Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x
- Puppet >= 6.0.0 < 8.0.0
- , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'treydock-keycloak', '7.14.0'Learn more about managing modules with a PuppetfileDocumentation
puppet-module-keycloak
Table of Contents
- Overview
- Usage - Configuration options
- Keycloak
- Deploy SPI
- keycloak_realm
- keycloak_role_mapping
- keycloak_ldap_user_provider
- keycloak_ldap_mapper
- keycloak_sssd_user_provider
- keycloak_client
- keycloak::client_scope::oidc
- keycloak::client_scope::saml
- keycloak_client_scope
- keycloak_protocol_mapper
- keycloak_client_protocol_mapper
- keycloak_identity_provider
- Keycloak Flows
- keycloak_api
- keycloak_required_action
- Reference - Parameter and detailed reference to all options
- Limitations - OS compatibility, etc.
Overview
The keycloak module allows easy installation and management of Keycloak.
Supported Versions of Keycloak
Currently this module supports Keycloak version 12.x. This module may work on earlier versions but this is the only version tested.
| Keycloak Version | Keycloak Puppet module versions |
|---|---|
| 3.x | 2.x |
| 4.x - 6.x | 3.x |
| 6.x - 8.x | 4.x - 5.x |
| 8.x - 12.x | 6.x |
| 12.x - 15.x | 7.x |
Usage
keycloak
Install Keycloak using default h2 database storage.
class { 'keycloak': }
Install a specific version of Keycloak.
class { 'keycloak':
version => '6.0.1',
datasource_driver => 'mysql',
}
Upgrading Keycloak version works by changing version parameter as long as the datasource_driver is not the default of h2. An upgrade involves installing the new version without touching the old version, updating the symlink which defaults to /opt/keycloak, applying all changes to new version and then restarting the keycloak service.
If the previous version was 6.0.1 using the following will upgrade to 7.0.0:
class { 'keycloak':
version => '7.0.0',
datasource_driver => 'mysql',
}
Install keycloak and use a local MySQL server for database storage
include mysql::server
class { 'keycloak':
datasource_driver => 'mysql',
datasource_host => 'localhost',
datasource_port => 3306,
datasource_dbname => 'keycloak',
datasource_username => 'keycloak',
datasource_password => 'foobar',
}
The following example can be used to configure keycloak with a local PostgreSQL server.
include postgresql::server
class { 'keycloak':
datasource_driver => 'postgresql',
datasource_host => 'localhost',
datasource_port => 5432,
datasource_dbname => 'keycloak',
datasource_username => 'keycloak',
datasource_password => 'foobar',
}
Configure keycloak to use a remote Oracle database.
The parameter datasource_jar_source is always required with Oracle database.
The jar is downloaded to the keycloak module dir and renamed to datasource_jar_filename or 'ojdbc8.jar' as default value.
With a special database configuration it may be more suitable to give the complete database url 'jdbc:oracle:thin:@[...]' using the parameter database_url instead of database_host, database_port and database_dbname.
The default value with Oracle database for database_host is 'localhost' and the default value for database_port is here 1521.
class { 'keycloak':
datasource_driver => 'oracle',
datasource_host => 'oracleserver.mydomain.de',
datasource_port => 1521,
datasource_dbname => 'keycloak',
datasource_username => 'keycloak',
datasource_password => 'foobar',
datasource_jar_source => 'https://oracle.com/path/to/driver.jar',
datasource_jar_filename => 'ojdbc8.jar',
}
Configure a SSL certificate truststore and add a LDAP server's certificate to the truststore.
class { 'keycloak':
truststore => true,
truststore_password => 'supersecret',
truststore_hostname_verification_policy => 'STRICT',
}
keycloak::truststore::host { 'ldap1.example.com':
certificate => '/etc/openldap/certs/0a00000.0',
}
Setup Keycloak to proxy through Apache HTTPS.
class { 'keycloak':
proxy_https => true
}
apache::vhost { 'idp.example.com':
servername => 'idp.example.com',
port => '443',
ssl => true,
manage_docroot => false,
docroot => '/var/www/html',
proxy_preserve_host => true,
proxy_pass => [
{'path' => '/', 'url' => 'http://localhost:8080/'}
],
request_headers => [
'set X-Forwarded-Proto "https"',
'set X-Forwarded-Port "443"'
],
ssl_cert => '/etc/pki/tls/certs/idp.example.com/crt',
ssl_key => '/etc/pki/tls/private/idp.example.com.key',
}
Setup a domain master. (This needs a shared database, here '1.2.3.4').
class { '::keycloak':
operating_mode => 'domain',
role => 'master',
wildfly_user => 'wildfly,
wildfly_user_password => 'changeme,
manage_datasource => false,
datasource_driver => 'postgresql',
datasource_host => '1.2.3.4,
datasource_dbname => 'keycloak,
datasource_username => 'keycloak,
datasource_password => 'changeme,
admin_user => 'admin,
admin_user_password => 'changeme,
}
Setup a domain slave. (This needs a shared database, here '1.2.3.4').
class { '::keycloak':
operating_mode => 'domain',
role => 'slave',
wildfly_user => 'wildfly,
wildfly_user_password => 'changeme,
manage_datasource => false,
datasource_driver => 'postgresql',
datasource_host => '1.2.3.4,
datasource_dbname => 'keycloak,
datasource_username => 'keycloak,
datasource_password => 'changeme,
admin_user => 'admin,
admin_user_password => 'changeme,
}
NOTE: The wilfdly user and password need to match those in domain master. These are required for authentication in a cluster.
Setup a host for theme development so that theme changes don't require a service restart, not recommended for production.
class { 'keycloak':
theme_static_max_age => -1,
theme_cache_themes => false,
theme_cache_templates => false,
}
Run Keycloak using standalone clustered mode (multicast):
class { 'keycloak':
operating_mode => 'clustered',
}
Run Keycloak using standalone clustered mode (JDBC_PING):
JDBC_PING uses port 7600 to ensure cluster members are discoverable by each other. This module does NOT manage firewall changes.
class { 'keycloak':
operating_mode => 'clustered',
datasource_driver => 'postgresql',
enable_jdbc_ping => true,
jboss_bind_private_address => $facts['networking']['ip'],
jboss_bind_public_address => $facts['networking']['ip'],
}
# your puppet code to open port 7600
# ...
# ...
Deploy SPI
A simple example of deploying a custom SPI from a URL:
keycloak::spi_deployment { 'duo-spi':
ensure => 'present',
deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar',
source => 'https://example.com/files/keycloak-duo-spi-jar-with-dependencies.jar',
}
The source can be a URL or a file path like /tmp/foo.jar or prefixed with file:// or puppet://
The following example will deploy a custom SPI then check the Keycloak API for the resource to exist. This is useful to ensure SPI is loaded into Keycloak before attempting to add custom resources.
keycloak::spi_deployment { 'duo-spi':
deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar',
source => 'https://example.com/files/keycloak-duo-spi-jar-with-dependencies.jar',
test_url => 'authentication/authenticator-providers',
test_key => 'id',
test_value => 'duo-mfa-authenticator',
test_realm => 'test',
test_before => [
'Keycloak_flow[form-browser-with-duo]',
'Keycloak_flow_execution[duo-mfa-authenticator under form-browser-with-duo on test]',
],
}
keycloak_realm
Define a Keycloak realm that uses username and not email for login and to use a local branded theme.
keycloak_realm { 'test':
ensure => 'present',
remember_me => true,
login_with_email_allowed => false,
login_theme => 'my_theme',
}
NOTE: If the flow properties such as browser_flow are changed from their defaults then this value will not be set when a realm is first created. The value will also not be updated if the flow does not exist. For new realms you will have to run Puppet twice in order to create the flows then update the realm setting.
keycloak_role_mapping
Manage realm role mappings for users and groups. Example:
keycloak_role_mapping { 'roles for john on master':
realm => 'master',
name => 'john',
realm_roles => ['role1', 'role2'],
}
keycloak_role_mapping { 'roles for mygroup on master':
realm => 'master',
name => 'mygroup',
group => true,
realm_roles => ['role1'],
}
keycloak_ldap_user_provider
Define a LDAP user provider so that authentication can be performed against LDAP. The example below uses two LDAP servers, disables importing of users and assumes the SSL certificates are trusted and do not require being in the truststore.
keycloak_ldap_user_provider { 'LDAP on test':
ensure => 'present',
users_dn => 'ou=People,dc=example,dc=com',
connection_url => 'ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636',
import_enabled => false,
use_truststore_spi => 'never',
}
NOTE The Id for the above resource would be LDAP-test where the format is ${resource_name}-${realm}.
