keycloak

pdk

Keycloak Puppet module

Project URL RSS Feed Report issues

Module Stats

70,622 downloads

456 latest version

4.9 quality score

Version information

released Aug 14th 2018

This version is compatible with:

Puppet Enterprise 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
Puppet >= 4.7.0 < 6.0.0
RedHat
,
CentOS
,
Scientific
,
Debian

Start using this module

Installation method

Add this module to your Puppetfile:

mod 'treydock-keycloak', '2.7.0'

Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add treydock-keycloak

Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install treydock-keycloak --version 2.7.0

Documentation

treydock/keycloak — version 2.7.0 Aug 14th 2018

puppet-module-keycloak

Overview
Usage - Configuration options
Reference - Parameter and detailed reference to all options
Limitations - OS compatibility, etc.
Development - Guide for contributing to the module

Overview

The keycloak module allows easy installation and management of Keycloak.

Usage

keycloak

Install Keycloak using default database storage.

class { 'keycloak': }

Install keycloak and use a local MySQL server for database storage

include mysql::server
class { 'keycloak':
  datasource_driver   => 'mysql',
  datasource_host     => 'localhost',
  datasource_port     => 3306,
  datasource_dbname   => 'keycloak',
  datasource_username => 'keycloak',
  datasource_password => 'foobar',
}

Configure a SSL certificate truststore and add a LDAP server's certificate to the truststore.

class { 'keycloak':
  truststore                              => true,
  truststore_password                     => 'supersecret',
  truststore_hostname_verification_policy => 'STRICT',
}
keycloak::truststore::host { 'ldap1.example.com':
  certificate => '/etc/openldap/certs/0a00000.0',
}

Setup Keycloak to proxy through Apache HTTPS.

class { 'keycloak':
  proxy_https => true
}
apache::vhost { 'idp.example.com':
  servername => 'idp.example.com',
  port        => '443',
  ssl         => true,
  manage_docroot  => false,
  docroot         => '/var/www/html',
  proxy_preserve_host => true,
  proxy_pass          => [
    {'path' => '/', 'url' => 'http://localhost:8080/'}
  ],
  request_headers     => [
    'set X-Forwarded-Proto "https"',
    'set X-Forwarded-Port "443"'
  ],
  ssl_cert            => '/etc/pki/tls/certs/idp.example.com/crt',
  ssl_key             => '/etc/pki/tls/private/idp.example.com.key',
}

Setup a host for theme development so that theme changes don't require a service restart, not recommended for production.

class { 'keycloak':
  theme_static_max_age  => -1,
  theme_cache_themes    => false,
  theme_cache_templates => false,
}

keycloak_realm

Define a Keycloak realm that uses username and not email for login and to use a local branded theme.

keycloak_realm { 'test':
  ensure                   => 'present',
  remember_me              => true,
  login_with_email_allowed => false,
  login_theme              => 'my_theme',
}

keycloak_ldap_user_provider

Define a LDAP user provider so that authentication can be performed against LDAP. The example below uses two LDAP servers, disables importing of users and assumes the SSL certificates are trusted and do not require being in the truststore.

keycloak_ldap_user_provider { 'LDAP on test':
  ensure             => 'present',
  users_dn           => 'ou=People,dc=example,dc=com',
  connection_url     => 'ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636',
  import_enabled     => false,
  use_truststore_spi => 'never',
}

NOTE The Id for the above resource would be LDAP-test where the format is ${resource_name}-${realm}.

keycloak_ldap_mapper

Use the LDAP attribute 'gecos' as the full name attribute.

keycloak_ldap_mapper { 'full name for LDAP-test on test:
  ensure         => 'present',
  resource_name  => 'full name',
  type           => 'full-name-ldap-mapper',
  ldap_attribute => 'gecos',
}

keycloak_client

keycloak_client { 'www.example.com':
  ensure          => 'present',
  realm           => 'test',
  redirect_uris   => [
    "https://www.example.com/oidc",
    "https://www.example.com",
  ],
  client_template => 'oidc-clients',
  secret          => 'supersecret',
}

keycloak::client_template

Defined type that can be used to define both keycloak_client_template and keycloak_protocol_mapper resources. The example below will define a client template and several protocol mappers that are built into keycloak.

