Update changelog for release 3.0.9

Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>

.ansible-lint

@@ -1,4 +1,6 @@
 # .ansible-lint
+profile: production
+
 exclude_paths:
   - .cache/
   - .github/
@@ -30,12 +32,13 @@ warn_list:
   - schema[meta]
   - key-order[task]
   - blocked_modules
+  - run-once[task]
 
 skip_list:
   - vars_should_not_be_used
   - file_is_small_enough
+  - file_has_valid_name
   - name[template]
   - var-naming[no-role-prefix]
 
 use_default_rules: true
-parseable: true

.github/workflows/ci.yml

@@ -5,14 +5,21 @@ on:
     branches:
       - main
   pull_request:
+  workflow_dispatch:
+    inputs:
+      debug_verbosity:
+        description: 'ANSIBLE_VERBOSITY envvar value'
+        required: false
   schedule:
     - cron: '15 6 * * *'
 
 jobs:
   ci:
-    uses: ansible-middleware/github-actions/.github/workflows/ci.yml@main
+    uses: ansible-middleware/github-actions/.github/workflows/ci.yml@rootperm
     secrets: inherit
     with:
       fqcn: 'middleware_automation/keycloak'
+      root_permission_varname: 'keycloak_install_requires_become'
+      debug_verbosity: "${{ github.event.inputs.debug_verbosity }}"
       molecule_tests: >-
-          [ "default", "overridexml", "https_revproxy", "quarkus", "quarkus-devmode", "quarkus_upgrade", "debian", "quarkus_ha" ]
+        [ "debian", "quarkus", "quarkus_ha", "quarkus_ha_remote", "quarkus_ha_26.4_below", "default", "quarkus_devmode", "quarkus_upgrade", "keycloak_modules" ]

.github/workflows/traffic.yml

@@ -0,0 +1,26 @@
+name: Collect traffic stats
+on:
+  schedule:
+    - cron: "51 23 * * 0"
+  workflow_dispatch:
+
+jobs:
+  traffic:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          ref: "gh-pages"
+
+      - name: GitHub traffic
+        uses: sangonzal/repository-traffic-action@v.0.1.6
+        env:
+          TRAFFIC_ACTION_TOKEN: ${{ secrets.TRIGGERING_PAT }}
+
+      - name: Commit changes
+        uses: EndBug/add-and-commit@v4
+        with:
+          author_name: Ansible Middleware
+          message: "GitHub traffic"
+          add: "./traffic/*"
+          ref: "gh-pages"

.gitignore

@@ -13,3 +13,5 @@ docs/_build/
 changelogs/.plugin-cache.yaml
 *.pem
 *.key
+*.p12
+.ansible/

.yamllint

@@ -15,7 +15,8 @@ rules:
   commas:
     max-spaces-after: -1
     level: error
-  comments: disable
+  comments:
+    min-spaces-from-content: 1
   comments-indentation: disable
   document-start: disable
   empty-lines:
@@ -31,3 +32,7 @@ rules:
     type: unix
   trailing-spaces: disable
   truthy: disable
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true
+

CHANGELOG.rst

@@ -6,6 +6,216 @@ middleware\_automation.keycloak Release Notes
 
 This changelog describes changes after version 0.2.6.
 
+v3.0.9
+======
+
+Bugfixes
+--------
+
+- AMW-551 Providing correct rhbk version `#344 <https://github.com/ansible-middleware/keycloak/pull/344>`_
+
+v3.0.8
+======
+
+v3.0.7
+======
+
+Major Changes
+-------------
+
+- Migrate Keycloak modules from the community.general collection to Keycloak collection. `#341 <https://github.com/ansible-middleware/keycloak/pull/341>`_
+
+Minor Changes
+-------------
+
+- Fixing common module usage `#343 <https://github.com/ansible-middleware/keycloak/pull/343>`_
+- fix #336: https://github.com/ansible-middleware/common/pull/38 `#338 <https://github.com/ansible-middleware/keycloak/pull/338>`_
+
+Bugfixes
+--------
+
+- Fix molecule tests `#339 <https://github.com/ansible-middleware/keycloak/pull/339>`_
+
+v3.0.6
+======
+
+Major Changes
+-------------
+
+- AMW-540 Fix the upstream collection requirements with common v1.2.4 `#337 <https://github.com/ansible-middleware/keycloak/pull/337>`_
+
+v3.0.5
+======
+
+Minor Changes
+-------------
+
+- AMW-528 Deployment fails in keycloak_quarkus due to missing escalation variables `#335 <https://github.com/ansible-middleware/keycloak/pull/335>`_
+
+v3.0.4
+======
+
+Major Changes
+-------------
+
+- AMW-467 Download keycloak binary from password protected HTTP location `#321 <https://github.com/ansible-middleware/keycloak/pull/321>`_
+- v26.4.x compability `#317 <https://github.com/ansible-middleware/keycloak/pull/317>`_
+
+Minor Changes
+-------------
+
+- AMW-518 Validating arguments against arg spec 'main' fails unexpectedly. `#324 <https://github.com/ansible-middleware/keycloak/pull/324>`_
+
+Bugfixes
+--------
+
+- Removing parseable from lint file as Additional properties are not allowed `#319 <https://github.com/ansible-middleware/keycloak/pull/319>`_
+
+v3.0.3
+======
+
+Major Changes
+-------------
+
+- Update to keycloak 26.3.0 `#293 <https://github.com/ansible-middleware/keycloak/pull/293>`_
+- ansible-core 2.19 compatibility `#310 <https://github.com/ansible-middleware/keycloak/pull/310>`_
+
+Minor Changes
+-------------
+
+- Allow to install provider jars from remote paths `#303 <https://github.com/ansible-middleware/keycloak/pull/303>`_
+- Declared proxy_mode as deprecated, updated quarkus and realm readme `#306 <https://github.com/ansible-middleware/keycloak/pull/306>`_
+- Fix config_key_store_file description to match variable name `#308 <https://github.com/ansible-middleware/keycloak/pull/308>`_
+
+Bugfixes
+--------
+
+- keycloak collection CI label is showing no status `#312 <https://github.com/ansible-middleware/keycloak/pull/312>`_
+- keycloak_realm: allow secret in keycloak_clients `#304 <https://github.com/ansible-middleware/keycloak/pull/304>`_
+
+v3.0.2
+======
+
+Minor Changes
+-------------
+
+- New ``checksum`` property for keycloak_quarkus_providers `#280 <https://github.com/ansible-middleware/keycloak/pull/280>`_
+- New parameter to set the jgroups host IP address `#281 <https://github.com/ansible-middleware/keycloak/pull/281>`_
+- Session storage / distributed caches `#287 <https://github.com/ansible-middleware/keycloak/pull/287>`_
+- Update keycloak/RHBK to v26.2.4 `#283 <https://github.com/ansible-middleware/keycloak/pull/283>`_
+
+Bugfixes
+--------
+
+- Fix ``keycloak_quarkus_force_install`` parameter being ignored by install `#296 <https://github.com/ansible-middleware/keycloak/pull/296>`_
+- Fix alternate download location being ignored (JBossNeworkAPI always used) `#298 <https://github.com/ansible-middleware/keycloak/pull/298>`_
+- Run config rebuild after SPI providers update `#285 <https://github.com/ansible-middleware/keycloak/pull/285>`_
+- Use jdk21 as default in debian `#289 <https://github.com/ansible-middleware/keycloak/pull/289>`_
+- keycloak_realm: federation default provider type should be a string `#302 <https://github.com/ansible-middleware/keycloak/pull/302>`_
+
+v3.0.1
+======
+
+Minor Changes
+-------------
+
+- Version update to 26.0.8 / rhbk 26.0.11 `#277 <https://github.com/ansible-middleware/keycloak/pull/277>`_
+
+Bugfixes
+--------
+
+- Trigger rebuild handler on envvars file change `#276 <https://github.com/ansible-middleware/keycloak/pull/276>`_
+
+v3.0.0
+======
+
+Minor Changes
+-------------
+
+- Add theme cache invalidation handler `#252 <https://github.com/ansible-middleware/keycloak/pull/252>`_
+- keycloak_realm: change url variables to defaults `#268 <https://github.com/ansible-middleware/keycloak/pull/268>`_
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- Bump major and ansible-core versions `#266 <https://github.com/ansible-middleware/keycloak/pull/266>`_
+- Rename parameters to follow upstream `#270 <https://github.com/ansible-middleware/keycloak/pull/270>`_
+- Update for keycloak v26 `#254 <https://github.com/ansible-middleware/keycloak/pull/254>`_
+
+Bugfixes
+--------
+
+- Access token lifespan is too short for ansible run `#251 <https://github.com/ansible-middleware/keycloak/pull/251>`_
+- Load environment vars during kc rebuild `#274 <https://github.com/ansible-middleware/keycloak/pull/274>`_
+- Rebuild config and restart service for local providers `#250 <https://github.com/ansible-middleware/keycloak/pull/250>`_
+- Rename and honour parameter ``keycloak_quarkus_http_host`` `#271 <https://github.com/ansible-middleware/keycloak/pull/271>`_
+
+New Modules
+-----------
+
+- middleware_automation.keycloak.keycloak_realm - Allows administration of Keycloak realm via Keycloak API
+
+v2.4.3
+======
+
+Minor Changes
+-------------
+
+- Update keycloak to 24.0.5 `#241 <https://github.com/ansible-middleware/keycloak/pull/241>`_
+
+v2.4.2
+======
+
+Minor Changes
+-------------
+
+- New parameter ``keycloak_quarkus_download_path``  `#239 <https://github.com/ansible-middleware/keycloak/pull/239>`_
+
+Bugfixes
+--------
+
+- Add wait_for_port number parameter `#237 <https://github.com/ansible-middleware/keycloak/pull/237>`_
+
+v2.4.1
+======
+
+Release Summary
+---------------
+
+Internal release, documentation or test changes only.
+
+v2.4.0
+======
+
+Major Changes
+-------------
+
+- Enable by default health check on restart `#234 <https://github.com/ansible-middleware/keycloak/pull/234>`_
+- Update minimum ansible-core version > 2.15 `#232 <https://github.com/ansible-middleware/keycloak/pull/232>`_
+
+v2.3.0
+======
+
+Major Changes
+-------------
+
+- Allow for custom providers hosted on maven repositories `#223 <https://github.com/ansible-middleware/keycloak/pull/223>`_
+- Restart handler strategy behaviour `#231 <https://github.com/ansible-middleware/keycloak/pull/231>`_
+
+Minor Changes
+-------------
+
+- Add support for policy files `#225 <https://github.com/ansible-middleware/keycloak/pull/225>`_
+- Allow to add extra custom env vars in sysconfig file `#229 <https://github.com/ansible-middleware/keycloak/pull/229>`_
+- Download from alternate URL with optional http authentication `#220 <https://github.com/ansible-middleware/keycloak/pull/220>`_
+- Update Keycloak to version 24.0.4 `#218 <https://github.com/ansible-middleware/keycloak/pull/218>`_
+- ``proxy-header`` enhancement `#227 <https://github.com/ansible-middleware/keycloak/pull/227>`_
+
+Bugfixes
+--------
+
+- ``kc.sh build`` uses configured jdk `#211 <https://github.com/ansible-middleware/keycloak/pull/211>`_
+
 v2.2.2
 ======
 

CONTRIBUTING.md

@@ -1,3 +1,37 @@
+## Developing
+
+### Build and install locally
+
+Clone the repository, checkout the tag you want to build, or pick the main branch for the development version; then:
+
+    ansible-galaxy collection build .
+    ansible-galaxy collection install middleware_automation-keycloak-*.tar.gz
+
+
+### Development environment
+
+Make sure your development machine has avilable:
+
+* python 3.11+
+* virtualenv
+* docker (or podman)
+
+In order to run setup the development environment and run the molecule tests locally, after cloning the repository:
+
+```
+# create new virtualenv using python 3
+virtualenv $PATH_TO_DEV_VIRTUALENV
+# activate the virtual env
+source $PATH_TO_DEV_VIRTUALENV/bin/activate
+# install ansible and tools onto the virtualenv
+pip install yamllint 'molecule>=6.0' 'molecule-plugins[docker]' 'ansible-core>=2.16' ansible-lint
+# install collection dependencies
+ansible-galaxy collection install -r requirements.yml
+# install python dependencies
+pip install -r requirements.txt molecule/requirements.txt
+# execute the tests (replace --all with -s subdirectory to run a single test)
+molecule test --all
+```
 
 ## Contributor's Guidelines
 

README.md

@@ -1,17 +1,18 @@
 # Ansible Collection - middleware_automation.keycloak
 
 <!--start build_status -->
-[![Build Status](https://github.com/ansible-middleware/keycloak/workflows/CI/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
+[![Build Status](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
 
-> **_NOTE:_ If you are Red Hat customer, install `redhat.sso` (for Red Hat Single Sign-On) or `redhat.rhbk` (for Red Hat Build of Keycloak) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.**
+> **_NOTE:_ If you are Red Hat customer, install `redhat.rhbk` (for Red Hat Build of Keycloak) or `redhat.sso` (for Red Hat Single Sign-On) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.**
 
 <!--end build_status -->
+<!--start description -->
 Collection to install and configure [Keycloak](https://www.keycloak.org/) or [Red Hat Single Sign-On](https://access.redhat.com/products/red-hat-single-sign-on) / [Red Hat Build of Keycloak](https://access.redhat.com/products/red-hat-build-of-keycloak).
-
+<!--end description -->
 <!--start requires_ansible-->
 ## Ansible version compatibility
 
-This collection has been tested against following Ansible versions: **>=2.14.0**.
+This collection has been tested against following Ansible versions: **>=2.16.0**.
 
 Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions.
 <!--end requires_ansible-->
@@ -39,6 +40,7 @@ collections:
 The keycloak collection also depends on the following python packages to be present on the controller host:
 
 * netaddr
+* lxml
 
 A requirement file is provided to install:
 
@@ -47,23 +49,61 @@ A requirement file is provided to install:
 <!--start roles_paths -->
 ### Included roles
 
-* [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service (keycloak <= 19.0).
+* [`keycloak_quarkus`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_quarkus/README.md): role for installing keycloak (>= 19.0.0, quarkus based).
 * [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service.
-* [`keycloak_quarkus`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_quarkus/README.md): role for installing the quarkus variant of keycloak (>= 17.0.0).
+* [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing legacy keycloak (<= 19.0, wildfly based).
+
 <!--end roles_paths -->
 
+### Included modules
+
+All Keycloak administration modules from `community.general` are provided in this collection for Keycloak 17+ (Quarkus). Use `auth_keycloak_url` without the legacy `/auth` context path (for example `http://localhost:8080`). Set `keycloak_context` to `/auth` only when automating WildFly-based Keycloak with the `keycloak` role.
+
+* `keycloak_authentication`: manage authentication flows and executions using Keycloak Admin REST API.
+* `keycloak_authentication_flow`: manage custom authentication flows and flow executions.
+* `keycloak_authentication_required_actions`: manage required actions available in realm authentication.
+* `keycloak_authentication_v2`: manage authentication flows with newer Keycloak API handling.
+* `keycloak_authz_authorization_scope`: manage authorization scopes for a client resource server.
+* `keycloak_authz_custom_policy`: manage custom authorization policies for a client resource server.
+* `keycloak_authz_permission`: manage authorization permissions for a client resource server.
+* `keycloak_authz_permission_info`: retrieve authorization permission information for a client resource server.
+* `keycloak_client`: manage Keycloak clients (create/update/delete).
+* `keycloak_client_rolemapping`: manage client role mappings for users and groups.
+* `keycloak_client_rolescope`: manage client role scope mappings.
+* `keycloak_client_scope`: manage client scopes and protocol mappers (replaces `community.general.keycloak_clientscope`).
+* `keycloak_client_scope_type`: manage default and optional client scope assignments.
+* `keycloak_clientsecret_info`: retrieve client secret information.
+* `keycloak_clientsecret_regenerate`: regenerate a client secret.
+* `keycloak_clienttemplate`: manage legacy client templates.
+* `keycloak_component`: manage realm components.
+* `keycloak_component_info`: retrieve realm component information.
+* `keycloak_group`: manage realm groups and subgroups.
+* `keycloak_identity_provider`: manage identity provider instances and configuration.
+* `keycloak_realm`: manage realms (create/update/delete).
+* `keycloak_realm_info`: retrieve realm information.
+* `keycloak_realm_key`: manage realm key providers.
+* `keycloak_realm_keys_metadata_info`: retrieve realm keys metadata.
+* `keycloak_realm_localization`: manage realm localization texts.
+* `keycloak_realm_rolemapping`: manage realm role mappings for users and groups.
+* `keycloak_role`: manage realm and client roles.
+* `keycloak_user`: manage users (create/update/delete).
+* `keycloak_user_execute_actions_email`: trigger execute-actions emails for users.
+* `keycloak_user_federation`: manage user federation providers (for example LDAP/AD).
+* `keycloak_user_rolemapping`: manage user role mappings.
+* `keycloak_userprofile`: manage user profile configuration.
+
 ## Usage
 
+The collection provides roles to install Keycloak and modules to manage realms, clients, users, and related settings via the [Keycloak Admin REST API](https://www.keycloak.org/docs-api/latest/rest-api/index.html).
 
-### Install Playbook
-<!--start rhbk_playbook -->
-* [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs keycloak legacy based on the defined variables (using most defaults).
-* [`playbooks/keycloak_quarkus.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_quarkus.yml) installs keycloak >= 17 based on the defined variables (using most defaults).
+For Quarkus-based Keycloak (17+), set `auth_keycloak_url` to the server root URL without the legacy `/auth` path, for example `http://localhost:8080`. When using the legacy `keycloak` role with WildFly-based Keycloak, set `keycloak_context` to `/auth` in the `keycloak_realm` role.
 
-Both playbooks include the `keycloak` role, with different settings, as described in the following sections.
+### Install Keycloak
 
-For full service configuration details, refer to the [keycloak role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md).
-<!--end rhbk_playbook -->
+* [`playbooks/keycloak_quarkus.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_quarkus.yml) installs Keycloak >= 17 using the `keycloak_quarkus` role.
+* [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs legacy Keycloak (<= 19) using the `keycloak` role.
+
+For full service configuration details, refer to the [keycloak_quarkus role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_quarkus/README.md) or the [keycloak role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md).
 
 #### Install from controller node (offline)
 
@@ -84,15 +124,15 @@ keycloak_offline_install: true
 It is possible to perform downloads from alternate sources, using the `keycloak_download_url` variable; make sure the final downloaded filename matches with the source filename (ie. keycloak-legacy-x.y.zip or rh-sso-x.y.z-server-dist.zip).
 
