community.general.keycloak_authentication_v2 module – Configure authentication flows in Keycloak in an idempotent and safe manner.
Note
This module is part of the community.general collection (version 12.5.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.general.
To use it in a playbook, specify: community.general.keycloak_authentication_v2.
New in community.general 12.5.0
Synopsis
This module allows the creation, deletion, and modification of Keycloak authentication flows using the Keycloak REST API.
Rather than modifying an existing flow in place, the module re-creates the flow using the Safe Swap mechanism described below.
Safe Swap mechanism - When an authentication flow needs to be updated, the module never modifies the existing flow in place. Instead it follows a multi-step swap procedure to ensure the flow is never left in an intermediate or unsafe state during the update. This is especially important when the flow is actively bound to a realm binding, a client override, or as an identity-provider login-flow or post-flow, because a partially-updated flow could inadvertently allow unauthorised access.
The Safe Swap mechanism is as follows.

1. A new flow is created under a temporary name (the original alias plus a configurable suffix, for example myflow_tmp_for_swap).
2. All executions and their configurations are added to the new temporary flow.
3. If the existing flow is currently bound to a realm or a client, all bindings are redirected to the new temporary flow. This ensures continuity and avoids any gap in active authentication coverage.
4. The old flow is deleted.
5. The temporary flow is renamed to the original alias, restoring the expected name.

Handling pre-existing temporary swap flows - If a temporary swap flow already exists (for example, from a previously interrupted run), the module can optionally delete it before proceeding. This behaviour is controlled by the force_temporary_swap_flow_deletion option. If the option is false and a temporary flow already exists, the module will fail to prevent accidental data loss.

Idempotency - If the existing flow already matches the desired configuration, no changes are made. The module compares a normalised representation of the existing flow against the desired state before deciding whether to trigger the Safe Swap procedure.
A depth of 4 sub-flows is supported.
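The five swap steps, the stale temporary-flow guard and the idempotency comparison, modelled as an added example in Python against an in-memory realm. This is not the module's code and contacts no Keycloak server; the realm dictionary layout, the function names, the order of the checks and the `_tmp_for_swap` suffix (taken from the example alias above) are assumptions.

```python
import copy

SUFFIX = "_tmp_for_swap"  # assumed default of the suffix option

def normalise(execs):
    """Canonical form for the idempotency comparison: only the fields that
    define behaviour (provider, requirement, config), sub-flows recursed into."""
    out = []
    for e in execs:
        item = {"requirement": e["requirement"]}
        if "subFlow" in e:
            item["subFlow"] = e["subFlow"]
            item["children"] = normalise(e.get("authenticationExecutions", []))
        else:
            item["providerId"] = e["providerId"]
            item["config"] = e.get("authenticationConfig", {}).get("config", {})
        out.append(item)
    return out

def safe_swap(realm, alias, desired, force=False):
    """realm is a constructed model: {"flows": {alias: executions},
    "bindings": {binding_name: flow_alias}}.  Returns "unchanged",
    "created" or "swapped"; raises if a stale temporary flow blocks the swap."""
    tmp = alias + SUFFIX
    existing = realm["flows"].get(alias)
    if existing is not None and normalise(existing) == normalise(desired):
        return "unchanged"                 # idempotent: nothing to swap
    if existing is None:                   # no old flow, so no swap needed
        realm["flows"][alias] = copy.deepcopy(desired)
        return "created"
    if tmp in realm["flows"]:              # leftover of an interrupted run
        if not force:
            raise RuntimeError("temporary flow %r exists; set force to remove it" % tmp)
        del realm["flows"][tmp]
    # Steps 1-2: build the complete new flow under the temporary alias.
    realm["flows"][tmp] = copy.deepcopy(desired)
    # Step 3: repoint every binding so authentication coverage never lapses.
    for name, bound in realm["bindings"].items():
        if bound == alias:
            realm["bindings"][name] = tmp
    # Step 4: the old flow is now unreferenced and can be deleted.
    del realm["flows"][alias]
    # Step 5: rename back; bindings hold the alias string here, so repoint them.
    realm["flows"][alias] = realm["flows"].pop(tmp)
    for name, bound in realm["bindings"].items():
        if bound == tmp:
            realm["bindings"][name] = alias
    return "swapped"
```

At no point between step 3 and step 5 does a binding reference a flow that does not exist, which is the property the module's procedure is designed to preserve.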
Parameters
| Parameter | Comments |
|---|---|
| `alias` | The name of the authentication flow. |
| `auth_client_id` | OpenID Connect client ID to authenticate to the API with. Default: *(value not recovered)* |
| `auth_client_secret` | Client Secret to use in conjunction with `auth_client_id`. |
| `auth_keycloak_url` | URL to the Keycloak instance. |
| `auth_password` | Password to authenticate for API access with. |
| `auth_realm` | Keycloak realm name to authenticate to for API access. |
| `auth_username` | Username to authenticate for API access with. |
| `authenticationExecutions` | The desired execution configuration for the flow. Executions at root level. A list of entries with the suboptions below. |
| `authenticationExecutions[].authenticationConfig` | The configuration for the execution. |
| `authenticationExecutions[].authenticationConfig.alias` | Name of the execution config. |
| `authenticationExecutions[].authenticationConfig.config` | Options for the execution config. |
| `authenticationExecutions[].authenticationExecutions` | The execution configuration for executions within the sub-flow. Executions at sub level 1. Takes the same suboptions as the root level, nested down to sub level 4 (the last sub level), where no further `subFlow` can be declared. |
| `authenticationExecutions[].providerId` | The provider ID of the execution (for example `auth-cookie` in the examples below). |
| `authenticationExecutions[].requirement` | The requirement status of the execution or sub-flow. Choices: *(not recovered)* |
| `authenticationExecutions[].subFlow` | The name of the sub-flow. |
| *(name not recovered)* | The type of the sub-flow. Choices: *(not recovered)* |
| `connection_timeout` | Controls the HTTP connections timeout period (in seconds) to Keycloak API. Default: *(value not recovered)* |
| `description` | A human-readable description of the flow. |
| `force_temporary_swap_flow_deletion` | Whether a temporary swap flow left behind by an earlier (for example interrupted) run is deleted before the Safe Swap proceeds. If it is not enabled and such a flow exists, the module fails rather than risk accidental data loss. Choices: false, true |
| `http_agent` | Configures the HTTP User-Agent header. Default: *(value not recovered)* |
| *(name not recovered)* | *(description not recovered)* Choices: *(not recovered)* |
| `realm` | The name of the realm in which the authentication flow resides. |
| `refresh_token` | Authentication refresh token for Keycloak API. |
| `state` | Whether the authentication flow should exist or not. Choices: absent, present |
| *(name not recovered)* | The suffix appended to the alias of the temporary flow created during a Safe Swap update. The temporary flow exists only for the duration of the swap procedure and is renamed to the original alias once all bindings have been successfully transferred. Default: *(value not recovered)* |
| `token` | Authentication token for Keycloak API. |
| `validate_certs` | Verify TLS certificates (do not disable this in production). Choices: false, true |
Attributes
| Attribute | Support | Description |
|---|---|---|
| `action_group` | Action group: community.general.keycloak | Use `group/community.general.keycloak` in `module_defaults` to set defaults for this module. |
| `check_mode` | Support: full | Can run in `check_mode` and return changed status prediction without modifying target. |
| `diff_mode` | Support: full | Returns details on what has changed (or possibly needs changing in `check_mode`), when in diff mode. |
Examples
```yaml
- name: Create or modify the 'My Login Flow'.
  community.general.keycloak_authentication_v2:
    auth_keycloak_url: http://localhost:8080/auth
    auth_realm: master
    auth_username: admin
    auth_password: password
    realm: master
    alias: My Login Flow
    authenticationExecutions:
      - providerId: idp-review-profile
        requirement: REQUIRED
        authenticationConfig:
          alias: My Login Flow - review profile config
          config:
            update.profile.on.first.login: "missing"
      - subFlow: My Login Flow - User creation or linking
        requirement: REQUIRED
        authenticationExecutions:
          - providerId: idp-create-user-if-unique
            requirement: ALTERNATIVE
            authenticationConfig:
              alias: My Login Flow - create unique user config
              config:
                require.password.update.after.registration: "true"
          - providerId: auth-cookie
            requirement: REQUIRED
          - subFlow: My Login Flow - Handle Existing Account
            requirement: ALTERNATIVE
            authenticationExecutions:
              - providerId: idp-confirm-link
                requirement: REQUIRED
              - providerId: auth-cookie
                requirement: DISABLED
    state: present

- name: Remove an authentication flow.
  community.general.keycloak_authentication_v2:
    auth_keycloak_url: http://localhost:8080/auth
    auth_realm: master
    auth_username: admin
    auth_password: password
    realm: master
    alias: My Login Flow
    state: absent
```
Return Values
Common return values are documented here; the following are the fields unique to this module:

| Key | Description |
|---|---|
| *(name not recovered)* | Representation of the authentication flow after module execution. Returned: on success. Sample: *(not recovered)* |