keycloak::client_template { 'oidc-clients':
  realm => 'test',
}

keycloak_client_template

Define a Client Template in Keycloak:

keycloak_client_template { 'oidc-clients':
  realm              => 'test',
  resource_name      => 'oidc-clients',
  protocol           => 'openid-connect',
  full_scope_allowed => true,
}

keycloak_protocol_mapper

Associate a Protocol Mapper to a given template. The name in the following example will add the email protocol mapper to client template oidc-clients in the realm test.

keycloak_protocol_mapper { "email for oidc-clients on test":
  consent_text   => '${email}',
  claim_name     => 'email',
  user_attribute => 'email',
}

keycloak_api

The keycloak_api type can be used to define how this module's types access the Keycloak API if this module is only used for the types/providers and the module's kcadm-wrapper.sh is not installed.

keycloak_api { 'keycloak'
  install_base => '/opt/keycloak',
  server       => 'http://localhost:8080/auth',
  realm        => 'master',
  user         => 'admin',
  password     => 'changeme',
}

The path for install_base will be joined with bin/kcadm.sh to produce the full path to kcadm.sh.

Reference

http://treydock.github.io/puppet-module-keycloak/

Limitations

This module has been tested on:

CentOS 7 x86_64
Debian 9 x86_64
RedHat 7 x86_64

Development

Testing

Testing requires the following dependencies:

rake
bundler

Install gem dependencies

bundle install

Run unit tests

bundle exec rake test

If you have Vagrant >= 1.2.0 installed you can run system tests

bundle exec rake beaker

Reference

Classes

Public Classes

keycloak: summary Manage Keycloak
keycloak::config: Private class.
keycloak::datasource::h2: Private class.
keycloak::install: Private class.
keycloak::params: Private class.
keycloak::service: Private class.

Private Classes

keycloak::datasource::mysql: Manage MySQL datasource

Defined types

keycloak::client_template: Manage Keycloak client template
keycloak::truststore::host: Add host to Keycloak truststore

Resource types

keycloak_api: Type that configures API connection parameters for other keycloak types that use the Keycloak API.
keycloak_client: Manage Keycloak clients
keycloak_client_template: Manage Keycloak client templates
keycloak_conn_validator: Verify that a connection can be successfully established between a node and the keycloak server. Its primary use is as a precondition to pre
keycloak_ldap_mapper: Manage Keycloak LDAP attribute mappers
keycloak_ldap_user_provider: Manage Keycloak LDAP user providers
keycloak_protocol_mapper: Manage Keycloak protocol mappers
keycloak_realm: Manage Keycloak realms

Classes

keycloak

summary Manage Keycloak

Examples

include ::keycloak

Parameters

The following parameters are available in the keycloak class.

`version`

Data type: String

Version of Keycloak to install and manage. Default is 3.4.1.Final.

Default value: '3.4.1.Final'

`package_url`

Data type: Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]]

URL of the Keycloak download. Default is based on version.

Default value: undef

`install_dir`

Data type: Stdlib::Absolutepath

Parent directory of where to install Keycloak. Default is /opt.

Default value: '/opt'

`service_name`

Data type: String

Keycloak service name. Default is keycloak.

Default value: $keycloak::params::service_name

`service_ensure`

Data type: String

Keycloak service ensure property. Default is running.

Default value: 'running'

`service_enable`

Data type: Boolean

Keycloak service enable property. Default is true.

Default value: true

`service_hasstatus`

Data type: Boolean

Keycloak service hasstatus parameter. Default is true.

Default value: $keycloak::params::service_hasstatus

`service_hasrestart`

Data type: Boolean

Keycloak service hasrestart parameter. Default is true.

Default value: $keycloak::params::service_hasrestart

`user`

Data type: String

Keycloak user name. Default is keycloak.

Default value: 'keycloak'

`group`

Data type: String

Keycloak user group name. Default is keycloak.

Default value: 'keycloak'

`user_uid`

Data type: Optional[Integer]

Keycloak user UID. Default is undef.

Default value: undef

`group_gid`

Data type: Optional[Integer]

Keycloak user group GID. Default is undef.

Default value: undef

`admin_user`

Data type: String

Keycloak administrative username. Default is admin.

Default value: 'admin'

`admin_user_password`

Data type: String

Keycloak administrative user password. Default is changeme.

Default value: 'changeme'

`manage_datasource`

Data type: Boolean

Boolean that determines if configured datasource will be managed. Only applies when datasource_driver is mysql. Default is true.