 
-### Example installation command
+#### Example installation command
 
-Execute the following command from the source root directory
+Execute the following command from the source root directory:
 
-```
-ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e keycloak_admin_password=<changeme>
+```bash
+ansible-playbook -i <ansible_hosts> playbooks/keycloak_quarkus.yml -e keycloak_quarkus_bootstrap_admin_password=<changeme>
 ```
 
-- `keycloak_admin_password` Password for the administration console user account.
+- `keycloak_quarkus_bootstrap_admin_password` password for the administration console user account.
 - `ansible_hosts` is the inventory, below is an example inventory for deploying to localhost
 
   ```
@@ -100,18 +140,17 @@ ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e
   localhost ansible_connection=local
   ```
 
-Note: when deploying clustered configurations, all hosts belonging to the cluster must be present in ansible_play_batch; ie. they must be targeted by the same ansible-playbook execution.
+Note: when deploying clustered configurations, all hosts belonging to the cluster must be present in `ansible_play_batch`; ie. they must be targeted by the same ansible-playbook execution.
 
+### Configure with roles
 
-## Configuration
-
-
-### Config Playbook
 <!--start rhbk_realm_playbook -->
-[`playbooks/keycloak_realm.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_realm.yml) creates or updates provided realm, user federation(s), client(s), client role(s) and client user(s).
+* [`playbooks/keycloak_realm.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_realm.yml) creates or updates provided realm, user federation(s), client(s), client role(s) and client user(s).
 <!--end rhbk_realm_playbook -->
+* [`playbooks/keycloak_realm_client.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_realm_client.yml) creates a realm with clients, roles and users using the `keycloak_realm` role.
+* [`playbooks/keycloak_federation.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_federation.yml) configures user federation providers.
 
-### Example configuration command
+#### Example configuration command
 
 Execute the following command from the source root directory:
 
@@ -131,14 +170,55 @@ ansible-playbook -i <ansible_hosts> playbooks/keycloak_realm.yml -e keycloak_adm
 For full configuration details, refer to the [keycloak_realm role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md).
 <!--end rhbk_realm_readme -->
 
+### Configure with modules
+
+Module playbooks target an already running Keycloak instance. All modules use the `middleware_automation.keycloak` collection namespace.
+
+* [`playbooks/keycloak_client_scope.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_client_scope.yml) creates a client scope with protocol mappers using the `keycloak_client_scope` module.
+* [`playbooks/keycloak_authentication_flow.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_authentication_flow.yml) creates a custom authentication flow with execution steps using the `keycloak_authentication_flow` module.
+
+Example task using shared authentication defaults:
+
+```yaml
+- hosts: localhost
+  module_defaults:
+    group/middleware_automation.keycloak.keycloak:
+      auth_keycloak_url: http://localhost:8080
+      auth_realm: master
+      auth_username: admin
+      auth_password: "{{ keycloak_admin_password }}"
+  tasks:
+    - name: Create a user in a realm
+      middleware_automation.keycloak.keycloak_user:
+        realm: TestRealm
+        username: testuser
+        first_name: Test
+        last_name: User
+        email: testuser@example.com
+        enabled: true
+        state: present
+```
+
+When migrating from `community.general`, replace the collection prefix in playbooks (for example `community.general.keycloak_user` becomes `middleware_automation.keycloak.keycloak_user`) and use `keycloak_client_scope` instead of `keycloak_clientscope`.
+
+
+## Support
+
 <!--start support -->
+
+For bug reports and feature requests, use [GitHub Issues](https://github.com/ansible-middleware/keycloak/issues).
+
 <!--end support -->
 
 
+## Release and Upgrade Notes
+
+For details on changes between versions, please see the [CHANGELOG](https://github.com/ansible-middleware/keycloak/blob/main/CHANGELOG.rst) for this collection.
+
+
 ## License
 
 Apache License v2.0 or later
 <!--start license -->
-See [LICENSE](LICENSE) to view the full text.
+See [LICENSE](https://github.com/ansible-middleware/keycloak/blob/main/LICENSE) to view the full text.
 <!--end license -->
-

bindep.txt

@@ -6,4 +6,5 @@ python3-netaddr [platform:rpm platform:dpkg]
 python3-lxml [platform:rpm platform:dpkg]
 python3-jmespath [platform:rpm platform:dpkg]
 python3-requests [platform:rpm platform:dpkg]
+podman [platform:rpm platform:dpkg]
 

changelogs/changelog.yaml

@@ -532,3 +532,307 @@ releases:
     - 209.yaml
     - 210.yaml
     release_date: '2024-05-06'
+  2.3.0:
+    changes:
+      bugfixes:
+      - '``kc.sh build`` uses configured jdk `#211 <https://github.com/ansible-middleware/keycloak/pull/211>`_
+
+        '
+      major_changes:
+      - 'Allow for custom providers hosted on maven repositories `#223 <https://github.com/ansible-middleware/keycloak/pull/223>`_
+
+        '
+      - 'Restart handler strategy behaviour `#231 <https://github.com/ansible-middleware/keycloak/pull/231>`_
+
+        '
+      minor_changes:
+      - 'Add support for policy files `#225 <https://github.com/ansible-middleware/keycloak/pull/225>`_
+
+        '
+      - 'Allow to add extra custom env vars in sysconfig file `#229 <https://github.com/ansible-middleware/keycloak/pull/229>`_
+
+        '
+      - 'Download from alternate URL with optional http authentication `#220 <https://github.com/ansible-middleware/keycloak/pull/220>`_
+
+        '
+      - 'Update Keycloak to version 24.0.4 `#218 <https://github.com/ansible-middleware/keycloak/pull/218>`_
+
+        '
+      - '``proxy-header`` enhancement `#227 <https://github.com/ansible-middleware/keycloak/pull/227>`_
+
+        '
+    fragments:
+    - 211.yaml
+    - 218.yaml
+    - 220.yaml
+    - 223.yaml
+    - 225.yaml
+    - 227.yaml
+    - 229.yaml
+    - 231.yaml
+    release_date: '2024-05-20'
+  2.4.0:
+    changes:
+      major_changes:
+      - 'Enable by default health check on restart `#234 <https://github.com/ansible-middleware/keycloak/pull/234>`_
+
+        '
+      - 'Update minimum ansible-core version > 2.15 `#232 <https://github.com/ansible-middleware/keycloak/pull/232>`_
+
+        '
+    fragments:
+    - 232.yaml
+    - 234.yaml
+    release_date: '2024-06-04'
+  2.4.1:
+    changes:
+      release_summary: Internal release, documentation or test changes only.
+    fragments:
+    - v2.4.1-devel_summary.yaml
+    release_date: '2024-07-02'
+  2.4.2:
+    changes:
+      bugfixes:
+      - 'Add wait_for_port number parameter `#237 <https://github.com/ansible-middleware/keycloak/pull/237>`_
+
+        '
+      minor_changes:
+      - 'New parameter ``keycloak_quarkus_download_path``  `#239 <https://github.com/ansible-middleware/keycloak/pull/239>`_
+
+        '
+    fragments:
+    - 237.yaml
+    - 239.yaml
+    release_date: '2024-09-26'
+  2.4.3:
+    changes:
+      minor_changes:
+      - 'Update keycloak to 24.0.5 `#241 <https://github.com/ansible-middleware/keycloak/pull/241>`_
+
+        '
+    fragments:
+    - 241.yaml
+    release_date: '2024-10-16'
+  3.0.0:
+    changes:
+      breaking_changes:
+      - 'Bump major and ansible-core versions `#266 <https://github.com/ansible-middleware/keycloak/pull/266>`_
+
+        '
+      - 'Rename parameters to follow upstream `#270 <https://github.com/ansible-middleware/keycloak/pull/270>`_
+
+        '
+      - 'Update for keycloak v26 `#254 <https://github.com/ansible-middleware/keycloak/pull/254>`_
+
+        '
+      bugfixes:
+      - 'Access token lifespan is too short for ansible run `#251 <https://github.com/ansible-middleware/keycloak/pull/251>`_
+
+        '
+      - 'Load environment vars during kc rebuild `#274 <https://github.com/ansible-middleware/keycloak/pull/274>`_
+
+        '
+      - 'Rebuild config and restart service for local providers `#250 <https://github.com/ansible-middleware/keycloak/pull/250>`_
+
+        '
+      - 'Rename and honour parameter ``keycloak_quarkus_http_host`` `#271 <https://github.com/ansible-middleware/keycloak/pull/271>`_
+
+        '
+      minor_changes:
+      - 'Add theme cache invalidation handler `#252 <https://github.com/ansible-middleware/keycloak/pull/252>`_
+
+        '
+      - 'keycloak_realm: change url variables to defaults `#268 <https://github.com/ansible-middleware/keycloak/pull/268>`_
+
+        '
+    fragments:
+    - 250.yaml
+    - 251.yaml
+    - 252.yaml
+    - 254.yaml
+    - 266.yaml
+    - 268.yaml
+    - 270.yaml
+    - 271.yaml
+    - 274.yaml
+    modules:
+    - description: Allows administration of Keycloak realm via Keycloak API
+      name: keycloak_realm
+      namespace: ''
+    release_date: '2025-04-23'
+  3.0.1:
+    changes:
+      bugfixes:
+      - 'Trigger rebuild handler on envvars file change `#276 <https://github.com/ansible-middleware/keycloak/pull/276>`_
+
+        '
+      minor_changes:
+      - 'Version update to 26.0.8 / rhbk 26.0.11 `#277 <https://github.com/ansible-middleware/keycloak/pull/277>`_
+
+        '
+    fragments:
+    - 276.yaml
+    - 277.yaml
+    release_date: '2025-05-02'
+  3.0.2:
+    changes:
+      bugfixes:
+      - 'Fix ``keycloak_quarkus_force_install`` parameter being ignored by install
+        `#296 <https://github.com/ansible-middleware/keycloak/pull/296>`_
+
+        '
+      - 'Fix alternate download location being ignored (JBossNeworkAPI always used)
+        `#298 <https://github.com/ansible-middleware/keycloak/pull/298>`_
+
+        '
+      - 'Run config rebuild after SPI providers update `#285 <https://github.com/ansible-middleware/keycloak/pull/285>`_
+
+        '
+      - 'Use jdk21 as default in debian `#289 <https://github.com/ansible-middleware/keycloak/pull/289>`_
+
+        '
+      - 'keycloak_realm: federation default provider type should be a string `#302
+        <https://github.com/ansible-middleware/keycloak/pull/302>`_
+
+        '
+      minor_changes:
+      - 'New ``checksum`` property for keycloak_quarkus_providers `#280 <https://github.com/ansible-middleware/keycloak/pull/280>`_
+
+        '
+      - 'New parameter to set the jgroups host IP address `#281 <https://github.com/ansible-middleware/keycloak/pull/281>`_
+
+        '
+      - 'Session storage / distributed caches `#287 <https://github.com/ansible-middleware/keycloak/pull/287>`_
+
+        '
+      - 'Update keycloak/RHBK to v26.2.4 `#283 <https://github.com/ansible-middleware/keycloak/pull/283>`_
+
+        '
+    fragments:
+    - 280.yaml
+    - 281.yaml
+    - 283.yaml
+    - 285.yaml
+    - 287.yaml
+    - 289.yaml
+    - 296.yaml
+    - 298.yaml
+    - 302.yaml
+    release_date: '2025-07-01'
+  3.0.3:
+    changes:
+      bugfixes:
+      - 'keycloak collection CI label is showing no status `#312 <https://github.com/ansible-middleware/keycloak/pull/312>`_
+
+        '
+      - 'keycloak_realm: allow secret in keycloak_clients `#304 <https://github.com/ansible-middleware/keycloak/pull/304>`_
+
+        '
+      major_changes:
+      - 'Update to keycloak 26.3.0 `#293 <https://github.com/ansible-middleware/keycloak/pull/293>`_
+
+        '
+      - 'ansible-core 2.19 compatibility `#310 <https://github.com/ansible-middleware/keycloak/pull/310>`_
+
+        '
+      minor_changes:
+      - 'Allow to install provider jars from remote paths `#303 <https://github.com/ansible-middleware/keycloak/pull/303>`_
+
+        '
+      - 'Declared proxy_mode as deprecated, updated quarkus and realm readme `#306
+        <https://github.com/ansible-middleware/keycloak/pull/306>`_
+
+        '
+      - 'Fix config_key_store_file description to match variable name `#308 <https://github.com/ansible-middleware/keycloak/pull/308>`_
+
+        '
+    fragments:
+    - 293.yaml
+    - 303.yaml
+    - 304.yaml
+    - 306.yaml
+    - 308.yaml
+    - 310.yaml
+    - 312.yaml
+    release_date: '2025-12-16'
+  3.0.4:
+    changes:
+      bugfixes:
+      - 'Removing parseable from lint file as Additional properties are not allowed
+        `#319 <https://github.com/ansible-middleware/keycloak/pull/319>`_
+
+        '
+      major_changes:
+      - 'AMW-467 Download keycloak binary from password protected HTTP location `#321
+        <https://github.com/ansible-middleware/keycloak/pull/321>`_
+
+        '
+      - 'v26.4.x compability `#317 <https://github.com/ansible-middleware/keycloak/pull/317>`_
+
+        '
+      minor_changes:
+      - 'AMW-518 Validating arguments against arg spec ''main'' fails unexpectedly.
+        `#324 <https://github.com/ansible-middleware/keycloak/pull/324>`_
+
+        '
+    fragments:
+    - 317.yaml
+    - 319.yaml
+    - 321.yaml
+    - 324.yaml
+    release_date: '2026-05-20'
+  3.0.5:
+    changes:
+      minor_changes:
+      - 'AMW-528 Deployment fails in keycloak_quarkus due to missing escalation variables
+        `#335 <https://github.com/ansible-middleware/keycloak/pull/335>`_
+
+        '
+    fragments:
+    - 335.yaml
+    release_date: '2026-05-20'
+  3.0.6:
+    changes:
+      major_changes:
+      - 'AMW-540 Fix the upstream collection requirements with common v1.2.4 `#337
+        <https://github.com/ansible-middleware/keycloak/pull/337>`_
+
+        '
+    fragments:
+    - 337.yaml
+    release_date: '2026-05-26'
+  3.0.7:
+    changes:
+      bugfixes:
+      - 'Fix molecule tests `#339 <https://github.com/ansible-middleware/keycloak/pull/339>`_
+
+        '
+      major_changes:
+      - 'Migrate Keycloak modules from the community.general collection to Keycloak
+        collection. `#341 <https://github.com/ansible-middleware/keycloak/pull/341>`_
+
+        '
+      minor_changes:
+      - 'Fixing common module usage `#343 <https://github.com/ansible-middleware/keycloak/pull/343>`_
+
+        '
+      - 'fix #336: https://github.com/ansible-middleware/common/pull/38 `#338 <https://github.com/ansible-middleware/keycloak/pull/338>`_
+
+        '
+    fragments:
+    - 338.yaml
+    - 339.yaml
+    - 341.yaml
+    - 343.yaml
+    release_date: '2026-06-01'
+  3.0.8:
+    release_date: '2026-06-09'
+  3.0.9:
+    changes:
+      bugfixes:
+      - 'AMW-551 Providing correct rhbk version `#344 <https://github.com/ansible-middleware/keycloak/pull/344>`_
+
+        '
+    fragments:
+    - 344.yaml
+    release_date: '2026-06-11'

docs/_gh_include/footer.inc

@@ -7,7 +7,7 @@
       </div>
       <hr/>
       <div role="contentinfo">
-        <p>&#169; Copyright 2022, Red Hat, Inc.</p>
+        <p>&#169; Copyright 2024, Red Hat, Inc.</p>
       </div>
       Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
         <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>

docs/conf.py

@@ -64,7 +64,7 @@ master_doc = 'index'
 #
 # This is also used if you do content translation via gettext catalogs.
 # Usually you set "language" from the command line for these cases.
-language = None
+language = 'en'
 
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.

docs/index.rst

@@ -10,31 +10,25 @@ Welcome to Keycloak Collection documentation
    README
    plugins/index
    roles/index
+   Changelog <CHANGELOG>
 
 .. toctree::
    :maxdepth: 2
    :caption: Developer documentation
 
-   testing
-   developing
-   releasing
-
-.. toctree::
-   :maxdepth: 2
-   :caption: General
-
-   Changelog <CHANGELOG>
+   Developing <developing>
+   Testing <testing>
+   Releasing <releasing>
 
 .. toctree::
    :maxdepth: 2
    :caption: Middleware collections
 
-   Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/main/>
    Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/main/>
+   Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/main/>
    Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/main/>
    Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/main/>
    ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/main/>
    Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/main/>
    Ansible Middleware utilities <https://ansible-middleware.github.io/common/main/>
-   Red Hat CSP Download <https://ansible-middleware.github.io/redhat-csp-download/main/>
    JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/main/>

docs/requirements.txt

@@ -1,7 +1,9 @@
+# ansible_basic_sphinx_ext still imports pkg_resources (removed in setuptools 82+).
+setuptools>=70.0.0,<81.0.0
 antsibull>=0.17.0
 antsibull-docs
 antsibull-changelog
-ansible-core>=2.14.1
+ansible-core>=2.16.0
 ansible-pygments
 sphinx-rtd-theme
 git+https://github.com/felixfontein/ansible-basic-sphinx-ext

docs/testing.md

@@ -4,24 +4,7 @@
 
 The collection is tested with a [molecule](https://github.com/ansible-community/molecule) setup covering the included roles and verifying correct installation and idempotency.
 In order to run the molecule tests locally with python 3.9 available, after cloning the repository:
-
-```
-pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
-molecule test --all
-```
-
-
-## Integration testing
-
-Demo repositories which depend on the collection, and aggregate functionality with other middleware_automation collections, are automatically rebuilt
-at every collection release to ensure non-breaking changes and consistent behaviour.
-
-The repository are:
-
- - [Flange demo](https://github.com/ansible-middleware/flange-demo)
-   A deployment of Wildfly cluster integrated with keycloak and infinispan.
- - [CrossDC keycloak demo](https://github.com/ansible-middleware/cross-dc-rhsso-demo)
-   A clustered multi-regional installation of keycloak with infinispan remote caches.
+The test scenarios are available on the source code repository each on his own subdirectory under [molecule/](https://github.com/ansible-middleware/keycloak/molecule).
 
 
 ## Test playbooks
@@ -29,15 +12,7 @@ The repository are:
 Sample playbooks are provided in the `playbooks/` directory; to run the playbooks locally (requires a rhel system with python 3.9+, ansible, and systemd) the steps are as follows:
 
 ```
-# setup environment
-pip install ansible-core
-# clone the repository
-git clone https://github.com/ansible-middleware/keycloak
-cd keycloak
-# install collection dependencies
-ansible-galaxy collection install -r requirements.yml
-# install collection python deps
-pip install -r requirements.txt
+# setup environment as in developing
 # create inventory for localhost
 cat << EOF > inventory
 [keycloak]

galaxy.yml

@@ -1,13 +1,14 @@
 ---
 namespace: middleware_automation
 name: keycloak
-version: "2.3.0"
+version: "3.0.9"
 readme: README.md
 authors:
   - Romain Pelisse <rpelisse@redhat.com>
   - Guido Grazioli <ggraziol@redhat.com>
   - Pavan Kumar Motaparthi <pmotapar@redhat.com>
   - Helmut Wolf <hwo@world-direct.at>
+  - Harsha Cherukuri <hcheruku@redhat.com>
 description: Install and configure a keycloak, or Red Hat Single Sign-on, service.
 license_file: "LICENSE"
 tags:
@@ -35,7 +36,9 @@ issues: https://github.com/ansible-middleware/keycloak/issues
 build_ignore:
   - .gitignore
   - .github
+  - .ansible-lint
   - .yamllint
+  - .DS_Store
   - '*.tar.gz'
   - '*.zip'
   - molecule

meta/runtime.yml

@@ -1,2 +1,62 @@
 ---
-requires_ansible: ">=2.14.0"
+requires_ansible: ">=2.16.0"
+action_groups:
+  keycloak:
+    - keycloak_authentication
+    - keycloak_authentication_flow
+    - keycloak_authentication_required_actions
+    - keycloak_authentication_v2
+    - keycloak_authz_authorization_scope
+    - keycloak_authz_custom_policy
+    - keycloak_authz_permission
+    - keycloak_authz_permission_info
+    - keycloak_client
+    - keycloak_client_rolemapping
+    - keycloak_client_rolescope
+    - keycloak_client_scope
+    - keycloak_client_scope_type
+    - keycloak_client_scope_rolemappings
+    - keycloak_clientsecret_info
+    - keycloak_clientsecret_regenerate
+    - keycloak_clienttemplate
+    - keycloak_component
+    - keycloak_component_info
+    - keycloak_group
+    - keycloak_identity_provider
+    - keycloak_realm
+    - keycloak_realm_info
+    - keycloak_realm_key
+    - keycloak_realm_keys_metadata_info
+    - keycloak_realm_localization
+    - keycloak_realm_rolemapping
+    - keycloak_role
+    - keycloak_user
+    - keycloak_user_federation
+    - keycloak_user_rolemapping
+    - keycloak_userprofile
+    - keycloak_user_execute_actions_email
+plugin_routing:
+  modules:
+    keycloak_clientscope:
+      redirect: middleware_automation.keycloak.keycloak_client_scope
+      deprecation:
+        removal_version: 5.0.0
+        warning_text: >-
+          The module has been renamed to keycloak_client_scope for Keycloak 17+ (Quarkus).
+          Update playbooks to use middleware_automation.keycloak.keycloak_client_scope.
+
+    keycloak_clientscope_type:
+      redirect: middleware_automation.keycloak.keycloak_client_scope_type
+      deprecation:
+        removal_version: 5.0.0
+        warning_text: >-
+          The module has been renamed to keycloak_client_scope_type for Keycloak 17+ (Quarkus).
+          Update playbooks to use middleware_automation.keycloak.keycloak_client_scope_type.
+
+    keycloak_clientscope_rolemappings:
+      redirect: middleware_automation.keycloak.keycloak_client_scope_rolemappings
+      deprecation:
+        removal_version: 5.0.0
+        warning_text: >-
+          The module has been renamed to keycloak_client_scope_rolemappings for Keycloak 17+ (Quarkus).
+          Update playbooks to use middleware_automation.keycloak.keycloak_client_scope_rolemappings.

