keycloak_client add option to support client-x509 authentication (#8973)

* keycloak_client: add client-x509 option to client_authenticator_type Signed-off-by: boolman <[email protected]> * keycloak_client: add attributes for client-x509 Signed-off-by: boolman <[email protected]> * keycloak_client update description Signed-off-by: boolman <[email protected]> * keycloak_client add fragment Signed-off-by: boolman <[email protected]> * remove trailing whitespace Signed-off-by: boolman <[email protected]> * keycloak_client add example with x509 authentication Signed-off-by: boolman <[email protected]> * Update plugins/modules/keycloak_client.py Co-authored-by: Felix Fontein <[email protected]> * Update changelogs/fragments/8973-keycloak_client-add-x509-auth.yml Co-authored-by: Felix Fontein <[email protected]> * keycloak_client added type on new suboptions Signed-off-by: boolman <[email protected]> --------- Signed-off-by: boolman <[email protected]> Co-authored-by: Felix Fontein <[email protected]>
ansible-collections · Oct 7, 2024 · 464812a · 464812a
1 parent 5e6b8e5
commit 464812a
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 7 deletions.
diff --git a/changelogs/fragments/8973-keycloak_client-add-x509-auth.yml b/changelogs/fragments/8973-keycloak_client-add-x509-auth.yml
@@ -0,0 +1,2 @@
+minor_changes:
+  - keycloak_client - add ``client-x509`` choice to ``client_authenticator_type`` (https://github.com/ansible-collections/community.general/pull/8973).
diff --git a/plugins/modules/keycloak_client.py b/plugins/modules/keycloak_client.py
@@ -108,13 +108,14 @@
 
     client_authenticator_type:
         description:
-            - How do clients authenticate with the auth server? Either V(client-secret) or
-              V(client-jwt) can be chosen. When using V(client-secret), the module parameter
-              O(secret) can set it, while for V(client-jwt), you can use the keys C(use.jwks.url),
+            - How do clients authenticate with the auth server? Either V(client-secret),
+              V(client-jwt), or V(client-x509) can be chosen. When using V(client-secret), the module parameter
+              O(secret) can set it, for V(client-jwt), you can use the keys C(use.jwks.url),
               C(jwks.url), and C(jwt.credential.certificate) in the O(attributes) module parameter
-              to configure its behavior.
+              to configure its behavior. For V(client-x509) you can use the keys C(x509.allow.regex.pattern.comparison)
+              and C(x509.subjectdn) in the O(attributes) module parameter to configure which certificate(s) to accept.
             - This is 'clientAuthenticatorType' in the Keycloak REST API.
-        choices: ['client-secret', 'client-jwt']
+        choices: ['client-secret', 'client-jwt', 'client-x509']
         aliases:
             - clientAuthenticatorType
         type: str
@@ -533,7 +534,6 @@
                 description:
                     - SAML Redirect Binding URL for the client's assertion consumer service (login responses).
 
-
             saml_force_name_id_format:
                 description:
                     - For SAML clients, Boolean specifying whether to ignore requested NameID subject format and using the configured one instead.
@@ -581,6 +581,18 @@
                     - For OpenID-Connect clients, client certificate for validating JWT issued by
                       client and signed by its key, base64-encoded.
 
+            x509.subjectdn:
+                description:
+                    - For OpenID-Connect clients, subject which will be used to authenticate the client.
+                type: str
+                version_added: 9.5.0
+
+            x509.allow.regex.pattern.comparison:
+                description:
+                    - For OpenID-Connect clients, boolean specifying whether to allow C(x509.subjectdn) as regular expression.
+                type: bool
+                version_added: 9.5.0
+
 extends_documentation_fragment:
     - community.general.keycloak
     - community.general.attributes
@@ -624,6 +636,22 @@
   delegate_to: localhost
 
 
+- name: Create or update a Keycloak client (minimal example), with x509 authentication
+  community.general.keycloak_client:
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com/auth
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    realm: master
+    state: present
+    client_id: test
+    client_authenticator_type: client-x509
+    attributes:
+      x509.subjectdn: "CN=client"
+      x509.allow.regex.pattern.comparison: false
+
+
 - name: Create or update a Keycloak client (with all the bells and whistles)
   community.general.keycloak_client:
     auth_client_id: admin-cli
@@ -913,7 +941,7 @@ def main():
         base_url=dict(type='str', aliases=['baseUrl']),
         surrogate_auth_required=dict(type='bool', aliases=['surrogateAuthRequired']),
         enabled=dict(type='bool'),
-        client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt'], aliases=['clientAuthenticatorType']),
+        client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt', 'client-x509'], aliases=['clientAuthenticatorType']),
         secret=dict(type='str', no_log=True),
         registration_access_token=dict(type='str', aliases=['registrationAccessToken'], no_log=True),
         default_roles=dict(type='list', elements='str', aliases=['defaultRoles']),
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		minor_changes:
		- keycloak_client - add ``client-x509`` choice to ``client_authenticator_type`` (https://github.com/ansible-collections/community.general/pull/8973).