community.general.keycloak_realm – Allows administration of Keycloak realm via Keycloak API
Note
This plugin is part of the community.general collection (version 3.8.1).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.general.
To use it in a playbook, specify: community.general.keycloak_realm.
New in version 3.0.0 of community.general.
Synopsis
- This module allows the administration of Keycloak realm via the Keycloak REST API. It requires access to the REST API via OpenID Connect; the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at https://www.keycloak.org/docs-api/8.0/rest-api/index.html. Aliases are provided so camelCased versions can be used as well.
- The Keycloak API does not always sanity check inputs; for example, you can set SAML-specific settings on an OpenID Connect client and vice versa. Be careful. If you do not specify a setting, usually a sensible default is chosen.

Parameters
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| access_code_lifespan (integer) | | The realm access code lifespan. aliases: accessCodeLifespan |
| access_code_lifespan_login (integer) | | The realm access code lifespan login. aliases: accessCodeLifespanLogin |
| access_code_lifespan_user_action (integer) | | The realm access code lifespan user action. aliases: accessCodeLifespanUserAction |
| access_token_lifespan (integer) | | The realm access token lifespan. aliases: accessTokenLifespan |
| access_token_lifespan_for_implicit_flow (integer) | | The realm access token lifespan for implicit flow. aliases: accessTokenLifespanForImplicitFlow |
| account_theme (string) | | The realm account theme. aliases: accountTheme |
| action_token_generated_by_admin_lifespan (integer) | | The realm action token generated by admin lifespan. aliases: actionTokenGeneratedByAdminLifespan |
| action_token_generated_by_user_lifespan (integer) | | The realm action token generated by user lifespan. aliases: actionTokenGeneratedByUserLifespan |
| admin_events_details_enabled (boolean) | | The realm admin events details enabled. aliases: adminEventsDetailsEnabled |
| admin_events_enabled (boolean) | | The realm admin events enabled. aliases: adminEventsEnabled |
| admin_theme (string) | | The realm admin theme. aliases: adminTheme |
| attributes (dictionary) | | The realm attributes. |
| auth_client_id (string) | Default: "admin-cli" | OpenID Connect client_id to authenticate to the API with. |
| auth_client_secret (string) | | Client Secret to use in conjunction with auth_client_id (if required). |
| auth_keycloak_url (string / required) | | URL to the Keycloak instance. aliases: url |
| auth_password (string) | | Password to authenticate for API access with. aliases: password |
| auth_realm (string) | | Keycloak realm name to authenticate to for API access. |
| auth_username (string) | | Username to authenticate for API access with. aliases: username |
| browser_flow (string) | | The realm browser flow. aliases: browserFlow |
| browser_security_headers (dictionary) | | The realm browser security headers. aliases: browserSecurityHeaders |
| brute_force_protected (boolean) | | The realm brute force protected. aliases: bruteForceProtected |
| client_authentication_flow (string) | | The realm client authentication flow. aliases: clientAuthenticationFlow |
| client_scope_mappings (dictionary) | | The realm client scope mappings. aliases: clientScopeMappings |
| default_default_client_scopes (list / elements=dictionary) | | The realm default default client scopes. aliases: defaultDefaultClientScopes |
| default_groups (list / elements=dictionary) | | The realm default groups. aliases: defaultGroups |
| default_locale (string) | | The realm default locale. aliases: defaultLocale |
| default_optional_client_scopes (list / elements=dictionary) | | The realm default optional client scopes. aliases: defaultOptionalClientScopes |
| default_roles (list / elements=dictionary) | | The realm default roles. aliases: defaultRoles |
| default_signature_algorithm (string) | | The realm default signature algorithm. aliases: defaultSignatureAlgorithm |
| direct_grant_flow (string) | | The realm direct grant flow. aliases: directGrantFlow |
| display_name (string) | | The realm display name. aliases: displayName |
| display_name_html (string) | | The realm display name HTML. aliases: displayNameHtml |
| docker_authentication_flow (string) | | The realm docker authentication flow. aliases: dockerAuthenticationFlow |
| duplicate_emails_allowed (boolean) | | The realm duplicate emails allowed option. aliases: duplicateEmailsAllowed |
| edit_username_allowed (boolean) | | The realm edit username allowed option. aliases: editUsernameAllowed |
| email_theme (string) | | The realm email theme. aliases: emailTheme |
| enabled (boolean) | | The realm enabled option. |
| enabled_event_types (list / elements=string) | | The realm enabled event types. aliases: enabledEventTypes |
| events_enabled (boolean; added in 3.6.0 of community.general) | | Enables or disables login events for this realm. aliases: eventsEnabled |
| events_expiration (integer) | | The realm events expiration. aliases: eventsExpiration |
| events_listeners (list / elements=string) | | The realm events listeners. aliases: eventsListeners |
| failure_factor (integer) | | The realm failure factor. aliases: failureFactor |
| id (string) | | The realm to create. |
| internationalization_enabled (boolean) | | The realm internationalization enabled option. aliases: internationalizationEnabled |
| login_theme (string) | | The realm login theme. aliases: loginTheme |
| login_with_email_allowed (boolean) | | The realm login with email allowed option. aliases: loginWithEmailAllowed |
| max_delta_time_seconds (integer) | | The realm max delta time in seconds. aliases: maxDeltaTimeSeconds |
| max_failure_wait_seconds (integer) | | The realm max failure wait in seconds. aliases: maxFailureWaitSeconds |
| minimum_quick_login_wait_seconds (integer) | | The realm minimum quick login wait in seconds. aliases: minimumQuickLoginWaitSeconds |
| not_before (integer) | | The realm not before. aliases: notBefore |
| offline_session_idle_timeout (integer) | | The realm offline session idle timeout. aliases: offlineSessionIdleTimeout |
| offline_session_max_lifespan (integer) | | The realm offline session max lifespan. aliases: offlineSessionMaxLifespan |
| offline_session_max_lifespan_enabled (boolean) | | The realm offline session max lifespan enabled option. aliases: offlineSessionMaxLifespanEnabled |
| otp_policy_algorithm (string) | | The realm otp policy algorithm. aliases: otpPolicyAlgorithm |
| otp_policy_digits (integer) | | The realm otp policy digits. aliases: otpPolicyDigits |
| otp_policy_initial_counter (integer) | | The realm otp policy initial counter. aliases: otpPolicyInitialCounter |
| otp_policy_look_ahead_window (integer) | | The realm otp policy look ahead window. aliases: otpPolicyLookAheadWindow |
| otp_policy_period (integer) | | The realm otp policy period. aliases: otpPolicyPeriod |
| otp_policy_type (string) | | The realm otp policy type. aliases: otpPolicyType |
| otp_supported_applications (list / elements=string) | | The realm otp supported applications. aliases: otpSupportedApplications |
| password_policy (string) | | The realm password policy. aliases: passwordPolicy |
| permanent_lockout (boolean) | | The realm permanent lockout. aliases: permanentLockout |
| quick_login_check_milli_seconds (integer) | | The realm quick login check in milliseconds. aliases: quickLoginCheckMilliSeconds |
| realm (string) | | The realm name. |
| refresh_token_max_reuse (integer) | | The realm refresh token max reuse. aliases: refreshTokenMaxReuse |
| registration_allowed (boolean) | | The realm registration allowed option. aliases: registrationAllowed |
| registration_email_as_username (boolean) | | The realm registration email as username option. aliases: registrationEmailAsUsername |
| registration_flow (string) | | The realm registration flow. aliases: registrationFlow |
| remember_me (boolean) | | The realm remember me option. aliases: rememberMe |
| reset_credentials_flow (string) | | The realm reset credentials flow. aliases: resetCredentialsFlow |
| reset_password_allowed (boolean) | | The realm reset password allowed option. aliases: resetPasswordAllowed |
| revoke_refresh_token (boolean) | | The realm revoke refresh token option. aliases: revokeRefreshToken |
| smtp_server (dictionary) | | The realm smtp server. aliases: smtpServer |
| ssl_required (string) | | The realm ssl required option. aliases: sslRequired |
| sso_session_idle_timeout (integer) | | The realm sso session idle timeout. aliases: ssoSessionIdleTimeout |
| sso_session_idle_timeout_remember_me (integer) | | The realm sso session idle timeout remember me. aliases: ssoSessionIdleTimeoutRememberMe |
| sso_session_max_lifespan (integer) | | The realm sso session max lifespan. aliases: ssoSessionMaxLifespan |
| sso_session_max_lifespan_remember_me (integer) | | The realm sso session max lifespan remember me. aliases: ssoSessionMaxLifespanRememberMe |
| state (string) | | State of the realm. On present, the realm will be created (or updated if it exists already). On absent, the realm will be removed if it exists. |
| supported_locales (list / elements=string) | | The realm supported locales. aliases: supportedLocales |
| token (string; added in 3.0.0 of community.general) | | Authentication token for Keycloak API. |
| user_managed_access_allowed (boolean) | | The realm user managed access allowed option. aliases: userManagedAccessAllowed |
| validate_certs (boolean) | | Verify TLS certificates (do not disable this in production). |
| verify_email (boolean) | | The realm verify email option. aliases: verifyEmail |
| wait_increment_seconds (integer) | | The realm wait increment in seconds. aliases: waitIncrementSeconds |

Examples
```yaml
- name: Create or update Keycloak realm (minimal example)
  community.general.keycloak_realm:
    auth_client_id: admin-cli
    auth_keycloak_url: https://auth.example.com/auth
    auth_realm: master
    auth_username: USERNAME
    auth_password: PASSWORD
    id: realm
    state: present

- name: Delete a Keycloak realm
  community.general.keycloak_realm:
    auth_client_id: admin-cli
    auth_keycloak_url: https://auth.example.com/auth
    auth_realm: master
    auth_username: USERNAME
    auth_password: PASSWORD
    id: test
    state: absent
```
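
The following playbook is an added example, not part of the module's own documentation: it sets the login-protection, token and audit options from the parameter table and then asserts on `end_state`, because the Keycloak API does not always sanity check inputs. The realm id `example-realm`, the `vault_*` variable names, the numeric values, the value `all` for `ssl_required`, and the camelCase keys read from `end_state` (following the `adminUrl` sample under Return Values) are assumptions.

```yaml
- name: Harden a Keycloak realm and verify what the server stored
  hosts: localhost
  gather_facts: false
  vars:
    # Assumed variable names; keep the real values in Ansible Vault,
    # not in the playbook.
    keycloak_url: https://auth.example.com/auth
    keycloak_admin_user: "{{ vault_keycloak_admin_user }}"
    keycloak_admin_password: "{{ vault_keycloak_admin_password }}"
  tasks:
    - name: Create or update the realm with login protections enabled
      community.general.keycloak_realm:
        auth_client_id: admin-cli
        auth_keycloak_url: "{{ keycloak_url }}"
        auth_realm: master
        auth_username: "{{ keycloak_admin_user }}"
        auth_password: "{{ keycloak_admin_password }}"
        validate_certs: true
        id: example-realm        # constructed realm id
        realm: example-realm
        enabled: true
        state: present
        ssl_required: all        # assumed value: require TLS for every client
        # Brute-force detection: delay logins after 5 failures,
        # growing by 60 s per step up to a 900 s ceiling.
        brute_force_protected: true
        failure_factor: 5
        wait_increment_seconds: 60
        max_failure_wait_seconds: 900
        # Reduce the self-service surface.
        registration_allowed: false
        verify_email: true
        duplicate_emails_allowed: false
        # Short-lived access tokens, single-use refresh tokens.
        access_token_lifespan: 300
        revoke_refresh_token: true
        refresh_token_max_reuse: 0
        # Audit trail for logins and admin changes.
        events_enabled: true
        admin_events_enabled: true
        admin_events_details_enabled: true
      register: realm_result

    - name: Fail if the stored realm differs from the intended baseline
      ansible.builtin.assert:
        that:
          # Keys are the camelCase names Keycloak uses (assumed to be
          # present in end_state, as in the adminUrl sample).
          - realm_result.end_state.bruteForceProtected | bool
          - realm_result.end_state.failureFactor | int == 5
          - realm_result.end_state.sslRequired | lower == 'all'
          - not (realm_result.end_state.registrationAllowed | bool)
          - realm_result.end_state.revokeRefreshToken | bool
          - realm_result.end_state.eventsEnabled | bool
        fail_msg: "Realm settings in end_state do not match the baseline"
```
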
Return Values
Common return values are documented here; the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| end_state (dictionary) | always | realm representation of realm after module execution (sample is truncated). Sample: `{'adminUrl': 'http://www.example.com/admin_url', 'attributes': {'request.object.signature.alg': 'RS256'}}` |
| existing (dictionary) | always | realm representation of existing realm (sample is truncated). Sample: `{'adminUrl': 'http://www.example.com/admin_url', 'attributes': {'request.object.signature.alg': 'RS256'}}` |
| msg (string) | always | Message as to what action was taken. Sample: `Realm testrealm has been updated` |
| proposed (dictionary) | always | realm representation of proposed changes to realm. Sample: `{'id': 'test'}` |

Authors
- Christophe Gilles (@kris2kris)
 
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
 https://docs.ansible.com/ansible/latest/collections/community/general/keycloak_realm_module.html