molecule/debian/converge.yml

@@ -1,41 +1,45 @@
 ---
 - name: Converge
   hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
   vars:
-    keycloak_quarkus_admin_pass: "remembertochangeme"
-    keycloak_realm: TestRealm
+    keycloak_quarkus_show_deprecation_warnings: false
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_quarkus_hostname: http://instance:8080
     keycloak_quarkus_log: file
-    keycloak_quarkus_frontend_url: 'http://localhost:8080/'
-    keycloak_quarkus_start_dev: True
+    keycloak_quarkus_start_dev: true
     keycloak_quarkus_proxy_mode: none
-    keycloak_client_default_roles:
-      - TestRoleAdmin
-      - TestRoleUser
-    keycloak_client_users:
-      - username: TestUser
-        password: password
-        client_roles:
-          - client: TestClient
-            role: TestRoleUser
-      - username: TestAdmin
-        password: password
-        client_roles:
-          - client: TestClient
-            role: TestRoleUser
-          - client: TestClient
-            role: TestRoleAdmin
-    keycloak_clients:
-      - name: TestClient
-        roles: "{{ keycloak_client_default_roles }}"
-        public_client: "{{ keycloak_client_public }}"
-        web_origins: "{{ keycloak_client_web_origins }}"
-        users: "{{ keycloak_client_users }}"
-        client_id: TestClient
-        attributes:
-          post.logout.redirect.uris: '/public/logout'
   roles:
     - role: keycloak_quarkus
     - role: keycloak_realm
+      keycloak_url: "{{ keycloak_quarkus_hostname }}"
+      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
+      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
+      keycloak_client_users:
+        - username: TestUser
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+        - username: TestAdmin
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+            - client: TestClient
+              role: TestRoleAdmin
+              realm: "{{ keycloak_realm }}"
       keycloak_realm: TestRealm
-      keycloak_admin_password: "remembertochangeme"
-      keycloak_context: ''
+      keycloak_clients:
+        - name: TestClient
+          realm: "{{ keycloak_realm }}"
+          public_client: "{{ keycloak_client_public }}"
+          web_origins: "{{ keycloak_client_web_origins }}"
+          users: "{{ keycloak_client_users }}"
+          client_id: TestClient
+          attributes:
+            post.logout.redirect.uris: '/public/logout'

molecule/debian/molecule.yml

@@ -3,7 +3,7 @@ driver:
   name: docker
 platforms:
   - name: instance
-    image: ghcr.io/hspaans/molecule-containers:debian-11
+    image: ghcr.io/hspaans/molecule-containers:debian-13
     pre_build_image: true
     privileged: true
     port_bindings:

molecule/debian/prepare.yml

@@ -1,11 +1,13 @@
 ---
 - name: Prepare
   hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
   gather_facts: yes
   tasks:
     - name: Install sudo
       ansible.builtin.apt:
         name:
           - sudo
-          - openjdk-17-jdk-headless
-        state: present
+          - openjdk-21-jdk-headless
+          - iproute2

molecule/debian/verify.yml

@@ -2,7 +2,7 @@
 - name: Verify
   hosts: all
   vars:
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
     keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}"
     keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}"
     keycloak_jboss_port_offset: 10

molecule/default/converge.yml

@@ -1,62 +1,48 @@
 ---
 - name: Converge
   hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
   vars:
-    keycloak_admin_password: "remembertochangeme"
-    keycloak_jvm_package: java-11-openjdk-headless
-    keycloak_modcluster_enabled: True
-    keycloak_modcluster_urls:
-      - host: myhost1
-        port: 16667
-      - host: myhost2
-        port: 16668
-    keycloak_jboss_port_offset: 10
-    keycloak_log_target: /tmp/keycloak
+    keycloak_quarkus_show_deprecation_warnings: false
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_quarkus_hostname: http://instance:8080
+    keycloak_quarkus_log: file
+    keycloak_quarkus_log_level: debug
+    keycloak_quarkus_log_target: /tmp/keycloak
+    keycloak_quarkus_start_dev: true
+    keycloak_quarkus_proxy_mode: none
+    keycloak_quarkus_offline_install: true
+    keycloak_quarkus_download_path: /tmp/keycloak/
+    keycloak_quarkus_java_heap_opts: "-Xms640m -Xmx640m "
   roles:
-    - role: keycloak
-  tasks:
-    - name: Keycloak Realm Role
-      ansible.builtin.include_role:
-        name: keycloak_realm
-      vars:
-        keycloak_client_default_roles:
-          - TestRoleAdmin
-          - TestRoleUser
-        keycloak_client_users:
-          - username: TestUser
-            password: password
-            client_roles:
-              - client: TestClient
-                role: TestRoleUser
-                realm: "{{ keycloak_realm }}"
-          - username: TestAdmin
-            password: password
-            client_roles:
-              - client: TestClient
-                role: TestRoleUser
-                realm: "{{ keycloak_realm }}"
-              - client: TestClient
-                role: TestRoleAdmin
-                realm: "{{ keycloak_realm }}"
-        keycloak_realm: TestRealm
-        keycloak_clients:
-          - name: TestClient
-            roles: "{{ keycloak_client_default_roles }}"
-            realm: "{{ keycloak_realm }}"
-            public_client: "{{ keycloak_client_public }}"
-            web_origins: "{{ keycloak_client_web_origins }}"
-            users: "{{ keycloak_client_users }}"
-            client_id: TestClient
-            attributes:
-              post.logout.redirect.uris: '/public/logout'
-  pre_tasks:
-    - name: "Retrieve assets server from env"
-      ansible.builtin.set_fact:
-        assets_server: "{{ lookup('env', 'MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
-
-    - name: "Set offline when assets server from env is defined"
-      ansible.builtin.set_fact:
-        sso_offline_install: True
-      when:
-        - assets_server is defined
-        - assets_server | length > 0
+    - role: keycloak_quarkus
+    - role: keycloak_realm
+      keycloak_url: "{{ keycloak_quarkus_hostname }}"
+      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
+      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
+      keycloak_client_users:
+        - username: TestUser
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+        - username: TestAdmin
+          password: password
+          client_roles:
+            - client: TestClient
+              role: TestRoleUser
+              realm: "{{ keycloak_realm }}"
+            - client: TestClient
+              role: TestRoleAdmin
+              realm: "{{ keycloak_realm }}"
+      keycloak_realm: TestRealm
+      keycloak_clients:
+        - name: TestClient
+          realm: "{{ keycloak_realm }}"
+          public_client: "{{ keycloak_client_public }}"
+          web_origins: "{{ keycloak_client_web_origins }}"
+          users: "{{ keycloak_client_users }}"
+          client_id: TestClient

molecule/default/molecule.yml

@@ -3,7 +3,7 @@ driver:
   name: docker
 platforms:
   - name: instance
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
     pre_build_image: true
     privileged: true
     command: "/usr/sbin/init"
@@ -11,6 +11,7 @@ platforms:
       - "8080/tcp"
       - "8443/tcp"
       - "8009/tcp"
+      - "9000/tcp"
 provisioner:
   name: ansible
   config_options:
@@ -23,11 +24,16 @@ provisioner:
     converge: converge.yml
     verify: verify.yml
   inventory:
+    group_vars:
+      all:
+        keycloak_install_requires_become: true
     host_vars:
       localhost:
         ansible_python_interpreter: "{{ ansible_playbook_python }}"
   env:
     ANSIBLE_FORCE_COLOR: "true"
+    PROXY: "${PROXY}"
+    NO_PROXY: "${NO_PROXY}"
 verifier:
   name: ansible
 scenario:

molecule/default/prepare.yml

@@ -1,29 +1,69 @@
 ---
 - name: Prepare
   hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
   gather_facts: yes
   vars:
     sudo_pkg_name: sudo
   tasks:
     - name: "Run preparation common to all scenario"
       ansible.builtin.include_tasks: ../prepare.yml
-      vars:
-        assets:
-          - "{{ assets_server }}/sso/7.6.0/rh-sso-7.6.0-server-dist.zip"
-          - "{{ assets_server }}/sso/7.6.1/rh-sso-7.6.1-patch.zip"
 
-    - name: Install JDK8
-      become: yes
-      ansible.builtin.yum:
-        name:
-          - java-1.8.0-openjdk
-        state: present
-      when: ansible_facts['os_family'] == "RedHat"
+    - name: Create controller directory for downloads
+      ansible.builtin.file: # noqa risky-file-permissions delegated, uses controller host user
+        path: /tmp/keycloak
+        state: directory
+        mode: '0750'
+      delegate_to: localhost
+      run_once: true
 
-    - name: Install JDK8
-      become: yes
-      ansible.builtin.apt:
-        name:
-          - openjdk-8-jdk
-        state: present
-      when: ansible_facts['os_family'] == "Debian"
+    - name: Download keycloak archive to controller directory
+      ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
+        url: https://github.com/keycloak/keycloak/releases/download/26.6.2/keycloak-26.6.2.zip
+        dest: /tmp/keycloak
+        mode: '0640'
+      delegate_to: localhost
+      run_once: true
+      ignore_errors: true
+
+    - name: Attempt RHBK download using redhat.runtimes_common collection
+      when:
+        - rhn_username is defined
+        - rhn_username | length > 0
+      block:
+        - name: Retrieve RHBK product download using Unified Downloads API
+          middleware_automation.common.product_search:
+            client_id: "{{ rhn_username }}"
+            client_secret: "{{ rhn_password }}"
+            product_type: DISTRIBUTION
+            product_version: "{{ keycloak_quarkus_version | default('26.6.2') }}"
+            product_category: "RHBK"
+          register: rhn_products
+          no_log: "{{ omit_rhn_output | default(true) }}"
+          delegate_to: localhost
+          run_once: true
+          ignore_errors: true
+
+        - name: Determine install zipfile from search results
+          ansible.builtin.set_fact:
+            rhn_matched_products: "{{ rhn_products.results | selectattr('file_name', 'match', '.*keycloak-' + (keycloak_quarkus_version | default('26.6.2')) + '.zip$') }}"
+          delegate_to: localhost
+          run_once: true
+          when:
+            - rhn_products is defined
+            - rhn_products.results is defined
+
+        - name: Download Red Hat Build of Keycloak
+          middleware_automation.common.product_download:
+            client_id: "{{ rhn_username }}"
+            client_secret: "{{ rhn_password }}"
+            product_id: "{{ (rhn_matched_products | first).id }}"
+            dest: "/tmp/keycloak/keycloak-{{ keycloak_quarkus_version | default('26.6.2') }}.zip"
+          no_log: "{{ omit_rhn_output | default(true) }}"
+          delegate_to: localhost
+          run_once: true
+          when:
+            - rhn_matched_products is defined
+            - rhn_matched_products | length > 0
+          ignore_errors: true

molecule/default/verify.yml

@@ -2,11 +2,9 @@
 - name: Verify
   hosts: all
   vars:
-    keycloak_admin_password: "remembertochangeme"
-    keycloak_jvm_package: java-11-openjdk-headless
-    keycloak_uri: "http://localhost:{{ 8080 + ( keycloak_jboss_port_offset | default(0) ) }}"
-    keycloak_management_port: "http://localhost:{{ 9990 + ( keycloak_jboss_port_offset | default(0) ) }}"
-    keycloak_jboss_port_offset: 10
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_uri: "http://localhost:8080"
   tasks:
     - name: Populate service facts
       ansible.builtin.service_facts:
@@ -15,75 +13,13 @@
         that:
           - ansible_facts.services["keycloak.service"]["state"] == "running"
           - ansible_facts.services["keycloak.service"]["status"] == "enabled"
-    - name: Verify we are running on requested jvm # noqa blocked_modules command-instead-of-module
-      ansible.builtin.shell: |
-        set -o pipefail
-        ps -ef | grep '/etc/alternatives/jre_11/' | grep -v grep
-      args:
-        executable: /bin/bash
-      changed_when: no
     - name: Verify token api call
       ansible.builtin.uri:
-        url: "{{ keycloak_uri }}/auth/realms/master/protocol/openid-connect/token"
+        url: "{{ keycloak_uri }}/realms/master/protocol/openid-connect/token"
         method: POST
-        body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
+        body: "client_id=admin-cli&username={{ keycloak_quarkus_bootstrap_admin_user }}&password={{ keycloak_quarkus_bootstrap_admin_user }}&grant_type=password"
         validate_certs: no
       register: keycloak_auth_response
       until: keycloak_auth_response.status == 200
       retries: 2
       delay: 2
-    - name: Fetch openid-connect config
-      ansible.builtin.uri:
-        url: "{{ keycloak_uri }}/auth/realms/TestRealm/.well-known/openid-configuration"
-        method: GET
-        validate_certs: no
-        status_code: 200
-      register: keycloak_openid_config
-    - name: Verify expected config
-      ansible.builtin.assert:
-        that:
-          - keycloak_openid_config.json.registration_endpoint == 'http://localhost:8080/auth/realms/TestRealm/clients-registrations/openid-connect'
-    - name: Get test realm clients
-      ansible.builtin.uri:
-        url: "{{ keycloak_uri }}/auth/admin/realms/TestRealm/clients"
-        method: GET
-        validate_certs: no
-        status_code: 200
-        headers:
-          Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
-      register: keycloak_query_clients
-    - name: Verify expected config
-      ansible.builtin.assert:
-        that:
-          - (keycloak_query_clients.json | selectattr('clientId','equalto','TestClient') | first)["attributes"]["post.logout.redirect.uris"] == '/public/logout'
-    - name: "Privilege escalation as some files/folders may requires it"
-      become: yes
-      block:
-        - name: Check log folder
-          ansible.builtin.stat:
-            path: "/tmp/keycloak"
-          register: keycloak_log_folder
-        - name: Check that keycloak log folder exists and is a link
-          ansible.builtin.assert:
-            that:
-              - keycloak_log_folder.stat.exists
-              - not keycloak_log_folder.stat.isdir
-              - keycloak_log_folder.stat.islnk
-        - name: Check log file
-          ansible.builtin.stat:
-            path: "/tmp/keycloak/server.log"
-          register: keycloak_log_file
-        - name: Check if keycloak file exists
-          ansible.builtin.assert:
-            that:
-              - keycloak_log_file.stat.exists
-              - not keycloak_log_file.stat.isdir
-        - name: Check default log folder
-          ansible.builtin.stat:
-            path: "/var/log/keycloak"
-          register: keycloak_default_log_folder
-          failed_when: false
-        - name: Check that default keycloak log folder doesn't exist
-          ansible.builtin.assert:
-            that:
-              - not keycloak_default_log_folder.stat.exists

molecule/group_vars/all/vars.yml

@@ -0,0 +1,26 @@
+---
+keycloak_quarkus_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_systemd_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_install_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_firewalld_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_iptables_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_jdbc_driver_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_config_store_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_restart_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_start_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_rebuild_config_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_fastpackages_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_bootstrapped_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_quarkus_invalidate_theme_cache_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_systemd_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_install_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_firewalld_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_iptables_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_jdbc_driver_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_restart_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_start_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_stop_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_fastpackages_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+keycloak_rhsso_patch_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"
+molecule_prepare_require_privilege_escalation: "{{ keycloak_install_requires_become | default(true) }}"

molecule/https_revproxy/converge.yml

@@ -1,16 +1,18 @@
 ---
 - name: Converge
   hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
   vars:
-    keycloak_quarkus_admin_pass: "remembertochangeme"
-    keycloak_admin_password: "remembertochangeme"
-    keycloak_realm: TestRealm
-    keycloak_quarkus_host: instance
+    keycloak_quarkus_show_deprecation_warnings: false
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_quarkus_hostname: https://proxy
     keycloak_quarkus_log: file
     keycloak_quarkus_http_enabled: True
     keycloak_quarkus_http_port: 8080
     keycloak_quarkus_proxy_mode: edge
     keycloak_quarkus_http_relative_path: /
-    keycloak_quarkus_frontend_url: https://proxy/
+    keycloak_quarkus_health_check_url: http://proxy:8080/realms/master/.well-known/openid-configuration
   roles:
     - role: keycloak_quarkus

molecule/https_revproxy/molecule.yml

@@ -3,7 +3,7 @@ driver:
   name: docker
 platforms:
   - name: instance
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
     pre_build_image: true
     privileged: true
     command: "/usr/sbin/init"
@@ -14,7 +14,7 @@ platforms:
     published_ports:
       - 0.0.0.0:8080:8080/tcp
   - name: proxy
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
     pre_build_image: true
     privileged: true
     command: "/usr/sbin/init"

molecule/https_revproxy/prepare.yml

@@ -1,6 +1,8 @@
 ---
 - name: Prepare
   hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
   tasks:
     - name: Install sudo
       ansible.builtin.dnf:
@@ -27,6 +29,8 @@
   pre_tasks:
     - name: Create certificate request
       ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=proxy'
+      args:
+        chdir: "{{ playbook_dir }}"
       delegate_to: localhost
       changed_when: false
     - name: Make certificate directory
@@ -39,11 +43,11 @@
         src: "{{ item.name }}"
         dest: "{{ item.dest }}"
         mode: 0444
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
       loop:
         - { name: 'cert.pem', dest: '/etc/nginx/tls/certificate.crt' }
         - { name: 'key.pem', dest: '/etc/nginx/tls/certificate.key' }
     - name: Update CA trust
       ansible.builtin.command: update-ca-trust
       changed_when: false
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"

molecule/keycloak_modules/converge.yml

@@ -0,0 +1,2 @@
+---
+- import_playbook: ../default/converge.yml

molecule/keycloak_modules/molecule.yml

@@ -0,0 +1,51 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "8009/tcp"
+      - "9000/tcp"
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+      roles_path: ../../roles
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    group_vars:
+      all:
+        keycloak_install_requires_become: true
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+    PROXY: "${PROXY}"
+    NO_PROXY: "${NO_PROXY}"
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/keycloak_modules/prepare.yml

