terraform-provider-keycloak
Support social IdP attribute import
This PR allows the `keycloak_attribute_importer_identity_provider_mapper` resource to control mappers on the following social identity providers:
- github
- microsoft
- paypal
- stackoverflow
It's broader than the scope defined in #471, but those are all the social identity providers where an "Attribute Importer" mapper can be configured. I tested the provider against the local instance of Keycloak and the mappers appear successfully for each of those social providers.
One of the things that is a bit less clean with this is that on social attribute importers, the field in the config is `attributeName` instead of `attribute.name`, so I documented how to leverage the `extra_config` fields to achieve such a result. I would have liked to use the `attribute_name` and `claim` properties that are already in the struct, but that ended up messing things up more than anything. That being said, I'm pretty new to Terraform providers, so any hint on how to improve this code and reuse the fields properly is more than welcome!
Fixes #471
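As an added example (not code from this PR or from the provider's own docs), this is how the `extra_config` approach from the description looks end to end: a GitHub social provider created through `keycloak_oidc_identity_provider` with `provider_id = "github"`, plus an attribute importer whose source field is passed as the `attributeName` key the PR description names, because the resource's own `claim_name` / `attribute_name` arguments do not apply to social providers. The GitHub endpoint URLs, the `user:email` scope, the `login` source field, the `github_login` target attribute and the variable names are assumptions of this example; check the key names against the mapper form in the Keycloak admin console for your Keycloak version.

```hcl
# Added example, not the provider's or the PR author's code.
# Assumes the keycloak_realm, keycloak_oidc_identity_provider and
# keycloak_attribute_importer_identity_provider_mapper resources of
# terraform-provider-keycloak.

variable "github_client_id" {
  type = string
}

# Marked sensitive so the secret is redacted from plan output; it is still
# written to the state file, so the state backend must be access-controlled.
variable "github_client_secret" {
  type      = string
  sensitive = true
}

resource "keycloak_realm" "realm" {
  realm   = "example"
  enabled = true
}

# Social providers are created through the generic OIDC resource with the
# Keycloak provider_id. authorization_url and token_url are required by the
# resource; the values below are GitHub's OAuth endpoints (assumption of this
# example).
resource "keycloak_oidc_identity_provider" "github" {
  realm             = keycloak_realm.realm.id
  alias             = "github"
  provider_id       = "github"
  display_name      = "GitHub"
  authorization_url = "https://github.com/login/oauth/authorize"
  token_url         = "https://github.com/login/oauth/access_token"
  client_id         = var.github_client_id
  client_secret     = var.github_client_secret
  default_scopes    = "user:email"
}

# Attribute importer on the social provider. user_attribute is the Keycloak
# user attribute being written; the source field on the provider side is not
# attribute.name / claim here but attributeName (per the PR description), so
# it has to go through extra_config. syncMode = "FORCE" overwrites the user
# attribute on every login, which is what you want for an attribute that the
# IdP is authoritative for.
resource "keycloak_attribute_importer_identity_provider_mapper" "github_login" {
  realm                   = keycloak_realm.realm.id
  name                    = "github-login-importer"
  identity_provider_alias = keycloak_oidc_identity_provider.github.alias
  user_attribute          = "github_login"

  extra_config = {
    attributeName = "login"
    syncMode      = "FORCE"
  }
}
```

Two things worth keeping in mind with this shape: `extra_config` is passed through to the Keycloak admin API without validation by the provider, so a misspelled key is silently stored rather than rejected, and `terraform plan` will not tell you the mapper does nothing; check the mapper in the admin console after the first apply. And because `syncMode = "FORCE"` lets the IdP rewrite the user attribute on every login, only map attributes you are willing to let that IdP control.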
I'm testing this locally right now and it needs some adjustments
Ok, done testing and it's working fine when using this version locally!
Hello @maxlegault and @mrparkers,
I was about to create a PR to add another IdP as Max did with the GitHub provider in #471. But since this PR #472 is not merged yet, can we amend this one to add the social provider, or should I create a new one?
The one I want to add is france-connect. It is not as famous as Facebook or Google, but it's becoming quite popular in France (22M users). They provide a module for Keycloak here. The providerId would be "franceconnect-particulier".
Let me know what is best for you.
@TCHdvlp, you could already set the FranceConnect IdP as follows:

```hcl
resource "keycloak_oidc_identity_provider" "franceconnect_idp" {
  realm             = keycloak_realm.myrealm.id
  provider_id       = "franceconnect-particulier"
  alias             = "franceconnect"
  display_name      = "FranceConnect Intégration"
  authorization_url = "https://app.franceconnect.gouv.fr/api/v1/authorize?acr_values=eidas1"
  token_url         = "https://app.franceconnect.gouv.fr/api/v1/token"
  user_info_url     = "https://app.franceconnect.gouv.fr/api/v1/userinfo"
  logout_url        = "https://app.franceconnect.gouv.fr/api/v1/logout"
  client_id         = "yourclientid"
  client_secret     = "yourclientsecret"

  ui_locales            = false
  backchannel_supported = false
  // this might be a tricky one; FranceConnect does it in a special way, really depends on your IdP impl
  validate_signature = false

  default_scopes = "openid profile email identite_pivot"

  extra_config = {
    clientAuthMethod = "client_secret_post"
    syncMode         = "FORCE"
    // any other custom config goes here.......
  }
}
```

Depends a bit on how your IdP implementation works. Any field that is required but not used by your IdP impl, you fill something in; your logic will not look at it. The Keycloak admin API is very forgiving in that aspect..... (I have written our own FC IdP impl, and I got it working, so you should also be able to do it.)
Thank you for the hints @tomrutsaert. Unfortunately, I have this kind of configuration for FranceConnect, and the issue is when I want to add a mapper to it with the resource `keycloak_attribute_importer_identity_provider_mapper`. I got the same error message as Max: `"franceconnect-particulier" identity provider is not supported yet`.

We did try to add it in the condition here:
https://github.com/mrparkers/terraform-provider-keycloak/blob/fecd3a6197ac04c86bf42a99c3a9130585b5ca17/provider/resource_keycloak_attribute_importer_identity_provider_mapper.go#L75

And it worked. We do not want to have an altered version of the provider; that's why I'm suggesting this addition to the list.

Regards,
Ah, I see, I understand.