This repository has been archived by the owner on Nov 16, 2022. It is now read-only.

Add support for identityProviderMappers in KeycloakRealm CR #471

Closed
SnehaMore20 opened this issue Feb 2, 2022 · 3 comments
Comments

@SnehaMore20

Description

Add support for identityProviderMappers field in KeycloakRealm Custom Resource.

Discussion

No response

Motivation

Currently keycloak-operator supports adding identityProviders. Providing additional support for identityProviderMappers field in KeycloakRealm CR can help map incoming tokens and assertions to user and session attributes and propagate identity information from the external IDP to your client requesting authentication.

Details

Expected CR Example:

```yaml
apiVersion: keycloak.org/v1alpha1
kind: KeycloakRealm
metadata:
  name: example-keycloakrealm
  labels:
    app: sso
spec:
  realm:
    id: "basic"
    realm: "basic"
    enabled: True
    displayName: "Basic"
    identityProviders:
      - alias: "gitlab"
        displayName: "Log in with Gitlab"
        providerId: "oidc"
        enabled: true
        trustEmail: true
        storeToken: false
        addReadTokenRoleOnCreate: false
        linkOnly: false
        firstBrokerLoginFlowAlias: "first broker login"
        config:
          userInfoUrl: "https://<GIT_URL>/oauth/userinfo"
          validateSignature: "true"
          acceptsPromptNoneForwardFromClient: "false"
          clientId: "<CLIENT-ID>"
          clientSecret: "<CLIENT-SECRET>"
          tokenUrl: "https://<GIT_URL>/oauth/token"
          jwksUrl: "https://<GIT_URL>/oauth/discovery/keys"
          issuer: "https://<GIT_URL>"
          useJwksUrl: "true"
          authorizationUrl: "https://<GIT_URL>/oauth/authorize"
          clientAuthMethod: "client_secret_post"
          logoutUrl: "https://<GIT_URL>/oauth/revoke"
          clientAssertionSigningAlg: "RS256"
          syncMode: "FORCE"
          defaultScope: "read_user api email openid profile"
          guiOrder: "1"
    # Mappers are plain YAML list items (no trailing commas); the
    # identityProviderAlias must match the alias of a provider declared
    # under identityProviders above ("gitlab"), not its providerId.
    identityProviderMappers:
      - name: "admin-user-mapper"
        identityProviderAlias: "gitlab"
        identityProviderMapper: "oidc-role-idp-mapper"
        config:
          syncMode: "FORCE"
          claim: "groups"
          role: "admin"
          claim.value: "admin"
    verifyEmail: true
  instanceSelector:
    matchLabels:
      app: sso
```

Note: a Jira for the same has already been created (https://issues.redhat.com/browse/KEYCLOAK-13098) but was closed without being implemented.
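The mapper in the CR above only works if its `identityProviderAlias` points at a provider that actually exists in the realm and its `config` carries the keys the mapper type reads. The following validator is an added example, not code from keycloak-operator: it takes a realm in the JSON RealmRepresentation shape the Keycloak Admin API receives (an assumption about how the operator would hand the CR to Keycloak), checks every `identityProviderMappers` entry for a dangling alias and for missing `claim` / `claim.value` / `role` config on `oidc-role-idp-mapper`, and also flags an unrecognised `syncMode`. The sample realm is constructed from the issue's CR plus one deliberately broken mapper; the set of `syncMode` values is assumed from Keycloak's `IdentityProviderMapperSyncMode`.

```python
"""Validate identityProviderMappers in a Keycloak realm representation.

Added example, not part of the keycloak-operator code base. It treats the
realm the way the Admin API receives it (a JSON RealmRepresentation) and
reports the two things that silently break brokered logins: a mapper whose
identityProviderAlias names no configured identity provider, and a role
mapper missing the claim / claim.value / role config it needs.
"""
import json
from typing import List

# Values of IdentityProviderMapperSyncMode known from Keycloak (assumption:
# the operator passes them through to the Admin API unchanged).
VALID_SYNC_MODES = {"INHERIT", "IMPORT", "LEGACY", "FORCE"}

# Required config keys per mapper type, taken from the CR example in the
# issue (oidc-role-idp-mapper); other mapper types are not checked here.
REQUIRED_CONFIG = {
    "oidc-role-idp-mapper": ("claim", "claim.value", "role"),
}

# Constructed sample: the realm from the issue expressed as JSON, with the
# mapper alias pointing at the "gitlab" provider, plus one broken mapper
# (dangling alias, incomplete config) to show what the validator reports.
SAMPLE_REALM_JSON = """
{
  "realm": "basic",
  "identityProviders": [
    {"alias": "gitlab", "providerId": "oidc", "enabled": true}
  ],
  "identityProviderMappers": [
    {
      "name": "admin-user-mapper",
      "identityProviderAlias": "gitlab",
      "identityProviderMapper": "oidc-role-idp-mapper",
      "config": {"syncMode": "FORCE", "claim": "groups",
                 "role": "admin", "claim.value": "admin"}
    },
    {
      "name": "dangling-mapper",
      "identityProviderAlias": "oidc",
      "identityProviderMapper": "oidc-role-idp-mapper",
      "config": {"syncMode": "FORCE", "claim": "groups"}
    }
  ]
}
"""


def validate_idp_mappers(realm: dict) -> List[str]:
    """Return a list of problems found in realm['identityProviderMappers']."""
    problems = []
    aliases = {idp.get("alias") for idp in realm.get("identityProviders", [])}
    for mapper in realm.get("identityProviderMappers", []):
        name = mapper.get("name", "<unnamed>")
        alias = mapper.get("identityProviderAlias")
        # The alias must reference a declared provider, not its providerId.
        if alias not in aliases:
            problems.append(
                f"{name}: identityProviderAlias {alias!r} does not match any "
                f"identityProviders alias {sorted(a for a in aliases if a)}")
        config = mapper.get("config", {})
        # A role mapper with no claim/value/role never grants anything.
        for key in REQUIRED_CONFIG.get(mapper.get("identityProviderMapper"), ()):
            if not config.get(key):
                problems.append(f"{name}: config key {key!r} is missing or empty")
        sync_mode = config.get("syncMode")
        if sync_mode is not None and sync_mode not in VALID_SYNC_MODES:
            problems.append(f"{name}: unknown syncMode {sync_mode!r}")
    return problems


def validate_json(text: str) -> List[str]:
    """Parse a JSON realm representation and validate its mappers."""
    return validate_idp_mappers(json.loads(text))


if __name__ == "__main__":
    for line in validate_json(SAMPLE_REALM_JSON) or ["no problems found"]:
        print(line)
```

Run against the sample, the validator reports nothing for `admin-user-mapper` and three problems for `dangling-mapper`: the alias `oidc` (the providerId, not an alias), and the missing `claim.value` and `role` keys. The same check is a sensible admission-time guard for an operator, since Keycloak itself accepts a mapper whose config is incomplete and simply never applies it.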

@iam-veeramalla

Hi Team, we (the OpenShift-GitOps team) are also looking for this fix. Let me know if you want me to contribute to this fix.

@vmuzikar
Contributor

vmuzikar commented Feb 8, 2022

@iam-veeramalla A contribution would be much appreciated! :)

@stianst
Contributor

stianst commented Nov 16, 2022

Thanks (again) for reporting this issue. Keycloak 19 was the last version that included this legacy Operator, and with the release of Keycloak 20 the Operator reached EOL and this repository will be archived; please see our blog post on this topic. If this issue is still valid for the Realm Operator, please re-open it there. Thanks for your understanding, and be sure to check out our new Operator!

@stianst stianst closed this as completed Nov 16, 2022