Default value: true

`datasource_driver`

Data type: Enum['h2', 'mysql']

Datasource driver to use for Keycloak. Valid values are h2 and mysql. Default is h2.

Default value: 'h2'

`datasource_host`

Data type: Optional[String]

Datasource host. Only used when datasource_driver is mysql. Default is localhost for MySQL.

Default value: undef

`datasource_port`

Data type: Optional[Integer]

Datasource port. Only used when datasource_driver is mysql. Default is 3306 for MySQL.

Default value: undef

`datasource_dbname`

Data type: String

Datasource database name. Default is keycloak.

Default value: 'keycloak'

`datasource_username`

Data type: String

Datasource user name. Default is sa.

Default value: 'sa'

`datasource_password`

Data type: String

Datasource user password. Default is sa.

Default value: 'sa'

`proxy_https`

Data type: Boolean

Boolean that sets if HTTPS proxy should be enabled. Set to true if proxying traffic through Apache. Default is false.

Default value: false

`truststore`

Data type: Boolean

Boolean that sets if truststore should be used. Default is false.

Default value: false

`truststore_hosts`

Data type: Hash

Hash that is used to define keycloak::turststore::host resources. Default is {}.

Default value: {}

`truststore_password`

Data type: String

Truststore password. Default is keycloak.

Default value: 'keycloak'

`truststore_hostname_verification_policy`

Data type: Enum['WILDCARD', 'STRICT', 'ANY']

Valid values are WILDCARD, STRICT, and ANY. Default is WILDCARD.

Default value: 'WILDCARD'

`http_port`

Data type: Integer

HTTP port used by Keycloak. Default is 8080.

Default value: 8080

`theme_static_max_age`

Data type: Integer

Max cache age in seconds of static content. Default is 2592000.

Default value: 2592000

`theme_cache_themes`

Data type: Boolean

Boolean that sets if themes should be cached. Default is true.

Default value: true

`theme_cache_templates`

Data type: Boolean

Boolean that sets if templates should be cached. Default is true.

Default value: true

`realms`

Data type: Hash

Hash that is used to define keycloak_realm resources. Default is {}.

Default value: {}

`client_templates`

Data type: Hash

Hash that is used to define keycloak::client_template resources. Default is {}.

Default value: {}

`service_java_opts`

Data type: Variant[String, Array]

Default value: $keycloak::params::service_java_opts

keycloak::config

Private class.

keycloak::datasource::h2

Private class.

keycloak::install

Private class.

keycloak::params

Private class.

keycloak::service

Private class.

Defined types

keycloak::client_template

Manage Keycloak client template

Examples

keycloak::client_template { 'oidc-clients':
  realm => 'test',
}

Parameters

The following parameters are available in the keycloak::client_template defined type.

`realm`

Data type: String

Realm of the client template.

`resource_name`

Data type: String

Name of the client template resource

Default value: $name

`protocol`

Data type: Enum['openid-connect', 'saml']

The protocol of the client template.

Default value: 'openid-connect'

`full_scope_allowed`

Data type: Boolean

full_scope_allowed property for keycloak_client_template resource.

Default value: true

keycloak::truststore::host

Add host to Keycloak truststore

Examples

keycloak::truststore::host { 'ldap1.example.com':
  certificate => '/etc/openldap/certs/0a00000.0',
}

Parameters

The following parameters are available in the keycloak::truststore::host defined type.

`certificate`

Data type: String

Path to host certificate

`ensure`

Data type: Enum['latest', 'present', 'absent']

Host ensure value passed to java_ks resource.

Default value: 'latest'

Resource types

keycloak_api

Type that configures API connection parameters for other keycloak types that use the Keycloak API.

Examples

Define API access

keycloak_api { 'keycloak'
  install_base => '/opt/keycloak',
  server       => 'http://localhost:8080/auth',
  realm        => 'master',
  user         => 'admin',
  password     => 'changeme',
}

Parameters

The following parameters are available in the keycloak_api type.

