
Difficult to manage the default keycloak_generic_protocol_mapper #1083

Open
vpapanchev opened this issue Jan 23, 2025 · 0 comments


Describe the bug

Description

In many cases, built-in protocol mappers are added to clients by default. For example, when creating a keycloak_openid_client with the client-credentials flow enabled, a dedicated scope is automatically set up, to which multiple protocol mappers are added. Examples include:

  • Client Host
  • Client IP Address

Problem Statement

It's impossible to disable or configure existing protocol mappers added by default via Terraform in an automated way.

Solution via manual import

Currently, the only way to configure the protocol mappers added by default is to import them into your Terraform state manually.
This has been suggested in #1020 and #732.

Such a solution however has many drawbacks:

  • Breaks automation
  • Access to the state in all environments is required
  • Multiple terraform applies are necessary (one to create the client and thus the default mappers and a separate one to import them)

Solution via an additional Protocol Mapper

The solution we are currently employing is to add an additional protocol mapper configured with a higher priority, which ensures that it is executed last. Using this protocol mapper, we transform the access tokens and remove the unnecessary claims added to the tokens.

Of course, this is not a clean solution and we don't recommend using it.

Version

4.3.1

Expected behavior

It should be easily possible to configure what protocol mappers are enabled for your clients. Furthermore, you should be able to re-configure all of their attributes. This should be possible without manual steps, such as importing them into the state.

Actual behavior

No response

How to Reproduce?

Create a Keycloak client with client-credentials flow enabled:

# Realm added so the snippet is self-contained; the original referenced
# keycloak_realm.example_realm without defining it.
resource "keycloak_realm" "example_realm" {
  realm = "example"
}

resource "keycloak_openid_client" "example-client" {
  realm_id  = keycloak_realm.example_realm.id
  client_id = "example-m2m-client"

  access_type              = "CONFIDENTIAL"
  # Enabling service accounts (client-credentials flow) is what makes Keycloak
  # add the default "Client ID" / "Client Host" / "Client IP Address" mappers.
  service_accounts_enabled = true
  standard_flow_enabled    = false
}

Some protocol mappers are added to it automatically. They are also configured to include their claims in the token.
Managing those mappers via Terraform is not possible without manually importing them into the state.

Anything else?

No response
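The import-based workaround described in the issue can at least be scripted instead of done by hand. The following is an added example, not code from the issue author or from the terraform-provider-keycloak project: given the client representation that the Keycloak admin API returns (the sample below is constructed, with placeholder UUIDs), it derives a Terraform resource address, the import ID and a matching keycloak_generic_protocol_mapper block for each default mapper, optionally flipping access.token.claim to "false" so the next apply stops the claim from reaching the access token. The import ID format {{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}} is assumed from the provider documentation for client-level mappers; verify it against the docs for your provider version before relying on it.

```python
import re

# Constructed sample (not captured from a real server): the shape of the
# "protocolMappers" field returned by GET /admin/realms/{realm}/clients/{uuid}
# after Keycloak adds its service-account defaults. All IDs are placeholders.
SAMPLE_REALM = "example"
SAMPLE_CLIENT = {
    "id": "0f1e2d3c-4b5a-4968-8776-655443322110",
    "clientId": "example-m2m-client",
    "protocolMappers": [
        {
            "id": "11111111-1111-4111-8111-111111111111",
            "name": "Client ID",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-usersessionmodel-note-mapper",
            "config": {"user.session.note": "client_id", "claim.name": "client_id",
                       "jsonType.label": "String", "id.token.claim": "true",
                       "access.token.claim": "true"},
        },
        {
            "id": "22222222-2222-4222-8222-222222222222",
            "name": "Client Host",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-usersessionmodel-note-mapper",
            "config": {"user.session.note": "clientHost", "claim.name": "clientHost",
                       "jsonType.label": "String", "id.token.claim": "true",
                       "access.token.claim": "true"},
        },
        {
            "id": "33333333-3333-4333-8333-333333333333",
            "name": "Client IP Address",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-usersessionmodel-note-mapper",
            "config": {"user.session.note": "clientAddress", "claim.name": "clientAddress",
                       "jsonType.label": "String", "id.token.claim": "true",
                       "access.token.claim": "true"},
        },
    ],
}


def tf_label(name: str) -> str:
    """Turn a Keycloak mapper name into a valid Terraform resource label."""
    label = re.sub(r"[^a-z0-9_]+", "_", name.lower()).strip("_")
    return label if label and not label[0].isdigit() else f"m_{label}"


def import_id(realm_id: str, client_uuid: str, mapper_id: str) -> str:
    # Assumed import ID format for a client-level (dedicated-scope) mapper:
    # {{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}
    return f"{realm_id}/client/{client_uuid}/{mapper_id}"


def plan_imports(realm_id: str, client: dict, disable_in_access_token=()) -> list:
    """One entry per default mapper: resource address, import ID, and the
    config the resource should declare after import (the mappers named in
    disable_in_access_token get access.token.claim = "false")."""
    plan = []
    for m in client.get("protocolMappers", []):
        config = dict(m.get("config", {}))
        if m["name"] in disable_in_access_token:
            config["access.token.claim"] = "false"
        plan.append({
            "address": f"keycloak_generic_protocol_mapper.{tf_label(m['name'])}",
            "import_id": import_id(realm_id, client["id"], m["id"]),
            "name": m["name"],
            "protocol": m["protocol"],
            "protocol_mapper": m["protocolMapper"],
            "config": config,
        })
    return plan


def render_hcl(entry: dict, realm_ref: str, client_ref: str) -> str:
    """HCL for the resource that will own the imported mapper; realm_ref and
    client_ref are HCL expressions, e.g. keycloak_realm.example_realm.id."""
    label = entry["address"].split(".", 1)[1]
    lines = [
        f'resource "keycloak_generic_protocol_mapper" "{label}" {{',
        f"  realm_id        = {realm_ref}",
        f"  client_id       = {client_ref}",
        f'  name            = "{entry["name"]}"',
        f'  protocol        = "{entry["protocol"]}"',
        f'  protocol_mapper = "{entry["protocol_mapper"]}"',
        "  config = {",
    ]
    for key in sorted(entry["config"]):
        lines.append(f'    "{key}" = "{entry["config"][key]}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


def render_import_commands(plan: list) -> list:
    """terraform import invocations, one per mapper, to run after the first apply."""
    return [f"terraform import '{e['address']}' '{e['import_id']}'" for e in plan]


if __name__ == "__main__":
    plan = plan_imports(SAMPLE_REALM, SAMPLE_CLIENT,
                        disable_in_access_token=("Client Host", "Client IP Address"))
    print("\n".join(render_import_commands(plan)))
    for entry in plan:
        print(render_hcl(entry, "keycloak_realm.example_realm.id",
                         "keycloak_openid_client.example-client.id"))
```

The generated HCL must be in the configuration before the import runs, otherwise terraform import has no resource to bind to; after the import, a plan should show only the access.token.claim change for the mappers you chose to silence, which is a useful sanity check that the import ID format matched the real objects.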