If you're using FreeIPA you can use a defined resource that wraps keycloak_ldap_user_provider:
keycloak::freeipa_user_provider { 'ipa.example.org':
ensure => 'present',
realm => 'EXAMPLE.ORG',
bind_dn => 'uid=ldapproxy,cn=sysaccounts,cn=etc,dc=example,dc=org',
bind_credential => 'secret',
users_dn => 'cn=users,cn=accounts,dc=example,dc=org',
priority => 10,
}
keycloak_ldap_mapper
Use the LDAP attribute 'gecos' as the full name attribute.
keycloak_ldap_mapper { 'full name for LDAP-test on test:
ensure => 'present',
resource_name => 'full name',
type => 'full-name-ldap-mapper',
ldap_attribute => 'gecos',
}
If you're using FreeIPA you can use a defined resource that adds all the required attribute mappings automatically:
keycloak::freeipa_ldap_mappers { 'ipa.example.org':
realm => 'EXAMPLE.ORG',
groups_dn => 'cn=groups,cn=accounts,dc=example,dc=org',
roles_dn => 'cn=groups,cn=accounts,dc=example,dc=org'
}
keycloak_sssd_user_provider
Define SSSD user provider. NOTE This type requires that SSSD be properly configured and Keycloak service restarted after SSSD ifp service is setup. Also requires keycloak class be called with with_sssd_support set to true.
keycloak_sssd_user_provider { 'SSSD on test':
ensure => 'present',
}
keycloak_client
Register a client.
keycloak_client { 'www.example.com':
ensure => 'present',
realm => 'test',
redirect_uris => [
"https://www.example.com/oidc",
"https://www.example.com",
],
client_template => 'oidc-clients',
secret => 'supersecret',
}
keycloak::client_scope::oidc
Defined type that can be used to define both keycloak_client_scope and keycloak_protocol_mapper resources for OpenID Connect.
keycloak::client_scope::oidc { 'oidc-clients':
realm => 'test',
}
keycloak::client_scope::saml
Defined type that can be used to define both keycloak_client_scope and keycloak_protocol_mapper resources for SAML.
keycloak::client_scope::saml { 'saml-clients':
realm => 'test',
}
keycloak_client_scope
Define a Client Scope of email for realm test in Keycloak:
keycloak_client_scope { 'email on test':
protocol => 'openid-connect',
}
keycloak_protocol_mapper
Associate a Protocol Mapper to a given Client Scope. The name in the following example will add the email protocol mapper to client scope oidc-email in the realm test.
keycloak_protocol_mapper { "email for oidc-email on test":
claim_name => 'email',
user_attribute => 'email',
}
keycloak_client_protocol_mapper
Add email protocol mapper to test.example.com client in realm test
keycloak_client_protocol_mapper { "email for test.example.com on test":
claim_name => 'email',
user_attribute => 'email',
}
keycloak_identity_provider
Add cilogon identity provider to test realm
keycloak_identity_provider { 'cilogon on test':
ensure => 'present',
display_name => 'CILogon',
provider_id => 'oidc',
first_broker_login_flow_alias => 'browser',
client_id => 'cilogon:/client_id/foobar',
client_secret => 'supersecret',
user_info_url => 'https://cilogon.org/oauth2/userinfo',
token_url => 'https://cilogon.org/oauth2/token',
authorization_url => 'https://cilogon.org/authorize',
}
Keycloak Flows
The following is an example of deploying a custom Flow.
The name for the top level flow is $alias on $realm
The name for an execution is $provider under $flow on $realm.
The name for the flow under a top level flow is $alias under $flow_alias on $realm.
keycloak_flow { 'browser-with-duo on test':
ensure => 'present',
}
keycloak_flow_execution { 'auth-cookie under browser-with-duo on test':
ensure => 'present',
configurable => false,
display_name => 'Cookie',
index => 0,
requirement => 'ALTERNATIVE',
}
keycloak_flow_execution { 'identity-provider-redirector under browser-with-duo on test':
ensure => 'present',
configurable => true,
display_name => 'Identity Provider Redirector',
index => 1,
requirement => 'ALTERNATIVE',
}
keycloak_flow { 'form-browser-with-duo under browser-with-duo on test':
ensure => 'present',
index => 2,
requirement => 'ALTERNATIVE',
top_level => false,
}
keycloak_flow_execution { 'auth-username-password-form under form-browser-with-duo on test':
ensure => 'present',
configurable => false,
display_name => 'Username Password Form',
index => 0,
requirement => 'REQUIRED',
}
keycloak_flow_execution { 'duo-mfa-authenticator under form-browser-with-duo on test':
ensure => 'present',
configurable => true,
display_name => 'Duo MFA',
alias => 'Duo',
config => {
"duomfa.akey" => "foo-akey",
"duomfa.apihost" => "api-foo.duosecurity.com",
"duomfa.skey" => "secret",
"duomfa.ikey" => "foo-ikey",
"duomfa.groups" => "duo"
},
requirement => 'REQUIRED',
index => 1,
}
keycloak_api
The keycloak_api type can be used to define how this module's types access the Keycloak API if this module is only used for the types/providers and the module's kcadm-wrapper.sh is not installed.
keycloak_api { 'keycloak'
install_dir => '/opt/keycloak',
server => 'http://localhost:8080/auth',
realm => 'master',
user => 'admin',
password => 'changeme',
}
The path for install_dir will be joined with bin/kcadm.sh to produce the full path to kcadm.sh.
keycloak_required_action
The keycloak_required_action type can be used to define actions a user must perform during the authentication process. A user will not be able to complete the authentication process until these actions are complete. For instance, change a one-time password, accept T&C, etc.
The name for an action is $alias on $realm.
Important: actions from puppet config and from a server are matched based on a combination of alias and realm, so edition of aliases is not supported.
# Minimal example
keycloak_required_action { 'VERIFY_EMAIL on master':
ensure => present,
provider_id => 'webauthn-register',
}
# Full example
keycloak_required_action { 'webauthn-register on master':
ensure => present,
provider_id => 'webauthn-register',
display_name => 'Webauthn Register',
default => true,
enabled => true,
priority => 1,
config => {
'something' => 'true', # keep in mind that keycloak only supports strings for both keys and values
'smth else' => '1',
},
}
Reference
http://treydock.github.io/puppet-module-keycloak/
Limitations
This module has been tested on:
- RedHat/CentOS 7 x86_64
- RedHat/CentOS 8 x86_64
- Debian 9 x86_64
- Debian 10 x86_64
- Ubuntu 18.04 x86_64
- Ubuntu 20.04 x86_64
Reference
Table of Contents
Classes
Public Classes
keycloak: Manage Keycloakkeycloak::config: Private class.keycloak::datasource::h2: Private class.keycloak::install: Private class.keycloak::service: Private class.keycloak::sssd: Private class.
Private Classes
keycloak::datasource::mysql: Manage MySQL datasourcekeycloak::datasource::oracle: Manage Oracle datasourcekeycloak::datasource::postgresql: Manage postgresql datasourcekeycloak::resources: Define Keycloak resources
Defined types
keycloak::client_scope::oidc: Manage Keycloak OpenID Connect client scope using built-in mapperskeycloak::client_scope::saml: Manage Keycloak SAML client scope using built-in mapperskeycloak::freeipa_ldap_mappers: setup FreeIPA LDAP mappers for Keycloakkeycloak::freeipa_user_provider: setup IPA as an LDAP user provider for Keycloakkeycloak::spi_deployment: Manage Keycloak SPI deploymentkeycloak::truststore::host: Add host to Keycloak truststore
Resource types
keycloak_api: Type that configures API connection parameters for other keycloak types that use the Keycloak API.keycloak_client: Manage Keycloak clientskeycloak_client_protocol_mapper: Manage Keycloak protocol mapperskeycloak_client_scope: Manage Keycloak client scopeskeycloak_conn_validator: Verify that a connection can be successfully established between a node and the keycloak server. Its primary use is as a precondition to prekeycloak_flow: Manage a Keycloak flow Autorequireskeycloak_realmdefined forrealmparameterkeycloak_flowofflow_aliasif `top_level=falskeycloak_flow_execution: Manage a Keycloak flow Autorequireskeycloak_realmdefined forrealmparameterkeycloak_flowof value defined forflow_aliaskeycloak_identity_provider: Manage Keycloak identity providerskeycloak_ldap_mapper: Manage Keycloak LDAP attribute mapperskeycloak_ldap_user_provider: Manage Keycloak LDAP user providerskeycloak_protocol_mapper: Manage Keycloak client scope protocol mapperskeycloak_realm: Manage Keycloak realmskeycloak_required_action: Manage Keycloak required actionskeycloak_resource_validator: Verify that a specific Keycloak resource is availablekeycloak_role_mapping: Attach realm roles to users and groupskeycloak_sssd_user_provider: Manage Keycloak SSSD user providers
Classes
keycloak
Manage Keycloak
Examples
include ::keycloak
Parameters
The following parameters are available in the keycloak class:
manage_installversionpackage_urlinstall_dirservice_nameservice_ensureservice_enableservice_hasstatusservice_hasrestartservice_bind_addressmanagement_bind_addressjava_optsjava_opts_appendservice_extra_optsmanage_useruseruser_shellgroupuser_uidgroup_gidsystem_useradmin_useradmin_user_passwordwildfly_userwildfly_user_passwordmanage_datasourcedatasource_driverdatasource_hostdatasource_portdatasource_urldatasource_dbnamedatasource_usernamedatasource_passworddatasource_packagedatasource_jar_sourcedatasource_jar_filenamedatasource_module_sourcedatasource_xa_classmysql_database_charsetproxy_httpstruststoretruststore_hoststruststore_passwordtruststore_hostname_verification_policyhttp_porttheme_static_max_agetheme_cache_themestheme_cache_templatesrealmsrealms_mergeoidc_client_scopesoidc_client_scopes_mergesaml_client_scopessaml_client_scopes_mergeidentity_providersidentity_providers_mergeclient_protocol_mappersclient_scopesclient_scopes_mergeprotocol_mappersprotocol_mappers_mergeclientsclients_mergeflowsflows_mergeflow_executionsflow_executions_mergerequired_actionsrequired_actions_mergeldap_mappersldap_mappers_mergeldap_user_providersldap_user_providers_mergewith_sssd_supportlibunix_dbus_java_sourceinstall_libunix_dbus_java_build_dependencieslibunix_dbus_java_build_dependencieslibunix_dbus_java_libdirjna_package_namemanage_sssd_configsssd_ifp_user_attributesrestart_sssdservice_environment_fileoperating_modeenable_jdbc_pingjboss_bind_public_addressjboss_bind_private_addressroleuser_cachetech_preview_featuresauto_deploy_explodedauto_deploy_zippedspi_deploymentscustom_config_contentcustom_config_sourcemaster_addressserver_namesyslogsyslog_app_namesyslog_facilitysyslog_hostnamesyslog_levelsyslog_portsyslog_server_addresssyslog_format
manage_install
Data type: Boolean
Install Keycloak from upstream Keycloak tarball. Set to false to manage installation of Keycloak outside this module and set $install_dir to match. Defaults to true.
Default value: true
version
Data type: String
Version of Keycloak to install and manage.
Default value: '12.0.4'
package_url
Data type: Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]]
URL of the Keycloak download. Default is based on version.