`name`

namevar

Keycloak API config

`install_base`

Install location of Keycloak

`server`

Auth URL for Keycloak server

Default value: http://localhost:8080/auth

`realm`

Realm for authentication

Default value: master

`user`

User for authentication

Default value: admin

`password`

Password for authentication

Default value: changeme

`use_wrapper`

Valid values: true, false

Boolean that determines if kcadm_wrapper.sh should be used

Default value: false

keycloak_client

Manage Keycloak clients

Examples

Add a OpenID Connect client

keycloak_client { 'www.example.com':
  ensure          => 'present',
  realm           => 'test',
  redirect_uris   => [
    "https://www.example.com/oidc",
    "https://www.example.com",
  ],
  client_template => 'oidc-clients',
  secret          => 'supersecret',
}

Properties

The following properties are available in the keycloak_client type.

`ensure`

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

`protocol`

Valid values: openid-connect, saml

protocol

Default value: openid-connect

`client_authenticator_type`

clientAuthenticatorType

Default value: client-secret

`client_template`

clientTemplate

`enabled`

Valid values: true, false

enabled

Default value: true

`direct_access_grants_enabled`

Valid values: true, false

enabled

Default value: true

`public_client`

Valid values: true, false

enabled

Default value: false

`redirect_uris`

redirectUris

Default value: []

`web_origins`

webOrigins

Default value: []

Parameters

The following parameters are available in the keycloak_client type.

`name`

namevar

The client name

`client_id`

clientId

`id`

`realm`

realm

`secret`

secret

keycloak_client_template

Manage Keycloak client templates

Examples

Define a OpenID Connect client template in the test realm

keycloak_client_template { 'oidc-clients on test':
  protocol           => 'openid-connect',
  full_scope_allowed => true,
}

Properties

The following properties are available in the keycloak_client_template type.

`ensure`

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

`protocol`

Valid values: openid-connect, saml

protocol

Default value: openid-connect

`full_scope_allowed`

Valid values: true, false

fullScopeAllowed

Default value: true

Parameters

The following parameters are available in the keycloak_client_template type.

`name`

namevar

The client template name

`resource_name`

The client template name

`id`

`realm`

realm

keycloak_conn_validator

Verify that a connection can be successfully established between a node and the keycloak server. Its primary use is as a precondition to prevent configuration changes from being applied if the keycloak server cannot be reached, but it could potentially be used for other purposes such as monitoring.

Properties

The following properties are available in the keycloak_conn_validator type.

`ensure`

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the keycloak_conn_validator type.

`name`

namevar

An arbitrary name used as the identity of the resource.

`keycloak_server`

The DNS name or IP address of the server where keycloak should be running.

Default value: localhost

`keycloak_port`

The port that the keycloak server should be listening on.

Default value: 8080

`use_ssl`

Whether the connection will be attemped using https

Default value: false

`test_url`

URL to use for testing if the Keycloak database is up

Default value: /auth/admin/serverinfo

`timeout`

The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running; defaults to 15 seconds.

Default value: 30

keycloak_ldap_mapper

Manage Keycloak LDAP attribute mappers

Examples

Add full name attribute mapping

keycloak_ldap_mapper { 'full name for LDAP-test on test:
  ensure         => 'present',
  type           => 'full-name-ldap-mapper',
  ldap_attribute => 'gecos',
}

Properties

The following properties are available in the keycloak_ldap_mapper type.

`ensure`

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

`ldap_attribute`

ldapAttribute

`user_model_attribute`

userModelAttribute

`is_mandatory_in_ldap`

is.mandatory.in.ldap

`always_read_value_from_ldap`

Valid values: true, false

always.read.value.from.ldap

`read_only`

Valid values: true, false

readOnly

Default value: true

`write_only`

Valid values: true, false

writeOnly

Default value: false

Parameters

The following parameters are available in the keycloak_ldap_mapper type.

`name`

namevar

The LDAP mapper name

`id`

`resource_name`

The LDAP mapper name

`type`

Valid values: user-attribute-ldap-mapper, full-name-ldap-mapper

providerId

Default value: user-attribute-ldap-mapper

`realm`

realm

`ldap`

parentId

keycloak_ldap_user_provider

Manage Keycloak LDAP user providers

Examples

Add LDAP user provider to test realm

keycloak_ldap_user_provider { 'LDAP on test':
  ensure             => 'present',
  users_dn           => 'ou=People,dc=example,dc=com',
  connection_url     => 'ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636',
  import_enabled     => false,
  use_truststore_spi => 'never',
}

Properties

The following properties are available in the keycloak_ldap_user_provider type.

