killianlevacher

SUMMARY

This is a fix for issue #10342.

Changelog Fragment:

This enables the community.general.keycloak_client_rolescope Ansible task to assign roles to client scopes in Keycloak, which currently fails because of a bug described in #10342

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

community.general.keycloak_client_rolescope

ADDITIONAL INFORMATION

Steps to reproduce the bug are described in detail in #10342.

@ansibullbot
Collaborator

@ansibullbot ansibullbot added bug This issue/PR relates to a bug identity module module module_utils module_utils new_contributor Help guide this first time contributor plugins plugin (any type) labels Jul 4, 2025
@russoz russoz changed the title fix for issue #10342 keycloak_client_rolescope: fix for issue #10342 Jul 5, 2025
@russoz
Collaborator

russoz commented Jul 5, 2025

hi @killianlevacher
Thank you for the contribution! Please add a changelog fragment.

@felixfontein felixfontein added check-before-release PR will be looked at again shortly before release and merged if possible. backport-10 Automatically create a backport for the stable-10 branch backport-11 Automatically create a backport for the stable-10 branch labels Jul 6, 2025
@desand01
Contributor

desand01 commented Jul 6, 2025

Hi @killianlevacher, thank you for your contribution.

It seems that the integration tests are currently failing. To help find a solution that addresses your use case without breaking compatibility, would you mind adding an integration test that reproduces the scenario you are trying to support?

This would help me better understand the context.

Thanks again!

general/tests/integration/targets/keycloak_client_rolescope

TASK [keycloak_client_rolescope : Map roles to public client] ******************
fatal: [testhost]: FAILED! => {"changed": false, "msg": "Failed to retrieve client 'myrealm.backend-client-private'"}

@flvmz

flvmz commented Jul 14, 2025

I found this yesterday and commented on the bug report, because I think this module is not meant to manage roles in the context of client scopes: #10342 (comment)

@ansibullbot ansibullbot added the stale_ci CI is older than 7 days, rerun before merging label Jul 14, 2025
@ansibullbot ansibullbot added integration tests/integration tests tests and removed stale_ci CI is older than 7 days, rerun before merging labels Jul 15, 2025
@killianlevacher
Author

killianlevacher commented Jul 15, 2025

@desand01 Apologies for only coming back to you now on this. It took me a while to dig into what was going on.

For the purpose of this conversation, I commented out my suggested fixes and reverted to the original code to demonstrate the task failing. I also added steps in the integration test main.yml to demonstrate where the step fails.

As pointed out in main.yml the step which attempts to assign a role to a client scope fails under the original code.
When client_scope_id is given {{ client_name_private }} instead (as in the task 'Map roles to public client'), this step does not fail; however, no role is assigned to this scope.

With the fix I am suggesting, when client_scope_id is provided with the scope_id (as opposed to a client name), the role is indeed assigned to the client scope as expected but the 'Map roles to public client' task fails probably for the reverse reasons (haven't been able to figure out why yet)

Unless mistaken, somehow the underlying code seems to be confusing the notion of a client_scope_id with that of a client_id.

For example, in https://github.com/ansible-collections/community.general/blob/main/plugins/modules/keycloak_client_rolescope.py at line 205, the code checks whether client_scope_id exists or not and then calls get_client_by_clientid, which obviously will fail since it is given a client_scope_id as opposed to a client_id. This is also the reason why the code silently fails when a client_id is given as the client_scope_id.

I agree with @flvmz that it seems like this mapping should be in the client_scope module to start with.

Perhaps something which could clarify the confusion going on: can someone explain why, within the task called 'Map roles to public client' in the integration test main.yml, we are giving a client id to a parameter called client_scope_id (client_scope_id: "{{ client_name_private }}")? This seems to be the root of the problem/confusion.

@ansibullbot
Collaborator

The test ansible-test sanity --test pep8 [explain] failed with 5 errors:

plugins/module_utils/identity/keycloak/keycloak.py:34:1: E265: block comment should start with '# '
plugins/modules/keycloak_client_rolescope.py:206:1: W293: blank line contains whitespace
plugins/modules/keycloak_client_rolescope.py:207:9: E265: block comment should start with '# '
plugins/modules/keycloak_client_rolescope.py:218:1: W293: blank line contains whitespace
plugins/modules/keycloak_client_rolescope.py:219:5: E265: block comment should start with '# '

The test ansible-test sanity --test pylint [explain] failed with 2 errors:

plugins/modules/keycloak_client_rolescope.py:206:0: trailing-whitespace: Trailing whitespace
plugins/modules/keycloak_client_rolescope.py:218:0: trailing-whitespace: Trailing whitespace

@ansibullbot ansibullbot added ci_verified Push fixes to PR branch to re-run CI needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR labels Jul 15, 2025
@desand01
Contributor

Hi @killianlevacher.

I believe part of the issue might be a confusion between the client-scopes endpoint (/realms/{realm}/client-scopes) and the /clients/{id}/client-scopes endpoints.

The current module is specifically intended to manage the client-side assignments (clients/{id}/client-scopes). Maybe the component could have been named more clearly to avoid this kind of ambiguity (my bad....).

To clarify, client_scope_id is not a realm-level client-scope. It refers to the client that holds the roles you want to map onto another client.

I think the support for realm-level client scopes (/realm/client-scopes) should have a dedicated module.

Thanks again!

@felixfontein felixfontein marked this pull request as draft July 21, 2025 10:01
@ansibullbot ansibullbot added the WIP Work in progress label Jul 21, 2025
@killianlevacher
Author

Hi @desand01

Thanks for the clarification. So just to make sure I understand (because I'm starting to get lost now with the Keycloak terminology :D ).

Does the collection currently allow a user to assign a client role to a client scope, as is possible in the Keycloak UI? Or, alternatively, is there a way with the collection to assign roles of any type (realm role, private/public client roles) to a client scope? And if so, what module should I use?

If not, that's fine. I just want to make sure I fully understand the situation.

Thanks in advance

@flvmz

flvmz commented Jul 24, 2025

Sorry for the late response. As far as I can tell, there is no module in the official repo that allows mapping roles to a client scope.

@ansibullbot ansibullbot added the stale_ci CI is older than 7 days, rerun before merging label Jul 24, 2025
@desand01
Contributor

desand01 commented Aug 4, 2025

Hi @killianlevacher,
Apologies for the delay in getting back to you.

Unfortunately, I think there is currently no module in the collection that allows you to manage client scopes at the realm level.

As a workaround, you can use the keycloak_client_rolescope module to assign role scopes of another client directly to a client. However, this solution has some limitations—for example, it does not allow you to distinguish between default and optional scopes when assigning them.

If your use case requires managing reusable client scope templates at the realm level and assigning them to clients (with support for default/optional designation), I suggest opening feature requests (Issues) for two new modules (names are only suggestions):

keycloak_realm_client_scope: to manage client scope definitions and their role mappings at the realm level.
keycloak_realm_client_scopemapping: to handle the assignment of those scopes (as default or optional) to individual clients.

@desand01
Contributor

Hi @killianlevacher, maybe this is what you are looking for:
community.general.keycloak_clientscope: create your custom realm scope
community.general.keycloak_clientscope_type: assign the realm scope to a client, either Default or Optional
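The two-module workflow suggested in the comment above, written out as an added example playbook. This is not code from the PR, the collection's tests, or any participant; the realm, client and scope names and the connection variables are assumptions. It only creates a realm-level client scope and attaches it to a client as default or optional; as stated earlier in the thread, no module in the collection maps roles onto a realm-level client scope, so that step is not shown.

```yaml
# Added example, not part of this PR or the collection's test suite.
# Step 1: create a realm-level client scope (the /admin/realms/{realm}/client-scopes
#         resource) with community.general.keycloak_clientscope.
# Step 2: attach that scope to a client as Default or Optional with
#         community.general.keycloak_clientscope_type.
# Realm, client and scope names and the KEYCLOAK_* environment variables are assumptions.
- name: Manage a realm-level client scope and its assignment to a client
  hosts: localhost
  gather_facts: false
  vars:
    keycloak_url: "https://keycloak.example.com"   # assumption
    keycloak_realm: "myrealm"                      # assumption
    scope_name: "backend-api"                      # assumption
    target_client_id: "frontend-client"            # assumption: the clientId, not the UUID
  tasks:
    - name: Create the realm-level client scope
      community.general.keycloak_clientscope:
        auth_keycloak_url: "{{ keycloak_url }}"
        auth_realm: master
        auth_username: "{{ lookup('env', 'KEYCLOAK_ADMIN') }}"
        auth_password: "{{ lookup('env', 'KEYCLOAK_ADMIN_PASSWORD') }}"
        realm: "{{ keycloak_realm }}"
        name: "{{ scope_name }}"
        protocol: openid-connect
        description: "Scope granting access to the backend API"
        state: present

    # keycloak_clientscope_type is declarative: the two lists describe the full
    # set of default and optional scopes the client should end up with, so the
    # built-in OpenID Connect scopes are listed explicitly to keep them in place.
    - name: Attach the scope to the client as an optional scope
      community.general.keycloak_clientscope_type:
        auth_keycloak_url: "{{ keycloak_url }}"
        auth_realm: master
        auth_username: "{{ lookup('env', 'KEYCLOAK_ADMIN') }}"
        auth_password: "{{ lookup('env', 'KEYCLOAK_ADMIN_PASSWORD') }}"
        realm: "{{ keycloak_realm }}"
        client_id: "{{ target_client_id }}"
        default_clientscopes:
          - profile
          - email
          - roles
          - web-origins
        optional_clientscopes:
          - "{{ scope_name }}"
```

Note the distinction the thread turns on: keycloak_client_rolescope's client_scope_id parameter names the client whose roles are mapped into another client's scope (the client-side scope mappings), not a realm-level client scope like the one created here. Passing a realm-level scope name or id to that parameter is what produced the "Failed to retrieve client" error in the integration test.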