@@ -0,0 +1,2 @@
+---
+- import_playbook: ../default/prepare.yml

molecule/keycloak_modules/verify.yml

@@ -0,0 +1,657 @@
+---
+- name: Verify migrated Keycloak modules
+  hosts: all
+  vars:
+    auth_keycloak_url: http://instance:8080
+    auth_realm: master
+    auth_username: remembertochangeme
+    auth_password: remembertochangeme
+    target_realm: TestRealm
+    role: molecule-role
+    client_role: molecule-client-role
+    client: molecule-client
+    scope: molecule-scope
+    group: molecule-group
+    user: molecule-user
+    flow: molecule-flow
+    flow_v2: molecule-flow-v2
+    auth_copy: molecule-auth-copy
+    idp: molecule-idp
+    ephemeral_realm: molecule-realm
+    template: molecule-template
+    realm_key: molecule-aes-key
+    authz_scope: molecule-authz-scope
+    authz_permission: molecule-authz-perm
+    federation: molecule-federation
+    component: molecule-component
+    migrated_keycloak_modules:
+      - keycloak_authentication
+      - keycloak_authentication_flow
+      - keycloak_authentication_required_actions
+      - keycloak_authentication_v2
+      - keycloak_authz_authorization_scope
+      - keycloak_authz_custom_policy
+      - keycloak_authz_permission
+      - keycloak_authz_permission_info
+      - keycloak_client
+      - keycloak_client_rolemapping
+      - keycloak_client_rolescope
+      - keycloak_client_scope
+      - keycloak_client_scope_type
+      - keycloak_client_scope_rolemappings
+      - keycloak_clientsecret_info
+      - keycloak_clientsecret_regenerate
+      - keycloak_clienttemplate
+      - keycloak_component
+      - keycloak_component_info
+      - keycloak_group
+      - keycloak_identity_provider
+      - keycloak_realm
+      - keycloak_realm_info
+      - keycloak_realm_key
+      - keycloak_realm_keys_metadata_info
+      - keycloak_realm_localization
+      - keycloak_realm_rolemapping
+      - keycloak_role
+      - keycloak_user
+      - keycloak_user_execute_actions_email
+      - keycloak_user_federation
+      - keycloak_user_rolemapping
+      - keycloak_userprofile
+
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+        fail_msg: Service not running
+
+    - name: Verify migrated modules are discoverable by ansible-doc # noqa command-instead-of-module
+      ansible.builtin.command:
+        cmd: "ansible-doc -t module middleware_automation.keycloak.{{ item }}"
+      loop: "{{ migrated_keycloak_modules }}"
+      delegate_to: localhost
+      register: docs_check
+      changed_when: false
+
+    - name: Ensure module docs check succeeded
+      ansible.builtin.assert:
+        that:
+          - docs_check is not failed
+
+    - name: Provision shared test fixtures
+      module_defaults:
+        group/middleware_automation.keycloak.keycloak:
+          auth_keycloak_url: "{{ auth_keycloak_url }}"
+          auth_realm: "{{ auth_realm }}"
+          auth_username: "{{ auth_username }}"
+          auth_password: "{{ auth_password }}"
+      block:
+        - name: Reset fixtures from a previous verify run
+          middleware_automation.keycloak.keycloak_user:
+            realm: "{{ target_realm }}"
+            username: "{{ user }}"
+            state: absent
+          failed_when: false
+
+        - name: keycloak_role — create realm role for module tests
+          middleware_automation.keycloak.keycloak_role:
+            realm: "{{ target_realm }}"
+            name: "{{ role }}"
+            state: present
+
+        - name: keycloak_client — create confidential client for module tests
+          middleware_automation.keycloak.keycloak_client:
+            realm: "{{ target_realm }}"
+            client_id: "{{ client }}"
+            name: "{{ client }}"
+            enabled: true
+            public_client: false
+            standard_flow_enabled: true
+            client_authenticator_type: client-secret
+            secret: molecule-client-secret
+            state: present
+
+        - name: keycloak_client — enable authorization services on test client
+          middleware_automation.keycloak.keycloak_client:
+            realm: "{{ target_realm }}"
+            client_id: "{{ client }}"
+            service_accounts_enabled: true
+            authorization_services_enabled: true
+            full_scope_allowed: false
+            state: present
+
+        - name: keycloak_role — create client role for rolemapping tests
+          middleware_automation.keycloak.keycloak_role:
+            realm: "{{ target_realm }}"
+            client_id: "{{ client }}"
+            name: "{{ client_role }}"
+            state: present
+
+        - name: keycloak_client_scope — create client scope
+          middleware_automation.keycloak.keycloak_client_scope:
+            realm: "{{ target_realm }}"
+            name: "{{ scope }}"
+            state: present
+
+        - name: keycloak_group — create group
+          middleware_automation.keycloak.keycloak_group:
+            realm: "{{ target_realm }}"
+            name: "{{ group }}"
+            state: present
+
+        - name: keycloak_user — create user
+          middleware_automation.keycloak.keycloak_user:
+            realm: "{{ target_realm }}"
+            username: "{{ user }}"
+            first_name: Molecule
+            last_name: User
+            email: molecule-user@example.invalid
+            enabled: true
+            state: present
+
+        - name: keycloak_authentication_flow — create browser-style flow
+          middleware_automation.keycloak.keycloak_authentication_flow:
+            realm: "{{ target_realm }}"
+            alias: "{{ flow }}"
+            description: Molecule module test authentication flow
+            executions:
+              - provider_id: auth-cookie
+                requirement: REQUIRED
+            state: present
+
+    - name: keycloak_realm_info — query TestRealm (public endpoint, no admin auth)
+      middleware_automation.keycloak.keycloak_realm_info:
+        auth_keycloak_url: "{{ auth_keycloak_url }}"
+        realm: "{{ target_realm }}"
+
+    - name: Exercise migrated modules against running Keycloak
+      module_defaults:
+        group/middleware_automation.keycloak.keycloak:
+          auth_keycloak_url: "{{ auth_keycloak_url }}"
+          auth_realm: "{{ auth_realm }}"
+          auth_username: "{{ auth_username }}"
+          auth_password: "{{ auth_password }}"
+      block:
+        - name: keycloak_realm_keys_metadata_info — query realm keys
+          middleware_automation.keycloak.keycloak_realm_keys_metadata_info:
+            realm: "{{ target_realm }}"
+
+        - name: keycloak_component_info — list realm components
+          middleware_automation.keycloak.keycloak_component_info:
+            realm: "{{ target_realm }}"
+
+        - name: keycloak_realm — create ephemeral realm
+          middleware_automation.keycloak.keycloak_realm:
+            id: "{{ ephemeral_realm }}"
+            realm: "{{ ephemeral_realm }}"
+            enabled: true
+            state: present
+
+        - name: keycloak_realm_localization — set locale override
+          middleware_automation.keycloak.keycloak_realm_localization:
+            parent_id: "{{ target_realm }}"
+            locale: en
+            state: present
+            overrides:
+              - key: molecule.module.test
+                value: molecule module test
+
+        - name: keycloak_realm_key — create generated AES key component
+          middleware_automation.keycloak.keycloak_realm_key:
+            parent_id: "{{ target_realm }}"
+            name: "{{ realm_key }}"
+            provider_id: aes-generated
+            state: present
+
+        - name: keycloak_authentication — copy browser flow
+          middleware_automation.keycloak.keycloak_authentication:
+            realm: "{{ target_realm }}"
+            alias: "{{ auth_copy }}"
+            copyFrom: browser
+            state: present
+
+        - name: keycloak_authentication_v2 — manage flow with safe-swap semantics
+          middleware_automation.keycloak.keycloak_authentication_v2:
+            realm: "{{ target_realm }}"
+            alias: "{{ flow_v2 }}"
+            description: Molecule module test flow v2
+            authenticationExecutions:
+              - requirement: REQUIRED
+                providerId: auth-cookie
+            state: present
+
+        - name: keycloak_authentication_required_actions — ensure VERIFY_EMAIL is enabled
+          middleware_automation.keycloak.keycloak_authentication_required_actions:
+            realm: "{{ target_realm }}"
+            state: present
+            required_actions:
+              - alias: VERIFY_EMAIL
+                enabled: true
+
+        - name: keycloak_userprofile — set unmanaged attribute policy
+          middleware_automation.keycloak.keycloak_userprofile:
+            parent_id: "{{ target_realm }}"
+            state: present
+            config:
+              kc_user_profile_config:
+                - unmanagedAttributePolicy: ENABLED
+
+        - name: keycloak_identity_provider — create OIDC broker stub
+          middleware_automation.keycloak.keycloak_identity_provider:
+            realm: "{{ target_realm }}"
+            alias: "{{ idp }}"
+            provider_id: oidc
+            enabled: false
+            config:
+              authorizationUrl: http://localhost:8080/realms/master/protocol/openid-connect/auth
+              tokenUrl: http://localhost:8080/realms/master/protocol/openid-connect/token
+              clientId: molecule-idp-client
+            state: present
+
+        - name: keycloak_clienttemplate — create client template
+          middleware_automation.keycloak.keycloak_clienttemplate:
+            realm: "{{ target_realm }}"
+            name: "{{ template }}"
+            protocol: openid-connect
+            state: present
+          register: clienttemplate_result
+          failed_when:
+            - clienttemplate_result is failed
+            - "'404' not in (clienttemplate_result.msg | default(''))"
+            - "'Not Found' not in (clienttemplate_result.msg | default(''))"
+
+        - name: keycloak_client_scope_type — attach scope as optional on realm
+          middleware_automation.keycloak.keycloak_client_scope_type:
+            realm: "{{ target_realm }}"
+            optional_client_scopes:
+              - "{{ scope }}"
+
+        - name: keycloak_user_rolemapping — assign realm role to user
+          middleware_automation.keycloak.keycloak_user_rolemapping:
+            realm: "{{ target_realm }}"
+            target_username: "{{ user }}"
+            state: present
+            roles:
+              - name: "{{ role }}"
+
+        - name: keycloak_realm_rolemapping — assign realm role to group
+          middleware_automation.keycloak.keycloak_realm_rolemapping:
+            realm: "{{ target_realm }}"
+            group_name: "{{ group }}"
+            state: present
+            roles:
+              - name: "{{ role }}"
+
+        - name: keycloak_client_rolemapping — assign client role to group
+          middleware_automation.keycloak.keycloak_client_rolemapping:
+            realm: "{{ target_realm }}"
+            client_id: "{{ client }}"
+            group_name: "{{ group }}"
+            state: present
+            roles:
+              - name: "{{ client_role }}"
+
+        - name: keycloak_client_rolescope — restrict realm role on client
+          middleware_automation.keycloak.keycloak_client_rolescope:
+            realm: "{{ target_realm }}"
+            target_client_id: "{{ client }}"
+            role_names:
+              - "{{ role }}"
+            state: present
+
+        - name: keycloak_client_scope_rolemappings — map client roles to client scope
+          middleware_automation.keycloak.keycloak_client_scope_rolemappings:
+            realm: "{{ target_realm }}"
+            client_id: "{{ client }}"
+            client_scope_id: "{{ scope }}"
+            role_names:
+              - "{{ client_role }}"
+          register: client_scope_rolemappings_result
+
+        - name: Assert client scope role mappings were created
+          ansible.builtin.assert:
+            that:
+              - client_scope_rolemappings_result is changed
+              - client_scope_rolemappings_result.end_state | length == 1
+
+        - name: keycloak_client_scope_rolemappings — remap client role (idempotency)
+          middleware_automation.keycloak.keycloak_client_scope_rolemappings:
+            realm: "{{ target_realm }}"
+            client_id: "{{ client }}"
+            client_scope_id: "{{ scope }}"
+            role_names:
+              - "{{ client_role }}"
+          register: client_scope_rolemappings_idempotent_result
+
+        - name: Assert client scope role mappings are idempotent
+          ansible.builtin.assert:
+            that:
+              - client_scope_rolemappings_idempotent_result is not changed
+              - client_scope_rolemappings_idempotent_result.end_state | length == 1
+
+        - name: keycloak_client_scope_rolemappings — map realm role to client scope
+          middleware_automation.keycloak.keycloak_client_scope_rolemappings:
+            realm: "{{ target_realm }}"
+            client_scope_id: "{{ scope }}"
+            role_names:
+              - "{{ role }}"
+          register: client_scope_realm_rolemappings_result
+
+        - name: Assert realm role was mapped to client_scope
+          ansible.builtin.assert:
+            that:
+              - client_scope_realm_rolemappings_result is changed
+              - client_scope_realm_rolemappings_result.end_state | length == 1
+
+        - name: keycloak_user — set email_verified explicitly
+          middleware_automation.keycloak.keycloak_user:
+            realm: "{{ target_realm }}"
+            username: "{{ user }}"
+            email_verified: true
+            state: present
+          register: user_email_verified_result
+
+        - name: Assert email_verified was set
+          ansible.builtin.assert:
+            that:
+              - user_email_verified_result is changed
+              - user_email_verified_result.end_state.emailVerified == true
+
+        - name: keycloak_user — leave email_verified unchanged with no_defaults
+          middleware_automation.keycloak.keycloak_user:
+            realm: "{{ target_realm }}"
+            username: "{{ user }}"
+            email_verified_behavior: no_defaults
+            state: present
+          register: user_email_verified_idempotent_result
+
+        - name: Assert email_verified is unchanged
+          ansible.builtin.assert:
+            that:
+              - user_email_verified_idempotent_result is not changed
+              - user_email_verified_idempotent_result.end_state.emailVerified == true
+
+        - name: keycloak_user — set required actions
+          middleware_automation.keycloak.keycloak_user:
+            realm: "{{ target_realm }}"
+            username: "{{ user }}"
+            required_actions:
+              - UPDATE_PASSWORD
+              - VERIFY_EMAIL
+            state: present
+          register: user_required_actions_result
+
+        - name: Assert required actions were set
+          ansible.builtin.assert:
+            that:
+              - user_required_actions_result is changed
+              - "'UPDATE_PASSWORD' in user_required_actions_result.end_state.requiredActions"
+              - "'VERIFY_EMAIL' in user_required_actions_result.end_state.requiredActions"
+
+        - name: keycloak_user — leave required actions unchanged when omitted
+          middleware_automation.keycloak.keycloak_user:
+            realm: "{{ target_realm }}"
+            username: "{{ user }}"
+            state: present
+          register: user_required_actions_idempotent_result
+
+        - name: Assert required actions are unchanged
+          ansible.builtin.assert:
+            that:
+              - user_required_actions_idempotent_result is not changed
+              - "'UPDATE_PASSWORD' in user_required_actions_idempotent_result.end_state.requiredActions"
+              - "'VERIFY_EMAIL' in user_required_actions_idempotent_result.end_state.requiredActions"
+
+        - name: keycloak_clientsecret_info — read client secret
+          middleware_automation.keycloak.keycloak_clientsecret_info:
+            realm: "{{ target_realm }}"
+            client_id: "{{ client }}"
+          no_log: true
+
+        - name: keycloak_clientsecret_regenerate — rotate client secret
+          middleware_automation.keycloak.keycloak_clientsecret_regenerate:
+            realm: "{{ target_realm }}"
+            client_id: "{{ client }}"
+          no_log: true
+
+        - name: keycloak_authz_authorization_scope — create authorization scope
+          middleware_automation.keycloak.keycloak_authz_authorization_scope:
+            realm: "{{ target_realm }}"
+            client_id: "{{ client }}"
+            name: "{{ authz_scope }}"
+            display_name: Molecule module test scope
+            state: present
+
+        - name: keycloak_authz_permission — create scope permission
+          middleware_automation.keycloak.keycloak_authz_permission:
+            realm: "{{ target_realm }}"
+            client_id: "{{ client }}"
+            name: "{{ authz_permission }}"
+            permission_type: scope
+            scopes:
+              - "{{ authz_scope }}"
+            state: present
+
+        - name: keycloak_authz_permission_info — query scope permission
+          middleware_automation.keycloak.keycloak_authz_permission_info:
+            realm: "{{ target_realm }}"
+            client_id: "{{ client }}"
+            name: "{{ authz_permission }}"
+
+        - name: keycloak_authz_custom_policy — requires deployed policy provider on server
+          middleware_automation.keycloak.keycloak_authz_custom_policy:
+            realm: "{{ target_realm }}"
+            client_id: "{{ client }}"
+            name: molecule-script-policy
+            policy_type: script-policy.js
+            state: present
+          register: authz_custom_policy_result
+          failed_when:
+            - authz_custom_policy_result is failed
+            - "'No policy provider' not in (authz_custom_policy_result.msg | default(''))"
+            - "'Policy provider' not in (authz_custom_policy_result.msg | default(''))"
+            - "'405' not in (authz_custom_policy_result.msg | default(''))"
+            - "'Method Not Allowed' not in (authz_custom_policy_result.msg | default(''))"
+            - "'not found' not in (authz_custom_policy_result.msg | default('') | lower)"
+
+        - name: keycloak_user_execute_actions_email — trigger execute-actions email
+          middleware_automation.keycloak.keycloak_user_execute_actions_email:
+            realm: "{{ target_realm }}"
+            username: "{{ user }}"
+            actions:
+              - VERIFY_EMAIL
+          register: execute_actions_email_result
+          failed_when:
+            - execute_actions_email_result is failed
+            - "'Connection refused' in (execute_actions_email_result.msg | default(''))"
+            - "'Failed to send' in (execute_actions_email_result.msg | default(''))"
+
+        - name: keycloak_user_federation — remove non-existent federation (module API test)
+          middleware_automation.keycloak.keycloak_user_federation:
+            realm: "{{ target_realm }}"
+            name: "{{ federation }}"
+            state: absent
+
+        - name: keycloak_component — remove non-existent component (module API test)
+          middleware_automation.keycloak.keycloak_component:
+            parent_id: "{{ target_realm }}"
+            name: "{{ component }}"
+            provider_id: ldap
+            provider_type: org.keycloak.storage.UserStorageProvider
+            state: absent
+
+    - name: Remove shared test fixtures
+      module_defaults:
+        group/middleware_automation.keycloak.keycloak:
+          auth_keycloak_url: "{{ auth_keycloak_url }}"
+          auth_realm: "{{ auth_realm }}"
+          auth_username: "{{ auth_username }}"
+          auth_password: "{{ auth_password }}"
+      block:
+        - name: keycloak_authz_custom_policy — remove custom policy if created
+          middleware_automation.keycloak.keycloak_authz_custom_policy:
+            realm: "{{ target_realm }}"
+            client_id: "{{ client }}"
+            name: molecule-script-policy
+            policy_type: script-policy.js
+            state: absent
+          failed_when: false
+
+        - name: keycloak_authz_permission — remove scope permission
+          middleware_automation.keycloak.keycloak_authz_permission:
+            realm: "{{ target_realm }}"
+            client_id: "{{ client }}"
+            name: "{{ authz_permission }}"
+            permission_type: scope
+            state: absent
+
+        - name: keycloak_authz_authorization_scope — remove authorization scope
+          middleware_automation.keycloak.keycloak_authz_authorization_scope:
+            realm: "{{ target_realm }}"
+            client_id: "{{ client }}"
+            name: "{{ authz_scope }}"
+            state: absent
+
+        - name: keycloak_client_scope_rolemappings — remove realm role from client scope
+          middleware_automation.keycloak.keycloak_client_scope_rolemappings:
+            realm: "{{ target_realm }}"
+            client_scope_id: "{{ scope }}"
+            role_names:
+              - "{{ role }}"
+            state: absent
+
+        - name: keycloak_client_scope_rolemappings — remove client role from client scope
+          middleware_automation.keycloak.keycloak_client_scope_rolemappings:
+            realm: "{{ target_realm }}"
+            client_id: "{{ client }}"
+            client_scope_id: "{{ scope }}"
+            role_names:
+              - "{{ client_role }}"
+            state: absent
+
+        - name: keycloak_client_rolescope — remove role scope mapping
+          middleware_automation.keycloak.keycloak_client_rolescope:
+            realm: "{{ target_realm }}"
+            target_client_id: "{{ client }}"
+            role_names:
+              - "{{ role }}"
+            state: absent
+
+        - name: keycloak_client_rolemapping — remove group client role mapping
+          middleware_automation.keycloak.keycloak_client_rolemapping:
+            realm: "{{ target_realm }}"
+            client_id: "{{ client }}"
+            group_name: "{{ group }}"
+            state: absent
+            roles:
+              - name: "{{ client_role }}"
+
+        - name: keycloak_realm_rolemapping — remove group realm role mapping
+          middleware_automation.keycloak.keycloak_realm_rolemapping:
+            realm: "{{ target_realm }}"
+            group_name: "{{ group }}"
+            state: absent
+            roles:
+              - name: "{{ role }}"
+
+        - name: keycloak_user_rolemapping — remove user role mapping
+          middleware_automation.keycloak.keycloak_user_rolemapping:
+            realm: "{{ target_realm }}"
+            target_username: "{{ user }}"
+            state: absent
+            roles:
+              - name: "{{ role }}"
+
+        - name: keycloak_identity_provider — remove OIDC provider
+          middleware_automation.keycloak.keycloak_identity_provider:
+            realm: "{{ target_realm }}"
+            alias: "{{ idp }}"
+            state: absent
+
+        - name: keycloak_authentication_v2 — remove flow
+          middleware_automation.keycloak.keycloak_authentication_v2:
+            realm: "{{ target_realm }}"
+            alias: "{{ flow_v2 }}"
+            state: absent
+
+        - name: keycloak_authentication — remove copied flow
+          middleware_automation.keycloak.keycloak_authentication:
+            realm: "{{ target_realm }}"
+            alias: "{{ auth_copy }}"
+            state: absent
+
+        - name: keycloak_realm_key — remove generated key
+          middleware_automation.keycloak.keycloak_realm_key:
+            parent_id: "{{ target_realm }}"
+            name: "{{ realm_key }}"
+            provider_id: aes-generated
+            state: absent
+
+        - name: keycloak_realm_localization — remove locale override
+          middleware_automation.keycloak.keycloak_realm_localization:
+            parent_id: "{{ target_realm }}"
+            locale: en
+            state: absent
+            overrides:
+              - key: molecule.module.test
+
+        - name: keycloak_realm — remove ephemeral realm
+          middleware_automation.keycloak.keycloak_realm:
+            id: "{{ ephemeral_realm }}"
+            realm: "{{ ephemeral_realm }}"
+            state: absent
+
+        - name: keycloak_clienttemplate — remove client template
+          middleware_automation.keycloak.keycloak_clienttemplate:
+            realm: "{{ target_realm }}"
+            name: "{{ template }}"
+            state: absent
+          failed_when: false
+
+        - name: keycloak_authentication_flow — remove authentication flow
+          middleware_automation.keycloak.keycloak_authentication_flow:
+            realm: "{{ target_realm }}"
+            alias: "{{ flow }}"
+            state: absent
+
+        - name: keycloak_user — remove user
+          middleware_automation.keycloak.keycloak_user:
+            realm: "{{ target_realm }}"
+            username: "{{ user }}"
+            state: absent
+
+        - name: keycloak_group — remove group
+          middleware_automation.keycloak.keycloak_group:
+            realm: "{{ target_realm }}"
+            name: "{{ group }}"
+            state: absent
+
+        - name: keycloak_role — remove client role
+          middleware_automation.keycloak.keycloak_role:
+            realm: "{{ target_realm }}"
+            client_id: "{{ client }}"
+            name: "{{ client_role }}"
+            state: absent
+
+        - name: keycloak_client — remove confidential client
+          middleware_automation.keycloak.keycloak_client:
+            realm: "{{ target_realm }}"
+            client_id: "{{ client }}"
+            state: absent
+
+        - name: keycloak_client_scope — remove client scope
+          middleware_automation.keycloak.keycloak_client_scope:
+            realm: "{{ target_realm }}"
+            name: "{{ scope }}"
+            state: absent
+
+        - name: keycloak_role — remove realm role
+          middleware_automation.keycloak.keycloak_role:
+            realm: "{{ target_realm }}"
+            name: "{{ role }}"
+            state: absent

molecule/overridexml/converge.yml

@@ -1,8 +1,14 @@
 ---
 - name: Converge
   hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
   vars:
+    rhn_username: "{{ lookup('env', 'rhn_username') | default('4278e994-7f90-46eb-b99c-90f2815b845f', true) }}"
+    rhn_password: "{{ lookup('env', 'rhn_password') | default('AHOLJo08ursGdWVm0F66iDR5Owk0CwpL', true) }}"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
     keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_hostname: "http://instance:8080"
     keycloak_config_override_template: custom.xml.j2
     keycloak_http_port: 8081
     keycloak_management_http_port: 19990

molecule/overridexml/molecule.yml

@@ -3,7 +3,7 @@ driver:
   name: docker
 platforms:
   - name: instance
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
     pre_build_image: true
     privileged: true
     command: "/usr/sbin/init"
@@ -11,6 +11,7 @@ platforms:
       - "8080/tcp"
       - "8443/tcp"
       - "8009/tcp"
+      - "9000/tcp"
 provisioner:
   name: ansible
   config_options:

molecule/overridexml/prepare.yml

@@ -1,6 +1,8 @@
 ---
 - name: Prepare
   hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
   gather_facts: yes
   vars:
     sudo_pkg_name: sudo

molecule/prepare.yml

@@ -25,11 +25,12 @@
     fail_msg: "sudo is not installed on target system"
 
 - name: "Install iproute"
-  become: true
   ansible.builtin.yum:
     name:
       - iproute
     state: present
+  when:
+    - ansible_user_id == 'root'
 
