Description
Summary
community.general.keycloak_client_rolescope
Ansible Keycloak task used to assign a role to a client_scope fails. Following an investigation of the code itself, it appears that:
1/ in keycloak_client_rolescope.py, the client_scope_id is used to search for a client within the realm, which causes the error "Failed to retrive client" to be thrown. The exact line causing the issue is: objClientScope = kc.get_client_by_clientid(client_scope_id, realm)
2/ in the next code section a similar issue arises, where the client_scope_id is used to retrieve client role names: client_scope_roles_by_name = kc.get_client_roles_by_id(objClientScope["id"], realm)
3/ in keycloak.py, the URI URL_CLIENT_ROLE_SCOPE_CLIENTS = "{url}/admin/realms/{realm}/clients/{id}/scope-mappings/clients/{scopeid}" mistakenly uses clients instead of client-scopes.
These 3 issues combined appear to be the reason why this task fails.
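To make the corrected lookup order concrete, the following is an added Python example; it is not code from the community.general collection or from this report. It resolves the scope through the Keycloak Admin REST API's GET /admin/realms/{realm}/client-scopes/{id} endpoint, reads the client's roles from /clients/{uuid}/roles, and writes the mapping under /client-scopes/{id}/scope-mappings/clients/{uuid}, i.e. the client-scopes form of the URL template quoted above. The HTTP layer is an injected callable so the logic runs offline; FakeKeycloakAdmin and every id, name and base URL inside it are constructed sample data, and the function and class names are this example's own.

```python
"""Assign client roles to a Keycloak client scope through the Admin REST API.

Added example, not code from community.general. The scope is resolved under
/client-scopes/{id} (not /clients/{id}) and the mapping is written under
/client-scopes/{id}/scope-mappings/clients/{client}. All names and ids in
FakeKeycloakAdmin are constructed sample data.
"""


def admin_base(base, realm):
    return f"{base}/admin/realms/{realm}"


def client_scope_url(base, realm, scope_id):
    # A client_scope_id must be looked up under /client-scopes, never /clients.
    return f"{admin_base(base, realm)}/client-scopes/{scope_id}"


def scope_mapping_url(base, realm, scope_id, client_uuid):
    # The {id} segment of the scope-mapping URL is the client scope's id.
    return f"{client_scope_url(base, realm, scope_id)}/scope-mappings/clients/{client_uuid}"


def assign_roles_to_client_scope(http, base, realm, scope_id, client_id, role_names):
    """http(method, url, body) -> (status, json); returns an Ansible-style result dict."""
    admin = admin_base(base, realm)

    # 1. Confirm the client scope exists by its id (the report's point 1).
    status, _scope = http("GET", client_scope_url(base, realm, scope_id), None)
    if status != 200:
        raise LookupError(f"client scope {scope_id!r} not found in realm {realm!r}")

    # 2. Resolve the client's internal uuid from its human-readable clientId.
    status, clients = http("GET", f"{admin}/clients?clientId={client_id}", None)
    if status != 200 or not clients:
        raise LookupError(f"client {client_id!r} not found in realm {realm!r}")
    client_uuid = clients[0]["id"]

    # 3. Read the client's roles and pick the requested ones by name (point 2).
    status, roles = http("GET", f"{admin}/clients/{client_uuid}/roles", None)
    if status != 200:
        raise LookupError(f"could not list roles of client {client_id!r}")
    by_name = {r["name"]: r for r in roles}
    missing = [n for n in role_names if n not in by_name]
    if missing:
        raise LookupError(f"roles not defined on client {client_id!r}: {missing}")

    # 4. Compare with the existing mapping so that state=present is idempotent (point 3).
    url = scope_mapping_url(base, realm, scope_id, client_uuid)
    status, existing = http("GET", url, None)
    present = {r["name"] for r in (existing or [])}
    to_add = [by_name[n] for n in role_names if n not in present]
    if to_add:
        status, _ = http("POST", url, to_add)
        if status not in (200, 201, 204):
            raise RuntimeError(f"scope mapping POST failed with HTTP {status}")
    return {"changed": bool(to_add), "added": [r["name"] for r in to_add]}


class FakeKeycloakAdmin:
    """Constructed in-memory stand-in for the Admin REST endpoints used above."""

    def __init__(self):
        self.base, self.realm = "https://keycloak.example", "test_realm_1"
        self.scope_id, self.client_uuid = "scope-uuid-1", "client-uuid-1"
        self.client_id = "onboarding_repository"
        self.roles = [{"id": "role-uuid-1", "name": "admin_role"},
                      {"id": "role-uuid-2", "name": "reader"}]
        self.mappings = {}  # (scope_id, client_uuid) -> list of mapped role dicts
        self.calls = []     # (method, url) log, useful for checking which URLs were used

    def __call__(self, method, url, body):
        self.calls.append((method, url))
        prefix = admin_base(self.base, self.realm)
        if not url.startswith(prefix):
            return 404, None
        path = url[len(prefix):]
        if method == "GET" and path == f"/client-scopes/{self.scope_id}":
            return 200, {"id": self.scope_id, "name": "onboarding_repository_admin"}
        if method == "GET" and path == f"/clients?clientId={self.client_id}":
            return 200, [{"id": self.client_uuid, "clientId": self.client_id}]
        if method == "GET" and path == f"/clients/{self.client_uuid}/roles":
            return 200, list(self.roles)
        if path == f"/client-scopes/{self.scope_id}/scope-mappings/clients/{self.client_uuid}":
            key = (self.scope_id, self.client_uuid)
            if method == "GET":
                return 200, list(self.mappings.get(key, []))
            if method == "POST":
                self.mappings.setdefault(key, []).extend(body)
                return 204, None
        return 404, None  # the /clients/{scope_id}/... form from the report lands here


if __name__ == "__main__":
    kc = FakeKeycloakAdmin()
    args = (kc, kc.base, kc.realm, kc.scope_id, kc.client_id, ["admin_role"])
    print(assign_roles_to_client_scope(*args))  # first run maps the role
    print(assign_roles_to_client_scope(*args))  # second run is a no-op
```

Running the block twice against the fake shows the idempotent behaviour an Ansible module with state: present should have: the first call reports changed and adds the role, the second finds it already mapped and changes nothing. The first request the function issues is the GET on /client-scopes/{id}, which is the lookup the report says the module currently performs against /clients instead.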
Issue Type
Bug Report
Component Name
community.general.keycloak_client_rolescope
Ansible Version
$ ansible --version
ansible [core 2.18.4]
config file = /Users/killianlevacher/go/src/github.ibm.com/decentralized-trust-research/cbdc-platform-deployment/ansible.cfg
configured module search path = ['/Users/killianlevacher/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /opt/homebrew/lib/python3.12/site-packages/ansible
ansible collection location = /Users/killianlevacher/go/src/github.ibm.com/decentralized-trust-research/cbdc-platform-deployment/collections
executable location = /opt/homebrew/bin/ansible
python version = 3.12.6 (main, Sep 6 2024, 19:03:47) [Clang 15.0.0 (clang-1500.3.9.4)] (/opt/homebrew/opt/python@3.12/bin/python3.12)
jinja version = 3.1.6
libyaml = True
Community.general Version
$ ansible-galaxy collection list community.general
Collection        Version
----------------- -------
community.general 11.1.0
Configuration
$ ansible-config dump --only-changed
COLLECTIONS_PATHS(/Users/killianlevacher/go/src/github.ibm.com/decentralized-trust-research/cbdc-platform-deployment/ansible.cfg) = ['/Users/killianlevacher/go/src/github.ibm.com/decentralized-trust-research/cbdc-platform-deployment/collections']
CONFIG_FILE() = /Users/killianlevacher/go/src/github.ibm.com/decentralized-trust-research/cbdc-platform-deployment/ansible.cfg
DEFAULT_HOST_LIST(/Users/killianlevacher/go/src/github.ibm.com/decentralized-trust-research/cbdc-platform-deployment/ansible.cfg) = ['/Users/killianlevacher/go/src/github.ibm.com/decentralized-trust-research/cbdc-platform-deployment/inventory/local/znext.yaml']
DEFAULT_ROLES_PATH(/Users/killianlevacher/go/src/github.ibm.com/decentralized-trust-research/cbdc-platform-deployment/ansible.cfg) = ['/Users/killianlevacher/go/src/github.ibm.com/decentralized-trust-research/cbdc-platform-deployment/playbooks/roles']
DEPRECATION_WARNINGS(/Users/killianlevacher/go/src/github.ibm.com/decentralized-trust-research/cbdc-platform-deployment/ansible.cfg) = False
DISPLAY_SKIPPED_HOSTS(/Users/killianlevacher/go/src/github.ibm.com/decentralized-trust-research/cbdc-platform-deployment/ansible.cfg) = False
INTERPRETER_PYTHON(env: ANSIBLE_PYTHON_INTERPRETER) = /opt/homebrew/opt/python@3.12/bin/python3
PAGER(env: PAGER) = less
GALAXY_SERVERS:
OS / Environment
MacOS 15.4.1
Steps to Reproduce
- name: Create or update Keycloak realm
  middleware_automation.keycloak.keycloak_realm:
    auth_client_id: "{{ keycloak_auth_client_id }}"
    auth_keycloak_url: "{{ keycloak_url }}"
    auth_realm: "{{ keycloak_auth_realm }}"
    auth_username: "{{ keycloak_username }}"
    auth_password: "{{ keycloak_password }}"
    id: "{{ keycloak_realm_id }}"
    realm: "{{ keycloak_realm_name }}"
    state: present

- name: Create or update onboarding_repository Keycloak client
  middleware_automation.keycloak.keycloak_client:
    auth_client_id: "{{ keycloak_auth_client_id }}"
    auth_keycloak_url: "{{ keycloak_url }}"
    auth_realm: "{{ keycloak_auth_realm }}"
    auth_username: "{{ keycloak_username }}"
    auth_password: "{{ keycloak_password }}"
    realm: "{{ keycloak_realm_name }}"
    client_id: "{{ keycloak_client_id }}"
    name: "{{ keycloak_client_name }}"
    client_authenticator_type: client-secret
    enabled: true
    public_client: false
    full_scope_allowed: false
    state: present
  register: onb_client

- name: Retrieve client secret for onboarding_repository
  community.general.keycloak_clientsecret_info:
    auth_client_id: "{{ keycloak_auth_client_id }}"
    auth_keycloak_url: "{{ keycloak_url }}"
    auth_realm: "{{ keycloak_auth_realm }}"
    auth_username: "{{ keycloak_username }}"
    auth_password: "{{ keycloak_password }}"
    realm: "{{ keycloak_realm_name }}"
    client_id: "{{ keycloak_client_id }}"
  no_log: true
  register: client_secret_info

- name: Step 3 Create client admin_role role
  community.general.keycloak_role:
    auth_client_id: "{{ keycloak_auth_client_id }}"
    auth_keycloak_url: "{{ keycloak_url }}"
    auth_realm: "{{ keycloak_auth_realm }}"
    auth_username: "{{ keycloak_username }}"
    auth_password: "{{ keycloak_password }}"
    realm: "{{ keycloak_realm_name }}"
    client_id: "{{ keycloak_client_id }}"
    name: "{{ keycloak_admin_role_name }}"
    state: present

- name: Step 4 Create/update onboarding_repository_admin client scope
  community.general.keycloak_clientscope:
    auth_client_id: "{{ keycloak_auth_client_id }}"
    auth_keycloak_url: "{{ keycloak_url }}"
    auth_realm: "{{ keycloak_auth_realm }}"
    auth_username: "{{ keycloak_username }}"
    auth_password: "{{ keycloak_password }}"
    realm: "{{ keycloak_realm_name }}"
    name: "{{ keycloak_client_scope_name }}"
    description: "Scope for onboarding_repository admin"
    protocol: openid-connect
    attributes:
      "include.in.token.scope": "true"
      "display.on.consent.screen": "false"
    state: present
  register: onboarding_scope

- name: DEBUG STEP PRE - 5 - CURRENT STAGE
  ansible.builtin.debug:
    msg: "This is a debug message secret {{ client_secret_info.clientsecret_info.value }} client {{ keycloak_container_name }} scope scopeid - {{onboarding_scope.end_state.id}} - id {{ onb_client.end_state.id }}"
  debugger: always

- name: Step 5 Assign admin role to client scope
  community.general.keycloak_client_rolescope:
    auth_client_id: "{{ keycloak_auth_client_id }}"
    auth_keycloak_url: "{{ keycloak_url }}"
    auth_realm: "{{ keycloak_auth_realm }}"
    auth_username: "{{ keycloak_username }}"
    auth_password: "{{ keycloak_password }}"
    realm: "{{ keycloak_realm_name }}"
    client_scope_id: "{{ onboarding_scope.end_state.id}}"
    client_id: "{{ keycloak_client_id }}"
    role_names:
      - "{{ keycloak_admin_role_name }}"
    state: present
Expected Results
Expected a role to be assigned to the client_scope.
Actual Results
Instead, the user gets the following error:
fatal: FAILED! => {"changed": false, "msg": "Failed to retrive client 'test_realm_1.a0e7d204-14ea-45c5-83a0-5773d6a5344b'"}
Code of Conduct
- I agree to follow the Ansible Code of Conduct