Default value: undef
install_dir
Data type: Optional[Stdlib::Absolutepath]
The directory of where to install Keycloak.
Default is /opt/keycloak-${version}.
Default value: undef
service_name
Data type: String
Keycloak service name.
Default is keycloak.
Default value: 'keycloak'
service_ensure
Data type: String
Keycloak service ensure property.
Default is running.
Default value: 'running'
service_enable
Data type: Boolean
Keycloak service enable property.
Default is true.
Default value: true
service_hasstatus
Data type: Boolean
Keycloak service hasstatus parameter.
Default is true.
Default value: true
service_hasrestart
Data type: Boolean
Keycloak service hasrestart parameter.
Default is true.
Default value: true
service_bind_address
Data type: Stdlib::IP::Address
Bind address for Keycloak service. Default is '0.0.0.0'.
Default value: '0.0.0.0'
management_bind_address
Data type: Stdlib::IP::Address
Bind address for Keycloak management. Default is '0.0.0.0'.
Default value: '0.0.0.0'
java_opts
Data type: Optional[Variant[String, Array]]
Sets additional options to Java virtual machine environment variable.
Default value: undef
java_opts_append
Data type: Boolean
Determine if $JAVA_OPTS should be appended to when setting java_opts parameter
Default value: true
service_extra_opts
Data type: Optional[String]
Additional options added to the end of the service command-line.
Default value: undef
manage_user
Data type: Boolean
Defines if the module should manage the Linux user for Keycloak installation
Default value: true
user
Data type: String
Keycloak user name.
Default is keycloak.
Default value: 'keycloak'
user_shell
Data type: Stdlib::Absolutepath
Keycloak user shell.
Default value: '/sbin/nologin'
group
Data type: String
Keycloak user group name.
Default is keycloak.
Default value: 'keycloak'
user_uid
Data type: Optional[Integer]
Keycloak user UID.
Default is undef.
Default value: undef
group_gid
Data type: Optional[Integer]
Keycloak user group GID.
Default is undef.
Default value: undef
system_user
Data type: Boolean
If keycloak user should be a system user with lower uid and gid.
Default is true
Default value: true
admin_user
Data type: String
Keycloak administrative username.
Default is admin.
Default value: 'admin'
admin_user_password
Data type: String
Keycloak administrative user password.
Default is changeme.
Default value: 'changeme'
wildfly_user
Data type: Optional[String]
Wildfly user. Required for domain mode.
Default value: undef
wildfly_user_password
Data type: Optional[String]
Wildfly user password. Required for domain mode.
Default value: undef
manage_datasource
Data type: Boolean
Boolean that determines if configured datasource will be managed.
Default is true.
Default value: true
datasource_driver
Data type: Enum['h2', 'mysql', 'oracle', 'postgresql']
Datasource driver to use for Keycloak.
Valid values are h2, mysql, 'oracle' and 'postgresql'
Default is h2.
Default value: 'h2'
datasource_host
Data type: Optional[String]
Datasource host.
Only used when datasource_driver is mysql, 'oracle' or 'postgresql'
Default is localhost for MySQL.
Default value: undef
datasource_port
Data type: Optional[Integer]
Datasource port.
Only used when datasource_driver is mysql, 'oracle' or 'postgresql'
Default is 3306 for MySQL.
Default value: undef
datasource_url
Data type: Optional[String]
Datasource url. Default datasource URLs are defined in init class.
Default value: undef
datasource_dbname
Data type: String
Datasource database name.
Default is keycloak.
Default value: 'keycloak'
datasource_username
Data type: String
Datasource user name.
Default is sa.
Default value: 'sa'
datasource_password
Data type: String
Datasource user password.
Default is sa.
Default value: 'sa'
datasource_package
Data type: Optional[String]
Package to add specified datasource support
Default value: undef
datasource_jar_source
Data type: Optional[String]
Source for datasource JDBC driver - could be puppet link or local file on the node.
Default is dependent on value for datasource_driver.
This parameter is required if datasource_driver is oracle.
Default value: undef
datasource_jar_filename
Data type: Optional[String]
Specify the filename of the destination datasource jar in the module dir of keycloak.
This parameter is only working at the moment if datasource_driver is oracle.
Default value: undef
datasource_module_source
Data type: Optional[String]
Source for datasource module.xml. Default depends on datasource_driver.
Default value: undef
datasource_xa_class
Data type: Optional[String]
MySQL Connector/J JDBC driver xa-datasource class name
Default value: undef
mysql_database_charset
Data type: String
MySQL database charset
Default value: 'utf8'
proxy_https
Data type: Boolean
Boolean that sets if HTTPS proxy should be enabled.
Set to true if proxying traffic through Apache.
Default is false.
Default value: false
truststore
Data type: Boolean
Boolean that sets if truststore should be used.
Default is false.
Default value: false
truststore_hosts
Data type: Hash
Hash that is used to define keycloak::turststore::host resources.
Default is {}.
Default value: {}
truststore_password
Data type: String
Truststore password.
Default is keycloak.
Default value: 'keycloak'
truststore_hostname_verification_policy
Data type: Enum['WILDCARD', 'STRICT', 'ANY']
Valid values are WILDCARD, STRICT, and ANY.
Default is WILDCARD.
Default value: 'WILDCARD'
http_port
Data type: Integer
HTTP port used by Keycloak.
Default is 8080.
Default value: 8080
theme_static_max_age
Data type: Integer
Max cache age in seconds of static content.
Default is 2592000.
Default value: 2592000
theme_cache_themes
Data type: Boolean
Boolean that sets if themes should be cached.
Default is true.
Default value: true
theme_cache_templates
Data type: Boolean
Boolean that sets if templates should be cached.
Default is true.
Default value: true
realms
Data type: Hash
Hash that is used to define keycloak_realm resources.
Default is {}.
Default value: {}
realms_merge
Data type: Boolean
Boolean that sets if realms should be merged from Hiera.
Default value: false
oidc_client_scopes
Data type: Hash
Hash that is used to define keycloak::client_scope::oidc resources.
Default is {}.
Default value: {}
oidc_client_scopes_merge
Data type: Boolean
Boolean that sets if oidc_client_scopes should be merged from Hiera.
Default value: false
saml_client_scopes
Data type: Hash
Hash that is used to define keycloak::client_scope::saml resources.
Default is {}.
Default value: {}
saml_client_scopes_merge
Data type: Boolean
Boolean that sets if saml_client_scopes should be merged from Hiera.
Default value: false
identity_providers
Data type: Hash
Hash that is used to define keycloak_identity_provider resources.
Default value: {}
identity_providers_merge
Data type: Boolean
Boolean that sets if identity_providers should be merged from Hiera.
Default value: false
client_protocol_mappers
Data type: Hash
Hash that is used to define keycloak_client_protocol_mapper resources.
Default value: {}
client_scopes
Data type: Hash
Hash that is used to define keycloak_client_scope resources.
Default value: {}
client_scopes_merge
Data type: Boolean
Boolean that sets if client_scopes should be merged from Hiera.
Default value: false
protocol_mappers
Data type: Hash
Hash that is used to define keycloak_protocol_mapper resources.
Default value: {}
protocol_mappers_merge
Data type: Boolean
Boolean that sets if protocol_mappers should be merged from Hiera.
Default value: false
clients
Data type: Hash
Hash that is used to define keycloak_client resources.
Default value: {}
clients_merge
Data type: Boolean
Boolean that sets if clients should be merged from Hiera.
Default value: false
flows
Data type: Hash
Hash taht is used to define keycloak_flow resources.
Default value: {}
flows_merge
Data type: Boolean
Boolean that sets if flows should be merged from Hiera.
Default value: false
flow_executions
Data type: Hash
Hash taht is used to define keycloak_flow resources.
Default value: {}
flow_executions_merge
Data type: Boolean
Boolean that sets if flows should be merged from Hiera.
Default value: false
required_actions
Data type: Hash
Hash that is used to define keycloak_required_action resources.
Default value: {}
required_actions_merge
Data type: Boolean
Boolean that sets if required_actions should be merged from Hiera.
Default value: false
ldap_mappers
Data type: Hash
Hash that is used to define keycloak_ldap_mapper resources.
Default value: {}
ldap_mappers_merge
Data type: Boolean
Boolean that sets if ldap_mappers should be merged from Hiera.
Default value: false
ldap_user_providers
Data type: Hash
Hash that is used to define keycloak_ldap_user_provider resources.
Default value: {}
ldap_user_providers_merge
Data type: Boolean
Boolean that sets if ldap_user_providers should be merged from Hiera.
Default value: false
with_sssd_support
Data type: Boolean
Boolean that determines if SSSD user provider support should be available
Default value: false
libunix_dbus_java_source
Data type: Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]
Source URL of libunix-dbus-java
Default value: 'https://github.com/keycloak/libunix-dbus-java/archive/libunix-dbus-java-0.8.0.tar.gz'
install_libunix_dbus_java_build_dependencies
Data type: Boolean
Boolean that determines of libunix-dbus-java build dependencies are managed by this module
Default value: true
libunix_dbus_java_build_dependencies
Data type: Array
Packages needed to build libunix-dbus-java
Default value: []
libunix_dbus_java_libdir
Data type: Stdlib::Absolutepath
Path to directory to install libunix-dbus-java libraries
Default value: '/usr/lib64'
jna_package_name
Data type: String
Package name for jna
Default value: 'jna'
manage_sssd_config
Data type: Boolean
Boolean that determines if SSSD ifp config for Keycloak is managed
Default value: true
sssd_ifp_user_attributes
Data type: Array
user_attributes to define for SSSD ifp service
Default value: []
restart_sssd
Data type: Boolean
Boolean that determines if SSSD should be restarted
Default value: true
service_environment_file
Data type: Optional[Stdlib::Absolutepath]
Path to the file with environment variables for the systemd service
Default value: undef
operating_mode
Data type: Enum['standalone', 'clustered', 'domain']
Keycloak operating mode deployment
Default value: 'standalone'
enable_jdbc_ping
Data type: Boolean
Use JDBC_PING to discover the nodes and manage the replication of data
More info: http://jgroups.org/manual/#_jdbc_ping
Only applies when operating_mode is either clustered or domain
JDBC_PING uses port 7600 to ensure cluster members are discoverable by each other
This module does not manage firewall changes
Default value: false
jboss_bind_public_address
Data type: Stdlib::IP::Address
JBoss bind public IP address
Default value: $facts['networking']['ip']
jboss_bind_private_address
Data type: Stdlib::IP::Address
JBoss bind private IP address
Default value: $facts['networking']['ip']
role
Data type: Optional[Enum['master', 'slave']]
Role when operating mode is domain.