 - name: "Retrieve assets server from env"
   ansible.builtin.set_fact:

molecule/quarkus/converge.yml

@@ -1,11 +1,14 @@
 ---
 - name: Converge
   hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
   vars:
-    keycloak_quarkus_admin_pass: "remembertochangeme"
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_show_deprecation_warnings: false
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
     keycloak_realm: TestRealm
-    keycloak_quarkus_host: instance
+    keycloak_quarkus_hostname: https://instance:8443
     keycloak_quarkus_log: file
     keycloak_quarkus_log_level: debug # needed for the verify step
     keycloak_quarkus_https_key_file_enabled: true
@@ -21,6 +24,12 @@
     keycloak_quarkus_systemd_wait_for_timeout: 20
     keycloak_quarkus_systemd_wait_for_delay: 2
     keycloak_quarkus_systemd_wait_for_log: true
+    keycloak_quarkus_restart_health_check: false # would fail because of self-signed cert
+    keycloak_quarkus_version: 26.6.2
+    keycloak_quarkus_java_heap_opts: "-Xms1024m -Xmx1024m"
+    keycloak_quarkus_additional_env_vars:
+      - key: KC_FEATURES_DISABLED
+        value: impersonation,kerberos
     keycloak_quarkus_providers:
       - id: http-client
         spi: connections
@@ -30,27 +39,32 @@
           - key: default-connection-pool-size
             value: 10
       - id: spid-saml
-        url: https://github.com/italia/spid-keycloak-provider/releases/download/24.0.2/spid-provider.jar
+        url: https://github.com/italia/spid-keycloak-provider/releases/download/26.5.6/spid-provider.jar
+      - id: spid-saml-w-checksum
+        url: https://github.com/italia/spid-keycloak-provider/releases/download/26.5.6/spid-provider.jar
+        checksum: sha256:2ddafc389a5f017d8665bfdfa2f72b3784fc74b9f3a482e796fa89a5ba5cc95b
       - id: keycloak-kerberos-federation
         maven:
           repository_url: https://repo1.maven.org/maven2/ # https://mvnrepository.com/artifact/org.keycloak/keycloak-kerberos-federation/24.0.4
           group_id: org.keycloak
           artifact_id: keycloak-kerberos-federation
-          version: 24.0.4 # optional
+          version: 26.6.3 # optional
           # username: myUser # optional
           # password: myPAT # optional
       # - id: my-static-theme
       #   local_path: /tmp/my-static-theme.jar
     keycloak_quarkus_policies:
-      - name: "xato-net-10-million-passwords.txt"
-        url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords.txt"
-      - name: "xato-net-10-million-passwords-10.txt"
-        url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/xato-net-10-million-passwords-10.txt"
+      - name: "cain-and-abel.txt"
+        url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/cain-and-abel.txt"
+      - name: "john-the-ripper.txt"
+        url: "https://github.com/danielmiessler/SecLists/raw/master/Passwords/Software/john-the-ripper.txt"
         type: password-blacklists
   roles:
     - role: keycloak_quarkus
     - role: keycloak_realm
-      keycloak_context: ''
+      keycloak_url: http://instance:8080
+      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
+      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
       keycloak_client_default_roles:
         - TestRoleAdmin
         - TestRoleUser

molecule/quarkus/molecule.yml

@@ -3,7 +3,7 @@ driver:
   name: docker
 platforms:
   - name: instance
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
     pre_build_image: true
     privileged: true
     command: "/usr/sbin/init"
@@ -11,6 +11,7 @@ platforms:
       - "8080/tcp"
       - "8443/tcp"
       - "8009/tcp"
+      - "9000/tcp"
     published_ports:
       - 0.0.0.0:8443:8443/tcp
 provisioner:
@@ -30,6 +31,9 @@ provisioner:
         ansible_python_interpreter: "{{ ansible_playbook_python }}"
   env:
     ANSIBLE_FORCE_COLOR: "true"
+    PYTHONHTTPSVERIFY: 0
+    PROXY: "${PROXY}"
+    NO_PROXY: "${NO_PROXY}"
 verifier:
   name: ansible
 scenario:

molecule/quarkus/prepare.yml

@@ -1,6 +1,8 @@
 ---
 - name: Prepare
   hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
   tasks:
     - name: "Display hera_home if defined."
       ansible.builtin.set_fact:
@@ -11,34 +13,38 @@
 
     - name: Create certificate request
       ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
+      args:
+        chdir: "{{ playbook_dir }}"
       delegate_to: localhost
-      changed_when: False
+      changed_when: false
 
     - name: Create vault directory
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
       ansible.builtin.file:
         state: directory
         path: "/opt/keycloak/vault"
-        mode: 0755
+        mode: '0755'
 
     - name: Make sure a jre is available (for keytool to prepare keystore)
       delegate_to: localhost
       ansible.builtin.package:
-        name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
+        name: java-21-openjdk-headless
         state: present
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
       failed_when: false
 
     - name: Create vault keystore
       ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
+      args:
+        chdir: "{{ playbook_dir }}"
       delegate_to: localhost
       register: keytool_cmd
       changed_when: False
       failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
 
     - name: Copy certificates and vault
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
       ansible.builtin.copy:
         src: keystore.p12
         dest: /opt/keycloak/vault/keystore.p12
-        mode: 0444
+        mode: '0444'

molecule/quarkus/verify.yml

@@ -1,6 +1,11 @@
 ---
 - name: Verify
   hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
+  vars:
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
   tasks:
     - name: Populate service facts
       ansible.builtin.service_facts:
@@ -33,10 +38,10 @@
         - name: Verify endpoint URLs
           ansible.builtin.assert:
             that:
-              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance/realms/master/protocol/openid-connect/ext/ciba/auth'
-              - (openid_config.stdout | from_json)['issuer'] == 'https://instance/realms/master'
-              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/auth'
-              - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance/realms/master/protocol/openid-connect/token'
+              - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance:8443/realms/master/protocol/openid-connect/ext/ciba/auth'
+              - (openid_config.stdout | from_json)['issuer'] == 'https://instance:8443/realms/master'
+              - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/auth'
+              - (openid_config.stdout | from_json)['token_endpoint'] == 'https://instance:8443/realms/master/protocol/openid-connect/token'
           delegate_to: localhost
 
     - name: Check log folder
@@ -53,7 +58,7 @@
         fail_msg: "Service log symlink not correctly created"
 
     - name: Check log file
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
       ansible.builtin.stat:
         path: /tmp/keycloak/keycloak.log
       register: keycloak_log_file
@@ -65,7 +70,7 @@
           - not keycloak_log_file.stat.isdir
 
     - name: Check default log folder
-      become: yes
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
       ansible.builtin.stat:
         path: /var/log/keycloak
       register: keycloak_default_log_folder
@@ -77,10 +82,49 @@
           - not keycloak_default_log_folder.stat.exists
 
     - name: Verify vault SPI in logfile
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
       ansible.builtin.shell: |
         set -o pipefail
         zgrep 'Configured KeystoreVaultProviderFactory with the keystore file' /opt/keycloak/keycloak-*/data/log/keycloak.log*zip
       changed_when: false
       failed_when: slurped_log.rc != 0
       register: slurped_log
+
+    - name: Verify token api call
+      ansible.builtin.uri:
+        url: "https://instance:8443/realms/master/protocol/openid-connect/token"
+        method: POST
+        body: "client_id=admin-cli&username={{ keycloak_quarkus_bootstrap_admin_user }}&password={{ keycloak_quarkus_bootstrap_admin_password}}&grant_type=password"
+        validate_certs: no
+      register: keycloak_auth_response
+      until: keycloak_auth_response.status == 200
+      retries: 2
+      delay: 2
+
+    - name: "Get Clients"
+      ansible.builtin.uri:
+        url: "https://instance:8443/admin/realms/TestRealm/clients"
+        validate_certs: false
+        headers:
+          Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
+      register: keycloak_clients
+
+    - name: Get client uuid
+      ansible.builtin.set_fact:
+        keycloak_client_uuid: "{{ ((keycloak_clients.json | selectattr('clientId', '==', 'TestClient')) | first).id }}"
+
+    - name: "Get Client {{ keycloak_client_uuid }}"
+      ansible.builtin.uri:
+        url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}"
+        validate_certs: false
+        headers:
+          Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
+      register: keycloak_test_client
+
+    - name: "Get Client roles"
+      ansible.builtin.uri:
+        url: "https://instance:8443/admin/realms/TestRealm/clients/{{ keycloak_client_uuid }}/roles"
+        validate_certs: false
+        headers:
+          Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
+      register: keycloak_test_client_roles

molecule/quarkus_devmode/converge.yml

@@ -1,19 +1,26 @@
 ---
 - name: Converge
   hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
   vars:
-    keycloak_quarkus_admin_pass: "remembertochangeme"
-    keycloak_admin_password: "remembertochangeme"
+    keycloak_quarkus_show_deprecation_warnings: false
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
     keycloak_realm: TestRealm
     keycloak_quarkus_log: file
-    keycloak_quarkus_frontend_url: 'http://localhost:8080/'
+    keycloak_quarkus_hostname: 'http://localhost:8080'
     keycloak_quarkus_start_dev: True
     keycloak_quarkus_proxy_mode: none
     keycloak_quarkus_java_home: /opt/openjdk/
+    keycloak_quarkus_java_heap_opts: "-Xms640m -Xmx640m"
+
   roles:
     - role: keycloak_quarkus
     - role: keycloak_realm
-      keycloak_context: ''
+      keycloak_url: "{{ keycloak_quarkus_hostname }}"
+      keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
+      keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
       keycloak_client_default_roles:
         - TestRoleAdmin
         - TestRoleUser

molecule/quarkus_devmode/molecule.yml

@@ -3,15 +3,17 @@ driver:
   name: docker
 platforms:
   - name: instance
-    image: registry.access.redhat.com/ubi8/ubi-init:latest
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
     pre_build_image: true
     privileged: true
     command: "/usr/sbin/init"
     port_bindings:
       - "8080/tcp"
       - "8009/tcp"
+      - "9000/tcp"
     published_ports:
       - 0.0.0.0:8080:8080/tcp
+      - 0.0.0.0:9000:9000/TCP
 provisioner:
   name: ansible
   config_options:
@@ -29,6 +31,8 @@ provisioner:
         ansible_python_interpreter: "{{ ansible_playbook_python }}"
   env:
     ANSIBLE_FORCE_COLOR: "true"
+    PROXY: "${PROXY}"
+    NO_PROXY: "${NO_PROXY}"
 verifier:
   name: ansible
 scenario:

molecule/quarkus_devmode/prepare.yml

@@ -1,6 +1,8 @@
 ---
 - name: Prepare
   hosts: all
+  vars_files:
+    - ../group_vars/all/vars.yml
   tasks:
     - name: Install sudo
       ansible.builtin.apt:
@@ -15,7 +17,7 @@
       ansible.builtin.include_tasks: ../prepare.yml
 
     - name: Install JDK17
-      become: yes
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
       ansible.builtin.yum:
         name:
           - java-17-openjdk-headless
@@ -24,7 +26,7 @@
         - ansible_facts.os_family == 'RedHat'
 
     - name: Link default logs directory
-      become: yes
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
       ansible.builtin.file:
         state: link
         src: "{{ item }}"

molecule/quarkus_ha/converge.yml

@@ -1,11 +1,13 @@
 ---
 - name: Converge
   hosts: keycloak
+  vars_files:
+    - ../group_vars/all/vars.yml
   vars:
-    keycloak_quarkus_admin_pass: "remembertochangeme"
-    keycloak_admin_password: "remembertochangeme"
-    keycloak_realm: TestRealm
-    keycloak_quarkus_host: "{{ inventory_hostname }}"
+    keycloak_quarkus_show_deprecation_warnings: false
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080"
     keycloak_quarkus_log: file
     keycloak_quarkus_log_level: info
     keycloak_quarkus_https_key_file_enabled: true
@@ -24,6 +26,6 @@
     keycloak_quarkus_restart_strategy: restart/serial.yml
     keycloak_quarkus_db_user: keycloak
     keycloak_quarkus_db_pass: mysecretpass
-    keycloak_quarkus_jdbc_url: jdbc:postgresql://postgres:5432/keycloak
+    keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak
   roles:
     - role: keycloak_quarkus

molecule/quarkus_ha/molecule.yml

@@ -14,6 +14,7 @@ platforms:
     port_bindings:
       - "8080/tcp"
       - "8443/tcp"
+      - "9000/tcp"
   - name: instance2
     image: registry.access.redhat.com/ubi9/ubi-init:latest
     pre_build_image: true
@@ -26,6 +27,7 @@ platforms:
     port_bindings:
       - "8080/tcp"
       - "8443/tcp"
+      - "9000/tcp"
   - name: postgres
     image: ubuntu/postgres:14-22.04_beta
     pre_build_image: true
@@ -40,7 +42,7 @@ platforms:
     mounts:
       - type: bind
         target: /etc/postgresql/postgresql.conf
-        source: ${PWD}/molecule/quarkus_ha/postgresql/postgresql.conf
+        source: ${MOLECULE_PROJECT_DIRECTORY}/molecule/quarkus_ha/postgresql/postgresql.conf
     env:
       POSTGRES_USER: keycloak
       POSTGRES_PASSWORD: mysecretpass
@@ -63,6 +65,7 @@ provisioner:
         ansible_python_interpreter: "{{ ansible_playbook_python }}"
   env:
     ANSIBLE_FORCE_COLOR: "true"
+    PYTHONHTTPSVERIFY: 0
 verifier:
   name: ansible
 scenario:

molecule/quarkus_ha/prepare.yml

@@ -1,6 +1,8 @@
 ---
 - name: Prepare
   hosts: keycloak
+  vars_files:
+    - ../group_vars/all/vars.yml
   tasks:
     - name: "Display hera_home if defined."
       ansible.builtin.set_fact:
@@ -11,11 +13,13 @@
 
     - name: Create certificate request
       ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
+      args:
+        chdir: "{{ playbook_dir }}"
       delegate_to: localhost
       changed_when: False
 
     - name: Create vault directory
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
       ansible.builtin.file:
         state: directory
         path: "/opt/keycloak/vault"
@@ -26,7 +30,7 @@
       ansible.builtin.package:
         name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
         state: present
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
       failed_when: false
 
     - name: Create vault keystore
@@ -37,7 +41,7 @@
       failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
 
     - name: Copy certificates and vault
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
       ansible.builtin.copy:
         src: keystore.p12
         dest: /opt/keycloak/vault/keystore.p12

molecule/quarkus_ha/verify.yml

@@ -1,6 +1,8 @@
 ---
 - name: Verify
   hosts: keycloak
+  vars_files:
+    - ../group_vars/all/vars.yml
   tasks:
     - name: Populate service facts
       ansible.builtin.service_facts:
@@ -17,7 +19,7 @@
         hera_home: "{{ lookup('env', 'HERA_HOME') }}"
 
     - name: Check log file
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
       ansible.builtin.stat:
         path: /var/log/keycloak/keycloak.log
       register: keycloak_log_file

molecule/quarkus_ha_26.4_below/converge.yml

@@ -0,0 +1,32 @@
+---
+- name: Converge
+  hosts: keycloak
+  vars_files:
+    - ../group_vars/all/vars.yml
+  vars:
+    keycloak_quarkus_show_deprecation_warnings: false
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080"
+    keycloak_quarkus_log: file
+    keycloak_quarkus_log_level: info
+    keycloak_quarkus_https_key_file_enabled: true
+    keycloak_quarkus_key_file_copy_enabled: true
+    keycloak_quarkus_key_content: "{{ lookup('file', inventory_hostname + '.key') }}"
+    keycloak_quarkus_cert_file_copy_enabled: true
+    keycloak_quarkus_cert_file_src: "{{ inventory_hostname }}.pem"
+    keycloak_quarkus_ks_vault_enabled: true
+    keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
+    keycloak_quarkus_ks_vault_pass: keystorepassword
+    keycloak_quarkus_systemd_wait_for_port: true
+    keycloak_quarkus_systemd_wait_for_timeout: 20
+    keycloak_quarkus_systemd_wait_for_delay: 2
+    keycloak_quarkus_systemd_wait_for_log: true
+    keycloak_quarkus_ha_enabled: true
+    keycloak_quarkus_restart_strategy: restart/serial.yml
+    keycloak_quarkus_db_user: keycloak
+    keycloak_quarkus_db_pass: mysecretpass
+    keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak
+    keycloak_quarkus_version: 26.3.5
+  roles:
+    - role: keycloak_quarkus

molecule/quarkus_ha_26.4_below/molecule.yml

@@ -0,0 +1,82 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: instance1
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    groups:
+      - keycloak
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "9000/tcp"
+  - name: instance2
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    groups:
+      - keycloak
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "9000/tcp"
+  - name: postgres
+    image: ubuntu/postgres:14-22.04_beta
+    pre_build_image: true
+    privileged: true
+    command: postgres
+    groups:
+      - database
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "5432/tcp"
+    mounts:
+      - type: bind
+        target: /etc/postgresql/postgresql.conf
+        source: ${MOLECULE_PROJECT_DIRECTORY}/molecule/quarkus_ha/postgresql/postgresql.conf
+    env:
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: mysecretpass
+      POSTGRES_DB: keycloak
+      POSTGRES_HOST_AUTH_METHOD: trust
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+    PYTHONHTTPSVERIFY: 0
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/quarkus_ha_26.4_below/postgresql/postgresql.conf

