Configure KeycloakOIDC via API

I’m in the process of configuring KeycloakOIDC as authentication provider via Ansible using the API, but when I try to send the POST to testAndApply, it requires an authorization code I cannot retrieve without a browser.

Is there any way to fully configure KeycloakOIDC via API?

  - name: Configure Keycloak Authentication
    ansible.builtin.uri:
      url: "https://{{ ansible_fqdn }}/v3/keyCloakOIDCConfigs/keycloakoidc?action=configureTest"
      method: POST
      headers:
        Authorization: "Bearer {{ rancher_api_token }}"
        Content-Type: "application/json"
      body:
        accessMode: "unrestricted"
        enabled: true
        type: "keyCloakOIDCConfig"
        uuid: "fe651219-adbc-427a-bf1f-ac1f8257fce1"
        clientId: "rancher"
        clientSecret: "QzkGBXod9B6LSbRdFH5HT6dr7b0FPyIT"
        authEndpoint: "https://test-1:8443/realms/master/protocol/openid-connect/auth"
        tokenEndpoint: "https://test-1:8443/realms/master/protocol/openid-connect/token"
        issuer: "https://test-1:8443/realms/master"
        rancherUrl: "https://rancher.test.gi/verify-auth"
        scope: "openid profile email"
      body_format: json
      validate_certs: no
    register: response


  - name: Enable Keycloak
    ansible.builtin.uri:
      url: "https://{{ ansible_fqdn }}/v3/keyCloakOIDCConfigs/keycloakoidc?action=testAndApply"
      method: POST
      headers:
        Authorization: "Bearer {{ rancher_api_token }}"
        Content-Type: "application/json"
      body_format: json
      body:
        code: "{{ THIS IS THE MISSING CODE }}"
        enabled: true
        oidcConfig:
          tokenEndpoint: "https://test-1:8443/realms/master/protocol/openid-connect/token"
          accessMode: "unrestricted"
          groupSearchEnabled: true
          groupsClaim: "groups"
          enabled: true
          baseType: "authConfig"
          type: "keyCloakOIDCConfig"
          logoutAllSupported: false
          rancherUrl: "https://rancher.test.gi/verify-auth"
          id: "keycloakoidc"
          clientId: "rancher"
          uuid: "fe651219-adbc-427a-bf1f-ac1f8257fce1"
          clientSecret: "QzkGBXod9B6LSbRdFH5HT6dr7b0FPyIT"
          scope: "openid profile email"
          authEndpoint: "https://test-1:8443/realms/master/protocol/openid-connect/auth"
          issuer: "https://test-1:8443/realms/master"
      validate_certs: no
    register: response

First: You just published important secrets for your Keycloak instance; you should rotate your client secret immediately.

The code is part of the OIDC flow and would come from the redirect that should get returned. As it requires user interaction (a login on the Keycloak server), this endpoint is probably not suitable here. You need one that just applies the configuration (without the testing…)

Actually, the enabled=true in your first POST request should probably be enough.

Or just create the appropriate custom resources (and the secret for the client-secret), as it is k8s anyway and that seems the better way to handle it.

kind: AuthConfig
_type: keyCloakOIDCConfig
accessMode: required
allowedPrincipalIds: []
apiVersion: management.cattle.io/v3
authEndpoint: ...
clientId: ...
clientSecret: cattle-global-data:yoursecretname
enabled: true
groupSearchEnabled: true
issuer: ....
logoutAllSupported: false
metadata:
  name: ....
rancherUrl: ....
scope: openid profile email offline_access
userInfoEndpoint: ...
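The custom-resource approach above, written out as Ansible tasks. This is an added example, not code from the thread or from Rancher: it assumes the kubernetes.core collection, a kubeconfig for the Rancher local cluster in `rancher_kubeconfig`, and the client secret held in an Ansible Vault variable `keycloak_client_secret` instead of being inlined in the playbook. The Secret is created in cattle-global-data and referenced as `namespace:name` exactly as in the manifest above; the data key `clientsecret` is an assumption about what Rancher reads from that Secret. The remaining field values are the ones from this thread.

```yaml
# Added example: provision the KeycloakOIDC AuthConfig as Kubernetes objects
# instead of calling /v3/keyCloakOIDCConfigs/...?action=testAndApply.
- name: Store the Keycloak client secret in cattle-global-data
  kubernetes.core.k8s:
    kubeconfig: "{{ rancher_kubeconfig }}"        # assumption: kubeconfig of the Rancher local cluster
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: keycloakoidcconfig-clientsecret     # any name; must match clientSecret below
        namespace: cattle-global-data
      type: Opaque
      stringData:
        clientsecret: "{{ keycloak_client_secret }}"  # assumption: key name Rancher reads; value from Vault
  no_log: true                                     # keep the secret out of the Ansible output

- name: Create or update the KeycloakOIDC AuthConfig
  kubernetes.core.k8s:
    kubeconfig: "{{ rancher_kubeconfig }}"
    state: present
    definition:
      apiVersion: management.cattle.io/v3
      kind: AuthConfig
      metadata:
        name: keycloakoidc                         # same id the /v3 API uses
      _type: keyCloakOIDCConfig
      accessMode: unrestricted
      allowedPrincipalIds: []
      enabled: true
      clientId: rancher
      clientSecret: cattle-global-data:keycloakoidcconfig-clientsecret
      issuer: "https://test-1:8443/realms/master"
      authEndpoint: "https://test-1:8443/realms/master/protocol/openid-connect/auth"
      tokenEndpoint: "https://test-1:8443/realms/master/protocol/openid-connect/token"
      userInfoEndpoint: "https://test-1:8443/realms/master/protocol/openid-connect/userinfo"
      rancherUrl: "https://rancher.test.gi/verify-auth"
      scope: openid profile email
      groupSearchEnabled: true
      groupsClaim: groups
      logoutAllSupported: false
```

Because the AuthConfig only carries a reference to the Secret, the playbook, its registered results and the cluster object itself never contain the client secret in clear text, and rotating it becomes a matter of updating the Secret rather than re-posting the whole configuration.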

Thank you for your reply. I finally achieved it by just setting the default role for newly logged-in users.

About the code: this is an air-gapped dev environment VM.

Thank you so much.