Default value: undef
user_cache
Data type: Boolean
Boolean that determines if userCache is enabled
Default value: true
tech_preview_features
Data type: Array
List of technology Preview features to enable
Default value: []
auto_deploy_exploded
Data type: Boolean
Set if exploded deployements will be auto deployed
Default value: false
auto_deploy_zipped
Data type: Boolean
Set if zipped deployments will be auto deployed
Default value: true
spi_deployments
Data type: Hash
Hash used to define keycloak::spi_deployment resources
Default value: {}
custom_config_content
Data type: Optional[String]
Custom configuration content to be added to config.cli
Default value: undef
custom_config_source
Data type: Optional[Variant[String, Array]]
Custom configuration source file to be added to config.cli
Default value: undef
master_address
Data type: Optional[Stdlib::Host]
IP address of the master in domain mode
Default value: undef
server_name
Data type: String
Server name in domain mode. Defaults to hostname.
Default value: $facts['hostname']
syslog
Data type: Boolean
Enable syslog. Default false.
Default value: false
syslog_app_name
Data type: String
Syslog app name. Default 'keycloak'.
Default value: 'keycloak'
syslog_facility
Data type: String
Syslog facility. Default 'user-level'. See https://docs.jboss.org/author/display/AS72/Logging%20Configuration.html
Default value: 'user-level'
syslog_hostname
Data type: Stdlib::Host
Syslog hostname of the server. Default $facts['fqdn'].
Default value: $facts['fqdn']
syslog_level
Data type: String
Syslog level. Default 'INFO'. See https://docs.jboss.org/author/display/AS72/Logging%20Configuration.html
Default value: 'INFO'
syslog_port
Data type: Stdlib::Port
The port the syslog server is listening on. Default '514'.
Default value: 514
syslog_server_address
Data type: Stdlib::Host
The address of the syslog server. Default 'localhost'.
Default value: 'localhost'
syslog_format
Data type: Enum['RFC3164', 'RFC5424']
Syslog format. Either 'RFC3164' or 'RFC5424' Default 'RFC3164'.
Default value: 'RFC3164'
keycloak::config
Private class.
keycloak::datasource::h2
Private class.
keycloak::install
Private class.
keycloak::service
Private class.
keycloak::sssd
Private class.
Defined types
keycloak::client_scope::oidc
Manage Keycloak OpenID Connect client scope using built-in mappers
Examples
keycloak::client_scope::oidc { 'oidc-clients':
realm => 'test',
}
Parameters
The following parameters are available in the keycloak::client_scope::oidc defined type:
realm
Data type: String
Realm of the client scope.
resource_name
Data type: String
Name of the client scope resource
Default value: $name
keycloak::client_scope::saml
Manage Keycloak SAML client scope using built-in mappers
Examples
keycloak::client_scope::saml { 'saml-clients':
realm => 'test',
}
Parameters
The following parameters are available in the keycloak::client_scope::saml defined type:
realm
Data type: String
Realm of the client scope.
resource_name
Data type: String
Name of the client scope resource
Default value: $name
keycloak::freeipa_ldap_mappers
setup FreeIPA LDAP mappers for Keycloak
Examples
keycloak::freeipa_ldap_mappers { 'ipa.example.org':
realm => 'EXAMPLE.ORG',
groups_dn => 'cn=groups,cn=accounts,dc=example,dc=org',
roles_dn => 'cn=groups,cn=accounts,dc=example,dc=org'
}
Parameters
The following parameters are available in the keycloak::freeipa_ldap_mappers defined type:
realm
Data type: String
Keycloak realm
groups_dn
Data type: String
Groups DN
roles_dn
Data type: String
Roles DN
parent_id
Data type: Optional[String]
Identifier (parentId) for the LDAP provider to add this mapper to. Will be passed to the $ldap parameter in keycloak_ldap_mapper.
Default value: undef
keycloak::freeipa_user_provider
setup IPA as an LDAP user provider for Keycloak
Examples
Add FreeIPA as a user provider
keycloak::freeipa_user_provider { 'ipa.example.org':
ensure => 'present',
realm => 'EXAMPLE.ORG',
bind_dn => 'uid=ldapproxy,cn=sysaccounts,cn=etc,dc=example,dc=org',
bind_credential => 'secret',
users_dn => 'cn=users,cn=accounts,dc=example,dc=org',
priority => 10,
}
Parameters
The following parameters are available in the keycloak::freeipa_user_provider defined type:
ensureidipa_hostrealmbind_dnbind_credentialusers_dnpriorityldapsfull_sync_periodchanged_sync_period
ensure
Data type: Enum['present', 'absent']
LDAP user provider status
Default value: 'present'
id
Data type: Optional[String]
ID to use for user provider
Default value: undef
ipa_host
Data type: Stdlib::Host
Hostname of the FreeIPA server (e.g. ipa.example.org)
Default value: $title
realm
Data type: String
Keycloak realm
bind_dn
Data type: String
LDAP bind dn
bind_credential
Data type: String
LDAP bind password
users_dn
Data type: String
The DN for user search
priority
Data type: Integer
Priority for this user provider
Default value: 10
ldaps
Data type: Boolean
Use LDAPS protocol instead of LDAP
Default value: false
full_sync_period
Data type: Optional[Integer]
Synchronize all users this often (fullSyncPeriod)
Default value: undef
changed_sync_period
Data type: Optional[Integer]
Synchronize changed users this often (changedSyncPeriod)
Default value: undef
keycloak::spi_deployment
}
Examples
Add Duo SPI
keycloak::spi_deployment { 'duo-spi':
ensure => 'present',
deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar',
source => 'file:///path/to/source/keycloak-duo-spi-jar-with-dependencies.jar',
}
Add Duo SPI and check API for existance of resources before going onto dependenct resources
keycloak::spi_deployment { 'duo-spi':
deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar',
source => 'file:///path/to/source/keycloak-duo-spi-jar-with-dependencies.jar',
test_url => 'authentication/authenticator-providers',
test_key => 'id',
test_value => 'duo-mfa-authenticator',
test_realm => 'test',
before => Keycloak_flow_execution['duo-mfa-authenticator under form-browser-with-duo on test'],
Parameters
The following parameters are available in the keycloak::spi_deployment defined type:
ensure
Data type: Enum['present', 'absent']
State of the deployment
Default value: 'present'
deployed_name
Data type: String[1]
Name of the file to be deployed. Defaults to $name.
Default value: $name
source
Data type: Variant[Stdlib::Filesource, Stdlib::HTTPSUrl]
Source of the deployment, supports 'file://', 'puppet://', 'https://' or 'http://'
test_url
Data type: Optional[String]
URL to test for existance of resources created by this SPI
Default value: undef
test_key
Data type: Optional[String]
Key of resource when testing for resource created by this SPI
Default value: undef
test_value
Data type: Optional[String]
Value of the test_key when testing for resources created by this SPI
Default value: undef
test_realm
Data type: Optional[String]
Realm to query when looking for resources created by this SPI
Default value: undef
test_before
Data type: Optional[Array]
Setup autorequires for validator dependent resources
Default value: undef
keycloak::truststore::host
Add host to Keycloak truststore
Examples
keycloak::truststore::host { 'ldap1.example.com':
certificate => '/etc/openldap/certs/0a00000.0',
}
Parameters
The following parameters are available in the keycloak::truststore::host defined type:
certificate
Data type: String
Path to host certificate
ensure
Data type: Enum['latest', 'present', 'absent']
Host ensure value passed to java_ks resource.
Default value: 'latest'
Resource types
keycloak_api
Type that configures API connection parameters for other keycloak types that use the Keycloak API.
Examples
Define API access
keycloak_api { 'keycloak'
install_dir => '/opt/keycloak',
server => 'http://localhost:8080/auth',
realm => 'master',
user => 'admin',
password => 'changeme',
}
Parameters
The following parameters are available in the keycloak_api type.
install_dir
Install location of Keycloak
Default value: /opt/keycloak
name
namevar
Keycloak API config
password
Password for authentication
Default value: changeme
realm
Realm for authentication
Default value: master
server
Auth URL for Keycloak server
Default value: http://localhost:8080/auth
use_wrapper
Valid values: true, false
Boolean that determines if kcadm_wrapper.sh should be used
Default value: false
user
User for authentication
Default value: admin
keycloak_client
Manage Keycloak clients
Examples
Add a OpenID Connect client
keycloak_client { 'www.example.com':
ensure => 'present',
realm => 'test',
redirect_uris => [
"https://www.example.com/oidc",
"https://www.example.com",
],
default_client_scopes => ['profile','email'],
secret => 'supersecret',
}
Properties
The following properties are available in the keycloak_client type.