@@ -0,0 +1,750 @@
+# -----------------------------
+# PostgreSQL configuration file
+# -----------------------------
+#
+# This file consists of lines of the form:
+#
+#   name = value
+#
+# (The "=" is optional.)  Whitespace may be used.  Comments are introduced with
+# "#" anywhere on a line.  The complete list of parameter names and allowed
+# values can be found in the PostgreSQL documentation.
+#
+# The commented-out settings shown in this file represent the default values.
+# Re-commenting a setting is NOT sufficient to revert it to the default value;
+# you need to reload the server.
+#
+# This file is read on server startup and when the server receives a SIGHUP
+# signal.  If you edit the file on a running system, you have to SIGHUP the
+# server for the changes to take effect, run "pg_ctl reload", or execute
+# "SELECT pg_reload_conf()".  Some parameters, which are marked below,
+# require a server shutdown and restart to take effect.
+#
+# Any parameter can also be given as a command-line option to the server, e.g.,
+# "postgres -c log_connections=on".  Some parameters can be changed at run time
+# with the "SET" SQL command.
+#
+# Memory units:  kB = kilobytes        Time units:  ms  = milliseconds
+#                MB = megabytes                     s   = seconds
+#                GB = gigabytes                     min = minutes
+#                TB = terabytes                     h   = hours
+#                                                   d   = days
+
+
+#------------------------------------------------------------------------------
+# FILE LOCATIONS
+#------------------------------------------------------------------------------
+
+# The default values of these variables are driven from the -D command-line
+# option or PGDATA environment variable, represented here as ConfigDir.
+
+#data_directory = 'ConfigDir'		# use data in another directory
+					# (change requires restart)
+#hba_file = 'ConfigDir/pg_hba.conf'	# host-based authentication file
+					# (change requires restart)
+#ident_file = 'ConfigDir/pg_ident.conf'	# ident configuration file
+					# (change requires restart)
+
+# If external_pid_file is not explicitly set, no extra PID file is written.
+#external_pid_file = ''			# write an extra PID file
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONNECTIONS AND AUTHENTICATION
+#------------------------------------------------------------------------------
+
+# - Connection Settings -
+
+listen_addresses = '*'		# what IP address(es) to listen on;
+					# comma-separated list of addresses;
+					# defaults to 'localhost'; use '*' for all
+					# (change requires restart)
+#port = 5432				# (change requires restart)
+#max_connections = 100			# (change requires restart)
+#superuser_reserved_connections = 3	# (change requires restart)
+#unix_socket_directories = '/tmp'	# comma-separated list of directories
+					# (change requires restart)
+#unix_socket_group = ''			# (change requires restart)
+#unix_socket_permissions = 0777		# begin with 0 to use octal notation
+					# (change requires restart)
+#bonjour = off				# advertise server via Bonjour
+					# (change requires restart)
+#bonjour_name = ''			# defaults to the computer name
+					# (change requires restart)
+
+# - TCP settings -
+# see "man 7 tcp" for details
+
+#tcp_keepalives_idle = 0		# TCP_KEEPIDLE, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_interval = 0		# TCP_KEEPINTVL, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_count = 0		# TCP_KEEPCNT;
+					# 0 selects the system default
+#tcp_user_timeout = 0			# TCP_USER_TIMEOUT, in milliseconds;
+					# 0 selects the system default
+
+# - Authentication -
+
+#authentication_timeout = 1min		# 1s-600s
+#password_encryption = md5		# md5 or scram-sha-256
+#db_user_namespace = off
+
+# GSSAPI using Kerberos
+#krb_server_keyfile = ''
+#krb_caseins_users = off
+
+# - SSL -
+
+#ssl = off
+#ssl_ca_file = ''
+#ssl_cert_file = 'server.crt'
+#ssl_crl_file = ''
+#ssl_key_file = 'server.key'
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+#ssl_prefer_server_ciphers = on
+#ssl_ecdh_curve = 'prime256v1'
+#ssl_min_protocol_version = 'TLSv1'
+#ssl_max_protocol_version = ''
+#ssl_dh_params_file = ''
+#ssl_passphrase_command = ''
+#ssl_passphrase_command_supports_reload = off
+
+
+#------------------------------------------------------------------------------
+# RESOURCE USAGE (except WAL)
+#------------------------------------------------------------------------------
+
+# - Memory -
+
+#shared_buffers = 32MB			# min 128kB
+					# (change requires restart)
+#huge_pages = try			# on, off, or try
+					# (change requires restart)
+#temp_buffers = 8MB			# min 800kB
+#max_prepared_transactions = 0		# zero disables the feature
+					# (change requires restart)
+# Caution: it is not advisable to set max_prepared_transactions nonzero unless
+# you actively intend to use prepared transactions.
+#work_mem = 4MB				# min 64kB
+#maintenance_work_mem = 64MB		# min 1MB
+#autovacuum_work_mem = -1		# min 1MB, or -1 to use maintenance_work_mem
+#max_stack_depth = 2MB			# min 100kB
+#shared_memory_type = mmap		# the default is the first option
+					# supported by the operating system:
+					#   mmap
+					#   sysv
+					#   windows
+					# (change requires restart)
+#dynamic_shared_memory_type = posix	# the default is the first option
+					# supported by the operating system:
+					#   posix
+					#   sysv
+					#   windows
+					#   mmap
+					# (change requires restart)
+
+# - Disk -
+
+#temp_file_limit = -1			# limits per-process temp file space
+					# in kB, or -1 for no limit
+
+# - Kernel Resources -
+
+#max_files_per_process = 1000		# min 25
+					# (change requires restart)
+
+# - Cost-Based Vacuum Delay -
+
+#vacuum_cost_delay = 0			# 0-100 milliseconds (0 disables)
+#vacuum_cost_page_hit = 1		# 0-10000 credits
+#vacuum_cost_page_miss = 10		# 0-10000 credits
+#vacuum_cost_page_dirty = 20		# 0-10000 credits
+#vacuum_cost_limit = 200		# 1-10000 credits
+
+# - Background Writer -
+
+#bgwriter_delay = 200ms			# 10-10000ms between rounds
+#bgwriter_lru_maxpages = 100		# max buffers written/round, 0 disables
+#bgwriter_lru_multiplier = 2.0		# 0-10.0 multiplier on buffers scanned/round
+#bgwriter_flush_after = 0		# measured in pages, 0 disables
+
+# - Asynchronous Behavior -
+
+#effective_io_concurrency = 1		# 1-1000; 0 disables prefetching
+#max_worker_processes = 8		# (change requires restart)
+#max_parallel_maintenance_workers = 2	# taken from max_parallel_workers
+#max_parallel_workers_per_gather = 2	# taken from max_parallel_workers
+#parallel_leader_participation = on
+#max_parallel_workers = 8		# maximum number of max_worker_processes that
+					# can be used in parallel operations
+#old_snapshot_threshold = -1		# 1min-60d; -1 disables; 0 is immediate
+					# (change requires restart)
+#backend_flush_after = 0		# measured in pages, 0 disables
+
+
+#------------------------------------------------------------------------------
+# WRITE-AHEAD LOG
+#------------------------------------------------------------------------------
+
+# - Settings -
+
+#wal_level = replica			# minimal, replica, or logical
+					# (change requires restart)
+#fsync = on				# flush data to disk for crash safety
+					# (turning this off can cause
+					# unrecoverable data corruption)
+#synchronous_commit = on		# synchronization level;
+					# off, local, remote_write, remote_apply, or on
+#wal_sync_method = fsync		# the default is the first option
+					# supported by the operating system:
+					#   open_datasync
+					#   fdatasync (default on Linux)
+					#   fsync
+					#   fsync_writethrough
+					#   open_sync
+#full_page_writes = on			# recover from partial page writes
+#wal_compression = off			# enable compression of full-page writes
+#wal_log_hints = off			# also do full page writes of non-critical updates
+					# (change requires restart)
+#wal_init_zero = on			# zero-fill new WAL files
+#wal_recycle = on			# recycle WAL files
+#wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers
+					# (change requires restart)
+#wal_writer_delay = 200ms		# 1-10000 milliseconds
+#wal_writer_flush_after = 1MB		# measured in pages, 0 disables
+
+#commit_delay = 0			# range 0-100000, in microseconds
+#commit_siblings = 5			# range 1-1000
+
+# - Checkpoints -
+
+#checkpoint_timeout = 5min		# range 30s-1d
+#max_wal_size = 1GB
+#min_wal_size = 80MB
+#checkpoint_completion_target = 0.5	# checkpoint target duration, 0.0 - 1.0
+#checkpoint_flush_after = 0		# measured in pages, 0 disables
+#checkpoint_warning = 30s		# 0 disables
+
+# - Archiving -
+
+#archive_mode = off		# enables archiving; off, on, or always
+				# (change requires restart)
+#archive_command = ''		# command to use to archive a logfile segment
+				# placeholders: %p = path of file to archive
+				#               %f = file name only
+				# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
+#archive_timeout = 0		# force a logfile segment switch after this
+				# number of seconds; 0 disables
+
+# - Archive Recovery -
+
+# These are only used in recovery mode.
+
+#restore_command = ''		# command to use to restore an archived logfile segment
+				# placeholders: %p = path of file to restore
+				#               %f = file name only
+				# e.g. 'cp /mnt/server/archivedir/%f %p'
+				# (change requires restart)
+#archive_cleanup_command = ''	# command to execute at every restartpoint
+#recovery_end_command = ''	# command to execute at completion of recovery
+
+# - Recovery Target -
+
+# Set these only when performing a targeted recovery.
+
+#recovery_target = ''		# 'immediate' to end recovery as soon as a
+                                # consistent state is reached
+				# (change requires restart)
+#recovery_target_name = ''	# the named restore point to which recovery will proceed
+				# (change requires restart)
+#recovery_target_time = ''	# the time stamp up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_xid = ''	# the transaction ID up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_lsn = ''	# the WAL LSN up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_inclusive = on # Specifies whether to stop:
+				# just after the specified recovery target (on)
+				# just before the recovery target (off)
+				# (change requires restart)
+#recovery_target_timeline = 'latest'	# 'current', 'latest', or timeline ID
+				# (change requires restart)
+#recovery_target_action = 'pause'	# 'pause', 'promote', 'shutdown'
+				# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# REPLICATION
+#------------------------------------------------------------------------------
+
+# - Sending Servers -
+
+# Set these on the master and on any standby that will send replication data.
+
+#max_wal_senders = 10		# max number of walsender processes
+				# (change requires restart)
+#wal_keep_segments = 0		# in logfile segments; 0 disables
+#wal_sender_timeout = 60s	# in milliseconds; 0 disables
+
+#max_replication_slots = 10	# max number of replication slots
+				# (change requires restart)
+#track_commit_timestamp = off	# collect timestamp of transaction commit
+				# (change requires restart)
+
+# - Master Server -
+
+# These settings are ignored on a standby server.
+
+#synchronous_standby_names = ''	# standby servers that provide sync rep
+				# method to choose sync standbys, number of sync standbys,
+				# and comma-separated list of application_name
+				# from standby(s); '*' = all
+#vacuum_defer_cleanup_age = 0	# number of xacts by which cleanup is delayed
+
+# - Standby Servers -
+
+# These settings are ignored on a master server.
+
+#primary_conninfo = ''			# connection string to sending server
+					# (change requires restart)
+#primary_slot_name = ''			# replication slot on sending server
+					# (change requires restart)
+#promote_trigger_file = ''		# file name whose presence ends recovery
+#hot_standby = on			# "off" disallows queries during recovery
+					# (change requires restart)
+#max_standby_archive_delay = 30s	# max delay before canceling queries
+					# when reading WAL from archive;
+					# -1 allows indefinite delay
+#max_standby_streaming_delay = 30s	# max delay before canceling queries
+					# when reading streaming WAL;
+					# -1 allows indefinite delay
+#wal_receiver_status_interval = 10s	# send replies at least this often
+					# 0 disables
+#hot_standby_feedback = off		# send info from standby to prevent
+					# query conflicts
+#wal_receiver_timeout = 60s		# time that receiver waits for
+					# communication from master
+					# in milliseconds; 0 disables
+#wal_retrieve_retry_interval = 5s	# time to wait before retrying to
+					# retrieve WAL after a failed attempt
+#recovery_min_apply_delay = 0		# minimum delay for applying changes during recovery
+
+# - Subscribers -
+
+# These settings are ignored on a publisher.
+
+#max_logical_replication_workers = 4	# taken from max_worker_processes
+					# (change requires restart)
+#max_sync_workers_per_subscription = 2	# taken from max_logical_replication_workers
+
+
+#------------------------------------------------------------------------------
+# QUERY TUNING
+#------------------------------------------------------------------------------
+
+# - Planner Method Configuration -
+
+#enable_bitmapscan = on
+#enable_hashagg = on
+#enable_hashjoin = on
+#enable_indexscan = on
+#enable_indexonlyscan = on
+#enable_material = on
+#enable_mergejoin = on
+#enable_nestloop = on
+#enable_parallel_append = on
+#enable_seqscan = on
+#enable_sort = on
+#enable_tidscan = on
+#enable_partitionwise_join = off
+#enable_partitionwise_aggregate = off
+#enable_parallel_hash = on
+#enable_partition_pruning = on
+
+# - Planner Cost Constants -
+
+#seq_page_cost = 1.0			# measured on an arbitrary scale
+#random_page_cost = 4.0			# same scale as above
+#cpu_tuple_cost = 0.01			# same scale as above
+#cpu_index_tuple_cost = 0.005		# same scale as above
+#cpu_operator_cost = 0.0025		# same scale as above
+#parallel_tuple_cost = 0.1		# same scale as above
+#parallel_setup_cost = 1000.0	# same scale as above
+
+#jit_above_cost = 100000		# perform JIT compilation if available
+					# and query more expensive than this;
+					# -1 disables
+#jit_inline_above_cost = 500000		# inline small functions if query is
+					# more expensive than this; -1 disables
+#jit_optimize_above_cost = 500000	# use expensive JIT optimizations if
+					# query is more expensive than this;
+					# -1 disables
+
+#min_parallel_table_scan_size = 8MB
+#min_parallel_index_scan_size = 512kB
+#effective_cache_size = 4GB
+
+# - Genetic Query Optimizer -
+
+#geqo = on
+#geqo_threshold = 12
+#geqo_effort = 5			# range 1-10
+#geqo_pool_size = 0			# selects default based on effort
+#geqo_generations = 0			# selects default based on effort
+#geqo_selection_bias = 2.0		# range 1.5-2.0
+#geqo_seed = 0.0			# range 0.0-1.0
+
+# - Other Planner Options -
+
+#default_statistics_target = 100	# range 1-10000
+#constraint_exclusion = partition	# on, off, or partition
+#cursor_tuple_fraction = 0.1		# range 0.0-1.0
+#from_collapse_limit = 8
+#join_collapse_limit = 8		# 1 disables collapsing of explicit
+					# JOIN clauses
+#force_parallel_mode = off
+#jit = on				# allow JIT compilation
+#plan_cache_mode = auto			# auto, force_generic_plan or
+					# force_custom_plan
+
+
+#------------------------------------------------------------------------------
+# REPORTING AND LOGGING
+#------------------------------------------------------------------------------
+
+# - Where to Log -
+
+#log_destination = 'stderr'		# Valid values are combinations of
+					# stderr, csvlog, syslog, and eventlog,
+					# depending on platform.  csvlog
+					# requires logging_collector to be on.
+
+# This is used when logging to stderr:
+#logging_collector = off		# Enable capturing of stderr and csvlog
+					# into log files. Required to be on for
+					# csvlogs.
+					# (change requires restart)
+
+# These are only used if logging_collector is on:
+#log_directory = 'log'			# directory where log files are written,
+					# can be absolute or relative to PGDATA
+#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'	# log file name pattern,
+					# can include strftime() escapes
+#log_file_mode = 0600			# creation mode for log files,
+					# begin with 0 to use octal notation
+#log_truncate_on_rotation = off		# If on, an existing log file with the
+					# same name as the new log file will be
+					# truncated rather than appended to.
+					# But such truncation only occurs on
+					# time-driven rotation, not on restarts
+					# or size-driven rotation.  Default is
+					# off, meaning append to existing files
+					# in all cases.
+#log_rotation_age = 1d			# Automatic rotation of logfiles will
+					# happen after that time.  0 disables.
+#log_rotation_size = 10MB		# Automatic rotation of logfiles will
+					# happen after that much log output.
+					# 0 disables.
+
+# These are relevant when logging to syslog:
+#syslog_facility = 'LOCAL0'
+#syslog_ident = 'postgres'
+#syslog_sequence_numbers = on
+#syslog_split_messages = on
+
+# This is only relevant when logging to eventlog (win32):
+# (change requires restart)
+#event_source = 'PostgreSQL'
+
+# - When to Log -
+
+#log_min_messages = warning		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic
+
+#log_min_error_statement = error	# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic (effectively off)
+
+#log_min_duration_statement = -1	# -1 is disabled, 0 logs all statements
+					# and their durations, > 0 logs only
+					# statements running at least this number
+					# of milliseconds
+
+#log_transaction_sample_rate = 0.0	# Fraction of transactions whose statements
+					# are logged regardless of their duration. 1.0 logs all
+					# statements from all transactions, 0.0 never logs.
+
+# - What to Log -
+
+#debug_print_parse = off
+#debug_print_rewritten = off
+#debug_print_plan = off
+#debug_pretty_print = on
+#log_checkpoints = off
+#log_connections = off
+#log_disconnections = off
+#log_duration = off
+#log_error_verbosity = default		# terse, default, or verbose messages
+#log_hostname = off
+#log_line_prefix = '%m [%p] '		# special values:
+					#   %a = application name
+					#   %u = user name
+					#   %d = database name
+					#   %r = remote host and port
+					#   %h = remote host
+					#   %p = process ID
+					#   %t = timestamp without milliseconds
+					#   %m = timestamp with milliseconds
+					#   %n = timestamp with milliseconds (as a Unix epoch)
+					#   %i = command tag
+					#   %e = SQL state
+					#   %c = session ID
+					#   %l = session line number
+					#   %s = session start timestamp
+					#   %v = virtual transaction ID
+					#   %x = transaction ID (0 if none)
+					#   %q = stop here in non-session
+					#        processes
+					#   %% = '%'
+					# e.g. '<%u%%%d> '
+#log_lock_waits = off			# log lock waits >= deadlock_timeout
+#log_statement = 'none'			# none, ddl, mod, all
+#log_replication_commands = off
+#log_temp_files = -1			# log temporary files equal or larger
+					# than the specified size in kilobytes;
+					# -1 disables, 0 logs all temp files
+#log_timezone = 'GMT'
+
+#------------------------------------------------------------------------------
+# PROCESS TITLE
+#------------------------------------------------------------------------------
+
+#cluster_name = ''			# added to process titles if nonempty
+					# (change requires restart)
+#update_process_title = on
+
+
+#------------------------------------------------------------------------------
+# STATISTICS
+#------------------------------------------------------------------------------
+
+# - Query and Index Statistics Collector -
+
+#track_activities = on
+#track_counts = on
+#track_io_timing = off
+#track_functions = none			# none, pl, all
+#track_activity_query_size = 1024	# (change requires restart)
+#stats_temp_directory = 'pg_stat_tmp'
+
+
+# - Monitoring -
+
+#log_parser_stats = off
+#log_planner_stats = off
+#log_executor_stats = off
+#log_statement_stats = off
+
+
+#------------------------------------------------------------------------------
+# AUTOVACUUM
+#------------------------------------------------------------------------------
+
+#autovacuum = on			# Enable autovacuum subprocess?  'on'
+					# requires track_counts to also be on.
+#log_autovacuum_min_duration = -1	# -1 disables, 0 logs all actions and
+					# their durations, > 0 logs only
+					# actions running at least this number
+					# of milliseconds.
+#autovacuum_max_workers = 3		# max number of autovacuum subprocesses
+					# (change requires restart)
+#autovacuum_naptime = 1min		# time between autovacuum runs
+#autovacuum_vacuum_threshold = 50	# min number of row updates before
+					# vacuum
+#autovacuum_analyze_threshold = 50	# min number of row updates before
+					# analyze
+#autovacuum_vacuum_scale_factor = 0.2	# fraction of table size before vacuum
+#autovacuum_analyze_scale_factor = 0.1	# fraction of table size before analyze
+#autovacuum_freeze_max_age = 200000000	# maximum XID age before forced vacuum
+					# (change requires restart)
+#autovacuum_multixact_freeze_max_age = 400000000	# maximum multixact age
+					# before forced vacuum
+					# (change requires restart)
+#autovacuum_vacuum_cost_delay = 2ms	# default vacuum cost delay for
+					# autovacuum, in milliseconds;
+					# -1 means use vacuum_cost_delay
+#autovacuum_vacuum_cost_limit = -1	# default vacuum cost limit for
+					# autovacuum, -1 means use
+					# vacuum_cost_limit
+
+
+#------------------------------------------------------------------------------
+# CLIENT CONNECTION DEFAULTS
+#------------------------------------------------------------------------------
+
+# - Statement Behavior -
+
+#client_min_messages = notice		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   log
+					#   notice
+					#   warning
+					#   error
+#search_path = '"$user", public'	# schema names
+#row_security = on
+#default_tablespace = ''		# a tablespace name, '' uses the default
+#temp_tablespaces = ''			# a list of tablespace names, '' uses
+					# only default tablespace
+#default_table_access_method = 'heap'
+#check_function_bodies = on
+#default_transaction_isolation = 'read committed'
+#default_transaction_read_only = off
+#default_transaction_deferrable = off
+#session_replication_role = 'origin'
+#statement_timeout = 0			# in milliseconds, 0 is disabled
+#lock_timeout = 0			# in milliseconds, 0 is disabled
+#idle_in_transaction_session_timeout = 0	# in milliseconds, 0 is disabled
+#vacuum_freeze_min_age = 50000000
+#vacuum_freeze_table_age = 150000000
+#vacuum_multixact_freeze_min_age = 5000000
+#vacuum_multixact_freeze_table_age = 150000000
+#vacuum_cleanup_index_scale_factor = 0.1	# fraction of total number of tuples
+						# before index cleanup, 0 always performs
+						# index cleanup
+#bytea_output = 'hex'			# hex, escape
+#xmlbinary = 'base64'
+#xmloption = 'content'
+#gin_fuzzy_search_limit = 0
+#gin_pending_list_limit = 4MB
+
+# - Locale and Formatting -
+
+#datestyle = 'iso, mdy'
+#intervalstyle = 'postgres'
+#timezone = 'GMT'
+#timezone_abbreviations = 'Default'     # Select the set of available time zone
+					# abbreviations.  Currently, there are
+					#   Default
+					#   Australia (historical usage)
+					#   India
+					# You can create your own file in
+					# share/timezonesets/.
+#extra_float_digits = 1			# min -15, max 3; any value >0 actually
+					# selects precise output mode
+#client_encoding = sql_ascii		# actually, defaults to database
+					# encoding
+
+# These settings are initialized by initdb, but they can be changed.
+#lc_messages = 'C'			# locale for system error message
+					# strings
+#lc_monetary = 'C'			# locale for monetary formatting
+#lc_numeric = 'C'			# locale for number formatting
+#lc_time = 'C'				# locale for time formatting
+
+# default configuration for text search
+#default_text_search_config = 'pg_catalog.simple'
+
+# - Shared Library Preloading -
+
+#shared_preload_libraries = ''	# (change requires restart)
+#local_preload_libraries = ''
+#session_preload_libraries = ''
+#jit_provider = 'llvmjit'		# JIT library to use
+
+# - Other Defaults -
+
+#dynamic_library_path = '$libdir'
+
+
+#------------------------------------------------------------------------------
+# LOCK MANAGEMENT
+#------------------------------------------------------------------------------
+
+#deadlock_timeout = 1s
+#max_locks_per_transaction = 64		# min 10
+					# (change requires restart)
+#max_pred_locks_per_transaction = 64	# min 10
+					# (change requires restart)
+#max_pred_locks_per_relation = -2	# negative values mean
+					# (max_pred_locks_per_transaction
+					#  / -max_pred_locks_per_relation) - 1
+#max_pred_locks_per_page = 2            # min 0
+
+
+#------------------------------------------------------------------------------
+# VERSION AND PLATFORM COMPATIBILITY
+#------------------------------------------------------------------------------
+
+# - Previous PostgreSQL Versions -
+
+#array_nulls = on
+#backslash_quote = safe_encoding	# on, off, or safe_encoding
+#escape_string_warning = on
+#lo_compat_privileges = off
+#operator_precedence_warning = off
+#quote_all_identifiers = off
+#standard_conforming_strings = on
+#synchronize_seqscans = on
+
+# - Other Platforms and Clients -
+
+#transform_null_equals = off
+
+
+#------------------------------------------------------------------------------
+# ERROR HANDLING
+#------------------------------------------------------------------------------
+
+#exit_on_error = off			# terminate session on any error?
+#restart_after_crash = on		# reinitialize after backend crash?
+#data_sync_retry = off			# retry or panic on failure to fsync
+					# data?
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONFIG FILE INCLUDES
+#------------------------------------------------------------------------------
+
+# These options allow settings to be loaded from files other than the
+# default postgresql.conf.  Note that these are directives, not variable
+# assignments, so they can usefully be given more than once.
+
+#include_dir = '...'			# include files ending in '.conf' from
+					# a directory, e.g., 'conf.d'
+#include_if_exists = '...'		# include file only if it exists
+#include = '...'			# include file
+
+
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
+# Add settings for extensions here

