak_realm
- keycloak_role_mapping
- keycloak_ldap_user_provider
- keycloak_ldap_mapper
- keycloak_sssd_user_provider
- keycloak_client
- keycloak::client_scope::oidc
- keycloak::client_scope::saml
- keycloak_client_scope
- keycloak_protocol_mapper
- keycloak_client_protocol_mapper
- keycloak_identity_provider
- Keycloak Flows
- keycloak_api
- keycloak_required_action
- Reference - Parameter and detailed reference to all options
- Limitations - OS compatibility, etc.
Overview
The keycloak module allows easy installation and management of Keycloak.
Upgrade to 12.x
Version 12.x of this module had some major breaking changes to support Keycloak 25.x.
The default Java version is now OpenJDK 21 except for Debian. The next major release will drop Debian support unless OpenJDK 21 is added to Debian repos.
The keycloak_flow and keycloak_flow_execution types had their index property replaced by priority. If you had executions with index 0,1,2 you'd need to set priority to something like 10,20,30.
The configuration options switched to using Hostname v2 options.
- hostname now accepts a URL
- hostname-url is removed
- hostname-path is removed
- hostname-port is removed
- hostname-admin now requires a URL
- hostname-admin-url is removed
- hostname-strict-backchannel is renamed to hostname-backchannel-dynamic
- hostname-strict-https is removed
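The following is an added example, not part of the module's README: one deployment written first for module 11.x and then for 12.x, showing both parts of the migration above (execution ordering moving from index to priority, and the Hostname v1 options collapsing into URL-style Hostname v2 options). The before and after are alternative versions of one manifest, not meant to be compiled together. The hostnames, ports and execution names are placeholders; passing the keycloak.conf keys through extra_configs (a plain Hash[String, ...] per the reference section) rather than configs is this example's choice.

```puppet
# Added example (not from the module README). Hostnames and the use of
# extra_configs for the hostname-* keycloak.conf keys are assumptions.

# --- Before: module 11.x (Hostname v1 options, executions ordered by index) ---
class { 'keycloak':
  version       => '24.0.0',
  db            => 'mariadb',
  hostname      => 'idp.example.com',
  extra_configs => {
    'hostname-path'               => '/',                  # removed in 12.x
    'hostname-port'               => '443',                # removed in 12.x
    'hostname-admin'              => 'admin.example.com',  # 12.x requires a URL here
    'hostname-strict-backchannel' => true,                 # renamed in 12.x
    'hostname-strict-https'       => true,                 # removed in 12.x
  },
}

keycloak_flow_execution { 'auth-cookie under browser-with-duo on test':
  ensure      => 'present',
  index       => 0,
  requirement => 'ALTERNATIVE',
}
keycloak_flow_execution { 'auth-username-password-form under browser-with-duo on test':
  ensure      => 'present',
  index       => 1,
  requirement => 'REQUIRED',
}

# --- After: module 12.x / 13.x (Hostname v2 options, executions ordered by priority) ---
class { 'keycloak':
  version       => '25.0.1',
  db            => 'mariadb',
  # hostname now takes a full URL; scheme, port and path travel inside it
  hostname      => 'https://idp.example.com:443/',
  extra_configs => {
    'hostname-admin'               => 'https://admin.example.com',  # now a URL
    'hostname-backchannel-dynamic' => true,  # was hostname-strict-backchannel
  },
}

# index 0,1 becomes priority 10,20; the gaps leave room to insert executions later
keycloak_flow_execution { 'auth-cookie under browser-with-duo on test':
  ensure      => 'present',
  priority    => 10,
  requirement => 'ALTERNATIVE',
}
keycloak_flow_execution { 'auth-username-password-form under browser-with-duo on test':
  ensure      => 'present',
  priority    => 20,
  requirement => 'REQUIRED',
}
```

Keeping hostname-admin as a full https URL matters for the admin console: with the v2 options the admin URL is no longer derived from separate path and port keys, so a plain host here is rejected rather than silently served over the wrong scheme.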
Upgrade to 8.x
This module underwent major changes in the 8.0.0 release to support Keycloak that uses Quarkus. The initial 8.0.0 release of this module only supports Keycloak 18.x.
Numerous parameters were changed or removed. Below is a list of the changes to parameters as well as some behavior changes.
Parameters removed
- service_hasstatus, service_hasrestart
- management_bind_address
- java_opts_append
- wildfly_user, wildfly_user_password
- datasource_package, datasource_jar_source, datasource_jar_filename, datasource_module_source, datasource_xa_class
- proxy_https
- truststore_hostname_verification_policy
- theme_static_max_age, theme_cache_themes, theme_cache_templates
- operating_mode, enable_jdbc_ping, jboss_bind_public_address, jboss_bind_private_address
- master_address, server_name, role, user_cache
- tech_preview_features
- auto_deploy_exploded, auto_deploy_zipped
- syslog, syslog_app_name, syslog_facility, syslog_hostname, syslog_level
- syslog_port, syslog_server_address, syslog_format
Parameters renamed
- service_bind_address renamed to http_host and now defined in keycloak.conf instead of the systemd unit file
- manage_datasource renamed to manage_db
- datasource_driver renamed to db
- datasource_host renamed to db_url_host
- datasource_port renamed to db_url_port
- datasource_url renamed to db_url
- datasource_dbname renamed to db_url_database
- datasource_username renamed to db_username
- datasource_password renamed to db_password
- mysql_database_charset renamed to db_charset
- auth_url_path renamed to validator_test_url and default value changed
Parameters added
- java_declare_method to make it easier for EL platforms to deploy working Keycloak with correct Java
- java_package, java_home, java_alternative_path, java_alternative
- start_command
- configs
- hostname, http_enabled, http_host, https_port, proxy
- manage_db_server
- features
- features_disabled
- providers_purge
Behavior changes
The SSSD parameters are no longer tested and likely won't work. If you use the SSSD user provider and SSSD related parameters, please open an issue on this repo.
This module no longer makes copies of DB driver jar files or installs Java bindings; they are not necessary.
When db is set to mariadb, mysql or postgres this module will by default install the database server to the Keycloak host. If you run a remote DB server for Keycloak, set manage_db_server and manage_db to false.
There is no longer a need to define cluster or domain modes in the Quarkus deployment, all related functionality is removed.
Some basic configuration options are exposed using parameters but most configuration options for Keycloak will need to be passed into the configs parameter.
Drop Debian 9 support due to OS repos not having Java 11.
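As an added example (not from the module's README), here is one remote-database deployment written with the 7.x parameter names listed above and then with their 8.x replacements. The database host, versions and whether 7.x accepted exactly these values are placeholders and assumptions; the parameter names themselves come from the rename and removal lists above.

```puppet
# Added example (not from the module README). Hostnames, versions and the
# pre-8.x values are placeholders; only the parameter names are from the lists above.

# --- Before: module 7.x (Wildfly-based Keycloak) ---
class { 'keycloak':
  version              => '16.1.1',          # placeholder pre-Quarkus version
  datasource_driver    => 'mariadb',
  datasource_host      => 'db.example.com',
  datasource_port      => 3306,
  datasource_dbname    => 'keycloak',
  datasource_username  => 'keycloak',
  datasource_password  => 'changeme',        # placeholder
  manage_datasource    => false,             # database lives on a remote server
  service_bind_address => '127.0.0.1',       # was written into the systemd unit
  proxy_https          => true,
}

# --- After: module 8.x and later (Quarkus-based Keycloak) ---
class { 'keycloak':
  version          => '24.0.0',
  db               => 'mariadb',            # was datasource_driver
  db_url_host      => 'db.example.com',     # was datasource_host
  db_url_port      => 3306,                 # was datasource_port
  db_url_database  => 'keycloak',           # was datasource_dbname
  db_username      => 'keycloak',           # was datasource_username
  db_password      => 'changeme',           # was datasource_password; placeholder
  manage_db        => false,                # was manage_datasource
  manage_db_server => false,                # new: without this a MariaDB server is
                                            # installed on the Keycloak host
  http_host        => '127.0.0.1',          # was service_bind_address; now in keycloak.conf
  proxy            => 'edge',               # proxy_https is gone; proxy mode replaces it
                                            # (closest equivalent assumed here)
}
```

Because manage_db_server defaults to true, forgetting it when moving to 8.x is the most likely surprise: the module would install and start a local database server next to an instance that is supposed to use the remote one.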
Changes to LDAP user provider IDs
If you had keycloak_ldap_user_provider resources defined, the mechanism for defining the ID has changed and requires some migration. Also the ldap property for any keycloak_ldap_mapper resources will have to be adjusted.
WARNING The LDAP user provider ID is used to create user IDs for LDAP users. These will change if the ID is changed. This is to prevent messages such as this: The given key is not a valid key per specification, future migration might fail: f:OSC-LDAP-osc:tdockendorf. If you wish to keep the old style IDs you must provide the id parameter as $ldap-$realm to maintain old IDs.
It's advised to either Migrate to new IDs or Keep old IDs.
Migrate to new IDs
Changes
- Define old keycloak_ldap_user_provider resource as absent with new name and setting id and resource_name.
- Define same keycloak_ldap_user_provider resource to get created with new ID.
- Update keycloak_ldap_mapper resources to point to just name of keycloak_ldap_user_provider.
Before:
keycloak_ldap_user_provider { 'LDAP on test':
users_dn => 'ou=People,dc=test',
connection_url => 'ldap://localhost:389',
custom_user_search_filter => '(objectClass=posixAccount)',
}
keycloak_ldap_mapper { "first name for LDAP-test on test":
ensure => 'present',
type => 'user-attribute-ldap-mapper',
user_model_attribute => 'firstName',
ldap_attribute => 'givenName',
}
After:
keycloak_ldap_user_provider { 'LDAP-remove on test':
ensure => 'absent',
resource_name => 'LDAP',
id => 'LDAP-test',
}
keycloak_ldap_user_provider { 'LDAP on test':
users_dn => 'ou=People,dc=test',
connection_url => 'ldap://localhost:389',
custom_user_search_filter => '(objectClass=posixAccount)',
}
keycloak_ldap_mapper { "first name for LDAP on test":
ensure => 'present',
type => 'user-attribute-ldap-mapper',
user_model_attribute => 'firstName',
ldap_attribute => 'givenName',
}
Keep old IDs
If you wish to avoid re-creating keycloak_ldap_user_provider and keycloak_ldap_mapper resources then the ID parameters must be defined.
For keycloak_ldap_user_provider ensure the id property is set to match the old pattern. If name was LDAP and realm test or name was composite LDAP on test then set id to LDAP-test.
For keycloak_ldap_mapper ensure the parent_id property is set to point to old ID for associated keycloak_ldap_user_provider. If the ldap value is LDAP and realm is test or composite name is first name for LDAP on test then ensure parent_id is set to LDAP-test.
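The keep-old-IDs path written out, as an added example rather than code from the module's README. It reuses the provider and mapper from the migration example above and only adds the two ID properties described in this section; the LDAP settings are the same placeholder values.

```puppet
# Added example (not from the module README): keep the pre-migration IDs so the
# LDAP user provider and its mapper are updated in place instead of re-created.
# Re-creating the provider would change the IDs of every user it imported.

keycloak_ldap_user_provider { 'LDAP on test':
  ensure                    => 'present',
  id                        => 'LDAP-test',   # old pattern: $ldap-$realm
  users_dn                  => 'ou=People,dc=test',
  connection_url            => 'ldap://localhost:389',
  custom_user_search_filter => '(objectClass=posixAccount)',
}

keycloak_ldap_mapper { 'first name for LDAP on test':
  ensure               => 'present',
  parent_id            => 'LDAP-test',        # old ID of the provider above
  type                 => 'user-attribute-ldap-mapper',
  user_model_attribute => 'firstName',
  ldap_attribute       => 'givenName',
}
```

A quick way to check the result is to run Puppet with --noop after the upgrade: if the provider shows as present with no change instead of an absent/present pair, the old ID was matched.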
Supported Versions of Keycloak
Currently this module supports Keycloak version 24.x. This module may work on earlier versions but this is the only version tested.
Keycloak Version | Keycloak Puppet module versions
--- | ---
3.x | 2.x
4.x - 6.x | 3.x
6.x - 8.x | 4.x - 5.x
8.x - 12.x | 6.x
12.x - 16.x | 7.x
18.x | 8.x
19.x - 21.x | 9.x
21.x | 10.x
22.x - 24.x | 11.x
25.x | 12.x - 13.x
Usage
keycloak
Install Keycloak using the default dev-file database.
class { 'keycloak': }
Install a specific version of Keycloak.
class { 'keycloak':
version => '24.0.0',
db => 'mariadb',
}
Upgrading Keycloak version works by changing the version parameter as long as the db parameter is not the default of dev-file. An upgrade involves installing the new version without touching the old version, updating the symlink which defaults to /opt/keycloak, applying all changes to the new version and then restarting the keycloak service.
If the previous version was 22.0.0, using the following will upgrade to 24.0.0:
class { 'keycloak':
version => '24.0.0',
db => 'mariadb',
}
Install keycloak and use a local MariaDB server for database storage
include mysql::server
class { 'keycloak':
db => 'mariadb',
db_url_host => 'localhost',
db_url_port => 3306,
db_url_database => 'keycloak',
db_username => 'keycloak',
db_password => 'foobar',
}
The following example can be used to configure keycloak with a local PostgreSQL server.
include postgresql::server
class { 'keycloak':
db => 'postgres',
db_url_host => 'localhost',
db_url_port => 5432,
db_url_database => 'keycloak',
db_username => 'keycloak',
db_password => 'foobar',
}
Configure an SSL certificate truststore and add an LDAP server's certificate to the truststore.
class { 'keycloak':
truststore => true,
truststore_password => 'supersecret',
}
keycloak::truststore::host { 'ldap1.example.com':
certificate => '/etc/openldap/certs/0a00000.0',
}
Set up Keycloak to proxy through Apache HTTPS.
class { 'keycloak':
http_host => '127.0.0.1',
proxy => 'edge',
}
apache::vhost { 'idp.example.com':
servername => 'idp.example.com',
port => '443',
ssl => true,
manage_docroot => false,
docroot => '/var/www/html',
proxy_preserve_host => true,
proxy_add_headers => true,
proxy_pass => [
{'path' => '/', 'url' => 'http://localhost:8080/'}
],
request_headers => [
'set X-Forwarded-Proto "https"',
'set X-Forwarded-Port "443"'
],
ssl_cert => '/etc/pki/tls/certs/idp.example.com/crt',
ssl_key => '/etc/pki/tls/private/idp.example.com.key',
}
NOTE: Set the hostname parameter to unset if you do not want that option written to the Keycloak configuration at all, for example when Keycloak should not use strict hostname checking and should respond to multiple hostnames.
Deploy SPI
A simple example of deploying a custom SPI from a URL:
keycloak::spi_deployment { 'duo-spi':
ensure => 'present',
deployed_name => 'DuoUniversalKeycloakAuthenticator-jar-with-dependencies.jar',
source => 'https://github.com/instipod/DuoUniversalKeycloakAuthenticator/releases/download/1.0.5/DuoUniversalKeycloakAuthenticator-jar-with-dependencies-1.0.5.jar',
}
The source can be a URL or a file path like /tmp/foo.jar, or prefixed with file:// or puppet://.
The following example will deploy a custom SPI then check the Keycloak API for the resource to exist. This is useful to ensure the SPI is loaded into Keycloak before attempting to add custom resources.
keycloak::spi_deployment { 'duo-spi':
deployed_name => 'DuoUniversalKeycloakAuthenticator-jar-with-dependencies.jar',
source => 'https://github.com/instipod/DuoUniversalKeycloakAuthenticator/releases/download/1.0.4/DuoUniversalKeycloakAuthenticator-jar-with-dependencies-1.0.4.jar',
test_url => 'authentication/authenticator-providers',
test_key => 'id',
test_value => 'duo-universal',
test_realm => 'test',
test_before => [
'Keycloak_flow[form-browser-with-duo]',
'Keycloak_flow_execution[duo-universal under form-browser-with-duo on test]',
],
}
Partial Import
This module supports importing data from exported JSON files via the keycloak::partial_import defined type.
Example of importing a JSON file into the test realm:
keycloak::partial_import { 'mysettings':
realm => 'test',
if_resource_exists => 'SKIP',
source => 'puppet:///modules/profile/keycloak/mysettings.json',
}
NOTE: By default the keycloak::partial_import defined type will require the Keycloak_realm resource used for the realm parameter. If you manage the realm a different way, pass require_realm => false.
keycloak_realm
Define a Keycloak realm that uses username and not email for login and to use a local branded theme.
keycloak_realm { 'test':
ensure => 'present',
remember_me => true,
login_with_email_allowed => false,
login_theme => 'my_theme',
}
NOTE: If the flow properties such as browser_flow are changed from their defaults then this value will not be set when a realm is first created. The value will also not be updated if the flow does not exist. For new realms you will have to run Puppet twice in order to create the flows then update the realm setting.
keycloak_role_mapping
Manage realm role mappings for users and groups. Example:
keycloak_role_mapping { 'roles for john on master':
realm => 'master',
name => 'john',
realm_roles => ['role1', 'role2'],
}
keycloak_role_mapping { 'roles for mygroup on master':
realm => 'master',
name => 'mygroup',
group => true,
realm_roles => ['role1'],
}
keycloak_ldap_user_provider
Define an LDAP user provider so that authentication can be performed against LDAP. The example below uses two LDAP servers, disables importing of users and assumes the SSL certificates are trusted and do not require being in the truststore.
keycloak_ldap_user_provider { 'LDAP on test':
ensure => 'present',
users_dn => 'ou=People,dc=example,dc=com',
connection_url => 'ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636',
import_enabled => false,
use_truststore_spi => 'never',
}
If you're using FreeIPA you can use a defined resource that wraps keycloak_ldap_user_provider:
keycloak::freeipa_user_provider { 'ipa.example.org':
ensure => 'present',
realm => 'EXAMPLE.ORG',
bind_dn => 'uid=ldapproxy,cn=sysaccounts,cn=etc,dc=example,dc=org',
bind_credential => 'secret',
users_dn => 'cn=users,cn=accounts,dc=example,dc=org',
priority => 10,
}
keycloak_ldap_mapper
Use the LDAP attribute 'gecos' as the full name attribute.
keycloak_ldap_mapper { 'full name for LDAP-test on test':
  ensure        => 'present',
  resource_name => 'full name',
  type          => 'full-name-ldap-mapper',
  ldap_attribute => 'gecos',
}
If you're using FreeIPA you can use a defined resource that adds all the required attribute mappings automatically:
keycloak::freeipa_ldap_mappers { 'ipa.example.org':
realm => 'EXAMPLE.ORG',
groups_dn => 'cn=groups,cn=accounts,dc=example,dc=org',
roles_dn => 'cn=groups,cn=accounts,dc=example,dc=org'
}
keycloak_sssd_user_provider
WARNING This feature is no longer tested and likely stopped working when Keycloak began requiring Java 11+. If you rely on this feature, please open an issue or pull request. You will likely need to build jna from source.
Define an SSSD user provider. NOTE This type requires that SSSD be properly configured and the Keycloak service restarted after the SSSD ifp service is set up. It also requires the keycloak class be called with with_sssd_support set to true.
keycloak_sssd_user_provider { 'SSSD on test':
ensure => 'present',
}
keycloak_client
Register a client.
keycloak_client { 'www.example.com':
ensure => 'present',
realm => 'test',
redirect_uris => [
"https://www.example.com/oidc",
"https://www.example.com",
],
client_template => 'oidc-clients',
secret => 'supersecret',
}
keycloak::client_scope::oidc
Defined type that can be used to define both keycloak_client_scope and keycloak_protocol_mapper resources for OpenID Connect.
keycloak::client_scope::oidc { 'oidc-clients':
realm => 'test',
}
keycloak::client_scope::saml
Defined type that can be used to define both keycloak_client_scope and keycloak_protocol_mapper resources for SAML.
keycloak::client_scope::saml { 'saml-clients':
realm => 'test',
}
keycloak_client_scope
Define a Client Scope of email for realm test in Keycloak:
keycloak_client_scope { 'email on test':
protocol => 'openid-connect',
}
keycloak_protocol_mapper
Associate a Protocol Mapper to a given Client Scope. The name in the following example will add the email protocol mapper to client scope oidc-email in the realm test.
keycloak_protocol_mapper { "email for oidc-email on test":
claim_name => 'email',
user_attribute => 'email',
}
keycloak_client_protocol_mapper
Add the email protocol mapper to the test.example.com client in realm test.
keycloak_client_protocol_mapper { "email for test.example.com on test":
claim_name => 'email',
user_attribute => 'email',
}
keycloak_identity_provider
Add the cilogon identity provider to the test realm.
keycloak_identity_provider { 'cilogon on test':
ensure => 'present',
display_name => 'CILogon',
provider_id => 'oidc',
first_broker_login_flow_alias => 'browser',
client_id => 'cilogon:/client_id/foobar',
client_secret => 'supersecret',
user_info_url => 'https://cilogon.org/oauth2/userinfo',
token_url => 'https://cilogon.org/oauth2/token',
authorization_url => 'https://cilogon.org/authorize',
}
Keycloak Flows
The following is an example of deploying a custom Flow.
The name for the top level flow is $alias on $realm.
The name for an execution is $provider under $flow on $realm.
The name for the flow under a top level flow is $alias under $flow_alias on $realm.
keycloak_flow { 'browser-with-duo on test':
ensure => 'present',
}
keycloak_flow_execution { 'auth-cookie under browser-with-duo on test':
ensure => 'present',
configurable => false,
display_name => 'Cookie',
priority => 10,
requirement => 'ALTERNATIVE',
}
keycloak_flow_execution { 'identity-provider-redirector under browser-with-duo on test':
ensure => 'present',
configurable => true,
display_name => 'Identity Provider Redirector',
priority => 15,
requirement => 'ALTERNATIVE',
}
keycloak_flow { 'form-browser-with-duo under browser-with-duo on test':
ensure => 'present',
priority => 20,
requirement => 'ALTERNATIVE',
top_level => false,
}
keycloak_flow_execution { 'auth-username-password-form under form-browser-with-duo on test':
ensure => 'present',
configurable => false,
display_name => 'Username Password Form',
priority => 10,
requirement => 'REQUIRED',
}
keycloak_flow_execution { 'duo-universal under form-browser-with-duo on test':
ensure => 'present',
configurable => true,
display_name => 'Duo Universal MFA',
alias => 'Duo',
config => {
"duoApiHostname" => "api-foo.duosecurity.com",
"duoSecretKey" => "secret",
"duoIntegrationKey" => "foo-ikey",
"duoGroups" => "duo"
},
requirement => 'REQUIRED',
priority => 15,
}
keycloak_api
The keycloak_api type can be used to define how this module's types access the Keycloak API if this module is only used for the types/providers and the module's kcadm-wrapper.sh is not installed.
keycloak_api { 'keycloak':
  install_dir => '/opt/keycloak',
  server      => 'http://localhost:8080/auth',
  realm       => 'master',
  user        => 'admin',
  password    => 'changeme',
}
The path for install_dir will be joined with bin/kcadm.sh to produce the full path to kcadm.sh.
keycloak_required_action
The keycloak_required_action type can be used to define actions a user must perform during the authentication process. A user will not be able to complete the authentication process until these actions are complete. For instance, change a one-time password, accept T&C, etc.
The name for an action is $provider_id on $realm.
Important: The keycloak rest api documentation uses the term alias, which will be filled with the value of provider_id in this module.
# Minimal example
keycloak_required_action { 'VERIFY_EMAIL on master':
ensure => present,
provider_id => 'webauthn-register',
}
# Full example
keycloak_required_action { 'webauthn-register on master':
ensure => present,
provider_id => 'webauthn-register',
display_name => 'Webauthn Register',
default => true,
enabled => true,
priority => 1,
config => {
'something' => 'true', # keep in mind that keycloak only supports strings for both keys and values
'smth else' => '1',
},
}
Reference
http://treydock.github.io/puppet-module-keycloak/
Limitations
This module has been tested on:
- RedHat/Rocky/AlmaLinux 8 x86_64
- RedHat/Rocky/AlmaLinux 9 x86_64
- Debian 11 x86_64
- Ubuntu 20.04 x86_64
- Ubuntu 22.04 x86_64
UUID Generation
bundle exec irb
2.5.1 :001 > require File.expand_path(File.join(File.dirname(__FILE__), 'lib/puppet/provider/keycloak_api'))
=> true
2.5.1 :002 > Puppet::Provider::KeycloakAPI.name_uuid('LDAP')
=> "bc7bc27f-39b8-5152-91c3-915d710fba35"
Reference
Table of Contents
Classes
Public Classes
- keycloak: Manage Keycloak
- keycloak::config: Private class.
- keycloak::install: Private class.
- keycloak::service: Private class.
- keycloak::sssd: Private class.
Private Classes
- keycloak::db::mariadb: Manage MySQL DB
- keycloak::db::mysql: Manage MySQL DB
- keycloak::db::postgres: Manage postgres DB
- keycloak::resources: Define Keycloak resources
Defined types
- keycloak::client_scope::oidc: Manage Keycloak OpenID Connect client scope using built-in mappers
- keycloak::client_scope::saml: Manage Keycloak SAML client scope using built-in mappers
- keycloak::freeipa_ldap_mappers: setup FreeIPA LDAP mappers for Keycloak
- keycloak::freeipa_user_provider: setup IPA as an LDAP user provider for Keycloak
- keycloak::partial_import: Perform partialImport using CLI
- keycloak::spi_deployment: Manage Keycloak SPI deployment
- keycloak::truststore::host: Add host to Keycloak truststore
Resource types
- keycloak_api: Type that configures API connection parameters for other keycloak types that use the Keycloak API.
- keycloak_client: Manage Keycloak clients
- keycloak_client_protocol_mapper: Manage Keycloak protocol mappers
- keycloak_client_scope: Manage Keycloak client scopes
- keycloak_conn_validator: Verify that a connection can be successfully established between a node and the keycloak server. Its primary use is as a precondition to pre
- keycloak_flow: Manage a Keycloak flow. Autorequires keycloak_realm defined for realm parameter, and keycloak_flow of flow_alias if `top_level=fals
- keycloak_flow_execution: Manage a Keycloak flow. Autorequires keycloak_realm defined for realm parameter, and keycloak_flow of value defined for flow_alias
- keycloak_identity_provider: Manage Keycloak identity providers
- keycloak_ldap_mapper: Manage Keycloak LDAP attribute mappers
- keycloak_ldap_user_provider: Manage Keycloak LDAP user providers
- keycloak_protocol_mapper: Manage Keycloak client scope protocol mappers
- keycloak_realm: Manage Keycloak realms
- keycloak_required_action: Manage Keycloak required actions
- keycloak_resource_validator: Verify that a specific Keycloak resource is available
- keycloak_role_mapping: Attach realm roles to users and groups
- keycloak_sssd_user_provider: Manage Keycloak SSSD user providers
Data types
Classes
keycloak
Manage Keycloak
Examples
include ::keycloak
Parameters
The following parameters are available in the keycloak class:
manage_install
version
package_url
install_dir
java_package_dependencies
java_declare_method
java_package
java_home
java_alternative_path
java_alternative
service_name
service_ensure
service_enable
java_opts
start_command
service_extra_opts
service_environment_file
conf_dir_mode
conf_dir_purge
conf_dir_purge_ignore
configs
extra_configs
hostname
http_enabled
http_host
http_port
https_port
http_relative_path
manage_user
user
user_shell
group
user_uid
group_gid
system_user
admin_user
admin_user_password
manage_db
manage_db_server
db
db_url_host
db_url_port
db_url
db_url_database
db_username
db_password
db_charset
db_collate
db_encoding
features
features_disabled
truststore
truststore_hosts
truststore_password
proxy
realms
realms_merge
oidc_client_scopes
oidc_client_scopes_merge
saml_client_scopes
saml_client_scopes_merge
identity_providers
identity_providers_merge
client_protocol_mappers
client_scopes
client_scopes_merge
protocol_mappers
protocol_mappers_merge
clients
clients_merge
flows
flows_merge
flow_executions
flow_executions_merge
required_actions
required_actions_merge
ldap_mappers
ldap_mappers_merge
ldap_user_providers
ldap_user_providers_merge
with_sssd_support
libunix_dbus_java_source
install_libunix_dbus_java_build_dependencies
libunix_dbus_java_build_dependencies
libunix_dbus_java_libdir
jna_package_name
manage_sssd_config
sssd_ifp_user_attributes
restart_sssd
spi_deployments
partial_imports
providers_purge
custom_config_content
custom_config_source
validator_test_url
manage_install
Data type: Boolean
Install Keycloak from upstream Keycloak tarball. Set to false to manage installation of Keycloak outside this module and set $install_dir to match. Defaults to true.
Default value: true
version
Data type: String
Version of Keycloak to install and manage.
Default value: '25.0.1'
package_url
Data type: Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl, Stdlib::Absolutepath]]
URL of the Keycloak download. Default is based on version.
Default value: undef
install_dir
Data type: Optional[Stdlib::Absolutepath]
The directory where Keycloak is installed. Default is /opt/keycloak-${version}.
Default value: undef
java_package_dependencies
Data type: Array[String[1]]
Packages to install before Java
Default value: []
java_declare_method
Data type: Enum['include','class']
How to declare the Java class within this module. The include value only includes the java class. The class method defines the Java class and passes necessary parameters. For RedHat base systems this defaults to class, other OSes default to include.
Default value: 'class'
java_package
Data type: String[1]
Java package name, only used when java_declare_method is class
Default value: 'java-21-openjdk-devel'
java_home
Data type: Stdlib::Absolutepath
Java home path. This value is used when java_declare_method is class as well as to set the JAVA_HOME environment variable for the Keycloak service.
Default value: '/usr/lib/jvm/java-21-openjdk'
java_alternative_path
Data type: Stdlib::Absolutepath
Java alternative path, only used when java_declare_method is class
Default value: '/usr/lib/jvm/java-21-openjdk/bin/java'
java_alternative
Data type: String[1]
Java alternative, only used when java_declare_method is class
Default value: '/usr/lib/jvm/java-21-openjdk/bin/java'
service_name
Data type: String
Keycloak service name.
Default is keycloak.
Default value: 'keycloak'
service_ensure
Data type: String
Keycloak service ensure property.
Default is running.
Default value: 'running'
service_enable
Data type: Boolean
Keycloak service enable property.
Default is true.
Default value: true
java_opts
Data type: Optional[Variant[String, Array]]
Sets additional options to Java virtual machine environment variable.
Default value: undef
start_command
Data type: Enum['start','start-dev']
The start command to use to run Keycloak
Default value: 'start'
service_extra_opts
Data type: Optional[String]
Additional options added to the end of the service command-line.
Default value: undef
service_environment_file
Data type: Optional[Stdlib::Absolutepath]
Path to the file with environment variables for the systemd service
Default value: undef
conf_dir_mode
Data type: Stdlib::Filemode
The mode for the configuration directory
Default value: '0755'
conf_dir_purge
Data type: Boolean
Purge unmanaged files in configuration directory
Default value: true
conf_dir_purge_ignore
Data type: Array
The files to ignore when unmanaged files are purged from the configuration directory
Default value: ['cache-ispn.xml', 'README.md', 'truststore.jks', 'kcadm.config']
configs
Data type: Keycloak::Configs
Define additional configs for keycloak.conf
Default value: {}
extra_configs
Data type: Hash[String, Variant[String[1],Boolean,Array]]
Additional configs for keycloak.conf
Default value: {}
hostname
Data type: Variant[Stdlib::Host, Stdlib::HTTPUrl, Stdlib::HTTPSUrl, Enum['unset','UNSET']]
hostname to set in keycloak.conf. Set to unset or UNSET to not define this in keycloak.conf.
Default value: $facts['networking']['fqdn']
http_enabled
Data type: Boolean
Whether to enable HTTP
Default value: true
http_host
Data type: Stdlib::IP::Address
HTTP host
Default value: '0.0.0.0'
http_port
Data type: Stdlib::Port
HTTP port
Default value: 8080
https_port
Data type: Stdlib::Port
HTTPS port
Default value: 8443
http_relative_path
Data type: Pattern[/^\/.*/]
Set the path relative to '/' for serving resources. The path must start with a '/'.
Default value: '/'
manage_user
Data type: Boolean
Defines if the module should manage the Linux user for Keycloak installation
Default value: true
user
Data type: String
Keycloak user name.
Default is keycloak.
Default value: 'keycloak'
user_shell
Data type: Stdlib::Absolutepath
Keycloak user shell.
Default value: '/sbin/nologin'
group
Data type: String
Keycloak user group name.
Default is keycloak.
Default value: 'keycloak'
user_uid
Data type: Optional[Integer]
Keycloak user UID.
Default is undef.
Default value: undef
group_gid
Data type: Optional[Integer]
Keycloak user group GID.
Default is undef.
Default value: undef
system_user
Data type: Boolean
If keycloak user should be a system user with lower uid and gid.
Default is true.
Default value: true
admin_user
Data type: String
Keycloak administrative username.
Default is admin.
Default value: 'admin'
admin_user_password
Data type: String
Keycloak administrative user password.
Default is changeme.
Default value: 'changeme'
manage_db
Data type: Boolean
Boolean that determines if configured database will be managed.
Default value: true
manage_db_server
Data type: Boolean
Include the DB server class for postgres, mariadb or mysql
Default value: true
db
Data type: Enum['dev-file', 'dev-mem', 'mariadb', 'mysql', 'oracle', 'postgres']
Database driver to use for Keycloak.
Default value: 'dev-file'
db_url_host
Data type: Optional[Stdlib::Host]
Database host.
Default value: undef
db_url_port
Data type: Optional[Stdlib::Port]
Database port.
Default value: undef
db_url
Data type: Optional[String[1]]
Database url.
Default value: undef
db_url_database
Data type: String[1]
Database name.
Default value: 'keycloak'
db_username
Data type: String[1]
Database user name.
Default value: 'keycloak'
db_password
Data type: String[1]
Database user password.
Default value: 'changeme'
db_charset
Data type: String
MySQL and MariaDB database charset
Default value: 'utf8'
db_collate
Data type: String
MySQL and MariaDB database collate
Default value: 'utf8_general_ci'
db_encoding
Data type: String
PostgreSQL database encoding
Default value: 'UTF8'
features
Data type: Optional[Array[String[1]]]
Keycloak features to enable
Default value: undef
features_disabled
Data type: Optional[Array[String[1]]]
Keycloak features to disable
Default value: undef
truststore
Data type: Boolean
Boolean that sets if truststore should be used.
Default is false.
Default value: false
truststore_hosts
Data type: Hash
Hash that is used to define keycloak::truststore::host resources. Default is {}.
Default value: {}
truststore_password
Data type: String
Truststore password.
Default is keycloak.
Default value: 'keycloak'
proxy
Data type: Enum['edge','reencrypt','passthrough','none']
Type of proxy to use for Keycloak
Default value: 'none'
realms
Data type: Hash
Hash that is used to define keycloak_realm resources.
Default is {}.
Default value: {}
realms_merge
Data type: Boolean
Boolean that sets if realms should be merged from Hiera.
Default value: false
oidc_client_scopes
Data type: Hash
Hash that is used to define keycloak::client_scope::oidc resources.
Default is {}.
Default value: {}
oidc_client_scopes_merge
Data type: Boolean
Boolean that sets if oidc_client_scopes should be merged from Hiera.
Default value: false
saml_client_scopes
Data type: Hash
Hash that is used to define keycloak::client_scope::saml resources.
Default is {}.
Default value: {}
saml_client_scopes_merge
Data type: Boolean
Boolean that sets if saml_client_scopes should be merged from Hiera.
Default value: false
identity_providers
Data type: Hash
Hash that is used to define keycloak_identity_provider resources.
Default value: {}
identity_providers_merge
Data type: Boolean
Boolean that sets if identity_providers should be merged from Hiera.
Default value: false
client_protocol_mappers
Data type: Hash
Hash that is used to define keycloak_client_protocol_mapper resources.
Default value: {}
client_scopes
Data type: Hash
Hash that is used to define keycloak_client_scope resources.
Default value: {}
client_scopes_merge
Data type: Boolean
Boolean that sets if client_scopes should be merged from Hiera.
Default value: false
protocol_mappers
Data type: Hash
Hash that is used to define keycloak_protocol_mapper resources.
Default value: {}
protocol_mappers_merge
Data type: Boolean
Boolean that sets if protocol_mappers should be merged from Hiera.
Default value: false
clients
Data type: Hash
Hash that is used to define keycloak_client resources.
Default value: {}
clients_merge
Data type: Boolean
Boolean that sets if clients should be merged from Hiera.
Default value: false
flows
Data type: Hash
Hash that is used to define keycloak_flow resources.
Default value: {}
flows_merge
Data type: Boolean
Boolean that sets if flows should be merged from Hiera.
Default value: false
flow_executions
Data type: Hash
Hash that is used to define keycloak_flow_execution resources.
Default value: {}
flow_executions_merge
Data type: Boolean
Boolean that sets if flow_executions should be merged from Hiera.
Default value: false
required_actions
Data type: Hash
Hash that is used to define keycloak_required_action resources.
Default value: {}
required_actions_merge
Data type: Boolean
Boolean that sets if required_actions should be merged from Hiera.
Default value: false
ldap_mappers
Data type: Hash
Hash that is used to define keycloak_ldap_mapper resources.
Default value: {}
ldap_mappers_merge
Data type: Boolean
Boolean that sets if ldap_mappers should be merged from Hiera.
Default value: false
ldap_user_providers
Data type: Hash
Hash that is used to define keycloak_ldap_user_provider resources.
Default value: {}
ldap_user_providers_merge
Data type: Boolean
Boolean that sets if ldap_user_providers should be merged from Hiera.
Default value: false
with_sssd_support
Data type: Boolean
Boolean that determines if SSSD user provider support should be available
Default value: false
libunix_dbus_java_source
Data type: Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]
Source URL of libunix-dbus-java
Default value: 'https://github.com/keycloak/libunix-dbus-java/archive/libunix-dbus-java-0.8.0.tar.gz'
install_libunix_dbus_java_build_dependencies
Data type: Boolean
Boolean that determines if libunix-dbus-java build dependencies are managed by this module
Default value: true
libunix_dbus_java_build_dependencies
Data type: Array
Packages needed to build libunix-dbus-java
Default value: []
libunix_dbus_java_libdir
Data type: Stdlib::Absolutepath
Path to directory to install libunix-dbus-java libraries
Default value: '/usr/lib64'
jna_package_name
Data type: String
Package name for jna
Default value: 'jna'
manage_sssd_config
Data type: Boolean
Boolean that determines if SSSD ifp config for Keycloak is managed
Default value: true
sssd_ifp_user_attributes
Data type: Array
user_attributes to define for SSSD ifp service
Default value: []
restart_sssd
Data type: Boolean
Boolean that determines if SSSD should be restarted
Default value: true
spi_deployments
Data type: Hash
Hash used to define keycloak::spi_deployment resources
Default value: {}
partial_imports
Data type: Hash
Hash used to define keycloak::partial_import resources
Default value: {}
providers_purge
Data type: Boolean
Purge the providers directory of unmanaged SPIs
Default value: true
custom_config_content
Data type: Optional[String]
Custom configuration content to be added to keycloak.conf
Default value: undef
custom_config_source
Data type: Optional[Variant[String, Array]]
Custom configuration source file to be added to keycloak.conf
Default value: undef
validator_test_url
Data type: String
The URL path for validator testing. Only necessary to set if the URL path to Keycloak is modified.
Default value: '/realms/master/.well-known/openid-configuration'
keycloak::config
Private class.
keycloak::install
Private class.
keycloak::service
Private class.
keycloak::sssd
Private class.
Defined types
keycloak::client_scope::oidc
Manage Keycloak OpenID Connect client scope using built-in mappers
Examples
keycloak::client_scope::oidc { 'oidc-clients':
realm => 'test',
}
Parameters
The following parameters are available in the keycloak::client_scope::oidc
defined type:
realm
Data type: String
Realm of the client scope.
resource_name
Data type: String
Name of the client scope resource
Default value: $name
keycloak::client_scope::saml
Manage Keycloak SAML client scope using built-in mappers
Examples
keycloak::client_scope::saml { 'saml-clients':
realm => 'test',
}
Parameters
The following parameters are available in the keycloak::client_scope::saml
defined type:
realm
Data type: String
Realm of the client scope.
resource_name
Data type: String
Name of the client scope resource
Default value: $name
keycloak::freeipa_ldap_mappers
Set up FreeIPA LDAP mappers for Keycloak
Examples
keycloak::freeipa_ldap_mappers { 'ipa.example.org':
realm => 'EXAMPLE.ORG',
groups_dn => 'cn=groups,cn=accounts,dc=example,dc=org',
roles_dn => 'cn=groups,cn=accounts,dc=example,dc=org'
}
Parameters
The following parameters are available in the keycloak::freeipa_ldap_mappers
defined type:
realm
Data type: String
Keycloak realm
groups_dn
Data type: String
Groups DN
roles_dn
Data type: String
Roles DN
parent_id
Data type: String
Used to identify the parent LDAP user provider, name used with keycloak::freeipa_user_provider
Default value: $title
keycloak::freeipa_user_provider
Set up FreeIPA as an LDAP user provider for Keycloak
Examples
Add FreeIPA as a user provider
keycloak::freeipa_user_provider { 'ipa.example.org':
ensure => 'present',
realm => 'EXAMPLE.ORG',
bind_dn => 'uid=ldapproxy,cn=sysaccounts,cn=etc,dc=example,dc=org',
bind_credential => 'secret',
users_dn => 'cn=users,cn=accounts,dc=example,dc=org',
priority => 10,
}
Parameters
The following parameters are available in the keycloak::freeipa_user_provider
defined type:
ensure
id
ipa_host
realm
bind_dn
bind_credential
users_dn
priority
ldaps
full_sync_period
changed_sync_period
ensure
Data type: Enum['present', 'absent']
LDAP user provider status
Default value: 'present'
id
Data type: Optional[String]
ID to use for user provider
Default value: undef
ipa_host
Data type: Stdlib::Host
Hostname of the FreeIPA server (e.g. ipa.example.org)
Default value: $title
realm
Data type: String
Keycloak realm
bind_dn
Data type: String
LDAP bind dn
bind_credential
Data type: String
LDAP bind password
users_dn
Data type: String
The DN for user search
priority
Data type: Integer
Priority for this user provider
Default value: 10
ldaps
Data type: Boolean
Use LDAPS protocol instead of LDAP
Default value: false
full_sync_period
Data type: Optional[Integer]
Synchronize all users this often (fullSyncPeriod)
Default value: undef
changed_sync_period
Data type: Optional[Integer]
Synchronize changed users this often (changedSyncPeriod)
Default value: undef
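The two FreeIPA defined types above are meant to be used together: the user provider creates the LDAP federation and the mappers attach to it via parent_id, which defaults to the title. The following is an added example and not part of the module's own documentation. It assumes a FreeIPA server ipa.example.org with base DN dc=example,dc=org, a dedicated read-only system account for the bind, and a Hiera key profile::keycloak::ipa_bind_password holding the bind password (all placeholders).

```puppet
# Added example, not from the module's documentation.
# Assumed placeholders: ipa.example.org, dc=example,dc=org and the Hiera key
# profile::keycloak::ipa_bind_password.
$ipa_host = 'ipa.example.org'
$ipa_base = 'dc=example,dc=org'

# Federate FreeIPA over LDAPS and bind with a dedicated system account rather
# than an administrative user, so a leaked credential only grants read access.
keycloak::freeipa_user_provider { $ipa_host:
  ensure              => 'present',
  realm               => 'EXAMPLE.ORG',
  ldaps               => true,
  bind_dn             => "uid=keycloak,cn=sysaccounts,cn=etc,${ipa_base}",
  bind_credential     => lookup('profile::keycloak::ipa_bind_password'),
  users_dn            => "cn=users,cn=accounts,${ipa_base}",
  priority            => 10,
  full_sync_period    => 86400, # full re-import once a day (fullSyncPeriod, seconds)
  changed_sync_period => 900,   # pick up changed users every 15 minutes (changedSyncPeriod)
}

# Group and role mappers for the provider above. parent_id defaults to $title,
# so the title must equal the user provider's title for the mappers to attach.
keycloak::freeipa_ldap_mappers { $ipa_host:
  realm     => 'EXAMPLE.ORG',
  groups_dn => "cn=groups,cn=accounts,${ipa_base}",
  roles_dn  => "cn=groups,cn=accounts,${ipa_base}",
  require   => Keycloak::Freeipa_user_provider[$ipa_host],
}
```

With ldaps => true the Keycloak JVM must trust the FreeIPA CA; keycloak::truststore::host, documented later in this reference, is the module's way to add a certificate to the Keycloak truststore.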
keycloak::partial_import
Perform partialImport using CLI
Examples
Perform partial import
keycloak::partial_import { 'mysettings':
realm => 'test',
if_resource_exists => 'SKIP',
source => 'puppet:///modules/profile/keycloak/mysettings.json',
}
Parameters
The following parameters are available in the keycloak::partial_import
defined type:
realm
Data type: String[1]
The Keycloak Realm
if_resource_exists
Data type: Enum['FAIL','SKIP','OVERWRITE']
Behavior for when resources exist
source
Data type: Optional[Variant[Stdlib::Filesource, Stdlib::HTTPSUrl]]
The import JSON source
Default value: undef
content
Data type: Optional[String[1]]
The import JSON content
Default value: undef
filename
Data type: String[1]
The filename of the stored JSON
Default value: $name
require_realm
Data type: Boolean
Determines whether to require the Keycloak_realm resource
Default value: true
create_realm
Data type: Boolean
Determines whether to define the Keycloak_realm resource
Default value: false
keycloak::spi_deployment
Examples
Add Duo SPI
keycloak::spi_deployment { 'duo-spi':
ensure => 'present',
deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar',
source => 'file:///path/to/source/keycloak-duo-spi-jar-with-dependencies.jar',
}
Add Duo SPI and check the API for existence of resources before going on to dependent resources
keycloak::spi_deployment { 'duo-spi':
deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar',
source => 'file:///path/to/source/keycloak-duo-spi-jar-with-dependencies.jar',
test_url => 'authentication/authenticator-providers',
test_key => 'id',
test_value => 'duo-mfa-authenticator',
test_realm => 'test',
before => Keycloak_flow_execution['duo-mfa-authenticator under form-browser-with-duo on test'],
}
Parameters
The following parameters are available in the keycloak::spi_deployment
defined type:
ensure
Data type: Enum['present', 'absent']
State of the deployment
Default value: 'present'
deployed_name
Data type: String[1]
Name of the file to be deployed. Defaults to $name.
Default value: $name
source
Data type: Variant[Stdlib::Filesource, Stdlib::HTTPSUrl]
Source of the deployment, supports 'file://', 'puppet://', 'https://' or 'http://'
test_url
Data type: Optional[String]
URL to test for existence of resources created by this SPI
Default value: undef
test_key
Data type: Optional[String]
Key of resource when testing for resource created by this SPI
Default value: undef
test_value
Data type: Optional[String]
Value of the test_key when testing for resources created by this SPI
Default value: undef
test_realm
Data type: Optional[String]
Realm to query when looking for resources created by this SPI
Default value: undef
test_before
Data type: Optional[Array]
Set up autorequires for validator-dependent resources
Default value: undef
keycloak::truststore::host
Add host to Keycloak truststore
Examples
keycloak::truststore::host { 'ldap1.example.com':
certificate => '/etc/openldap/certs/0a00000.0',
}
Parameters
The following parameters are available in the keycloak::truststore::host
defined type:
certificate
Data type: String
Path to host certificate
ensure
Data type: Enum['latest', 'present', 'absent']
Host ensure value passed to the java_ks resource.
Default value: 'latest'
Resource types
keycloak_api
Type that configures API connection parameters for other keycloak types that use the Keycloak API.
Examples
Define API access
keycloak_api { 'keycloak':
install_dir => '/opt/keycloak',
server => 'http://localhost:8080',
realm => 'master',
user => 'admin',
password => 'changeme',
}
Parameters
The following parameters are available in the keycloak_api
type.
install_dir
Install location of Keycloak
Default value: /opt/keycloak
name
namevar
Keycloak API config
password
Password for authentication
Default value: changeme
realm
Realm for authentication
Default value: master
server
Auth URL for Keycloak server
Default value: http://localhost:8080
use_wrapper
Valid values: true, false
Boolean that determines if kcadm_wrapper.sh should be used
Default value: false
user
User for authentication
Default value: admin
keycloak_client
Manage Keycloak clients
Examples
Add a OpenID Connect client
keycloak_client { 'www.example.com':
ensure => 'present',
realm => 'test',
redirect_uris => [
"https://www.example.com/oidc",
"https://www.example.com",
],
default_client_scopes => ['profile','email'],
secret => 'supersecret',
}
Properties
The following properties are available in the keycloak_client
type.
access_token_lifespan
access.token.lifespan
admin_url
adminUrl
authorization_services_enabled
Valid values: true, false
authorizationServicesEnabled
Default value: false
backchannel_logout_url
backchannel.logout.url
base_url
baseUrl
bearer_only
Valid values: true, false
bearerOnly
Default value: false
browser_flow
authenticationFlowBindingOverrides.browser (Use flow alias, not ID)
Default value: absent
client_authenticator_type
clientAuthenticatorType
Default value: client-secret
default_client_scopes
defaultClientScopes
Default value: []
direct_access_grants_enabled
Valid values: true, false
directAccessGrantsEnabled
Default value: true
direct_grant_flow
authenticationFlowBindingOverrides.direct_grant (Use flow alias, not ID)
Default value: absent
enabled
Valid values: true, false
enabled
Default value: true
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
full_scope_allowed
Valid values: true, false
fullScopeAllowed
Default value: true
implicit_flow_enabled
Valid values: true, false
implicitFlowEnabled
Default value: false
login_theme
login_theme
Default value: absent
optional_client_scopes
optionalClientScopes
Default value: []
protocol
Valid values: openid-connect, saml
protocol
Default value: openid-connect
public_client
Valid values: true, false
publicClient
Default value: false
redirect_uris
redirectUris
Default value: []
roles
roles
Default value: []
root_url
rootUrl
saml_artifact_binding_url
saml_artifact_binding_url
saml_assertion_consumer_url_post
saml_assertion_consumer_url_post
saml_assertion_signature
saml.assertion.signature
saml_encrypt
saml.encrypt
saml_encryption_certificate
saml.encryption.certificate
saml_name_id_format
saml_name_id_format
saml_signing_certificate
saml.signing.certificate
saml_signing_private_key
saml.signing.private.key
saml_single_logout_service_url_redirect
saml_single_logout_service_url_redirect
secret
secret
service_accounts_enabled
Valid values: true, false
serviceAccountsEnabled
Default value: false
standard_flow_enabled
Valid values: true, false
standardFlowEnabled
Default value: true
web_origins
webOrigins
Parameters
The following parameters are available in the keycloak_client
type.
client_id
clientId. Defaults to name.
id
Id. Defaults to client_id
name
namevar
The client name
provider
The specific backend to use for this keycloak_client
resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
realm
realm
keycloak_client_protocol_mapper
Manage Keycloak protocol mappers
Examples
Add email protocol mapper to test.example.com client in realm test
keycloak_client_protocol_mapper { "email for test.example.com on test":
claim_name => 'email',
user_attribute => 'email',
}
Properties
The following properties are available in the keycloak_client_protocol_mapper
type.
access_token_claim
Valid values: true, false
access.token.claim. Defaults to true for protocol openid-connect.
attribute_name
attribute.name. Defaults to resource_name for type saml-user-property-mapper.
attribute_nameformat
attribute.nameformat
claim_name
claim.name
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
friendly_name
friendly.name. Defaults to resource_name for type saml-user-property-mapper.
full_path
Valid values: true, false
full.path. Defaults to false for type oidc-group-membership-mapper.
id_token_claim
Valid values: true, false
id.token.claim. Defaults to true for protocol openid-connect.
included_client_audience
included.client.audience. Required for type oidc-audience-mapper.
json_type_label
json.type.label. Defaults to String for type oidc-usermodel-property-mapper and oidc-group-membership-mapper.
multivalued
Valid values: true, false
multivalued
protocol
Valid values: openid-connect, saml
protocol
Default value: openid-connect
single
Valid values: true, false
single. Defaults to false for type saml-role-list-mapper.
user_attribute
user.attribute. Defaults to resource_name for type oidc-usermodel-property-mapper or saml-user-property-mapper.
userinfo_token_claim
Valid values: true, false
userinfo.token.claim. Defaults to true for protocol openid-connect except for type oidc-audience-mapper.
usermodel_client_role_mapping_client_id
usermodel.clientRoleMapping.clientId for type oidc-usermodel-client-role-mapper
Parameters
The following parameters are available in the keycloak_client_protocol_mapper
type.
client
client
id
Id.
name
namevar
The protocol mapper name
provider
The specific backend to use for this keycloak_client_protocol_mapper
resource. You will seldom need to specify this
--- Puppet will usually discover the appropriate provider for your platform.
realm
realm
resource_name
The protocol mapper name. Defaults to name.
type
Valid values: oidc-usermodel-client-role-mapper, oidc-usermodel-property-mapper, oidc-full-name-mapper, oidc-group-membership-mapper, oidc-audience-mapper, saml-user-property-mapper, saml-role-list-mapper
protocolMapper. Default is oidc-usermodel-property-mapper for protocol openid-connect and saml-user-property-mapper for protocol saml.
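The property notes above are mostly about per-type defaults, which is where mapper declarations tend to go wrong: an oidc-audience-mapper is rejected without included_client_audience, and the token-placement flags decide which tokens a claim lands in. The following is an added example, not part of the module's documentation, showing an audience mapper and a group-membership mapper on the www.example.com client from the keycloak_client example. It assumes realm test, client www.example.com and a second client api.example.com that the access tokens are meant for; the title pattern "<mapper name> for <client> on <realm>" follows the example on this page.

```puppet
# Added example, not from the module's documentation.
# Assumed: realm 'test', clients 'www.example.com' and 'api.example.com'.

# Put the API client into the aud claim of access tokens issued to
# www.example.com, so the API can reject tokens minted for other clients.
# included_client_audience is required for this mapper type.
keycloak_client_protocol_mapper { 'api audience for www.example.com on test':
  ensure                   => 'present',
  type                     => 'oidc-audience-mapper',
  included_client_audience => 'api.example.com',
  access_token_claim       => true,  # the API validates the access token
  id_token_claim           => false, # the browser-facing ID token does not need it
}

# Expose group membership as a multivalued 'groups' claim. full_path => false
# emits bare group names instead of /parent/child paths.
keycloak_client_protocol_mapper { 'groups for www.example.com on test':
  ensure               => 'present',
  type                 => 'oidc-group-membership-mapper',
  claim_name           => 'groups',
  full_path            => false,
  access_token_claim   => true,
  id_token_claim       => true,
  userinfo_token_claim => true,
}
```

Both resources take client and realm from the title; protocol defaults to openid-connect, which is what both mapper types require.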
keycloak_client_scope
Manage Keycloak client scopes
Examples
Define a OpenID Connect client scope in the test realm
keycloak_client_scope { 'email on test':
protocol => 'openid-connect',
}
Properties
The following properties are available in the keycloak_client_scope
type.
consent_screen_text
consent.screen.text
display_on_consent_screen
Valid values: true, false
display.on.consent.screen
Default value: true
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
protocol
Valid values: openid-connect, saml
protocol
Default value: openid-connect
Parameters
The following parameters are available in the keycloak_client_scope
type.
id
Id. Defaults to resource_name.
name
namevar
The client scope name
provider
The specific backend to use for this keycloak_client_scope
resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
realm
realm
resource_name
The client scope name. Defaults to name.
keycloak_conn_validator
Verify that a connection can be successfully established between a node and the keycloak server. Its primary use is as a precondition to prevent configuration changes from being applied if the keycloak server cannot be reached, but it could potentially be used for other purposes such as monitoring.
Properties
The following properties are available in the keycloak_conn_validator
type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
Parameters
The following parameters are available in the keycloak_conn_validator
type.
keycloak_port
The port that the keycloak server should be listening on.
Default value: 8080
keycloak_server
The DNS name or IP address of the server where keycloak should be running.
Default value: localhost
name
namevar
An arbitrary name used as the identity of the resource.
provider
The specific backend to use for this keycloak_conn_validator
resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
relative_path
URL relative path that is used by Keycloak
Default value: /
test_url
URL to use for testing if the Keycloak database is up
Default value: /realms/master/.well-known/openid-configuration
timeout
The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running.
Default value: 30
use_ssl
Whether the connection will be attempted using https
Default value: false
keycloak_flow
Manage a Keycloak flow
Autorequires
- keycloak_realm defined for realm parameter
- keycloak_flow of flow_alias if top_level=false
- keycloak_flow of flow_alias if other priority is lower and if top_level=false
- keycloak_flow_execution if flow_alias is the same and other priority is lower and if top_level=false
Examples
Add custom flow
keycloak_flow { 'browser-with-duo':
ensure => 'present',
realm => 'test',
}
Add a flow execution to existing browser-with-duo flow
keycloak_flow { 'form-browser-with-duo under browser-with-duo on test':
ensure => 'present',
priority => 20,
requirement => 'ALTERNATIVE',
top_level => false,
}
Properties
The following properties are available in the keycloak_flow
type.
description
description
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
priority
execution priority, only applied to top_level=false, required for top_level=false
requirement
Valid values: DISABLED, ALTERNATIVE, REQUIRED, CONDITIONAL, disabled, alternative, required, conditional
requirement, only applied to top_level=false and defaults to DISABLED
Parameters
The following parameters are available in the keycloak_flow
type.
alias
Alias. Defaults to name.
flow_alias
flowAlias, required for top_level=false
id
Id. Defaults to $alias-$realm when top_level is true. Only applies to top_level=true
name
namevar
The flow name
provider
The specific backend to use for this keycloak_flow
resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
provider_id
Valid values: basic-flow, form-flow
providerId
Default value: basic-flow
realm
realm
top_level
Valid values: true, false
topLevel
Default value: true
type
sub-flow execution provider, defaults to registration-page-form for top_level=false and does not apply to top_level=true
keycloak_flow_execution
Manage a Keycloak flow execution
Autorequires
- keycloak_realm defined for realm parameter
- keycloak_flow of value defined for flow_alias
- keycloak_flow if they share the same flow_alias value and the other resource's priority is lower
- keycloak_flow_execution if flow_alias is the same and other priority is lower
Examples
Add an execution to a flow
keycloak_flow_execution { 'auth-cookie under browser-with-duo on test':
ensure => 'present',
configurable => false,
display_name => 'Cookie',
priority => 10,
requirement => 'ALTERNATIVE',
}
Add an execution to a execution flow that is one level deeper than top level
keycloak_flow_execution { 'auth-username-password-form under form-browser-with-duo on test':
ensure => 'present',
configurable => false,
display_name => 'Username Password Form',
priority => 10,
requirement => 'REQUIRED',
}
Add an execution with a configuration
keycloak_flow_execution { 'duo-mfa-authenticator under form-browser-with-duo on test':
ensure => 'present',
configurable => true,
display_name => 'Duo MFA',
alias => 'Duo',
config => {
"duomfa.akey" => "foo-akey",
"duomfa.apihost" => "api-foo.duosecurity.com",
"duomfa.skey" => "secret",
"duomfa.ikey" => "foo-ikey",
"duomfa.groups" => "duo"
},
requirement => 'REQUIRED',
priority => 20,
}
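The examples above each show one piece of a flow. The following is an added example, not part of the module's documentation, that assembles a complete browser flow from these types and binds it to a client: cookie login as an ALTERNATIVE, a forms sub-flow as the other ALTERNATIVE, and inside the sub-flow a REQUIRED password step followed by a REQUIRED OTP step. It assumes realm test and an existing client www.example.com; auth-cookie and auth-username-password-form are the provider IDs used on this page, and auth-otp-form is Keycloak's built-in OTP form authenticator. Ordering between the resources comes from the autorequires listed above, so no explicit require is needed.

```puppet
# Added example, not from the module's documentation.
# Assumed: realm 'test', client 'www.example.com'. 'auth-otp-form' is
# Keycloak's built-in OTP authenticator provider ID.
$realm = 'test'
$flow  = 'browser-with-otp'

# Top-level flow. Titles below follow the page's "<x> under <flow> on <realm>"
# pattern, which sets flow_alias and realm without extra parameters.
keycloak_flow { $flow:
  ensure      => 'present',
  realm       => $realm,
  description => 'Browser login that always requires a second factor',
}

# Returning browsers with a valid SSO cookie skip the forms entirely.
keycloak_flow_execution { "auth-cookie under ${flow} on ${realm}":
  ensure       => 'present',
  configurable => false,
  display_name => 'Cookie',
  priority     => 10,
  requirement  => 'ALTERNATIVE',
}

# Otherwise fall through to the forms sub-flow (priority orders the alternatives).
keycloak_flow { "forms-${flow} under ${flow} on ${realm}":
  ensure      => 'present',
  top_level   => false,
  priority    => 20,
  requirement => 'ALTERNATIVE',
}

# Inside the sub-flow both steps are REQUIRED: password first, then OTP.
# Marking OTP REQUIRED (not CONDITIONAL) means users without an OTP
# credential are forced to enrol one at login instead of bypassing it.
keycloak_flow_execution { "auth-username-password-form under forms-${flow} on ${realm}":
  ensure       => 'present',
  configurable => false,
  display_name => 'Username Password Form',
  priority     => 10,
  requirement  => 'REQUIRED',
}

keycloak_flow_execution { "auth-otp-form under forms-${flow} on ${realm}":
  ensure       => 'present',
  configurable => false,
  display_name => 'OTP Form',
  priority     => 20,
  requirement  => 'REQUIRED',
}

# Bind the flow to one client via the browser override (flow alias, not ID)
# so it can be trialled before becoming the realm-wide browser flow.
# keycloak_client manages the whole client, so the other desired properties
# are stated here too.
keycloak_client { 'www.example.com':
  ensure                => 'present',
  realm                 => $realm,
  browser_flow          => $flow,
  redirect_uris         => ['https://www.example.com/oidc'],
  default_client_scopes => ['profile', 'email'],
}
```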
Properties
The following properties are available in the keycloak_flow_execution
type.
config
execution config
configurable
Valid values: true, false
configurable
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
priority
execution priority
requirement
Valid values: DISABLED, ALTERNATIVE, REQUIRED, CONDITIONAL, disabled, alternative, required, conditional
requirement
Default value: DISABLED
Parameters
The following parameters are available in the keycloak_flow_execution
type.
alias
alias
config_id
read-only config ID
display_name
displayName
flow_alias
flowAlias
id
read-only Id
name
namevar
The flow execution name
provider
The specific backend to use for this keycloak_flow_execution
resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
provider_id
provider
realm
realm
keycloak_identity_provider
Manage Keycloak identity providers
Examples
Add CILogon identity provider to test realm
keycloak_identity_provider { 'cilogon on test':
ensure => 'present',
display_name => 'CILogon',
provider_id => 'oidc',
first_broker_login_flow_alias => 'browser',
client_id => 'cilogon:/client_id/foobar',
client_secret => 'supersecret',
user_info_url => 'https://cilogon.org/oauth2/userinfo',
token_url => 'https://cilogon.org/oauth2/token',
authorization_url => 'https://cilogon.org/authorize',
}
Properties
The following properties are available in the keycloak_identity_provider
type.
add_read_token_role_on_create
Valid values: true, false
addReadTokenRoleOnCreate
Default value: false
allowed_clock_skew
allowedClockSkew
authenticate_by_default
Valid values: true, false
authenticateByDefault
Default value: false
authorization_url
authorizationUrl
backchannel_supported
Valid values: true, false
backchannelSupported
Default value: false
client_auth_method
Valid values: client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt
clientAuthMethod
Default value: client_secret_post
client_id
clientId
client_secret
clientSecret
default_scope
default_scope
disable_user_info
Valid values: true, false
disableUserInfo
Default value: false
display_name
displayName
enabled
Valid values: true, false
enabled
Default value: true
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
first_broker_login_flow_alias
firstBrokerLoginFlowAlias
Default value: first broker login
forward_parameters
forwardParameters
gui_order
guiOrder
hide_on_login_page
Valid values: true, false
hideOnLoginPage
Default value: false
issuer
issuer
jwks_url
jwksUrl
link_only
Valid values: true, false
linkOnly
Default value: false
login_hint
Valid values: true, false
loginHint
Default value: false
logout_url
logoutUrl
post_broker_login_flow_alias
postBrokerLoginFlowAlias
prompt
Valid values: none, consent, login, select_account
prompt
store_token
Valid values: true, false
storeToken
Default value: false
sync_mode
Valid values: IMPORT, LEGACY, FORCE
syncMode
Default value: IMPORT
token_url
tokenUrl
trust_email
Valid values: true, false
trustEmail
Default value: false
ui_locales
Valid values: true, false
uiLocales
Default value: false
update_profile_first_login_mode
Valid values: on, off
updateProfileFirstLoginMode
Default value: on
use_jwks_url
Valid values: true, false
useJwksUrl
Default value: true
user_info_url
userInfoUrl
validate_signature
Valid values: true, false
validateSignature
Default value: false
Parameters
The following parameters are available in the keycloak_identity_provider
type.
alias
The identity provider name. Defaults to name.
internal_id
internalId. Defaults to "alias-realm"
name
namevar
The identity provider name
provider
The specific backend to use for this keycloak_identity_provider
resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
provider_id
Valid values: oidc, keycloak-oidc
providerId
Default value: oidc
realm
realm
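Two defaults in the property list above deserve attention when brokering to an external OIDC provider: validate_signature defaults to false, so by default Keycloak accepts ID tokens from the upstream provider without checking their signature, and trust_email defaults to false, which is the safe setting and should stay that way unless the upstream provider is known to verify addresses. The following is an added example, not part of the module's documentation, of a brokered OIDC provider declared with signature validation on. It assumes an upstream provider at https://idp.example.com with the endpoint paths shown and a Hiera key profile::keycloak::corp_idp_secret holding the client secret (all placeholders).

```puppet
# Added example, not from the module's documentation.
# Assumed placeholders: https://idp.example.com endpoints and the Hiera key
# profile::keycloak::corp_idp_secret.
keycloak_identity_provider { 'corp-idp on test':
  ensure                        => 'present',
  display_name                  => 'Corporate SSO',
  provider_id                   => 'oidc',
  client_id                     => 'keycloak-broker',
  client_secret                 => lookup('profile::keycloak::corp_idp_secret'),
  client_auth_method            => 'client_secret_basic',
  authorization_url             => 'https://idp.example.com/oauth2/authorize',
  token_url                     => 'https://idp.example.com/oauth2/token',
  user_info_url                 => 'https://idp.example.com/oauth2/userinfo',
  logout_url                    => 'https://idp.example.com/oauth2/logout',
  # Pin the expected issuer and verify ID token signatures against the
  # upstream JWKS; validate_signature is false by default.
  issuer                        => 'https://idp.example.com',
  validate_signature            => true,
  use_jwks_url                  => true,
  jwks_url                      => 'https://idp.example.com/.well-known/jwks.json',
  default_scope                 => 'openid email profile',
  # Do not treat the upstream email as verified and do not persist upstream
  # tokens in Keycloak; nothing here needs them after login.
  trust_email                   => false,
  store_token                   => false,
  # Re-apply upstream profile attributes on every login rather than only
  # on first import.
  sync_mode                     => 'FORCE',
  first_broker_login_flow_alias => 'first broker login',
}
```

The title follows the page's "<alias> on <realm>" pattern; alias and realm are derived from it and internal_id defaults to "alias-realm".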
keycloak_ldap_mapper
Manage Keycloak LDAP attribute mappers
Examples
Add full name attribute mapping
keycloak_ldap_mapper { 'full name for LDAP-test on test':
ensure => 'present',
type => 'full-name-ldap-mapper',
ldap_attribute => 'gecos',
}
Properties
The following properties are available in the keycloak_ldap_mapper
type.
always_read_value_from_ldap
Valid values: true, false
always.read.value.from.ldap. Defaults to true if type is user-attribute-ldap-mapper.
client_id
client.id, only for type of role-ldap-mapper
drop_non_existing_groups_during_sync
Valid values: true, false
drop.non.existing.groups.during.sync, only for type of group-ldap-mapper
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
group_name_ldap_attribute
group.name.ldap.attribute, only for type of group-ldap-mapper
group_object_classes
group.object.classes, only for type of group-ldap-mapper
groups_dn
groups.dn, only for type of group-ldap-mapper
groups_ldap_filter
groups.ldap.filter, only for type of group-ldap-mapper
ignore_missing_groups
Valid values: true, false
ignore.missing.groups, only for type of group-ldap-mapper
is_mandatory_in_ldap
is.mandatory.in.ldap. Defaults to false unless type is full-name-ldap-mapper.
ldap_attribute
ldap.attribute
mapped_group_attributes
mapped.group.attributes, only for type of group-ldap-mapper
Default value: absent
memberof_ldap_attribute
memberof.ldap.attribute, only for type of group-ldap-mapper and role-ldap-mapper
membership_attribute_type
Valid values: DN, UID
membership.attribute.type, only for type of group-ldap-mapper and role-ldap-mapper
membership_ldap_attribute
membership.ldap.attribute, only for type of group-ldap-mapper and role-ldap-mapper
membership_user_ldap_attribute
membership.user.ldap.attribute, only for type of group-ldap-mapper and role-ldap-mapper
mode
Valid values: READ_ONLY, LDAP_ONLY
mode, only for type of group-ldap-mapper and role-ldap-mapper
preserve_group_inheritance
Valid values: true, false
preserve.group.inheritance, only for type of group-ldap-mapper
read_only
Valid values: true, false
read.only
role_name_ldap_attribute
role.name.ldap.attribute, only for type of role-ldap-mapper
role_object_classes
role.object.classes, only for type of role-ldap-mapper
roles_dn
roles.dn, only for type of role-ldap-mapper
roles_ldap_filter
roles.ldap.filter, only for type of role-ldap-mapper
use_realm_roles_mapping
Valid values: true, false
use.realm.roles.mapping, only for type of role-ldap-mapper
user_model_attribute
user.model.attribute
user_roles_retrieve_strategy
Valid values: LOAD_GROUPS_BY_MEMBER_ATTRIBUTE, GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE, LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY, LOAD_ROLES_BY_MEMBER_ATTRIBUTE, GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE, LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY
user.roles.retrieve.strategy, only for type of group-ldap-mapper and role-ldap-mapper
write_only
Valid values: true, false
write.only. Defaults to false if type is full-name-ldap-mapper.
Parameters
The following parameters are available in the keycloak_ldap_mapper
type.
id
Id.
ldap
Name of the parent keycloak_ldap_user_provider resource
name
namevar
The LDAP mapper name
parent_id
parentId
provider
The specific backend to use for this keycloak_ldap_mapper
resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
realm
realm
resource_name
The LDAP mapper name. Defaults to name.
type
Valid values: user-attribute-ldap-mapper, full-name-ldap-mapper, group-ldap-mapper, role-ldap-mapper
providerId
Default value: user-attribute-ldap-mapper
keycloak_ldap_user_provider
Manage Keycloak LDAP user providers
Examples
Add LDAP user provider to test realm
keycloak_ldap_user_provider { 'LDAP on test':
ensure => 'present',
users_dn => 'ou=People,dc=example,dc=com',
connection_url => 'ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636',
import_enabled => false,
use_truststore_spi => 'never',
}
Properties
The following properties are available in the keycloak_ldap_user_provider
type.
allow_kerberos_authentication
Valid values: true, false
allowKerberosAuthentication
auth_type
Valid values: none, simple
authType
Default value: none
batch_size_for_sync
batchSizeForSync
Default value: 1000
bind_credential
bindCredential
bind_dn
bindDn
cache_policy
Valid values: DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, NO_CACHE
cachePolicy
Default value: DEFAULT
changed_sync_period
changedSyncPeriod
Default value: -1
connection_url
connectionUrl
custom_user_search_filter
Valid values: %r{.*}, absent
customUserSearchFilter
Default value: absent
edit_mode
Valid values: READ_ONLY, WRITABLE, UNSYNCED
editMode
Default value: READ_ONLY
enabled
Valid values: true, false
enabled
Default value: true
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
full_sync_period
fullSyncPeriod
Default value: -1
import_enabled
Valid values: true, false
importEnabled
Default value: true
kerberos_realm
kerberosRealm
key_tab
keyTab
priority
priority
Default value: 0
rdn_ldap_attribute
rdnLdapAttribute
Default value: uid
search_scope
Valid values: one, one_level, subtree, 1, 2 (the numeric values are accepted as integers or as strings)
searchScope
server_principal
serverPrincipal
sync_registrations
Valid values: true, false
syncRegistrations
Default value: false
trust_email
Valid values: true, false
trustEmail
Default value: false
use_kerberos_for_password_authentication
Valid values: true, false
useKerberosForPasswordAuthentication
use_truststore_spi
Valid values: always, never
useTruststoreSpi
Default value: always
user_object_classes
userObjectClasses
Default value: ['inetOrgPerson', 'organizationalPerson']
username_ldap_attribute
usernameLdapAttribute
Default value: uid
users_dn
usersDn
uuid_ldap_attribute
uuidLdapAttribute
Default value: entryUUID
vendor
Valid values: ad, rhds, tivoli, eDirectory, other
vendor
Default value: other
Parameters
The following parameters are available in the keycloak_ldap_user_provider
type.
id
Id
name
namevar
The LDAP user provider name
provider
The specific backend to use for this keycloak_ldap_user_provider
resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
realm
parentId
resource_name
The LDAP user provider name. Defaults to name
.
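The LDAP provider properties above assembled into a defensive configuration, as an added example that is not from the module's README: LDAPS validated through the Keycloak truststore, a read-only mapping, no registration sync, directory e-mail addresses not treated as verified, and scheduled syncs so removed accounts disappear. The host names, DNs, search filter and the bind_credential property (bindCredential, not listed in the excerpt above) are assumptions.

```puppet
# Added example, not from the module README. Assumes a realm 'test' that is
# already managed by keycloak_realm and a directory at ldap.example.com.
# The bind password is looked up from Hiera (e.g. eyaml) so no secret is
# written into the manifest; the key name is an assumption.
$ldap_bind_password = lookup('profile::keycloak::ldap_bind_password')

keycloak_ldap_user_provider { 'LDAP on test':
  ensure                    => 'present',
  enabled                   => true,
  vendor                    => 'other',
  # LDAPS only. With use_truststore_spi => 'always' the server certificate is
  # checked against the Keycloak truststore (truststore-paths) rather than
  # whatever the JVM default store happens to contain.
  connection_url            => 'ldaps://ldap.example.com:636',
  use_truststore_spi        => 'always',
  users_dn                  => 'ou=people,dc=example,dc=com',
  # Dedicated read-only service account for the bind.
  bind_dn                   => 'cn=keycloak-reader,ou=service,dc=example,dc=com',
  bind_credential           => $ldap_bind_password, # assumed property (bindCredential)
  # Restrict which directory entries can become Keycloak users.
  user_object_classes       => ['inetOrgPerson'],
  custom_user_search_filter => '(memberOf=cn=sso-users,ou=groups,dc=example,dc=com)',
  search_scope              => 'subtree',
  username_ldap_attribute   => 'uid',
  rdn_ldap_attribute        => 'uid',
  uuid_ldap_attribute       => 'entryUUID',
  # Keycloak never writes back to the directory, and users who register in
  # Keycloak are not created in LDAP.
  edit_mode                 => 'READ_ONLY',
  sync_registrations        => false,
  # A directory e-mail address is not proof that the user controls it.
  trust_email               => false,
  import_enabled            => true,
  # The default -1 never syncs; periodic syncs pick up disabled or deleted
  # directory accounts (values in seconds).
  changed_sync_period       => 900,
  full_sync_period          => 86400,
  cache_policy              => 'EVICT_DAILY',
  priority                  => 0,
}
```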
keycloak_protocol_mapper
Manage Keycloak client scope protocol mappers

Examples
Add email protocol mapper to oidc-client client scope in realm test
keycloak_protocol_mapper { "email for oidc-clients on test":
  claim_name     => 'email',
  user_attribute => 'email',
}

Properties
The following properties are available in the keycloak_protocol_mapper type.

access_token_claim
Valid values: true, false
access.token.claim. Defaults to true for protocol openid-connect.

attribute_name
attribute.name. Defaults to resource_name for type saml-user-property-mapper.

attribute_nameformat
attribute.nameformat

claim_name
claim.name

ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present

friendly_name
friendly.name. Defaults to resource_name for type saml-user-property-mapper.

full_path
Valid values: true, false
full.path. Defaults to false for type oidc-group-membership-mapper.

id_token_claim
Valid values: true, false
id.token.claim. Defaults to true for protocol openid-connect.

included_client_audience
included.client.audience. Required for type oidc-audience-mapper.

json_type_label
json.type.label. Defaults to String for types oidc-usermodel-property-mapper and oidc-group-membership-mapper.

multivalued
Valid values: true, false
multivalued

protocol
Valid values: openid-connect, saml
protocol
Default value: openid-connect

single
Valid values: true, false
single. Defaults to false for type saml-role-list-mapper.

user_attribute
user.attribute. Defaults to resource_name for type oidc-usermodel-property-mapper or saml-user-property-mapper.

userinfo_token_claim
Valid values: true, false
userinfo.token.claim. Defaults to true for protocol openid-connect, except for type oidc-audience-mapper.

Parameters
The following parameters are available in the keycloak_protocol_mapper type.

client_scope
client scope

id
Id.

name
namevar
The protocol mapper name

provider
The specific backend to use for this keycloak_protocol_mapper resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

realm
realm

resource_name
The protocol mapper name. Defaults to name.

type
Valid values: oidc-usermodel-property-mapper, oidc-usermodel-attribute-mapper, oidc-full-name-mapper, oidc-group-membership-mapper, oidc-audience-mapper, saml-group-membership-mapper, saml-user-property-mapper, saml-user-attribute-mapper, saml-role-list-mapper
protocolMapper. Defaults to oidc-usermodel-property-mapper for protocol openid-connect and saml-user-property-mapper for protocol saml.
keycloak_realm
Manage Keycloak realms

Examples
Add a realm with a custom theme
keycloak_realm { 'test':
  ensure                   => 'present',
  remember_me              => true,
  login_with_email_allowed => false,
  login_theme              => 'my_theme',
}

Properties
The following properties are available in the keycloak_realm type.

access_code_lifespan
accessCodeLifespan

access_code_lifespan_login
accessCodeLifespanLogin

access_code_lifespan_user_action
accessCodeLifespanUserAction

access_token_lifespan
accessTokenLifespan

access_token_lifespan_for_implicit_flow
accessTokenLifespanForImplicitFlow

account_theme
accountTheme
Default value: keycloak

action_token_generated_by_admin_lifespan
actionTokenGeneratedByAdminLifespan

action_token_generated_by_user_lifespan
actionTokenGeneratedByUserLifespan

admin_events_details_enabled
Valid values: true, false
adminEventsDetailsEnabled
Default value: false

admin_events_enabled
Valid values: true, false
adminEventsEnabled
Default value: false

admin_theme
adminTheme
Default value: keycloak

browser_flow
browserFlow
Default value: browser

brute_force_protected
Valid values: true, false
bruteForceProtected

client_authentication_flow
clientAuthenticationFlow
Default value: clients

content_security_policy
contentSecurityPolicy
Default value: frame-src 'self'; frame-ancestors 'self'; object-src 'none';

custom_properties
Custom properties to pass as realm configuration

default_client_scopes
Default client scopes

default_locale
defaultLocale

direct_grant_flow
directGrantFlow
Default value: direct grant

display_name
displayName

display_name_html
displayNameHtml

docker_authentication_flow
dockerAuthenticationFlow
Default value: docker auth

duplicate_emails_allowed
Valid values: true, false
duplicateEmailsAllowed
Default value: false

edit_username_allowed
Valid values: true, false
editUsernameAllowed
Default value: false

email_theme
emailTheme
Default value: keycloak

enabled
Valid values: true, false
enabled
Default value: true

ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present

events_enabled
Valid values: true, false
eventsEnabled
Default value: false

events_expiration
eventsExpiration

events_listeners
eventsListeners
Default value: ['jboss-logging']

failure_factor
failureFactor
Default value: 30

internationalization_enabled
Valid values: true, false
internationalizationEnabled
Default value: false

login_theme
loginTheme
Default value: keycloak

login_with_email_allowed
Valid values: true, false
loginWithEmailAllowed
Default value: true

max_delta_time_seconds
maxDeltaTimeSeconds
Default value: 43_200

max_failure_wait_seconds
maxFailureWaitSeconds
Default value: 900

minimum_quick_login_wait_seconds
minimumQuickLoginWaitSeconds
Default value: 60

offline_session_idle_timeout
offlineSessionIdleTimeout

offline_session_max_lifespan
offlineSessionMaxLifespan

offline_session_max_lifespan_enabled
Valid values: true, false
offlineSessionMaxLifespanEnabled
Default value: false

optional_client_scopes
Optional client scopes

otp_policy_algorithm
Valid values: HmacSHA1, HmacSHA256, HmacSHA512
otpPolicyAlgorithm
Default value: HmacSHA1

otp_policy_code_reusable
Valid values: true, false
otpPolicyCodeReusable
Default value: false

otp_policy_digits
Valid values: 6, 8
otpPolicyDigits
Default value: 6

otp_policy_initial_counter
otpPolicyInitialCounter
Default value: 0

otp_policy_look_ahead_window
otpPolicyLookAheadWindow
Default value: 1

otp_policy_period
otpPolicyPeriod
Default value: 30

otp_policy_type
Valid values: totp, hotp
otpPolicyType
Default value: totp

password_policy
passwordPolicy

permanent_lockout
Valid values: true, false
permanentLockout
Default value: false

quick_login_check_milli_seconds
quickLoginCheckMilliSeconds
Default value: 1_000

registration_allowed
Valid values: true, false
registrationAllowed
Default value: false

registration_flow
registrationFlow
Default value: registration

remember_me
Valid values: true, false
rememberMe
Default value: false

reset_credentials_flow
resetCredentialsFlow
Default value: reset credentials

reset_password_allowed
Valid values: true, false
resetPasswordAllowed
Default value: false

roles
roles
Default value: ['offline_access', 'uma_authorization']

smtp_server_auth
Valid values: true, false
smtpServer auth

smtp_server_envelope_from
smtpServer envelope_from

smtp_server_from
smtpServer from

smtp_server_from_display_name
smtpServer fromDisplayName

smtp_server_host
smtpServer host

smtp_server_password
smtpServer password

smtp_server_port
smtpServer port

smtp_server_reply_to
smtpServer replyto

smtp_server_reply_to_display_name
smtpServer replyToDisplayName

smtp_server_ssl
Valid values: true, false
smtpServer ssl

smtp_server_starttls
Valid values: true, false
smtpServer starttls

smtp_server_user
smtpServer user

ssl_required
Valid values: none, all, external
sslRequired
Default value: external

sso_session_idle_timeout
ssoSessionIdleTimeout

sso_session_idle_timeout_remember_me
ssoSessionIdleTimeoutRememberMe

sso_session_max_lifespan
ssoSessionMaxLifespan

sso_session_max_lifespan_remember_me
ssoSessionMaxLifespanRememberMe

supported_locales
Supported locales

user_managed_access_allowed
Valid values: true, false
userManagedAccessAllowed
Default value: false

verify_email
Valid values: true, false
verifyEmail
Default value: false

wait_increment_seconds
waitIncrementSeconds
Default value: 60

web_authn_policy_acceptable_aaguids
webAuthnPolicyAcceptableAaguids
Default value: []

web_authn_policy_attestation_conveyance_preference
Valid values: none, direct, indirect, not specified
webAuthnPolicyAttestationConveyancePreference
Default value: not specified

web_authn_policy_authenticator_attachment
Valid values: platform, cross-platform, not specified
webAuthnPolicyAuthenticatorAttachment
Default value: not specified

web_authn_policy_avoid_same_authenticator_register
Valid values: true, false
webAuthnPolicyAvoidSameAuthenticatorRegister
Default value: false

web_authn_policy_create_timeout
webAuthnPolicyCreateTimeout
Default value: 0

web_authn_policy_extra_origins
webAuthnPolicyExtraOrigins
Default value: []

web_authn_policy_passwordless_acceptable_aaguids
webAuthnPolicyPasswordlessAcceptableAaguids
Default value: []

web_authn_policy_passwordless_attestation_conveyance_preference
Valid values: none, direct, indirect, not specified
webAuthnPolicyPasswordlessAttestationConveyancePreference
Default value: not specified

web_authn_policy_passwordless_authenticator_attachment
Valid values: platform, cross-platform, not specified
webAuthnPolicyPasswordlessAuthenticatorAttachment
Default value: not specified

web_authn_policy_passwordless_avoid_same_authenticator_register
Valid values: true, false
webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister
Default value: false

web_authn_policy_passwordless_create_timeout
webAuthnPolicyPasswordlessCreateTimeout
Default value: 0

web_authn_policy_passwordless_extra_origins
webAuthnPolicyPasswordlessExtraOrigins
Default value: []

web_authn_policy_passwordless_require_resident_key
Valid values: No, Yes, not specified
webAuthnPolicyPasswordlessRequireResidentKey
Default value: not specified

web_authn_policy_passwordless_rp_entity_name
webAuthnPolicyPasswordlessRpEntityName
Default value: keycloak

web_authn_policy_passwordless_rp_id
webAuthnPolicyPasswordlessRpId
Default value: ''

web_authn_policy_passwordless_signature_algorithms
webAuthnPolicyPasswordlessSignatureAlgorithms
Default value: ['ES256']

web_authn_policy_passwordless_user_verification_requirement
Valid values: required, preferred, discouraged, not specified
webAuthnPolicyPasswordlessUserVerificationRequirement
Default value: not specified

web_authn_policy_require_resident_key
Valid values: No, Yes, not specified
webAuthnPolicyRequireResidentKey
Default value: not specified

web_authn_policy_rp_entity_name
webAuthnPolicyRpEntityName
Default value: keycloak

web_authn_policy_rp_id
webAuthnPolicyRpId
Default value: ''

web_authn_policy_signature_algorithms
webAuthnPolicySignatureAlgorithms
Default value: ['ES256']

web_authn_policy_user_verification_requirement
Valid values: required, preferred, discouraged, not specified
webAuthnPolicyUserVerificationRequirement
Default value: not specified

Parameters
The following parameters are available in the keycloak_realm type.

id
Id. Defaults to name.

manage_roles
Valid values: true, false
Manage realm roles
Default value: true

name
namevar
The realm name

provider
The specific backend to use for this keycloak_realm resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.
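As an added example that is not part of the module's reference, a keycloak_realm declaration that uses the properties above to harden a realm: TLS required for every client, brute-force protection with temporary rather than permanent lockout, a password and OTP policy, WebAuthn with user verification pinned to the SSO host, and login and admin event auditing. The realm name, RP id, timeout values and the password policy string are assumptions; the defaults quoted in the comments are the ones listed in the property reference.

```puppet
# Added example, not from the module README. 'corp' and sso.example.com are
# constructed values; every property used is listed in the keycloak_realm
# reference, and the comments quote the defaults each setting changes.
keycloak_realm { 'corp':
  ensure                                         => 'present',
  enabled                                        => true,
  display_name                                   => 'Corporate SSO',
  # Transport: refuse plain HTTP for all clients, not only external ones
  # (default: external).
  ssl_required                                   => 'all',
  # Self-service surface: no open registration, no username edits, unique
  # and verified e-mail addresses.
  registration_allowed                           => false,
  edit_username_allowed                          => false,
  duplicate_emails_allowed                       => false,
  verify_email                                   => true,
  reset_password_allowed                         => true,
  remember_me                                    => false,
  # Brute-force protection is off by default. Temporary lockout with
  # back-off is preferred over permanent lockout, which turns password
  # guessing into a denial of service against the targeted accounts.
  brute_force_protected                          => true,
  permanent_lockout                              => false,
  failure_factor                                 => 10,    # default 30
  wait_increment_seconds                         => 60,
  max_failure_wait_seconds                       => 900,
  max_delta_time_seconds                         => 43200,
  quick_login_check_milli_seconds                => 1000,
  minimum_quick_login_wait_seconds               => 60,
  # Keycloak's own password policy syntax; assumed to be passed through
  # unchanged as passwordPolicy.
  password_policy                                => 'length(14) and notUsername and notEmail and passwordHistory(5)',
  # OTP: TOTP, 6 digits, 30 s step, no code reuse. HmacSHA1 is kept at the
  # default because several authenticator apps ignore any other algorithm;
  # it is an HMAC key derivation, not a collision-sensitive use of SHA-1.
  otp_policy_type                                => 'totp',
  otp_policy_algorithm                           => 'HmacSHA1',
  otp_policy_digits                              => 6,
  otp_policy_period                              => 30,
  otp_policy_look_ahead_window                   => 1,
  otp_policy_code_reusable                       => false,
  # WebAuthn: user verification mandatory (default: not specified), RP id
  # pinned to the SSO host so credentials cannot be replayed elsewhere,
  # ES256 only, and one registration per authenticator.
  web_authn_policy_rp_entity_name                => 'Corporate SSO',
  web_authn_policy_rp_id                         => 'sso.example.com',
  web_authn_policy_signature_algorithms          => ['ES256'],
  web_authn_policy_user_verification_requirement => 'required',
  web_authn_policy_avoid_same_authenticator_register => true,
  # Session bounds in seconds (assumed values): short idle timeout, hard
  # cap on session lifetime, and a bounded offline token idle time.
  sso_session_idle_timeout                       => 1800,
  sso_session_max_lifespan                       => 36000,
  offline_session_idle_timeout                   => 2592000,
  # Audit: login and admin events are off by default; jboss-logging sends
  # them to the server log where a SIEM can collect them. The 30-day
  # expiration keeps the events table bounded.
  events_enabled                                 => true,
  events_expiration                              => 2592000,
  events_listeners                               => ['jboss-logging'],
  admin_events_enabled                           => true,
  admin_events_details_enabled                   => true,
  # Keep the default clickjacking protection explicit in code.
  content_security_policy                        => "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
}
```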
keycloak_required_action
Manage Keycloak required actions

Examples
Enable WebAuthn Register and make it default
keycloak_required_action { 'webauthn-register on master':
  ensure       => present,
  provider_id  => 'webauthn-register',
  display_name => 'Webauthn Register',
  default      => true,
  enabled      => true,
  priority     => 1,
  config       => {
    'something' => 'true', # keep in mind that Keycloak only supports strings for both keys and values
    'smth else' => '1',
  },
}

Minimal example to enable email verification without making it default
keycloak_required_action { 'VERIFY_EMAIL on master':
  ensure => present,
}

Properties
The following properties are available in the keycloak_required_action type.

config
Required action config

default
Valid values: true, false
Whether the required action is a default one. Defaults to false.
Default value: false

display_name
Displayed name.

enabled
Valid values: true, false
Whether the required action is enabled. Defaults to true.
Default value: true

ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present

priority
Required action priority

Parameters
The following parameters are available in the keycloak_required_action type.

name
namevar
The required action name

provider
The specific backend to use for this keycloak_required_action resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

provider_id
providerId of the required action.

realm
realm

keycloak_resource_validator
Verify that a specific Keycloak resource is available

Properties
The following properties are available in the keycloak_resource_validator type.

ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present

Parameters
The following parameters are available in the keycloak_resource_validator type.

dependent_resources
Resources that should autorequire this validator, e.g. Keycloak_flow_execution[foobar]

name
namevar
An arbitrary name used as the identity of the resource.

provider
The specific backend to use for this keycloak_resource_validator resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

realm
Realm to query

test_key
Key to look up

test_url
URL to use for testing whether the Keycloak database is up

test_value
Value to look up

timeout
The maximum number of seconds the validator waits before giving up and deciding that Keycloak is not running; defaults to 15 seconds.
Default value: 30

keycloak_role_mapping
Attach realm roles to users and groups

Examples
Ensure that a user has the defined realm roles
keycloak_role_mapping { 'john-offline_access':
  realm       => 'test',
  name        => 'john',
  realm_roles => ['offline_access'],
}

Properties
The following properties are available in the keycloak_role_mapping type.

realm_roles
realm roles
Default value: []

Parameters
The following parameters are available in the keycloak_role_mapping type.

group
Valid values: true, false
Whether this is a group instead of a user
Default value: false

name
namevar
--uusername/--gname

provider
The specific backend to use for this keycloak_role_mapping resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

realm
realm

keycloak_sssd_user_provider
Manage Keycloak SSSD user providers

Examples
Add SSSD user provider to test realm
keycloak_sssd_user_provider { 'SSSD on test':
  ensure => 'present',
}

Properties
The following properties are available in the keycloak_sssd_user_provider type.

cache_policy
Valid values: DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, NO_CACHE
cachePolicy
Default value: DEFAULT

enabled
Valid values: true, false
enabled
Default value: true

ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present

eviction_day
evictionDay

eviction_hour
evictionHour

eviction_minute
evictionMinute

max_lifespan
maxLifespan

priority
priority
Default value: 0

Parameters
The following parameters are available in the keycloak_sssd_user_provider type.

id
Id. Defaults to "resource_name-realm"

name
namevar
The SSSD user provider name

provider
The specific backend to use for this keycloak_sssd_user_provider resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

realm
parentId

resource_name
The SSSD user provider name. Defaults to name.
Data types
Keycloak::Configs
https://www.keycloak.org/server/all-config
Alias of
Struct[{
Optional['cache'] => Enum['local', 'ispn'],
Optional['cache-config-file'] => String[1],
Optional['cache-embedded-mtls-enabled'] => Boolean,
Optional['cache-embedded-mtls-key-store-file'] => String[1],
Optional['cache-embedded-mtls-key-store-password'] => Variant[String[1], Sensitive],
Optional['cache-embedded-mtls-trust-store-file'] => String[1],
Optional['cache-embedded-mtls-trust-store-password'] => Variant[String[1], Sensitive],
Optional['cache-remote-host'] => Variant[Stdlib::Host, Stdlib::IP::Address],
Optional['cache-remote-password'] => Variant[String[1], Sensitive],
Optional['cache-remote-port'] => Stdlib::Port,
Optional['cache-remote-username'] => String[1],
Optional['cache-stack'] => Enum['tcp','udp','kubernetes','ec2','azure','google'],
Optional['db'] => Enum['dev-file','dev-mem','mariadb','mysql','oracle','postgres'],
Optional['db-password'] => String[1],
Optional['db-pool-initial-size'] => Integer,
Optional['db-pool-max-size'] => Integer,
Optional['db-pool-min-size'] => Integer,
Optional['db-schema'] => String[1],
Optional['db-url'] => String[1],
Optional['db-url-database'] => String[1],
Optional['db-url-host'] => Stdlib::Host,
Optional['db-url-port'] => Stdlib::Port,
Optional['db-url-properties'] => String[1],
Optional['db-username'] => String[1],
Optional['transaction-xa-enabled'] => Boolean,
Optional['features'] => Array[String[1]],
Optional['features-disabled'] => Array[String[1]],
Optional['hostname'] => Variant[Stdlib::Host, Stdlib::HTTPUrl, Stdlib::HTTPSUrl],
Optional['hostname-admin'] => Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl],
Optional['hostname-backchannel-dynamic'] => Boolean,
Optional['hostname-debug'] => Boolean,
Optional['hostname-strict'] => Boolean,
Optional['http-enabled'] => Boolean,
Optional['http-host'] => Stdlib::Host,
Optional['http-max-queued-requests'] => Integer,
Optional['http-pool-max-threads'] => Integer,
Optional['http-port'] => Stdlib::Port,
Optional['http-relative-path'] => String[1],
Optional['https-certificate-file'] => Stdlib::Absolutepath,
Optional['https-certificate-key-file'] => Stdlib::Absolutepath,
Optional['https-cipher-suites'] => Array[String[1]],
Optional['https-client-auth'] => Enum['none','request','required'],
Optional['https-key-store-file'] => Stdlib::Absolutepath,
Optional['https-key-store-password'] => Variant[String[1], Sensitive],
Optional['https-key-store-type'] => String[1],
Optional['https-port'] => Stdlib::Port,
Optional['https-protocols'] => Array[String[1]],
Optional['https-trust-store-file'] => Stdlib::Absolutepath,
Optional['https-trust-store-password'] => Variant[String[1], Sensitive],
Optional['https-trust-store-type'] => String[1],
Optional['http-management-port'] => Stdlib::Port,
Optional['http-management-relative-path'] => String[1],
Optional['https-management-certificate-file'] => Stdlib::Absolutepath,
Optional['https-management-certificate-key-file'] => Stdlib::Absolutepath,
Optional['https-management-client-auth'] => Enum['none','request','required'],
Optional['https-management-key-store-file'] => Stdlib::Absolutepath,
Optional['https-management-key-store-password'] => Variant[String[1], Sensitive],
Optional['health-enabled'] => Boolean,
Optional['config-keystore'] => String[1],
Optional['config-keystore-password'] => Variant[String[1], Sensitive],
Optional['config-keystore-type'] => Enum['PKCS12'],
Optional['metrics-enabled'] => Boolean,
Optional['proxy'] => Enum['edge','reencrypt','passthrough','none'],
Optional['proxy-headers'] => Enum['forwarded', 'xforwarded'],
Optional['vault'] => Enum['file','keystore'],
Optional['vault-dir'] => Stdlib::Absolutepath,
Optional['vault-file'] => Stdlib::Absolutepath,
Optional['vault-pass'] => Variant[String[1], Sensitive],
Optional['vault-type'] => Enum['PKCS12'],
Optional['log'] => Array[Enum['console','file','gelf','syslog']],
Optional['log-console-color'] => Boolean,
Optional['log-console-format'] => String[1],
Optional['log-console-output'] => Enum['default','json'],
Optional['log-file'] => String[1],
Optional['log-file-format'] => String[1],
Optional['log-file-output'] => Enum['default','json'],
Optional['log-gelf-facility'] => String[1],
Optional['log-gelf-host'] => Stdlib::Host,
Optional['log-gelf-include-location'] => Boolean,
Optional['log-gelf-include-message-parameters'] => Boolean,
Optional['log-gelf-include-stack-trace'] => Boolean,
Optional['log-gelf-level'] => String[1],
Optional['log-gelf-max-message-size'] => Integer,
Optional['log-gelf-port'] => Stdlib::Port,
Optional['log-gelf-timestamp-format'] => String[1],
Optional['log-syslog-protocol'] => Enum['tcp','udp','ssl-tcp'],
Optional['log-syslog-endpoint'] => String[1],
Optional['log-syslog-format'] => String[1],
Optional['log-syslog-output'] => Enum['json','default'],
Optional['log-level'] => String[1],
Optional['tls-hostname-verifier'] => Enum['ANY','WILDCARD','STRICT'],
Optional['truststore-paths'] => Array[String[1]],
Optional['fips-mode'] => Enum['non-strict','strict'],
Optional['dir'] => Stdlib::Absolutepath,
Optional['realm'] => String[1],
Optional['users'] => Enum['skip','realm_file','same_file','different_files'],
Optional['users-per-file'] => Integer,
Optional['file'] => Stdlib::Absolutepath,
Optional['override'] => Boolean,
}]
Change log
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
v13.3.0 (2024-11-26)
Added
v13.2.1 (2024-11-25)
Fixed
v13.2.0 (2024-11-20)
Added
Fixed
v13.1.0 (2024-11-18)
Added
- Update keycloak_flow_execution to handle script authenticators #329 (treydock)
- Reuse session when running kcadm commands #328 (treydock)
v13.0.0 (2024-10-19)
Changed
- Require stdlib 9.x and update module dependency version ranges #324 (treydock)
- Adjust keycloak_required_action resource to not use metaparameter alias #321 (TuningYourCode)
v12.1.1 (2024-10-19)
Fixed
- Fix ldap user provider parent_id lookup #319 (aba-zwicker)
v12.1.0 (2024-08-25)
Added
v12.0.0 (2024-07-12)
Changed
- BREAKING: Support Keycloak 25 #316 (treydock)
- Implement webauthn extra origins & Raise KeyCloak version to 24.0.5 in acceptance tests #313 (TuningYourCode)
Added
- Implement password policy property #315 (TuningYourCode)
v11.2.0 (2024-06-19)
Added
- Implement realm otp, webauthn, webauthn passwordless and bruteforce properties #312 (TuningYourCode)
v11.1.1 (2024-05-03)
Fixed
v11.1.0 (2024-04-19)
Added
v11.0.2 (2024-04-19)
Added
Fixed
- Bugfix: remove double declaration of "log-level" #308 (sircubbi)
- Fix #306 - Retrieve parentId by realm name #307 (TuningYourCode)
v11.0.1 (2023-09-22)
Fixed
v11.0.0 (2023-07-19)
Changed
- Drop Puppet 6, add Puppet 8 support, drop Ubuntu 18.04 #298 (treydock)
- Support Keycloak 22, Drop EL7 and Debian 10 #297 (treydock)
- Default java_declare_method to class for Debian and Ubuntu #295 (treydock)
Added
- Add keycloak::partial_import resource #301 (treydock)
- Add properties to keycloak_client_protocol_mapper #300 (treydock)
- Add cache_policy property to keycloak_ldap_user_provider #296 (treydock)
- Add default_locale property to keycloak_realm #294 (treydock)
- Set JAVA_HOME environment variable for Keycloak service #293 (treydock)
Fixed
v10.2.0 (2023-06-16)
Added
v10.1.0 (2023-04-14)
Added
v10.0.1 (2023-04-10)
Fixed
v10.0.0 (2023-04-05)
Changed
v9.4.0 (2023-03-22)
Added
v9.3.4 (2023-03-20)
Fixed
v9.3.3 (2023-03-09)
Fixed
v9.3.2 (2023-02-15)
Fixed
v9.3.1 (2023-01-04)
Fixed
v9.3.0 (2022-12-21)
Added
v9.2.0 (2022-12-19)
Added
- Allow to configure LDAP kerberos through the module #269 (PopiBrossard)
v9.1.0 (2022-12-02)
Added
v9.0.1 (2022-11-22)
Fixed
v9.0.0 (2022-11-01)
Changed
v8.5.0 (2022-10-31)
Added
v8.4.0 (2022-10-26)
Added
v8.3.0 (2022-10-18)
Added
Fixed
v8.2.0 (2022-10-10)
Added
Fixed
v8.1.0 (2022-07-13)
Added
v8.0.0 (2022-06-24)
Changed
- Major rewrite to support Keycloak 18+ using Quarkus (see README for breaking changes) #247 (treydock)
- BREAKING: Change how id is set for keycloak_ldap_user_provider (See README) #76 (treydock)
Fixed
v7.19.0 (2022-05-13)
Added
Fixed
v7.18.0 (2022-04-29)
Added
v7.17.0 (2022-04-25)
Added
- Support Debian 11 #241 (vilhelmprytz)
v7.16.0 (2022-04-04)
Added
v7.15.0 (2022-04-04)
Added
v7.14.0 (2022-03-14)
Added
v7.13.0 (2022-02-10)
Added
v7.12.2 (2022-02-08)
Fixed
v7.12.1 (2022-01-18)
Fixed
- Quote datasource username and password #235 (treydock)
- Fix issues with install_base /opt/keycloak #232 (dmaes)
v7.12.0 (2021-11-24)
Added
v7.11.1 (2021-11-24)
Fixed
- Further fix to set description on keycloak_flow when not top_level flow #227 (treydock)
- Fix to set description on keycloak_flow when not top_level flow #226 (treydock)
v7.11.0 (2021-11-05)
Added
- Replace CentOS 8 support with Rocky 8 #221 (treydock)
- Support stdlib 8.x, mysql 12.x and use puppet/systemd #220 (treydock)
- Add id parameter to keycloak::freeipa_user_provider #219 (treydock)
v7.10.0 (2021-09-22)
Added
Fixed
v7.9.1 (2021-09-16)
Fixed
- set keycloak_server in keycloak_conn_validator from 'localhost' to $service_bind_address #216 (hugendudel)
v7.9.0 (2021-09-08)
Added
- Remove Scientific Linux from metadata.json, still supported #213 (treydock)
- add saml-user-attribute-mapper support #212 (aba-rechsteiner)
Fixed
- Fix centos/7 in Vagrant failing #210 (rdcuzins)
- Fix invalid module dependency versions #209 (rdcuzins)
v7.8.0 (2021-09-01)
Added
v7.7.1 (2021-08-23)
Fixed
v7.7.0 (2021-08-16)
Added
v7.6.0 (2021-08-13)
Added
v7.5.1 (2021-08-03)
Fixed
v7.5.0 (2021-07-12)
Added
- Update dependency version ranges #200 (treydock)
- Support Keycloak 14 #199 (treydock)
- Fix Ubuntu acceptance tests #198 (treydock)
v7.4.1 (2021-07-10)
Fixed
v7.4.0 (2021-06-03)
Added
v7.3.0 (2021-06-02)
Added
v7.2.2 (2021-04-23)
Fixed
v7.2.1 (2021-04-17)
Fixed
v7.2.0 (2021-03-26)
Added
v7.1.0 (2021-03-25)
Added
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- puppetlabs/stdlib (>= 9.0.0 <10.0.0)
- puppetlabs/mysql (>= 11.1.0 <16.0.0)
- puppetlabs/postgresql (>= 7.4.0 <11.0.0)
- puppetlabs/java (>= 7.3.0 <12.0.0)
- puppetlabs/java_ks (>= 1.0.0 <6.0.0)
- puppet/archive (>= 0.5.1 <8.0.0)
- puppet/systemd (>= 0.4.0 <8.0.0)
Copyright (C) 2017 <FULL NAME> <EMAIL> Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.