access_token_lifespan
access.token.lifespan
authorization_services_enabled
Valid values: true, false
authorizationServicesEnabled
Default value: false
backchannel_logout_url
backchannel.logout.url
base_url
baseUrl
bearer_only
Valid values: true, false
bearerOnly
Default value: false
browser_flow
authenticationFlowBindingOverrides.browser (Use flow alias, not ID)
Default value: absent
client_authenticator_type
clientAuthenticatorType
Default value: client-secret
default_client_scopes
defaultClientScopes
Default value: []
direct_access_grants_enabled
Valid values: true, false
enabled
Default value: true
direct_grant_flow
authenticationFlowBindingOverrides.direct_grant (Use flow alias, not ID)
Default value: absent
enabled
Valid values: true, false
enabled
Default value: true
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
full_scope_allowed
Valid values: true, false
fullScopeAllowed
Default value: true
implicit_flow_enabled
Valid values: true, false
implicitFlowEnabled
Default value: false
login_theme
login_theme
Default value: absent
optional_client_scopes
optionalClientScopes
Default value: []
protocol
Valid values: openid-connect, saml
protocol
Default value: openid-connect
public_client
Valid values: true, false
enabled
Default value: false
redirect_uris
redirectUris
Default value: []
roles
roles
Default value: []
root_url
rootUrl
secret
secret
service_accounts_enabled
Valid values: true, false
serviceAccountsEnabled
Default value: false
standard_flow_enabled
Valid values: true, false
standardFlowEnabled
Default value: true
web_origins
webOrigins
Default value: []
Parameters
The following parameters are available in the keycloak_client type.
client_id
clientId. Defaults to name.
id
Id. Defaults to client_id
name
namevar
The client name
provider
The specific backend to use for this keycloak_client resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
realm
realm
keycloak_client_protocol_mapper
Manage Keycloak protocol mappers
Examples
Add email protocol mapper to test.example.com client in realm test
keycloak_client_protocol_mapper { "email for test.example.com on test":
claim_name => 'email',
user_attribute => 'email',
}
Properties
The following properties are available in the keycloak_client_protocol_mapper type.
access_token_claim
Valid values: true, false
access.token.claim. Default to true for protocol openid-connect.
attribute_name
attribute.name Default to resource_name for type saml-user-property-mapper.
attribute_nameformat
attribute.nameformat
claim_name
claim.name
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
friendly_name
friendly.name. Default to resource_name for type saml-user-property-mapper.
full_path
Valid values: true, false
full.path. Default to false for type oidc-group-membership-mapper.
id_token_claim
Valid values: true, false
id.token.claim. Default to true for protocol openid-connect.
included_client_audience
included.client.audience Required for type of oidc-audience-mapper
json_type_label
json.type.label. Default to String for type oidc-usermodel-property-mapper and oidc-group-membership-mapper.
protocol
Valid values: openid-connect, saml
protocol
Default value: openid-connect
script
Script, only valid for type of saml-javascript-mapper'
Array values will be joined with newlines. Strings will be kept unchanged.
single
Valid values: true, false
single. Default to false for type saml-role-list-mapper.
user_attribute
user.attribute. Default to resource_name for type oidc-usermodel-property-mapper or saml-user-property-mapper
userinfo_token_claim
Valid values: true, false
userinfo.token.claim. Default to true for protocol openid-connect except type of oidc-audience-mapper.
Parameters
The following parameters are available in the keycloak_client_protocol_mapper type.
client
client
id
Id.
name
namevar
The protocol mapper name
provider
The specific backend to use for this keycloak_client_protocol_mapper resource. You will seldom need to specify this
--- Puppet will usually discover the appropriate provider for your platform.
realm
realm
resource_name
The protocol mapper name. Defaults to name.
type
Valid values: oidc-usermodel-client-role-mapper, oidc-usermodel-property-mapper, oidc-full-name-mapper, oidc-group-membership-mapper, oidc-audience-mapper, saml-user-property-mapper, saml-role-list-mapper
protocolMapper.
Default is oidc-usermodel-property-mapper for protocol openid-connect and
saml-user-property-mapper for protocol saml.
keycloak_client_scope
Manage Keycloak client scopes
Examples
Define a OpenID Connect client scope in the test realm
keycloak_client_scope { 'email on test':
protocol => 'openid-connect',
}
Properties
The following properties are available in the keycloak_client_scope type.
consent_screen_text
consent.screen.text
display_on_consent_screen
Valid values: true, false
display.on.consent.screen
Default value: true
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
protocol
Valid values: openid-connect, saml
protocol
Default value: openid-connect
Parameters
The following parameters are available in the keycloak_client_scope type.
id
Id. Defaults to resource_name.
name
namevar
The client scope name
provider
The specific backend to use for this keycloak_client_scope resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
realm
realm
resource_name
The client scope name. Defaults to name.
keycloak_conn_validator
Verify that a connection can be successfully established between a node and the keycloak server. Its primary use is as a precondition to prevent configuration changes from being applied if the keycloak server cannot be reached, but it could potentially be used for other purposes such as monitoring.
Properties
The following properties are available in the keycloak_conn_validator type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
Parameters
The following parameters are available in the keycloak_conn_validator type.
keycloak_port
The port that the keycloak server should be listening on.
Default value: 8080
keycloak_server
The DNS name or IP address of the server where keycloak should be running.
Default value: localhost
name
namevar
An arbitrary name used as the identity of the resource.
provider
The specific backend to use for this keycloak_conn_validator resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
test_url
URL to use for testing if the Keycloak database is up
Default value: /auth/admin/serverinfo
timeout
The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running; defaults to 15 seconds.
Default value: 30
use_ssl
Whether the connection will be attemped using https
Default value: false
keycloak_flow
Manage a Keycloak flow Autorequires
keycloak_realmdefined forrealmparameterkeycloak_flowofflow_aliasiftop_level=falsekeycloak_flowofflow_aliasif otherindexis lower and iftop_level=falsekeycloak_flow_executionifflow_aliasis the same and otherindexis lower and iftop_level=false
Examples
Add custom flow
keycloak_flow { 'browser-with-duo':
ensure => 'present',
realm => 'test',
}
Add a flow execution to existing browser-with-duo flow
keycloak_flow { 'form-browser-with-duo under browser-with-duo on test':
ensure => 'present',
index => 2,
requirement => 'ALTERNATIVE',
top_level => false,
}
Properties
The following properties are available in the keycloak_flow type.
description
description
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
index
execution index, only applied to top_level=false, required for top_level=false
requirement
Valid values: DISABLED, ALTERNATIVE, REQUIRED, CONDITIONAL, disabled, alternative, required, conditional
requirement, only applied to top_level=false and defaults to DISABLED
Parameters
The following parameters are available in the keycloak_flow type.
alias
Alias. Default to name.
flow_alias
flowAlias, required for top_level=false
id
Id. Default to $alias-$realm when top_level is true. Only applies to top_level=true
name
namevar
The flow name
provider
The specific backend to use for this keycloak_flow resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
provider_id
Valid values: basic-flow, form-flow
providerId
Default value: basic-flow
realm
realm
top_level
Valid values: true, false
topLevel
Default value: true
type
sub-flow execution provider, default to registration-page-form for top_level=false and does not apply to
top_level=true
keycloak_flow_execution
Manage a Keycloak flow Autorequires
keycloak_realmdefined forrealmparameterkeycloak_flowof value defined forflow_aliaskeycloak_flowif they share sameflow_aliasvalue and the other resourceindexis lowerkeycloak_flow_executionifflow_aliasis the same and otherindexis lower
Examples
Add an execution to a flow
keycloak_flow_execution { 'auth-cookie under browser-with-duo on test':
ensure => 'present',
configurable => false,
display_name => 'Cookie',
index => 0,
requirement => 'ALTERNATIVE',
}
Add an execution to a execution flow that is one level deeper than top level
keycloak_flow_execution { 'auth-username-password-form under form-browser-with-duo on test':
ensure => 'present',
configurable => false,
display_name => 'Username Password Form',
index => 0,
requirement => 'REQUIRED',
}
Add an execution with a configuration
keycloak_flow_execution { 'duo-mfa-authenticator under form-browser-with-duo on test':
ensure => 'present',
configurable => true,
display_name => 'Duo MFA',
alias => 'Duo',
config => {
"duomfa.akey" => "foo-akey",
"duomfa.apihost" => "api-foo.duosecurity.com",
"duomfa.skey" => "secret",
"duomfa.ikey" => "foo-ikey",
"duomfa.groups" => "duo"
},
requirement => 'REQUIRED',
index => 1,
}
Properties
The following properties are available in the keycloak_flow_execution type.
config
execution config
configurable
Valid values: true, false
configurable
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
index
execution index
requirement
Valid values: DISABLED, ALTERNATIVE, REQUIRED, CONDITIONAL, disabled, alternative, required, conditional
requirement
Default value: DISABLED
Parameters
The following parameters are available in the keycloak_flow_execution type.
alias
alias
config_id
read-only config ID
display_name
displayName
flow_alias
flowAlias
id
read-only Id
name
namevar
The flow execution name
provider
The specific backend to use for this keycloak_flow_execution resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
provider_id
provider
realm
realm
keycloak_identity_provider
Manage Keycloak identity providers
Examples
Add CILogon identity provider to test realm
keycloak_identity_provider { 'cilogon on test':
ensure => 'present',
display_name => 'CILogon',
provider_id => 'oidc',
first_broker_login_flow_alias => 'browser',
client_id => 'cilogon:/client_id/foobar',
client_secret => 'supersecret',
user_info_url => 'https://cilogon.org/oauth2/userinfo',
token_url => 'https://cilogon.org/oauth2/token',
authorization_url => 'https://cilogon.org/authorize',
}
Properties
The following properties are available in the keycloak_identity_provider type.