`ensure`

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

`auth_type`

Valid values: none, simple

authType

Default value: none

`edit_mode`

Valid values: READ_ONLY, WRITABLE, UNSYNCED

editMode

Default value: READ_ONLY

`vendor`

Valid values: ad, rhds, tivoli, eDirectory, other

vendor

Default value: other

`use_truststore_spi`

Valid values: always, ldapsOnly, never

useTruststoreSpi

Default value: ldapsOnly

`users_dn`

usersDn

`connection_url`

connectionUrl

`priority`

priority

Default value: 0

`batch_size_for_sync`

batchSizeForSync

Default value: 1000

`username_ldap_attribute`

usernameLdapAttribute

Default value: uid

`rdn_ldap_attribute`

rdnLdapAttribute

Default value: uid

`uuid_ldap_attribute`

uuidLdapAttribute

Default value: entryUUID

`bind_dn`

bindDn

`bind_credential`

bindCredential

`import_enabled`

Valid values: true, false

importEnabled

Default value: true

`use_kerberos_for_password_authentication`

Valid values: true, false

useKerberosForPasswordAuthentication

`user_object_classes`

userObjectClasses

Default value: ['inetOrgPerson', 'organizationalPerson']

`search_scope`

Valid values: one, one_level, subtree, 1, 2, 1, 2

searchScope

`custom_user_search_filter`

Valid values: /.*/, absent

customUserSearchFilter

Default value: absent

Parameters

The following parameters are available in the keycloak_ldap_user_provider type.

`name`

namevar

The LDAP user provider name

`resource_name`

The LDAP user provider name

`id`

`realm`

parentId

keycloak_protocol_mapper

Manage Keycloak protocol mappers

Examples

Add email protocol mapper to oidc-client client template in realm test

keycloak_protocol_mapper { "email for oidc-clients on test":
  consent_text   => '${email}',
  claim_name     => 'email',
  user_attribute => 'email',
}

Properties

The following properties are available in the keycloak_protocol_mapper type.

`ensure`

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

`protocol`

Valid values: openid-connect, saml

protocol

Default value: openid-connect

`user_attribute`

user.attribute

`json_type_label`

json.type.label

`friendly_name`

friendly.name

`attribute_name`

attribute.name

`consent_text`

consentText

`claim_name`

claim.name

`consent_required`

Valid values: true, false

consentRequired

Default value: true

`id_token_claim`

Valid values: true, false

id.token.claim

`access_token_claim`

Valid values: true, false

access.token.claim

`userinfo_token_claim`

Valid values: true, false

userinfo.token.claim

`attribute_nameformat`

attribute.nameformat

`single`

Valid values: true, false

single

Parameters

The following parameters are available in the keycloak_protocol_mapper type.

`name`

namevar

The protocol mapper name

`id`

`resource_name`

The protocol mapper name

`client_template`

client template

`realm`

realm

`type`

Valid values: oidc-usermodel-property-mapper, oidc-full-name-mapper, saml-user-property-mapper, saml-role-list-mapper

protocolMapper

keycloak_realm

Manage Keycloak realms

Examples

Add a realm with a custom theme

keycloak_realm { 'test':
  ensure                   => 'present',
  remember_me              => true,
  login_with_email_allowed => false,
  login_theme              => 'my_theme',
}

Properties

The following properties are available in the keycloak_realm type.

`ensure`

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

`display_name`

displayName

`display_name_html`

displayNameHtml

`login_theme`

loginTheme

Default value: keycloak

`account_theme`

accountTheme

Default value: keycloak

`admin_theme`

adminTheme

Default value: keycloak

`email_theme`

emailTheme

Default value: keycloak

`enabled`

Valid values: true, false

enabled

Default value: true

`remember_me`

Valid values: true, false

rememberMe

Default value: false

`login_with_email_allowed`

Valid values: true, false

loginWithEmailAllowed

Default value: true

Parameters

The following parameters are available in the keycloak_realm type.

