
When creating Applications, the sensitive part returned by the API is missing.

Open ivarmu opened this issue 6 months ago • 7 comments

Summary

The first time one creates an application, either from the WUI or through the API, there is a one-time-only response that includes the sensitive information related to the new application, for example:

{
    "id": 2,
    "url": "/api/gateway/v1/applications/2/",
    "related": {
        "access_tokens": "/api/gateway/v1/applications/2/tokens/",
        "activity_stream": "/api/gateway/v1/activitystream/?content_type=36&object_id=2",
        "created_by": "/api/gateway/v1/users/2/",
        "modified_by": "/api/gateway/v1/users/2/",
        "organization": "/api/gateway/v1/organizations/2/"
    },
    "summary_fields": {
        "modified_by": {
            "id": 2,
            "username": "admin",
            "first_name": "",
            "last_name": ""
        },
        "created_by": {
            "id": 2,
            "username": "admin",
            "first_name": "",
            "last_name": ""
        },
        "organization": {
            "id": 2,
            "name": "Systems Engineering"
        },
        "tokens": {
            "count": 0,
            "results": []
        }
    },
    "created": "2025-06-17T12:24:10.511806Z",
    "created_by": 2,
    "modified": "2025-06-17T12:24:10.511777Z",
    "modified_by": 2,
    "name": "test_gateway_application",
    "client_id": "8eK4AHhevMnqWnLBdb2U3SGyRPd5n052RyK8Gjey",
    "redirect_uris": "https://test_url/",
    "post_logout_redirect_uris": "",
    "algorithm": "",
    "user": null,
    "description": "",
    "organization": 2,
    "app_url": "",
    "client_secret": "ePgxwNgLJ28WNFEhuMELZ1lA0qrf4vT57Bb3ZyZauitSLLxREUJGhYWfkmfLG1cO9jmusTlcFBIoKcqKWiyXPmbVjmuS7v1BlGhsI7K79RcX9zIrQK8cMyu1WOPWJndB",
    "client_type": "confidential",
    "skip_authorization": false,
    "authorization_grant_type": "authorization-code"
}

In the output above, the field client_secret contains the secret needed to use the Application. Without this information, the newly created application is completely useless, as no one knows its sensitive information.

Issue Type

  • Bug Report

Ansible, Collection, Controller details

Applies to all versions for this collection.

  • ansible installation method: one of source, pip, OS package, EE

OS / ENVIRONMENT

N/A

Desired Behavior

infra.aap_configuration.controller_applications and infra.aap_configuration.gateway_applications roles should return the sensitive data from the API and show them to the executor so it can be consumed.

Actual Behavior

See description above.

STEPS TO REPRODUCE

See description above.

ivarmu avatar Jun 17 '25 12:06 ivarmu

does it currently not return the output?

djdanielsson avatar Jun 24 '25 13:06 djdanielsson

@ivarmu Is this not the issue of the Certified collections, and not the Infra collections?

sean-m-sullivan avatar Jun 25 '25 03:06 sean-m-sullivan

I've not tested, but assuming the information is exposed by the modules (I guess it is as it is returned from the API) then this is more of a question of how we get the information out of the role. The output should be accessible in __gateway_applications_job_async_result but that's not advertised anywhere. I suppose the better question is whether each role should have an output variable where we capture the outputs?

Tompage1994 avatar Jul 01 '25 11:07 Tompage1994
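
An added example, not part of this thread or of the collection's code: one way a caller could capture the one-time client_secret from a create response shaped like the one in the issue, while keeping it out of logs. The function names, the file layout and the masked form of later reads are assumptions, and the sample values are constructed.

```python
import json
import os

# Constructed sample, trimmed from the response shape shown in the issue;
# the values are placeholders, not real credentials.
CREATE_RESPONSE = {
    "id": 2,
    "name": "test_gateway_application",
    "client_id": "constructed-client-id",
    "client_secret": "constructed-secret-value",
    "client_type": "confidential",
}

SENSITIVE_KEYS = ("client_secret",)
MASK = "********"  # assumption: value written into the loggable copy


def split_application_response(resp):
    """Return (loggable, secrets): a redacted copy and the one-time secrets."""
    loggable = dict(resp)
    secrets = {}
    for key in SENSITIVE_KEYS:
        value = resp.get(key)
        # Capture only a real value; skip empty or all-asterisk (masked) ones.
        if value and set(value) != {"*"}:
            secrets[key] = value
        if key in loggable:
            loggable[key] = MASK
    return loggable, secrets


def store_secrets(app_id, client_id, secrets, directory):
    """Write the secrets to a new file created with mode 0600."""
    path = os.path.join(directory, f"application-{int(app_id)}.secret.json")
    # O_EXCL refuses to overwrite a secret captured by an earlier run.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        json.dump({"client_id": client_id, **secrets}, handle)
    return path


def capture_once(resp, directory):
    """Persist the secret if present; always return the redacted record."""
    loggable, secrets = split_application_response(resp)
    path = None
    if secrets:
        path = store_secrets(resp["id"], resp["client_id"], secrets, directory)
    return loggable, path
```

Only the redacted record should reach task output or logs; the stored file is the single place the secret lands.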

might be something to add to the error handling PR we have

djdanielsson avatar Jul 01 '25 14:07 djdanielsson

The module ansible.controller.application was returning this information (see https://github.com/ansible/awx/pull/15045), but I see the following comment at the current version of the collection (see https://github.com/ansible/awx/tree/devel/awx_collection):

25.0.0 "token" and "application" modules have been removed as oauth is no longer supported, use basic auth instead

And the module ansible.controller.application is not available anymore at the current versions: https://github.com/ansible/awx/tree/devel/awx_collection

ivarmu avatar Jul 02 '25 09:07 ivarmu

that would be because gateway now handles all auth

djdanielsson avatar Jul 30 '25 14:07 djdanielsson

I wonder if this is fixed now or do we need to tweak the logic for catching errors to also catch this and print at the end? @branic

djdanielsson avatar Sep 12 '25 18:09 djdanielsson