add_read_token_role_on_create
Valid values: true, false
addReadTokenRoleOnCreate
Default value: false
allowed_clock_skew
allowedClockSkew
authenticate_by_default
Valid values: true, false
authenticateByDefault
Default value: false
authorization_url
authorizationUrl
backchannel_supported
Valid values: true, false
backchannelSupported
Default value: false
client_auth_method
Valid values: client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt
clientAuthMethod
Default value: client_secret_post
client_id
clientId
client_secret
clientSecret
default_scope
default_scope
disable_user_info
Valid values: true, false
disableUserInfo
Default value: false
display_name
displayName
enabled
Valid values: true, false
enabled
Default value: true
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
first_broker_login_flow_alias
firstBrokerLoginFlowAlias
Default value: first broker login
forward_parameters
forwardParameters
gui_order
guiOrder
hide_on_login_page
Valid values: true, false
hideOnLoginPage
Default value: false
issuer
issuer
jwks_url
jwksUrl
link_only
Valid values: true, false
linkOnly
Default value: false
login_hint
Valid values: true, false
loginHint
Default value: false
logout_url
logoutUrl
post_broker_login_flow_alias
postBrokerLoginFlowAlias
prompt
Valid values: none, consent, login, select_account
prompt
store_token
Valid values: true, false
storeToken
Default value: false
sync_mode
Valid values: IMPORT, LEGACY, FORCE
syncMode
Default value: IMPORT
token_url
tokenUrl
trust_email
Valid values: true, false
trustEmail
Default value: false
ui_locales
Valid values: true, false
uiLocales
Default value: false
update_profile_first_login_mode
Valid values: on, off
updateProfileFirstLoginMode
Default value: on
use_jwks_url
Valid values: true, false
useJwksUrl
Default value: true
user_info_url
userInfoUrl
validate_signature
Valid values: true, false
validateSignature
Default value: false
Parameters
The following parameters are available in the keycloak_identity_provider type.
alias
The identity provider name. Defaults to name.
internal_id
internalId. Defaults to "alias-realm"
name
namevar
The identity provider name
provider
The specific backend to use for this keycloak_identity_provider resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
provider_id
Valid values: oidc, keycloak-oidc
providerId
Default value: oidc
realm
realm
keycloak_ldap_mapper
Manage Keycloak LDAP attribute mappers
Examples
Add full name attribute mapping
keycloak_ldap_mapper { 'full name for LDAP-test on test:
ensure => 'present',
type => 'full-name-ldap-mapper',
ldap_attribute => 'gecos',
}
Properties
The following properties are available in the keycloak_ldap_mapper type.
always_read_value_from_ldap
Valid values: true, false
always.read.value.from.ldap. Defaults to true if type is user-attribute-ldap-mapper.
client_id
client.id, only for type of role-ldap-mapper
drop_non_existing_groups_during_sync
Valid values: true, false
drop.non.existing.groups.during.sync, only for type of group-ldap-mapper
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
group_name_ldap_attribute
group.name.ldap.attribute, only for type of group-ldap-mapper
group_object_classes
group.object.classes, only for type of group-ldap-mapper
groups_dn
groups.dn, only for type of group-ldap-mapper
groups_ldap_filter
groups.ldap.filter, only for type of group-ldap-mapper
ignore_missing_groups
Valid values: true, false
ignore.missing.groups, only for type of group-ldap-mapper
is_mandatory_in_ldap
is.mandatory.in.ldap. Defaults to false unless type is full-name-ldap-mapper.
ldap_attribute
ldap.attribute
mapped_group_attributes
mapped.group.attributes, only for type of group-ldap-mapper
memberof_ldap_attribute
memberof.ldap.attribute, only for type of group-ldap-mapper and role-ldap-mapper
membership_attribute_type
Valid values: DN, UID
membership.attribute.type, only for type of group-ldap-mapper and role-ldap-mapper
membership_ldap_attribute
membership.ldap.attribute, only for type of group-ldap-mapper and role-ldap-mapper
membership_user_ldap_attribute
membership.user.ldap.attribute, only for type of group-ldap-mapper and role-ldap-mapper
mode
Valid values: READ_ONLY, LDAP_ONLY
mode, only for type of group-ldap-mapper and role-ldap-mapper
preserve_group_inheritance
Valid values: true, false
preserve.group.inheritance, only for type of group-ldap-mapper
read_only
Valid values: true, false
read.only
role_name_ldap_attribute
role.name.ldap.attribute, only for type of role-ldap-mapper
role_object_classes
role.object.classes, only for type of role-ldap-mapper
roles_dn
roles.dn, only for type of role-ldap-mapper
roles_ldap_filter
roles.ldap.filter, only for type of role-ldap-mapper
use_realm_roles_mapping
Valid values: true, false
use.realm.roles.mapping, only for type of role-ldap-mapper
user_model_attribute
user.model.attribute
user_roles_retrieve_strategy
Valid values: LOAD_GROUPS_BY_MEMBER_ATTRIBUTE, GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE, LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY, LOAD_ROLES_BY_MEMBER_ATTRIBUTE, GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE, LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY
user.roles.retrieve.strategy, only for type of group-ldap-mapper and role-ldap-mapper
write_only
Valid values: true, false
write.only. Defaults to false if type is full-name-ldap-mapper.
Parameters
The following parameters are available in the keycloak_ldap_mapper type.
id
Id.
ldap
parentId
name
namevar
The LDAP mapper name
provider
The specific backend to use for this keycloak_ldap_mapper resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
realm
realm
resource_name
The LDAP mapper name. Defaults to name
type
Valid values: user-attribute-ldap-mapper, full-name-ldap-mapper, group-ldap-mapper, role-ldap-mapper
providerId
Default value: user-attribute-ldap-mapper
keycloak_ldap_user_provider
Manage Keycloak LDAP user providers
Examples
Add LDAP user provider to test realm
keycloak_ldap_user_provider { 'LDAP on test':
ensure => 'present',
users_dn => 'ou=People,dc=example,dc=com',
connection_url => 'ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636',
import_enabled => false,
use_truststore_spi => 'never',
}
Properties
The following properties are available in the keycloak_ldap_user_provider type.
auth_type
Valid values: none, simple
authType
Default value: none
batch_size_for_sync
batchSizeForSync
Default value: 1000
bind_credential
bindCredential
bind_dn
bindDn
changed_sync_period
changedSyncPeriod
Default value: -1
connection_url
connectionUrl
custom_user_search_filter
Valid values: %r{.*}, absent
customUserSearchFilter
Default value: absent
edit_mode
Valid values: READ_ONLY, WRITABLE, UNSYNCED
editMode
Default value: READ_ONLY
enabled
Valid values: true, false
enabled
Default value: true
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
full_sync_period
fullSyncPeriod
Default value: -1
import_enabled
Valid values: true, false
importEnabled
Default value: true
priority
priority
Default value: 0
rdn_ldap_attribute
rdnLdapAttribute
Default value: uid
search_scope
Valid values: one, one_level, subtree, 1, 2, 1, 2
searchScope
trust_email
Valid values: true, false
trustEmail
Default value: false
use_kerberos_for_password_authentication
Valid values: true, false
useKerberosForPasswordAuthentication
use_truststore_spi
Valid values: always, ldapsOnly, never
useTruststoreSpi
Default value: ldapsOnly
user_object_classes
userObjectClasses
Default value: ['inetOrgPerson', 'organizationalPerson']
username_ldap_attribute
usernameLdapAttribute
Default value: uid
users_dn
usersDn
uuid_ldap_attribute
uuidLdapAttribute
Default value: entryUUID
vendor
Valid values: ad, rhds, tivoli, eDirectory, other
vendor
Default value: other
Parameters
The following parameters are available in the keycloak_ldap_user_provider type.
id
Id. Defaults to "resource_name-realm"
name
namevar
The LDAP user provider name
provider
The specific backend to use for this keycloak_ldap_user_provider resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
realm
parentId
resource_name
The LDAP user provider name. Defaults to name.
keycloak_protocol_mapper
Manage Keycloak client scope protocol mappers
Examples
Add email protocol mapper to oidc-client client scope in realm test
keycloak_protocol_mapper { "email for oidc-clients on test":
claim_name => 'email',
user_attribute => 'email',
}
Properties
The following properties are available in the keycloak_protocol_mapper type.
access_token_claim
Valid values: true, false
access.token.claim. Default to true for protocol openid-connect.
attribute_name
attribute.name Default to resource_name for type saml-user-property-mapper.
attribute_nameformat
attribute.nameformat
claim_name
claim.name
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
friendly_name
friendly.name. Default to resource_name for type saml-user-property-mapper.
full_path
Valid values: true, false
full.path. Default to false for type oidc-group-membership-mapper.
id_token_claim
Valid values: true, false
id.token.claim. Default to true for protocol openid-connect.
included_client_audience
included.client.audience Required for type of oidc-audience-mapper
json_type_label
json.type.label. Default to String for type oidc-usermodel-property-mapper and oidc-group-membership-mapper.
protocol
Valid values: openid-connect, saml
protocol
Default value: openid-connect
script
Script, only valid for type of saml-javascript-mapper'
Array values will be joined with newlines. Strings will be kept unchanged.
single
Valid values: true, false
single. Default to false for type saml-role-list-mapper or saml-javascript-mapper.
user_attribute
user.attribute. Default to resource_name for type oidc-usermodel-property-mapper or saml-user-property-mapper
userinfo_token_claim
Valid values: true, false
userinfo.token.claim. Default to true for protocol openid-connect except type of oidc-audience-mapper.
Parameters
The following parameters are available in the keycloak_protocol_mapper type.
client_scope
client scope
id
Id.
name
namevar
The protocol mapper name
provider
The specific backend to use for this keycloak_protocol_mapper resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
realm
realm
resource_name
The protocol mapper name. Defaults to name.
type
Valid values: oidc-usermodel-property-mapper, oidc-usermodel-attribute-mapper, oidc-full-name-mapper, oidc-group-membership-mapper, oidc-audience-mapper, saml-group-membership-mapper, saml-user-property-mapper, saml-user-attribute-mapper, saml-role-list-mapper
protocolMapper.