molecule/quarkus_ha_26.4_below/prepare.yml

@@ -0,0 +1,48 @@
+---
+- name: Prepare
+  hosts: keycloak
+  vars_files:
+    - ../group_vars/all/vars.yml
+  tasks:
+    - name: "Display hera_home if defined."
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: "Ensure common prepare phase are set."
+      ansible.builtin.include_tasks: ../prepare.yml
+
+    - name: Create certificate request
+      ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
+      args:
+        chdir: "{{ playbook_dir }}"
+      delegate_to: localhost
+      changed_when: False
+
+    - name: Create vault directory
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
+      ansible.builtin.file:
+        state: directory
+        path: "/opt/keycloak/vault"
+        mode: 0755
+
+    - name: Make sure a jre is available (for keytool to prepare keystore)
+      delegate_to: localhost
+      ansible.builtin.package:
+        name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
+        state: present
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
+      failed_when: false
+
+    - name: Create vault keystore
+      ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
+      delegate_to: localhost
+      register: keytool_cmd
+      changed_when: False
+      failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
+
+    - name: Copy certificates and vault
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
+      ansible.builtin.copy:
+        src: keystore.p12
+        dest: /opt/keycloak/vault/keystore.p12
+        mode: 0444

molecule/quarkus_ha_26.4_below/roles

@@ -0,0 +1 @@
+../../roles

molecule/quarkus_ha_26.4_below/verify.yml

@@ -0,0 +1,31 @@
+---
+- name: Verify
+  hosts: keycloak
+  vars_files:
+    - ../group_vars/all/vars.yml
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+        fail_msg: "Service not running"
+
+    - name: Set internal envvar
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: Check log file
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
+      ansible.builtin.stat:
+        path: /var/log/keycloak/keycloak.log
+      register: keycloak_log_file
+
+    - name: Check if keycloak file exists
+      ansible.builtin.assert:
+        that:
+          - keycloak_log_file.stat.exists
+          - not keycloak_log_file.stat.isdir

molecule/quarkus_ha_remote/converge.yml

@@ -0,0 +1,70 @@
+---
+- name: Converge
+  hosts: infinispan
+  vars_files:
+    - ../group_vars/all/vars.yml
+  vars:
+    ansible_become: "{{ keycloak_install_requires_become | default(true) }}"
+  roles:
+    - role: middleware_automation.infinispan.infinispan
+      infinispan_service_name: infinispan
+      infinispan_supervisor_password: remembertochangeme
+      infinispan_keycloak_caches: true
+      infinispan_keycloak_persistence: False
+      infinispan_jgroups_discovery: TCPPING
+      infinispan_jdbc_engine: postgres
+      infinispan_jdbc_url: jdbc:postgresql://postgres:5432/keycloak
+      infinispan_jdbc_driver_version: 9.4.1212
+      infinispan_jdbc_user: keycloak
+      infinispan_jdbc_pass: mysecretpass
+      infinispan_bind_address: 0.0.0.0
+      infinispan_users:
+        - { name: 'testuser', password: 'test', roles: 'observer' }
+
+- name: Converge
+  hosts: keycloak
+  vars_files:
+    - ../group_vars/all/vars.yml
+  pre_tasks:
+    - name: Wait for Infinispan Hot Rod port before starting Keycloak
+      ansible.builtin.wait_for:
+        host: infinispan1
+        port: 11222
+        timeout: 120
+  vars:
+    keycloak_quarkus_show_deprecation_warnings: false
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_user: "remembertochangeme"
+    keycloak_quarkus_hostname: "http://{{ inventory_hostname }}:8080"
+    keycloak_quarkus_log: file
+    keycloak_quarkus_log_level: info
+    keycloak_quarkus_https_key_file_enabled: true
+    keycloak_quarkus_key_file_copy_enabled: true
+    keycloak_quarkus_key_content: "{{ lookup('file', inventory_hostname + '.key') }}"
+    keycloak_quarkus_cert_file_copy_enabled: true
+    keycloak_quarkus_cert_file_src: "{{ inventory_hostname }}.pem"
+    keycloak_quarkus_ks_vault_enabled: true
+    keycloak_quarkus_ks_vault_file: "/opt/keycloak/vault/keystore.p12"
+    keycloak_quarkus_ks_vault_pass: keystorepassword
+    keycloak_quarkus_systemd_wait_for_port: true
+    keycloak_quarkus_systemd_wait_for_timeout: 120
+    keycloak_quarkus_systemd_wait_for_delay: 2
+    keycloak_quarkus_systemd_wait_for_log: true
+    keycloak_quarkus_ha_enabled: true
+    keycloak_quarkus_restart_strategy: restart/serial.yml
+    keycloak_quarkus_db_user: keycloak
+    keycloak_quarkus_db_pass: mysecretpass
+    keycloak_quarkus_db_url: jdbc:postgresql://postgres:5432/keycloak
+    keycloak_quarkus_cache_remote: true
+    keycloak_quarkus_cache_remote_username: supervisor
+    keycloak_quarkus_cache_remote_password: remembertochangeme
+    keycloak_quarkus_cache_remote_host: "infinispan1"
+    keycloak_quarkus_cache_remote_port: 11222
+    keycloak_quarkus_cache_remote_tls_enabled: false
+    keycloak_quarkus_additional_env_vars:
+      - key: KC_FEATURES
+        value: clusterless
+      - key: KC_FEATURES_DISABLED
+        value: persistent-user-sessions
+  roles:
+    - role: keycloak_quarkus

molecule/quarkus_ha_remote/molecule.yml

@@ -0,0 +1,80 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: keycloak1
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    groups:
+      - keycloak
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "8080/tcp"
+      - "8443/tcp"
+      - "9000/tcp"
+  - name: infinispan1
+    image: registry.access.redhat.com/ubi9/ubi-init:latest
+    pre_build_image: true
+    privileged: true
+    command: "/usr/sbin/init"
+    groups:
+      - infinispan
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "11222/tcp"
+  - name: postgres
+    image: ubuntu/postgres:14-22.04_beta
+    pre_build_image: true
+    privileged: true
+    command: postgres
+    groups:
+      - database
+    networks:
+      - name: rhbk
+    port_bindings:
+      - "5432/tcp"
+    mounts:
+      - type: bind
+        target: /etc/postgresql/postgresql.conf
+        source: ${MOLECULE_PROJECT_DIRECTORY}/molecule/quarkus_ha_remote/postgresql/postgresql.conf
+    env:
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: mysecretpass
+      POSTGRES_DB: keycloak
+      POSTGRES_HOST_AUTH_METHOD: trust
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+    ssh_connection:
+      pipelining: false
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    host_vars:
+      localhost:
+        ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+    PYTHONHTTPSVERIFY: 0
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy

molecule/quarkus_ha_remote/postgresql/postgresql.conf

@@ -0,0 +1,750 @@
+# -----------------------------
+# PostgreSQL configuration file
+# -----------------------------
+#
+# This file consists of lines of the form:
+#
+#   name = value
+#
+# (The "=" is optional.)  Whitespace may be used.  Comments are introduced with
+# "#" anywhere on a line.  The complete list of parameter names and allowed
+# values can be found in the PostgreSQL documentation.
+#
+# The commented-out settings shown in this file represent the default values.
+# Re-commenting a setting is NOT sufficient to revert it to the default value;
+# you need to reload the server.
+#
+# This file is read on server startup and when the server receives a SIGHUP
+# signal.  If you edit the file on a running system, you have to SIGHUP the
+# server for the changes to take effect, run "pg_ctl reload", or execute
+# "SELECT pg_reload_conf()".  Some parameters, which are marked below,
+# require a server shutdown and restart to take effect.
+#
+# Any parameter can also be given as a command-line option to the server, e.g.,
+# "postgres -c log_connections=on".  Some parameters can be changed at run time
+# with the "SET" SQL command.
+#
+# Memory units:  kB = kilobytes        Time units:  ms  = milliseconds
+#                MB = megabytes                     s   = seconds
+#                GB = gigabytes                     min = minutes
+#                TB = terabytes                     h   = hours
+#                                                   d   = days
+
+
+#------------------------------------------------------------------------------
+# FILE LOCATIONS
+#------------------------------------------------------------------------------
+
+# The default values of these variables are driven from the -D command-line
+# option or PGDATA environment variable, represented here as ConfigDir.
+
+#data_directory = 'ConfigDir'		# use data in another directory
+					# (change requires restart)
+#hba_file = 'ConfigDir/pg_hba.conf'	# host-based authentication file
+					# (change requires restart)
+#ident_file = 'ConfigDir/pg_ident.conf'	# ident configuration file
+					# (change requires restart)
+
+# If external_pid_file is not explicitly set, no extra PID file is written.
+#external_pid_file = ''			# write an extra PID file
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONNECTIONS AND AUTHENTICATION
+#------------------------------------------------------------------------------
+
+# - Connection Settings -
+
+listen_addresses = '*'		# what IP address(es) to listen on;
+					# comma-separated list of addresses;
+					# defaults to 'localhost'; use '*' for all
+					# (change requires restart)
+#port = 5432				# (change requires restart)
+#max_connections = 100			# (change requires restart)
+#superuser_reserved_connections = 3	# (change requires restart)
+#unix_socket_directories = '/tmp'	# comma-separated list of directories
+					# (change requires restart)
+#unix_socket_group = ''			# (change requires restart)
+#unix_socket_permissions = 0777		# begin with 0 to use octal notation
+					# (change requires restart)
+#bonjour = off				# advertise server via Bonjour
+					# (change requires restart)
+#bonjour_name = ''			# defaults to the computer name
+					# (change requires restart)
+
+# - TCP settings -
+# see "man 7 tcp" for details
+
+#tcp_keepalives_idle = 0		# TCP_KEEPIDLE, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_interval = 0		# TCP_KEEPINTVL, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_count = 0		# TCP_KEEPCNT;
+					# 0 selects the system default
+#tcp_user_timeout = 0			# TCP_USER_TIMEOUT, in milliseconds;
+					# 0 selects the system default
+
+# - Authentication -
+
+#authentication_timeout = 1min		# 1s-600s
+#password_encryption = md5		# md5 or scram-sha-256
+#db_user_namespace = off
+
+# GSSAPI using Kerberos
+#krb_server_keyfile = ''
+#krb_caseins_users = off
+
+# - SSL -
+
+#ssl = off
+#ssl_ca_file = ''
+#ssl_cert_file = 'server.crt'
+#ssl_crl_file = ''
+#ssl_key_file = 'server.key'
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+#ssl_prefer_server_ciphers = on
+#ssl_ecdh_curve = 'prime256v1'
+#ssl_min_protocol_version = 'TLSv1'
+#ssl_max_protocol_version = ''
+#ssl_dh_params_file = ''
+#ssl_passphrase_command = ''
+#ssl_passphrase_command_supports_reload = off
+
+
+#------------------------------------------------------------------------------
+# RESOURCE USAGE (except WAL)
+#------------------------------------------------------------------------------
+
+# - Memory -
+
+#shared_buffers = 32MB			# min 128kB
+					# (change requires restart)
+#huge_pages = try			# on, off, or try
+					# (change requires restart)
+#temp_buffers = 8MB			# min 800kB
+#max_prepared_transactions = 0		# zero disables the feature
+					# (change requires restart)
+# Caution: it is not advisable to set max_prepared_transactions nonzero unless
+# you actively intend to use prepared transactions.
+#work_mem = 4MB				# min 64kB
+#maintenance_work_mem = 64MB		# min 1MB
+#autovacuum_work_mem = -1		# min 1MB, or -1 to use maintenance_work_mem
+#max_stack_depth = 2MB			# min 100kB
+#shared_memory_type = mmap		# the default is the first option
+					# supported by the operating system:
+					#   mmap
+					#   sysv
+					#   windows
+					# (change requires restart)
+#dynamic_shared_memory_type = posix	# the default is the first option
+					# supported by the operating system:
+					#   posix
+					#   sysv
+					#   windows
+					#   mmap
+					# (change requires restart)
+
+# - Disk -
+
+#temp_file_limit = -1			# limits per-process temp file space
+					# in kB, or -1 for no limit
+
+# - Kernel Resources -
+
+#max_files_per_process = 1000		# min 25
+					# (change requires restart)
+
+# - Cost-Based Vacuum Delay -
+
+#vacuum_cost_delay = 0			# 0-100 milliseconds (0 disables)
+#vacuum_cost_page_hit = 1		# 0-10000 credits
+#vacuum_cost_page_miss = 10		# 0-10000 credits
+#vacuum_cost_page_dirty = 20		# 0-10000 credits
+#vacuum_cost_limit = 200		# 1-10000 credits
+
+# - Background Writer -
+
+#bgwriter_delay = 200ms			# 10-10000ms between rounds
+#bgwriter_lru_maxpages = 100		# max buffers written/round, 0 disables
+#bgwriter_lru_multiplier = 2.0		# 0-10.0 multiplier on buffers scanned/round
+#bgwriter_flush_after = 0		# measured in pages, 0 disables
+
+# - Asynchronous Behavior -
+
+#effective_io_concurrency = 1		# 1-1000; 0 disables prefetching
+#max_worker_processes = 8		# (change requires restart)
+#max_parallel_maintenance_workers = 2	# taken from max_parallel_workers
+#max_parallel_workers_per_gather = 2	# taken from max_parallel_workers
+#parallel_leader_participation = on
+#max_parallel_workers = 8		# maximum number of max_worker_processes that
+					# can be used in parallel operations
+#old_snapshot_threshold = -1		# 1min-60d; -1 disables; 0 is immediate
+					# (change requires restart)
+#backend_flush_after = 0		# measured in pages, 0 disables
+
+
+#------------------------------------------------------------------------------
+# WRITE-AHEAD LOG
+#------------------------------------------------------------------------------
+
+# - Settings -
+
+#wal_level = replica			# minimal, replica, or logical
+					# (change requires restart)
+#fsync = on				# flush data to disk for crash safety
+					# (turning this off can cause
+					# unrecoverable data corruption)
+#synchronous_commit = on		# synchronization level;
+					# off, local, remote_write, remote_apply, or on
+#wal_sync_method = fsync		# the default is the first option
+					# supported by the operating system:
+					#   open_datasync
+					#   fdatasync (default on Linux)
+					#   fsync
+					#   fsync_writethrough
+					#   open_sync
+#full_page_writes = on			# recover from partial page writes
+#wal_compression = off			# enable compression of full-page writes
+#wal_log_hints = off			# also do full page writes of non-critical updates
+					# (change requires restart)
+#wal_init_zero = on			# zero-fill new WAL files
+#wal_recycle = on			# recycle WAL files
+#wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers
+					# (change requires restart)
+#wal_writer_delay = 200ms		# 1-10000 milliseconds
+#wal_writer_flush_after = 1MB		# measured in pages, 0 disables
+
+#commit_delay = 0			# range 0-100000, in microseconds
+#commit_siblings = 5			# range 1-1000
+
+# - Checkpoints -
+
+#checkpoint_timeout = 5min		# range 30s-1d
+#max_wal_size = 1GB
+#min_wal_size = 80MB
+#checkpoint_completion_target = 0.5	# checkpoint target duration, 0.0 - 1.0
+#checkpoint_flush_after = 0		# measured in pages, 0 disables
+#checkpoint_warning = 30s		# 0 disables
+
+# - Archiving -
+
+#archive_mode = off		# enables archiving; off, on, or always
+				# (change requires restart)
+#archive_command = ''		# command to use to archive a logfile segment
+				# placeholders: %p = path of file to archive
+				#               %f = file name only
+				# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
+#archive_timeout = 0		# force a logfile segment switch after this
+				# number of seconds; 0 disables
+
+# - Archive Recovery -
+
+# These are only used in recovery mode.
+
+#restore_command = ''		# command to use to restore an archived logfile segment
+				# placeholders: %p = path of file to restore
+				#               %f = file name only
+				# e.g. 'cp /mnt/server/archivedir/%f %p'
+				# (change requires restart)
+#archive_cleanup_command = ''	# command to execute at every restartpoint
+#recovery_end_command = ''	# command to execute at completion of recovery
+
+# - Recovery Target -
+
+# Set these only when performing a targeted recovery.
+
+#recovery_target = ''		# 'immediate' to end recovery as soon as a
+                                # consistent state is reached
+				# (change requires restart)
+#recovery_target_name = ''	# the named restore point to which recovery will proceed
+				# (change requires restart)
+#recovery_target_time = ''	# the time stamp up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_xid = ''	# the transaction ID up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_lsn = ''	# the WAL LSN up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_inclusive = on # Specifies whether to stop:
+				# just after the specified recovery target (on)
+				# just before the recovery target (off)
+				# (change requires restart)
+#recovery_target_timeline = 'latest'	# 'current', 'latest', or timeline ID
+				# (change requires restart)
+#recovery_target_action = 'pause'	# 'pause', 'promote', 'shutdown'
+				# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# REPLICATION
+#------------------------------------------------------------------------------
+
+# - Sending Servers -
+
+# Set these on the master and on any standby that will send replication data.
+
+#max_wal_senders = 10		# max number of walsender processes
+				# (change requires restart)
+#wal_keep_segments = 0		# in logfile segments; 0 disables
+#wal_sender_timeout = 60s	# in milliseconds; 0 disables
+
+#max_replication_slots = 10	# max number of replication slots
+				# (change requires restart)
+#track_commit_timestamp = off	# collect timestamp of transaction commit
+				# (change requires restart)
+
+# - Master Server -
+
+# These settings are ignored on a standby server.
+
+#synchronous_standby_names = ''	# standby servers that provide sync rep
+				# method to choose sync standbys, number of sync standbys,
+				# and comma-separated list of application_name
+				# from standby(s); '*' = all
+#vacuum_defer_cleanup_age = 0	# number of xacts by which cleanup is delayed
+
+# - Standby Servers -
+
+# These settings are ignored on a master server.
+
+#primary_conninfo = ''			# connection string to sending server
+					# (change requires restart)
+#primary_slot_name = ''			# replication slot on sending server
+					# (change requires restart)
+#promote_trigger_file = ''		# file name whose presence ends recovery
+#hot_standby = on			# "off" disallows queries during recovery
+					# (change requires restart)
+#max_standby_archive_delay = 30s	# max delay before canceling queries
+					# when reading WAL from archive;
+					# -1 allows indefinite delay
+#max_standby_streaming_delay = 30s	# max delay before canceling queries
+					# when reading streaming WAL;
+					# -1 allows indefinite delay
+#wal_receiver_status_interval = 10s	# send replies at least this often
+					# 0 disables
+#hot_standby_feedback = off		# send info from standby to prevent
+					# query conflicts
+#wal_receiver_timeout = 60s		# time that receiver waits for
+					# communication from master
+					# in milliseconds; 0 disables
+#wal_retrieve_retry_interval = 5s	# time to wait before retrying to
+					# retrieve WAL after a failed attempt
+#recovery_min_apply_delay = 0		# minimum delay for applying changes during recovery
+
+# - Subscribers -
+
+# These settings are ignored on a publisher.
+
+#max_logical_replication_workers = 4	# taken from max_worker_processes
+					# (change requires restart)
+#max_sync_workers_per_subscription = 2	# taken from max_logical_replication_workers
+
+
+#------------------------------------------------------------------------------
+# QUERY TUNING
+#------------------------------------------------------------------------------
+
+# - Planner Method Configuration -
+
+#enable_bitmapscan = on
+#enable_hashagg = on
+#enable_hashjoin = on
+#enable_indexscan = on
+#enable_indexonlyscan = on
+#enable_material = on
+#enable_mergejoin = on
+#enable_nestloop = on
+#enable_parallel_append = on
+#enable_seqscan = on
+#enable_sort = on
+#enable_tidscan = on
+#enable_partitionwise_join = off
+#enable_partitionwise_aggregate = off
+#enable_parallel_hash = on
+#enable_partition_pruning = on
+
+# - Planner Cost Constants -
+
+#seq_page_cost = 1.0			# measured on an arbitrary scale
+#random_page_cost = 4.0			# same scale as above
+#cpu_tuple_cost = 0.01			# same scale as above
+#cpu_index_tuple_cost = 0.005		# same scale as above
+#cpu_operator_cost = 0.0025		# same scale as above
+#parallel_tuple_cost = 0.1		# same scale as above
+#parallel_setup_cost = 1000.0	# same scale as above
+
+#jit_above_cost = 100000		# perform JIT compilation if available
+					# and query more expensive than this;
+					# -1 disables
+#jit_inline_above_cost = 500000		# inline small functions if query is
+					# more expensive than this; -1 disables
+#jit_optimize_above_cost = 500000	# use expensive JIT optimizations if
+					# query is more expensive than this;
+					# -1 disables
+
+#min_parallel_table_scan_size = 8MB
+#min_parallel_index_scan_size = 512kB
+#effective_cache_size = 4GB
+
+# - Genetic Query Optimizer -
+
+#geqo = on
+#geqo_threshold = 12
+#geqo_effort = 5			# range 1-10
+#geqo_pool_size = 0			# selects default based on effort
+#geqo_generations = 0			# selects default based on effort
+#geqo_selection_bias = 2.0		# range 1.5-2.0
+#geqo_seed = 0.0			# range 0.0-1.0
+
+# - Other Planner Options -
+
+#default_statistics_target = 100	# range 1-10000
+#constraint_exclusion = partition	# on, off, or partition
+#cursor_tuple_fraction = 0.1		# range 0.0-1.0
+#from_collapse_limit = 8
+#join_collapse_limit = 8		# 1 disables collapsing of explicit
+					# JOIN clauses
+#force_parallel_mode = off
+#jit = on				# allow JIT compilation
+#plan_cache_mode = auto			# auto, force_generic_plan or
+					# force_custom_plan
+
+
+#------------------------------------------------------------------------------
+# REPORTING AND LOGGING
+#------------------------------------------------------------------------------
+
+# - Where to Log -
+
+#log_destination = 'stderr'		# Valid values are combinations of
+					# stderr, csvlog, syslog, and eventlog,
+					# depending on platform.  csvlog
+					# requires logging_collector to be on.
+
+# This is used when logging to stderr:
+#logging_collector = off		# Enable capturing of stderr and csvlog
+					# into log files. Required to be on for
+					# csvlogs.
+					# (change requires restart)
+
+# These are only used if logging_collector is on:
+#log_directory = 'log'			# directory where log files are written,
+					# can be absolute or relative to PGDATA
+#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'	# log file name pattern,
+					# can include strftime() escapes
+#log_file_mode = 0600			# creation mode for log files,
+					# begin with 0 to use octal notation
+#log_truncate_on_rotation = off		# If on, an existing log file with the
+					# same name as the new log file will be
+					# truncated rather than appended to.
+					# But such truncation only occurs on
+					# time-driven rotation, not on restarts
+					# or size-driven rotation.  Default is
+					# off, meaning append to existing files
+					# in all cases.
+#log_rotation_age = 1d			# Automatic rotation of logfiles will
+					# happen after that time.  0 disables.
+#log_rotation_size = 10MB		# Automatic rotation of logfiles will
+					# happen after that much log output.
+					# 0 disables.
+
+# These are relevant when logging to syslog:
+#syslog_facility = 'LOCAL0'
+#syslog_ident = 'postgres'
+#syslog_sequence_numbers = on
+#syslog_split_messages = on
+
+# This is only relevant when logging to eventlog (win32):
+# (change requires restart)
+#event_source = 'PostgreSQL'
+
+# - When to Log -
+
+#log_min_messages = warning		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic
+
+#log_min_error_statement = error	# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic (effectively off)
+
+#log_min_duration_statement = -1	# -1 is disabled, 0 logs all statements
+					# and their durations, > 0 logs only
+					# statements running at least this number
+					# of milliseconds
+
+#log_transaction_sample_rate = 0.0	# Fraction of transactions whose statements
+					# are logged regardless of their duration. 1.0 logs all
+					# statements from all transactions, 0.0 never logs.
+
+# - What to Log -
+
+#debug_print_parse = off
+#debug_print_rewritten = off
+#debug_print_plan = off
+#debug_pretty_print = on
+#log_checkpoints = off
+#log_connections = off
+#log_disconnections = off
+#log_duration = off
+#log_error_verbosity = default		# terse, default, or verbose messages
+#log_hostname = off
+#log_line_prefix = '%m [%p] '		# special values:
+					#   %a = application name
+					#   %u = user name
+					#   %d = database name
+					#   %r = remote host and port
+					#   %h = remote host
+					#   %p = process ID
+					#   %t = timestamp without milliseconds
+					#   %m = timestamp with milliseconds
+					#   %n = timestamp with milliseconds (as a Unix epoch)
+					#   %i = command tag
+					#   %e = SQL state
+					#   %c = session ID
+					#   %l = session line number
+					#   %s = session start timestamp
+					#   %v = virtual transaction ID
+					#   %x = transaction ID (0 if none)
+					#   %q = stop here in non-session
+					#        processes
+					#   %% = '%'
+					# e.g. '<%u%%%d> '
+#log_lock_waits = off			# log lock waits >= deadlock_timeout
+#log_statement = 'none'			# none, ddl, mod, all
+#log_replication_commands = off
+#log_temp_files = -1			# log temporary files equal or larger
+					# than the specified size in kilobytes;
+					# -1 disables, 0 logs all temp files
+#log_timezone = 'GMT'
+
+#------------------------------------------------------------------------------
+# PROCESS TITLE
+#------------------------------------------------------------------------------
+
+#cluster_name = ''			# added to process titles if nonempty
+					# (change requires restart)
+#update_process_title = on
+
+
+#------------------------------------------------------------------------------
+# STATISTICS
+#------------------------------------------------------------------------------
+
+# - Query and Index Statistics Collector -
+
+#track_activities = on
+#track_counts = on
+#track_io_timing = off
+#track_functions = none			# none, pl, all
+#track_activity_query_size = 1024	# (change requires restart)
+#stats_temp_directory = 'pg_stat_tmp'
+
+
+# - Monitoring -
+
+#log_parser_stats = off
+#log_planner_stats = off
+#log_executor_stats = off
+#log_statement_stats = off
+
+
+#------------------------------------------------------------------------------
+# AUTOVACUUM
+#------------------------------------------------------------------------------
+
+#autovacuum = on			# Enable autovacuum subprocess?  'on'
+					# requires track_counts to also be on.
+#log_autovacuum_min_duration = -1	# -1 disables, 0 logs all actions and
+					# their durations, > 0 logs only
+					# actions running at least this number
+					# of milliseconds.
+#autovacuum_max_workers = 3		# max number of autovacuum subprocesses
+					# (change requires restart)
+#autovacuum_naptime = 1min		# time between autovacuum runs
+#autovacuum_vacuum_threshold = 50	# min number of row updates before
+					# vacuum
+#autovacuum_analyze_threshold = 50	# min number of row updates before
+					# analyze
+#autovacuum_vacuum_scale_factor = 0.2	# fraction of table size before vacuum
+#autovacuum_analyze_scale_factor = 0.1	# fraction of table size before analyze
+#autovacuum_freeze_max_age = 200000000	# maximum XID age before forced vacuum
+					# (change requires restart)
+#autovacuum_multixact_freeze_max_age = 400000000	# maximum multixact age
+					# before forced vacuum
+					# (change requires restart)
+#autovacuum_vacuum_cost_delay = 2ms	# default vacuum cost delay for
+					# autovacuum, in milliseconds;
+					# -1 means use vacuum_cost_delay
+#autovacuum_vacuum_cost_limit = -1	# default vacuum cost limit for
+					# autovacuum, -1 means use
+					# vacuum_cost_limit
+
+
+#------------------------------------------------------------------------------
+# CLIENT CONNECTION DEFAULTS
+#------------------------------------------------------------------------------
+
+# - Statement Behavior -
+
+#client_min_messages = notice		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   log
+					#   notice
+					#   warning
+					#   error
+#search_path = '"$user", public'	# schema names
+#row_security = on
+#default_tablespace = ''		# a tablespace name, '' uses the default
+#temp_tablespaces = ''			# a list of tablespace names, '' uses
+					# only default tablespace
+#default_table_access_method = 'heap'
+#check_function_bodies = on
+#default_transaction_isolation = 'read committed'
+#default_transaction_read_only = off
+#default_transaction_deferrable = off
+#session_replication_role = 'origin'
+#statement_timeout = 0			# in milliseconds, 0 is disabled
+#lock_timeout = 0			# in milliseconds, 0 is disabled
+#idle_in_transaction_session_timeout = 0	# in milliseconds, 0 is disabled
+#vacuum_freeze_min_age = 50000000
+#vacuum_freeze_table_age = 150000000
+#vacuum_multixact_freeze_min_age = 5000000
+#vacuum_multixact_freeze_table_age = 150000000
+#vacuum_cleanup_index_scale_factor = 0.1	# fraction of total number of tuples
+						# before index cleanup, 0 always performs
+						# index cleanup
+#bytea_output = 'hex'			# hex, escape
+#xmlbinary = 'base64'
+#xmloption = 'content'
+#gin_fuzzy_search_limit = 0
+#gin_pending_list_limit = 4MB
+
+# - Locale and Formatting -
+
+#datestyle = 'iso, mdy'
+#intervalstyle = 'postgres'
+#timezone = 'GMT'
+#timezone_abbreviations = 'Default'     # Select the set of available time zone
+					# abbreviations.  Currently, there are
+					#   Default
+					#   Australia (historical usage)
+					#   India
+					# You can create your own file in
+					# share/timezonesets/.
+#extra_float_digits = 1			# min -15, max 3; any value >0 actually
+					# selects precise output mode
+#client_encoding = sql_ascii		# actually, defaults to database
+					# encoding
+
+# These settings are initialized by initdb, but they can be changed.
+#lc_messages = 'C'			# locale for system error message
+					# strings
+#lc_monetary = 'C'			# locale for monetary formatting
+#lc_numeric = 'C'			# locale for number formatting
+#lc_time = 'C'				# locale for time formatting
+
+# default configuration for text search
+#default_text_search_config = 'pg_catalog.simple'
+
+# - Shared Library Preloading -
+
+#shared_preload_libraries = ''	# (change requires restart)
+#local_preload_libraries = ''
+#session_preload_libraries = ''
+#jit_provider = 'llvmjit'		# JIT library to use
+
+# - Other Defaults -
+
+#dynamic_library_path = '$libdir'
+
+
+#------------------------------------------------------------------------------
+# LOCK MANAGEMENT
+#------------------------------------------------------------------------------
+
+#deadlock_timeout = 1s
+#max_locks_per_transaction = 64		# min 10
+					# (change requires restart)
+#max_pred_locks_per_transaction = 64	# min 10
+					# (change requires restart)
+#max_pred_locks_per_relation = -2	# negative values mean
+					# (max_pred_locks_per_transaction
+					#  / -max_pred_locks_per_relation) - 1
+#max_pred_locks_per_page = 2            # min 0
+
+
+#------------------------------------------------------------------------------
+# VERSION AND PLATFORM COMPATIBILITY
+#------------------------------------------------------------------------------
+
+# - Previous PostgreSQL Versions -
+
+#array_nulls = on
+#backslash_quote = safe_encoding	# on, off, or safe_encoding
+#escape_string_warning = on
+#lo_compat_privileges = off
+#operator_precedence_warning = off
+#quote_all_identifiers = off
+#standard_conforming_strings = on
+#synchronize_seqscans = on
+
+# - Other Platforms and Clients -
+
+#transform_null_equals = off
+
+
+#------------------------------------------------------------------------------
+# ERROR HANDLING
+#------------------------------------------------------------------------------
+
+#exit_on_error = off			# terminate session on any error?
+#restart_after_crash = on		# reinitialize after backend crash?
+#data_sync_retry = off			# retry or panic on failure to fsync
+					# data?
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONFIG FILE INCLUDES
+#------------------------------------------------------------------------------
+
+# These options allow settings to be loaded from files other than the
+# default postgresql.conf.  Note that these are directives, not variable
+# assignments, so they can usefully be given more than once.
+
+#include_dir = '...'			# include files ending in '.conf' from
+					# a directory, e.g., 'conf.d'
+#include_if_exists = '...'		# include file only if it exists
+#include = '...'			# include file
+
+
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
+# Add settings for extensions here

