terraform-provider-keycloak

Add support for social identity providers attribute import

Open maxlegault opened this issue 3 years ago • 3 comments

I'm trying to replicate an Identity Provider Mapper configuration I have where I import the avatar_url field from my GitHub IdP, but it seems like only saml and oidc are currently supported as provider ids for attribute imports. It would be very useful for me to be able to configure attribute importers for the non-oidc social providers.

Here's the resource I'm trying to create:

resource "keycloak_oidc_identity_provider" "github" {
  realm = keycloak_realm.my-realm.realm
  alias = "github"
  provider_id = "github"
  // ... other config elements
}

resource "keycloak_attribute_importer_identity_provider_mapper" "github_avatar_url" {
  realm = keycloak_realm.test-realm.realm
  name = "Avatar URL"
  claim_name = "avatar_url"
  user_attribute = "avatar_url"
  identity_provider_alias = keycloak_oidc_identity_provider.github.alias
  extra_config = {
    syncMode = "FORCE"
  }
}

The plan outputs the expected info:

  # keycloak_attribute_importer_identity_provider_mapper.github_avatar_url will be created
  + resource "keycloak_attribute_importer_identity_provider_mapper" "github_avatar_url" {
      + claim_name              = "avatar_url"
      + extra_config            = {
          + "syncMode" = "FORCE"
        }
      + id                      = (known after apply)
      + identity_provider_alias = "github"
      + name                    = "Avatar URL"
      + realm                   = "test"
      + user_attribute          = "avatar_url"
    }

But then when applying, I get this error message:

Error: provider.keycloak: keycloak_attribute_importer_identity_provider_mapper: Avatar URL: "github" identity provider is not supported yet

maxlegault, Jan 26 '21 14:01

I'd be glad to make a contribution. From what I see, we'd need to check not only for "oidc" but also "github" on this line here to get the claim: https://github.com/mrparkers/terraform-provider-keycloak/blob/18bdbd60144feeea0c1637560743d3c0347f8027/provider/resource_keycloak_attribute_importer_identity_provider_mapper.go#L69

I'm guessing we'd probably want to add support for all other social providers that are using OIDC behind the scenes, though I'm not sure if it's all the social identity providers that should be using this mechanism.

maxlegault, Jan 26 '21 15:01

I think checking for "github" there is fine for now. I usually add support for this on a case-by-case basis since it's hard to test some of these without having a bit more knowledge about the provider itself. I should be able to test the GitHub one just fine though.

I'd be willing to merge a PR that makes this change if you're willing to submit it 🚀

mrparkers, Jan 26 '21 15:01

@mrparkers I just created PR #472 to address this issue.

maxlegault, Jan 26 '21 18:01