Default is oidc-usermodel-property-mapper for protocol openid-connect and
saml-user-property-mapper for protocol saml.
keycloak_realm
Manage Keycloak realms
Examples
Add a realm with a custom theme
keycloak_realm { 'test':
ensure => 'present',
remember_me => true,
login_with_email_allowed => false,
login_theme => 'my_theme',
}
Properties
The following properties are available in the keycloak_realm type.
access_code_lifespan
accessCodeLifespan
access_code_lifespan_login
accessCodeLifespanLogin
access_code_lifespan_user_action
accessCodeLifespanUserAction
access_token_lifespan
accessTokenLifespan
access_token_lifespan_for_implicit_flow
accessTokenLifespanForImplicitFlow
account_theme
accountTheme
Default value: keycloak
action_token_generated_by_admin_lifespan
actionTokenGeneratedByAdminLifespan
action_token_generated_by_user_lifespan
actionTokenGeneratedByUserLifespan
admin_events_details_enabled
Valid values: true, false
adminEventsDetailsEnabled
Default value: false
admin_events_enabled
Valid values: true, false
adminEventsEnabled
Default value: false
admin_theme
adminTheme
Default value: keycloak
browser_flow
browserFlow
Default value: browser
brute_force_protected
Valid values: true, false
bruteForceProtected
client_authentication_flow
clientAuthenticationFlow
Default value: clients
content_security_policy
contentSecurityPolicy
Default value: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
custom_properties
custom properties to pass as realm configurations
default_client_scopes
Default Client Scopes
direct_grant_flow
directGrantFlow
Default value: direct grant
display_name
displayName
display_name_html
displayNameHtml
docker_authentication_flow
dockerAuthenticationFlow
Default value: docker auth
edit_username_allowed
Valid values: true, false
editUsernameAllowed
Default value: false
email_theme
emailTheme
Default value: keycloak
enabled
Valid values: true, false
enabled
Default value: true
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
events_enabled
Valid values: true, false
eventsEnabled
Default value: false
events_expiration
eventsExpiration
events_listeners
eventsListeners
Default value: ['jboss-logging']
internationalization_enabled
Valid values: true, false
internationalizationEnabled
Default value: false
login_theme
loginTheme
Default value: keycloak
login_with_email_allowed
Valid values: true, false
loginWithEmailAllowed
Default value: true
offline_session_idle_timeout
offlineSessionIdleTimeout
offline_session_max_lifespan
offlineSessionMaxLifespan
offline_session_max_lifespan_enabled
Valid values: true, false
offlineSessionMaxLifespanEnabled
Default value: false
optional_client_scopes
Optional Client Scopes
registration_allowed
Valid values: true, false
registrationAllowed
Default value: false
registration_flow
registrationFlow
Default value: registration
remember_me
Valid values: true, false
rememberMe
Default value: false
reset_credentials_flow
resetCredentialsFlow
Default value: reset credentials
reset_password_allowed
Valid values: true, false
resetPasswordAllowed
Default value: false
roles
roles
Default value: ['offline_access', 'uma_authorization']
smtp_server_auth
Valid values: true, false
smtpServer auth
smtp_server_envelope_from
smtpServer envelope_from
smtp_server_from
smtpServer from
smtp_server_from_display_name
smtpServer fromDisplayName
smtp_server_host
smtpServer host
smtp_server_password
smtpServer password
smtp_server_port
smtpServer port
smtp_server_reply_to
smtpServer replyto
smtp_server_reply_to_display_name
smtpServer replyToDisplayName
smtp_server_ssl
Valid values: true, false
smtpServer ssl
smtp_server_starttls
Valid values: true, false
smtpServer starttls
smtp_server_user
smtpServer user
ssl_required
Valid values: none, all, external
sslRequired
Default value: external
sso_session_idle_timeout
ssoSessionIdleTimeout
sso_session_idle_timeout_remember_me
ssoSessionIdleTimeoutRememberMe
sso_session_max_lifespan
ssoSessionMaxLifespan
sso_session_max_lifespan_remember_me
ssoSessionMaxLifespanRememberMe
supported_locales
Supported Locales
user_managed_access_allowed
Valid values: true, false
userManagedAccessAllowed
Default value: false
verify_email
Valid values: true, false
verifyEmail
Default value: false
Parameters
The following parameters are available in the keycloak_realm type.
id
Id. Default to name.
manage_roles
Valid values: true, false
Manage realm roles
Default value: true
name
namevar
The realm name
provider
The specific backend to use for this keycloak_realm resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
keycloak_required_action
Manage Keycloak required actions
Examples
Enable Webauthn Register and make it default
keycloak_required_action { 'webauthn-register on master':
ensure => present,
provider_id => 'webauthn-register',
display_name => 'Webauthn Register',
default => true,
enabled => true,
priority => 1,
config => {
'something' => 'true', # keep in mind that keycloak only supports strings for both keys and values
'smth else' => '1',
},
alias => 'webauthn',
}
@example Minimal example to enable email verification without making it default
keycloak_required_action { 'VERIFY_EMAIL on master':
ensure => present,
provider_id => 'webauthn-register',
}
Properties
The following properties are available in the keycloak_required_action type.
alias
Alias. Default to provider_id.
config
Required action config
default
Valid values: true, false
If the required action is a default one. Default to false
Default value: false
display_name
Displayed name. Default to provider_id
enabled
Valid values: true, false
If the required action is enabled. Default to true.
Default value: true
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
priority
Required action priority
Parameters
The following parameters are available in the keycloak_required_action type.
name
namevar
The required action name
provider
The specific backend to use for this keycloak_required_action resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
provider_id
providerId of the required action
realm
realm
keycloak_resource_validator
Verify that a specific Keycloak resource is available
Properties
The following properties are available in the keycloak_resource_validator type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
Parameters
The following parameters are available in the keycloak_resource_validator type.
dependent_resources
Resources that should autorequire this validator, eg: Keycloak_flow_execution[foobar]
name
namevar
An arbitrary name used as the identity of the resource.
provider
The specific backend to use for this keycloak_resource_validator resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
realm
Realm to query
test_key
Key to lookup
test_url
URL to use for testing if the Keycloak database is up
test_value
Value to lookup
timeout
The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running; defaults to 15 seconds.
Default value: 30
keycloak_role_mapping
Attach realm roles to users and groups
Examples
Ensure that a user has the defined realm roles
keycloak_role_mapping { 'john-offline_access':
realm => 'test',
name => 'john',
realm_roles => ['offline_access'],
}
Properties
The following properties are available in the keycloak_role_mapping type.
realm_roles
realm roles
Default value: []
Parameters
The following parameters are available in the keycloak_role_mapping type.
group
Valid values: true, false
is this a group instead of a user
Default value: false
name
namevar
--uusername/--gname
provider
The specific backend to use for this keycloak_role_mapping resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
realm
realm
keycloak_sssd_user_provider
Manage Keycloak SSSD user providers
Examples
Add SSSD user provider to test realm
keycloak_sssd_user_provider { 'SSSD on test':
ensure => 'present',
}
Properties
The following properties are available in the keycloak_sssd_user_provider type.
cache_policy
Valid values: DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, NO_CACHE
cachePolicy
Default value: DEFAULT
enabled
Valid values: true, false
enabled
Default value: true
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
eviction_day
evictionDay
eviction_hour
evictionHour
eviction_minute
evictionMinute
max_lifespan
maxLifespan
priority
priority
Default value: 0
Parameters
The following parameters are available in the keycloak_sssd_user_provider type.
id
Id. Defaults to "resource_name-realm"
name
namevar
The SSSD user provider name
provider
The specific backend to use for this keycloak_sssd_user_provider resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
realm
parentId
resource_name
The SSSD user provider name. Defaults to name.