`name`

namevar

The realm name

`id`

Types in this module release

keycloak_conn_validator

Parameters
ensure
keycloak_port	The port that the keycloak server should be listening on.
keycloak_server	The DNS name or IP address of the server where keycloak should be running.
name	An arbitrary name used as the identity of the resource.
provider
test_url	URL to use for testing if the Keycloak database is up
timeout	The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running; defaults to 15 seconds.
use_ssl	Whether the connection will be attemped using https

Providers
puppet_https	A provider for the resource type `keycloak_conn_validator`, which validates the keycloak connection by attempting an http(s) connection to the keycloak server. Uses the puppet SSL certificate setup from the local puppet environment to authenticate if use_ssl is set to true.

keycloak_client_template

Manage Keycloak client templates @example Define a OpenID Connect client template in the test realm keycloak_client_template { 'oidc-clients on test': protocol => 'openid-connect', full_scope_allowed => true, }

Parameters
ensure
id	Id. Defaults to `resource_name`.
name	The client template name
provider
realm	realm
resource_name	The client template name. Defaults to `name`.

Properties
full_scope_allowed	fullScopeAllowed
protocol	protocol

Providers
kcadm

keycloak_api

Type that configures API connection parameters for other keycloak types that use the Keycloak API. @example Define API access keycloak_api { 'keycloak' install_base => '/opt/keycloak', server => 'http://localhost:8080/auth', realm => 'master', user => 'admin', password => 'changeme', }

Parameters
install_base	Install location of Keycloak
name	Keycloak API config
password	Password for authentication
realm	Realm for authentication
server	Auth URL for Keycloak server
use_wrapper	Boolean that determines if kcadm_wrapper.sh should be used
user	User for authentication

keycloak_realm

Manage Keycloak realms @example Add a realm with a custom theme keycloak_realm { 'test': ensure => 'present', remember_me => true, login_with_email_allowed => false, login_theme => 'my_theme', }

Parameters
ensure
id	Id. Default to `name`.
name	The realm name
provider

Properties
account_theme	accountTheme
admin_theme	adminTheme
display_name	displayName
display_name_html	displayNameHtml
email_theme	emailTheme
enabled	enabled
login_theme	loginTheme
login_with_email_allowed	loginWithEmailAllowed
remember_me	rememberMe

Providers
kcadm

keycloak_ldap_user_provider

Manage Keycloak LDAP user providers @example Add LDAP user provider to test realm keycloak_ldap_user_provider { 'LDAP on test': ensure => 'present', users_dn => 'ou=People,dc=example,dc=com', connection_url => 'ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636', import_enabled => false, use_truststore_spi => 'never', }

Parameters
ensure
id	Id. Defaults to "`resource_name`-`realm`"
name	The LDAP user provider name
provider
realm	parentId
resource_name	The LDAP user provider name. Defaults to `name`.

Properties
auth_type	authType
batch_size_for_sync	batchSizeForSync
bind_credential	bindCredential
bind_dn	bindDn
connection_url	connectionUrl
custom_user_search_filter	customUserSearchFilter
edit_mode	editMode
import_enabled	importEnabled
priority	priority
rdn_ldap_attribute	rdnLdapAttribute
search_scope	searchScope
use_kerberos_for_password_authentication	useKerberosForPasswordAuthentication
use_truststore_spi	useTruststoreSpi
user_object_classes	userObjectClasses
username_ldap_attribute	usernameLdapAttribute
users_dn	usersDn
uuid_ldap_attribute	uuidLdapAttribute
vendor	vendor

Providers
kcadm

keycloak_client

Manage Keycloak clients @example Add a OpenID Connect client keycloak_client { 'www.example.com': ensure => 'present', realm => 'test', redirect_uris => [ "https://www.example.com/oidc", "https://www.example.com", ], client_template => 'oidc-clients', secret => 'supersecret', }

Parameters
client_id	clientId. Defaults to `name`.
ensure
id	Id. Defaults to `client_id`
name	The client name
provider
realm	realm
secret	secret

Properties
client_authenticator_type	clientAuthenticatorType
client_template	clientTemplate
direct_access_grants_enabled	enabled
enabled	enabled
protocol	protocol
public_client	enabled
redirect_uris	redirectUris
web_origins	webOrigins

Providers
kcadm

keycloak_ldap_mapper

Manage Keycloak LDAP attribute mappers @example Add full name attribute mapping keycloak_ldap_mapper { 'full name for LDAP-test on test: ensure => 'present', type => 'full-name-ldap-mapper', ldap_attribute => 'gecos', }

Parameters
ensure
id	Id. Defaults to UUID generated from `name`.
ldap	parentId
name	The LDAP mapper name
provider
realm	realm
resource_name	The LDAP mapper name. Defaults to `name`
type	providerId