Change log
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
v7.14.0 (2022-03-14)
UNCATEGORIZED PRS; GO LABEL THEM
v7.13.0 (2022-02-10)
Added
v7.12.2 (2022-02-08)
Fixed
v7.12.1 (2022-01-18)
Fixed
- Quota datasource username and password #235 (treydock)
- Fix issues with install_base /opt/keycloak #232 (dmaes)
v7.12.0 (2021-11-24)
Added
v7.11.1 (2021-11-24)
Fixed
- Further fix to set description on keycloak_flow when not top_level flow #227 (treydock)
- Fix to set description on keycloak_flow when not top_level flow #226 (treydock)
v7.11.0 (2021-11-05)
Added
- Replace CentOS 8 support with Rocky 8 #221 (treydock)
- Support stdlib 8.x, mysql 12.x and use puppet/systemd #220 (treydock)
- Add id parameter to keycloak::freeipa_user_provider #219 (treydock)
v7.10.0 (2021-09-22)
Added
Fixed
v7.9.1 (2021-09-16)
Fixed
- set keycloak_server in keycloak_conn_validator from 'localhost' to $service_bind_address #216 (hugendudel)
v7.9.0 (2021-09-08)
Added
- Remove Scientific Linux from metadata.json, still supported #213 (treydock)
- add saml-user-attribute-mapper support #212 (aba-rechsteiner)
Fixed
- Fix centos/7 in Vagrant failing #210 (rdcuzins)
- Fix invalid module dependency versions #209 (rdcuzins)
v7.8.0 (2021-09-01)
Added
v7.7.1 (2021-08-23)
Fixed
v7.7.0 (2021-08-16)
Added
v7.6.0 (2021-08-13)
Added
v7.5.1 (2021-08-03)
Fixed
v7.5.0 (2021-07-12)
Added
- Update dependency version ranges #200 (treydock)
- Support Keycloak 14 #199 (treydock)
- Fix Ubuntu acceptance tests #198 (treydock)
v7.4.1 (2021-07-10)
Fixed
v7.4.0 (2021-06-03)
Added
v7.3.0 (2021-06-02)
Added
v7.2.2 (2021-04-23)
Fixed
v7.2.1 (2021-04-17)
Fixed
v7.2.0 (2021-03-26)
Added
v7.1.0 (2021-03-25)
Added
v7.0.0 (2021-03-10)
Changed
- Change default Keycloak version to 12.0.4 #188 (treydock)
- Drop Puppet 5, support Puppet 7 #184 (treydock)
Added
- Split config.cli templates into smaller files, use epp templates #187 (treydock)
- Support Ubuntu 20.04, bump dependency requirements #186 (treydock)
v6.26.0 (2021-03-06)
Added
Fixed
v6.25.2 (2021-02-09)
Fixed
v6.25.1 (2021-01-07)
Fixed
- Ensure systemd logging for Keycloak uses more meaningful syslog identifier #179 (treydock)
- Fix keycloak_client to not warn when theme is not set #178 (treydock)
v6.25.0 (2020-12-30)
Added
v6.24.0 (2020-12-22)
Added
v6.23.0 (2020-12-08)
Added
- Support saml-group-membership-mapper #171 (mattock)
- Add convenience define for setting up FreeIPA LDAP mappers #170 (mattock)
- PDK Update - Use Github Actions #169 (treydock)
- Add convenience wrapper for setting up FreeIPA ldap user providers #135 (mattock)
Fixed
v6.22.0 (2020-11-23)
Added
Fixed
v6.21.0 (2020-10-30)
Added
v6.20.0 (2020-10-27)
Added
- add oidc-usermodel-attribute-mapper #166 (aba-rechsteiner)
- Support oidc-usermodel-client-role-mapper type in client protocol mapper #165 (mattock)
v6.19.0 (2020-10-07)
Added
- Enable roles management at realm and client level #164 (anlambert)
- Add more realm login related properties #163 (anlambert)
v6.18.0 (2020-09-25)
Added
- Support flow overrides on clients #161 (treydock)
- Add registration_allowed to keycloak_realm #160 (anlambert)
- Have realms and identity providers auto require their configured flows #159 (treydock)
Fixed
v6.17.0 (2020-09-24)
Added
- Improved unit and acceptance tests for recent changes #158 (treydock)
- add bruteForceProtected #157 (aba-rechsteiner)
- add trustEmail #156 (aba-rechsteiner)
- add keycloak-oidc providerid and other new parameters #155 (aba-rechsteiner)
v6.16.0 (2020-08-21)
Added
v6.15.0 (2020-08-14)
Added
- add resources #151 (aba-rechsteiner)
v6.14.0 (2020-08-11)
Added
- add proxy-address-forwarding for https-listener #149 (aba-rechsteiner)
- Add support for required actions #148 (ZloeSabo)
v6.13.1 (2020-08-03)
Fixed
v6.13.0 (2020-07-07)
Added
- Concat custom code fragment to config.cli #145 (danifr)
- Update usage of deprecated function postgresql_password #143 (Karlinde)
v6.12.0 (2020-07-02)
Added
- Emit warning if configured theme does not exist #140 (treydock)
- Add support for JGroups JDBC_PING mode in clustered mode #139 (danifr)
UNCATEGORIZED PRS; GO LABEL THEM
v6.11.0 (2020-05-22)
Added
UNCATEGORIZED PRS; GO LABEL THEM
- Add support for defining smtpServer from realms #131 (mattock)
- Allow enabling/disabling client authorization services #127 (mattock)
v6.10.0 (2020-03-14)
Added
v6.9.0 (2020-02-14)
Added
v6.8.0 (2020-02-14)
Added
v6.7.0 (2020-02-14)
Added
v6.6.0 (2020-02-10)
Added
v6.5.0 (2020-02-07)
Added
- Add root_url and base_url properties to keycloak_client #121 (treydock)
- Allow enabling/disabling realm internationalization #119 (mattock)
v6.4.1 (2020-02-06)
Fixed
v6.4.0 (2020-02-03)
Added
v6.3.0 (2020-01-16)
Added
v6.2.0 (2020-01-09)
Added
- Support managing authentication flows #115 (treydock)
- Support disabling the user cache #114 (treydock)
- Support Keycloak SPI deployments #113 (treydock)
- Add content_security_policy to keycloak_realm #112 (treydock)
- Improve handling of realm flow assignment to avoid errors #111 (treydock)
- Support managing realm flow properties #110 (treydock)
Fixed
v6.1.0 (2019-12-31)
Added
- Add support for access.token.lifespan client attribute #109 (mattock)
- Add two new realm properties #108 (mattock)
v6.0.0 (2019-12-18)
Changed
- Change default Keycloak version to 8.0.1 #106 (treydock)
- Change JAVA_OPTS behavior for Keycloak #105 (treydock)
- Change how install_dir is defined, default behavior remains the same #90 (treydock)
v5.10.0 (2019-12-10)
Added
v5.9.0 (2019-12-09)
Added
v5.8.0 (2019-12-06)
Added
- Test against Keycloak 8.0.1 #100 (treydock)
- Add option to enable tech preview features #99 (treydock)
- Add login_theme property to keycloak_client #98 (treydock)
- Add support for more client switches #96 (mattock)
- Add option to enable tech preview features #95 (danifr)
Fixed
v5.7.0 (2019-10-29)
Added
v5.6.0 (2019-10-10)
Added
v5.5.0 (2019-09-26)
Added
- Allow managing Keycloak installation from outside this module #87 (mattock)
- Enable passing extra options to Keycloak in the systemd unit file #86 (mattock)
- Enable defining bind address for the Keycloak systemd service #85 (mattock)
v5.4.0 (2019-09-05)
Added
v5.3.2 (2019-09-03)
Fixed
v5.3.1 (2019-09-03)
Fixed
v5.3.0 (2019-08-30)
Added
v5.2.0 (2019-08-29)
Added
v5.1.0 (2019-08-28)
Added
v5.0.1 (2019-08-27)
Fixed
v5.0.0 (2019-08-27)
Changed
v4.2.0 (2019-08-27)
Added
- Support group-ldap-mapper and role-ldap-mapper #73 (treydock)
- Support saml-javascript-mapper for keycloak_client_protocol_mapper #72 (treydock)
v4.1.1 (2019-08-26)
Fixed
v4.1.0 (2019-08-26)
Added
- Add clients parameter #69 (treydock)
- Simplify how keycloak_client_protocol_mapper and keycloak_protcol_mapper are queried during prefetch #68 (treydock)
- Support managing protocl mapper saml-javascript-mapper #67 (treydock)
- Update module dependency version requirements #66 (treydock)
- Use iteration and added parameters to define resources #65 (treydock)
- Add keycloak_identity_provider type #64 (treydock)
v4.0.0 (2019-06-12)
Changed
- Simplify and consolidate datasource parameters #63 (treydock)
- Set default Keycloak version to 6.0.1 #61 (treydock)
Added
v3.8.0 (2019-05-23)
Added
- Expand postgresql support to behave more like mysql support, simplified a bit #60 (treydock)
- Use PDK #58 (treydock)
3.7.0 (2019-05-20)
Added
3.6.1 (2019-05-13)
Fixed
3.6.0 (2019-05-06)
Added
3.5.0 (2019-04-09)
Added
3.4.0 (2019-02-25)
Added
- JAVA_OPTS via systemd unit Environment variable #51 (danifr)
- Add option for service environment file #50 (asieraguado)
3.3.0 (2019-01-28)
Added
- Better ID handling #47 (treydock)
- Test against Keycloak 4.8.1.Final and document version handling and upgrade #43 (treydock)
Fixed
- Fix keycloak_ldap_mapper id handling and write_only property #46 (treydock)
- Fix PuppetX usage for keycloak_ldap_mapper #45 (treydock)
3.2.0 (2018-12-21)
Added
- Support SSSD User Provider #42 (treydock)
- Add enabled property to keycloak_ldap_user_provider #41 (treydock)
3.1.0 (2018-12-13)
Added
- Bump dependency ranges for stdlib and mysql #40 (treydock)
- Support Puppet 6 and drop support for Puppet 4 #39 (treydock)
- Use beaker 4.x #37 (treydock)
Fixed
3.0.0 (2018-08-14)
Added
2.7.1 (2018-08-14)
Fixed
2.7.0 (2018-08-14)
Added
2.6.0 (2018-07-20)
Added
- Use puppet-strings for documentation #30 (treydock)
- Add search_scope and custom_user_search_filter properties to keycloak_ldap_user_provider type #29 (treydock)
- Explicitly define all type properties #27 (treydock)
- Improve acceptance tests #26 (treydock)
Fixed
2.5.0 (2018-07-18)
Added
- Support setting auth_type=simple related properties for keycloak_ldap_user_provider type #24 (treydock)
2.4.0 (2018-06-04)
Added
2.3.1 (2018-03-10)
Fixed
- Fix title patterns that use procs are not supported #21 (alexjfisher)
2.3.0 (2018-03-08)
Added
- Allow keycloak_protocol_mapper attribute_nameformat to be simpler values #18 (treydock)
- Add SAML username protocol mapper to keycloak::client_template #17 (treydock)
- Support SAML role list protocol mapper #16 (treydock)
- Add SAML support to keycloak_protocol_mapper and keycloak::client_template #15 (treydock)
Fixed
2.2.1 (2018-02-27)
Fixed
2.2.0 (2018-02-26)
Added
2.1.0 (2018-02-22)
Added
- Increase minimum java dependency to 2.2.0 to to support Debian 9. Update unit tests to test all supported OSes #12 (treydock)
- Symlink instead of copy mysql connector. puppetlabs/mysql 5 compatibility #11 (NITEMAN)
- Add support for http port configuration #9 (NITEMAN)
- Add Debian 9 support #8 (NITEMAN)
Fixed
2.0.1 (2017-12-18)
Fixed
2.0.0 (2017-12-11)
Changed
- BREAKING: Remove deprecated defined types #6 (treydock)
- BREAKING: Set default version to 3.4.1.Final #4 (treydock)
- BREAKING: Drop Puppet 3 support #3 (treydock)
Added
1.0.0 (2017-09-05)
Added
0.0.1 (2017-08-11)
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- puppetlabs/stdlib (>= 4.25.0 <9.0.0)
- puppetlabs/mysql (>= 10.3.0 <13.0.0)
- puppetlabs/postgresql (>= 6.6.0 <8.0.0)
- puppetlabs/java (>= 7.3.0 <8.0.0)
- puppetlabs/java_ks (>= 1.0.0 <5.0.0)
- puppetlabs/augeas_core (>= 1.0.0 <2.0.0)
- puppetlabs/yumrepo_core (>= 1.0.0 <2.0.0)
- puppet/archive (>= 0.5.1 <7.0.0)
- puppet/systemd (>= 0.4.0 <4.0.0)
Copyright (C) 2017 <FULL NAME> <EMAIL>
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.