Properties
always_read_value_from_ldap	always.read.value.from.ldap. Defaults to `true` if `type` is `user-attribute-ldap-mapper`.
is_mandatory_in_ldap	is.mandatory.in.ldap. Defaults to `false` unless `type` is `full-name-ldap-mapper`.
ldap_attribute	ldapAttribute
read_only	readOnly
user_model_attribute	userModelAttribute
write_only	writeOnly

Providers
kcadm

keycloak_protocol_mapper

Manage Keycloak protocol mappers @example Add email protocol mapper to oidc-client client template in realm test keycloak_protocol_mapper { "email for oidc-clients on test": consent_text => '${email}', claim_name => 'email', user_attribute => 'email', }

Parameters
client_template	client template
ensure
id	Id. Defaults to UUID based on `name`.
name	The protocol mapper name
provider
realm	realm
resource_name	The protocol mapper name. Defaults to `name`.
type	protocolMapper. Default is `oidc-usermodel-property-mapper` for `protocol` `openid-connect` and `saml-user-property-mapper` for `protocol` `saml`.

Properties
access_token_claim	access.token.claim. Default to `true` for `protocol` `openid-connect`.
attribute_name	attribute.name Default to `resource_name` for `type` `saml-user-property-mapper`.
attribute_nameformat	attribute.nameformat
claim_name	claim.name
consent_required	consentRequired
consent_text	consentText
friendly_name	friendly.name. Default to `resource_name` for `type` `saml-user-property-mapper`.
id_token_claim	id.token.claim. Default to `true` for `protocol` `openid-connect`.
json_type_label	json.type.label. Default to `String` for `type` `oidc-usermodel-property-mapper`.
protocol	protocol
single	single. Default to `false` for `type` `saml-role-list-mapper`.
user_attribute	user.attribute. Default to `resource_name` for `type` `oidc-usermodel-property-mapper` or `saml-user-property-mapper`
userinfo_token_claim	userinfo.token.claim. Default to `true` for `protocol` `openid-connect`.

Providers
kcadm

treydock-keycloak changelog

2.7.0 (2018-08-14)

Full Changelog

Implemented enhancements:

Oracle support #33 (cborisa)

2.6.0 (2018-07-20)

Full Changelog

Implemented enhancements:

Add search_scope and custom_user_search_filter properties to keycloak_ldap_user_provider type #29 (treydock)

Closed issues:

Support customUserSearchFilter #25

Merged pull requests:

Use puppet-strings for documentation #30 (treydock)
Fix for keycloak_protocol_mapper type property and type unit test improvements #28 (treydock)
Explicitly define all type properties #27 (treydock)
Improve acceptance tests #26 (treydock)

2.5.0 (2018-07-18)

Full Changelog

Implemented enhancements:

Support setting auth_type=simple related properties for keycloak_ldap_user_provider type #24 (treydock)

Closed issues:

bindDn and bindCredential for keycloak_ldap_user_provider #23

2.4.0 (2018-06-04)

Full Changelog

Implemented enhancements:

Add keycloak_api configuration type #22 (treydock)

Closed issues:

Are the types in this module compatible with biemond/wildfly? #20

2.3.1 (2018-03-10)

Full Changelog

Fixed bugs:

Fix title patterns that use procs are not supported #21 (alexjfisher)

2.3.0 (2018-03-08)

Full Changelog

Implemented enhancements:

Allow keycloak_protocol_mapper attribute_nameformat to be simpler values #18 (treydock)
Add SAML username protocol mapper to keycloak::client_template #17 (treydock)
Support SAML role list protocol mapper #16 (treydock)
Add SAML support to keycloak_protocol_mapper and keycloak::client_template #15 (treydock)

Fixed bugs:

Fix SAML username protocol mapper to match keycloak code #19 (treydock)

2.2.1 (2018-02-27)

Full Changelog

Fixed bugs:

Do not show diff of files that may contain passwords #14 (treydock)

2.2.0 (2018-02-26)

Full Changelog

Implemented enhancements:

Make management of the MySQL database optional #13 (treydock)

2.1.0 (2018-02-22)

Full Changelog

Implemented enhancements:

Increase minimum java dependency to 2.2.0 to to support Debian 9. Update unit tests to test all supported OSes #12 (treydock)
Symlink instead of copy mysql connector. puppetlabs/mysql 5 compatibility #11 (NITEMAN)
Add support for http port configuration #9 (NITEMAN)
Add Debian 9 support #8 (NITEMAN)

Fixed bugs:

Fix ownership of install dir #10 (NITEMAN)

2.0.1 (2017-12-18)

Full Changelog

Fixed bugs:

Fix configuration order when proxy_https is true #7 (treydock)

2.0.0 (2017-12-11)

Full Changelog

Implemented enhancements:

BREAKING: Remove deprecated defined types #6 (treydock)
Add always_read_value_from_ldap property to keycloak_ldap_mapper #5 (treydock)
BREAKING: Set default version to 3.4.1.Final #4 (treydock)
BREAKING: Drop Puppet 3 support #3 (treydock)

1.0.0 (2017-09-05)

Full Changelog

Initial release using custom types and providers

Changes since 0.0.1:

Add keycloak_realm type that deprecates keycloak::realm
Add keycloak_ldap_user_provider that deprecates keycloak::user_federation::ldap
Add keycloak_ldap_mapper that deprecates keycloak::user_federation::ldap_mapper
Add keycloak_client that deprecates keycloak::client
Add keycloak_client_template and keycloak_protocol_mapper types
Update keycloak::client_template to use keycloak_client_template and keycloak_protocol_mapper types
Add symlink /opt/keycloak that points to currently managed keycloak install
Add kcadm-wrapper.sh to install's bin directory which is used by custom types/providers

0.0.1 (2017-08-11)

Initial release

 Copyright (C) 2017 <FULL NAME> <EMAIL>

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.

keycloak

Version information

This version is compatible with:

Start using this module

Documentation

puppet-module-keycloak

Table of Contents

Overview

Usage

keycloak

keycloak_realm

keycloak_ldap_user_provider

keycloak_ldap_mapper

keycloak_client

keycloak::client_template

keycloak_client_template

keycloak_protocol_mapper

keycloak_api

Reference

Limitations

Development

Testing

Reference

Table of Contents

Classes

keycloak

Examples

Parameters

version

package_url

install_dir

service_name

service_ensure

service_enable

service_hasstatus

service_hasrestart

user

group

user_uid

group_gid

admin_user

admin_user_password

manage_datasource

datasource_driver

datasource_host

datasource_port

datasource_dbname

datasource_username

datasource_password

proxy_https

truststore

truststore_hosts

truststore_password

truststore_hostname_verification_policy

http_port

theme_static_max_age

theme_cache_themes

theme_cache_templates

realms

client_templates

service_java_opts

keycloak::config

keycloak::datasource::h2

keycloak::install

keycloak::params

keycloak::service

Defined types

keycloak::client_template

Examples

Parameters

realm

resource_name

protocol

full_scope_allowed

keycloak::truststore::host

Examples

Parameters

certificate

ensure

Resource types

`version`

`package_url`

`install_dir`

`service_name`

`service_ensure`

`service_enable`

`service_hasstatus`

`service_hasrestart`

`user`

`group`

`user_uid`

`group_gid`

`admin_user`

`admin_user_password`

`manage_datasource`

`datasource_driver`

`datasource_host`

`datasource_port`

`datasource_dbname`

`datasource_username`

`datasource_password`

`proxy_https`

`truststore`

`truststore_hosts`

`truststore_password`

`truststore_hostname_verification_policy`

`http_port`

`theme_static_max_age`

`theme_cache_themes`

`theme_cache_templates`

`realms`

`client_templates`

`service_java_opts`

`realm`

`resource_name`

`protocol`

`full_scope_allowed`

`certificate`

`ensure`

`name`

`install_base`

`server`

`realm`

`user`

`password`

`use_wrapper`

`ensure`

`protocol`

`client_authenticator_type`

`client_template`

`enabled`

`direct_access_grants_enabled`

`public_client`

`redirect_uris`

`web_origins`

`name`

`client_id`

`id`

`realm`

`secret`

`ensure`

`protocol`

`full_scope_allowed`

`name`

`resource_name`

`id`

`realm`

`ensure`

`name`

`keycloak_server`

`keycloak_port`

`use_ssl`

`test_url`

`timeout`

`ensure`

`ldap_attribute`

`user_model_attribute`

`is_mandatory_in_ldap`