molecule/quarkus_ha_remote/prepare.yml

@@ -0,0 +1,50 @@
+---
+- name: Prepare
+  hosts: 'keycloak:infinispan'
+  vars_files:
+    - ../group_vars/all/vars.yml
+  tasks:
+    - name: "Display hera_home if defined."
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: "Ensure common prepare phase are set."
+      ansible.builtin.include_tasks: ../prepare.yml
+
+    - name: Create certificate request
+      ansible.builtin.command: "openssl req -x509 -newkey rsa:4096 -keyout {{ inventory_hostname }}.key -out {{ inventory_hostname }}.pem -sha256 -days 365 -nodes -subj '/CN={{ inventory_hostname }}'"
+      args:
+        chdir: "{{ playbook_dir }}"
+      delegate_to: localhost
+      changed_when: False
+
+    - name: Create vault directory
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
+      ansible.builtin.file:
+        state: directory
+        path: "/opt/keycloak/vault"
+        mode: 0755
+
+    - name: Make sure a jre is available (for keytool to prepare keystore)
+      delegate_to: localhost
+      ansible.builtin.package:
+        name: "{{ 'java-17-openjdk-headless' if hera_home | length > 0 else 'openjdk-17-jdk-headless' }}"
+        state: present
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
+      failed_when: false
+
+    - name: Create vault keystore
+      ansible.builtin.command: keytool -importpass -alias TestRealm_testalias -keystore keystore.p12 -storepass keystorepassword
+      args:
+        chdir: "{{ playbook_dir }}"
+      delegate_to: localhost
+      register: keytool_cmd
+      changed_when: False
+      failed_when: not 'already exists' in keytool_cmd.stdout and keytool_cmd.rc != 0
+
+    - name: Copy certificates and vault
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
+      ansible.builtin.copy:
+        src: keystore.p12
+        dest: /opt/keycloak/vault/keystore.p12
+        mode: 0444

molecule/quarkus_ha_remote/roles

@@ -0,0 +1 @@
+../../roles

molecule/quarkus_ha_remote/verify.yml

@@ -0,0 +1,31 @@
+---
+- name: Verify
+  hosts: keycloak
+  vars_files:
+    - ../group_vars/all/vars.yml
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Check if keycloak service started
+      ansible.builtin.assert:
+        that:
+          - ansible_facts.services["keycloak.service"]["state"] == "running"
+          - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+        fail_msg: "Service not running"
+
+    - name: Set internal envvar
+      ansible.builtin.set_fact:
+        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+    - name: Check log file
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"
+      ansible.builtin.stat:
+        path: /var/log/keycloak/keycloak.log
+      register: keycloak_log_file
+
+    - name: Check if keycloak file exists
+      ansible.builtin.assert:
+        that:
+          - keycloak_log_file.stat.exists
+          - not keycloak_log_file.stat.isdir

molecule/quarkus_upgrade/converge.yml

@@ -2,8 +2,13 @@
 - name: Converge
   hosts: all
   vars_files:
+    - ../group_vars/all/vars.yml
     - vars.yml
   vars:
-    keycloak_quarkus_version: 24.0.3
+    keycloak_quarkus_show_deprecation_warnings: false
+    keycloak_quarkus_additional_env_vars:
+      - key: KC_FEATURES_DISABLED
+        value: ciba,device-flow,impersonation,kerberos,docker
+    keycloak_quarkus_version: 26.6.2
   roles:
     - role: keycloak_quarkus

molecule/quarkus_upgrade/molecule.yml

@@ -13,8 +13,10 @@ platforms:
     privileged: true
     port_bindings:
       - 8080:8080
+      - "9000/tcp"
     published_ports:
       - 0.0.0.0:8080:8080/TCP
+      - 0.0.0.0:9000:9000/TCP
 provisioner:
   name: ansible
   playbooks:
@@ -25,6 +27,10 @@ provisioner:
     host_vars:
       localhost:
         ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  env:
+    ANSIBLE_FORCE_COLOR: "true"
+    PROXY: "${PROXY}"
+    NO_PROXY: "${NO_PROXY}"
 verifier:
   name: ansible
 scenario:

molecule/quarkus_upgrade/prepare.yml

@@ -2,10 +2,14 @@
 - name: Prepare
   hosts: all
   vars_files:
+    - ../group_vars/all/vars.yml
     - vars.yml
   vars:
     sudo_pkg_name: sudo
-    keycloak_quarkus_version: 23.0.7
+    keycloak_quarkus_version: 26.6.1
+    keycloak_quarkus_additional_env_vars:
+      - key: KC_FEATURES_DISABLED
+        value: impersonation,kerberos
   pre_tasks:
     - name: Install sudo
       ansible.builtin.apt:
@@ -40,13 +44,16 @@
 
     - name: Create certificate request
       ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
+      args:
+        chdir: "{{ playbook_dir }}"
       delegate_to: localhost
       changed_when: false
   roles:
     - role: keycloak_quarkus
+
   post_tasks:
     - name: "Delete custom fact"
       ansible.builtin.file:
         path: /etc/ansible/facts.d/keycloak.fact
         state: absent
-      become: true
+      become: "{{ molecule_prepare_require_privilege_escalation | default(true) }}"

molecule/quarkus_upgrade/roles

@@ -0,0 +1 @@
+../../roles

molecule/quarkus_upgrade/vars.yml

@@ -1,9 +1,8 @@
 ---
 keycloak_quarkus_offline_install: false
-keycloak_quarkus_admin_password: "remembertochangeme"
-keycloak_quarkus_admin_pass: "remembertochangeme"
+keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
 keycloak_quarkus_realm: TestRealm
-keycloak_quarkus_host: instance
+keycloak_quarkus_hostname: http://instance:8080
 keycloak_quarkus_log: file
 keycloak_quarkus_https_key_file_enabled: true
 keycloak_quarkus_log_target: /tmp/keycloak

molecule/quarkus_upgrade/verify.yml

@@ -2,7 +2,7 @@
 - name: Verify
   hosts: instance
   vars:
-    keycloak_quarkus_admin_password: "remembertochangeme"
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
     keycloak_quarkus_port: http://localhost:8080
   tasks:
     - name: Populate service facts
@@ -14,19 +14,18 @@
           - ansible_facts.services["keycloak.service"]["state"] == "running"
           - ansible_facts.services["keycloak.service"]["status"] == "enabled"
 
-    - name: Verify we are running on requested jvm
-      ansible.builtin.shell: |
-        set -eo pipefail
-        ps -ef | grep 'etc/alternatives/.*17' | grep -v grep
+    - name: Verify Java 21 runtime is installed (UBI/RHEL)
+      ansible.builtin.command:
+        cmd: rpm -q java-21-openjdk-headless
       changed_when: false
 
     - name: Verify token api call
       ansible.builtin.uri:
         url: "{{ keycloak_quarkus_port }}/realms/master/protocol/openid-connect/token"
         method: POST
-        body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_admin_password }}&grant_type=password"
+        body: "client_id=admin-cli&username=admin&password={{ keycloak_quarkus_bootstrap_admin_password }}&grant_type=password"
         validate_certs: no
       register: keycloak_auth_response
       until: keycloak_auth_response.status == 200
-      retries: 2
-      delay: 2
+      retries: 45
+      delay: 5

molecule/requirements.yml

@@ -2,10 +2,13 @@
 collections:
   - name: middleware_automation.common
   - name: middleware_automation.jbcs
+  - name: middleware_automation.infinispan
   - name: community.general
   - name: ansible.posix
   - name: community.docker
     version: ">=3.8.0"
+  - name: containers.podman
+    version: ">=1.8.1"
 
 roles:
   - name: elan.simple_nginx_reverse_proxy

playbooks/keycloak_authentication_flow.yml

@@ -0,0 +1,27 @@
+---
+- name: Playbook for Keycloak Authentication Flow Configuration
+  hosts: all
+  vars:
+    keycloak_admin_user: admin
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_url: "http://localhost:8080"
+    keycloak_realm: TestRealm
+  tasks:
+    - name: Create authentication flow with executions
+      middleware_automation.keycloak.keycloak_authentication_flow:
+        auth_keycloak_url: "{{ keycloak_url }}"
+        auth_realm: master
+        auth_username: "{{ keycloak_admin_user }}"
+        auth_password: "{{ keycloak_admin_password }}"
+        realm: "{{ keycloak_realm }}"
+        alias: my-browser-flow
+        description: "Custom browser authentication flow"
+        provider_id: basic-flow
+        executions:
+          - provider_id: auth-cookie
+            requirement: ALTERNATIVE
+          - provider_id: auth-password
+            requirement: REQUIRED
+          - provider_id: auth-otp-form
+            requirement: ALTERNATIVE
+        state: present

playbooks/keycloak_client_scope.yml

@@ -0,0 +1,48 @@
+---
+- name: Playbook for Keycloak Client Scope Configuration
+  hosts: all
+  vars:
+    keycloak_admin_user: admin
+    keycloak_admin_password: "remembertochangeme"
+    keycloak_url: "http://localhost:8080"
+    keycloak_realm: TestRealm
+  tasks:
+    - name: Create client scope with protocol mappers
+      middleware_automation.keycloak.keycloak_client_scope:
+        auth_keycloak_url: "{{ keycloak_url }}"
+        auth_realm: master
+        auth_username: "{{ keycloak_admin_user }}"
+        auth_password: "{{ keycloak_admin_password }}"
+        realm: "{{ keycloak_realm }}"
+        name: TestClientScope
+        description: "Client scope created via Ansible"
+        protocol: openid-connect
+        protocol_mappers:
+          - name: email
+            protocolMapper: oidc-usermodel-attribute-mapper
+            config:
+              user.attribute: email
+              claim.name: email
+              jsonType.label: String
+              id.token.claim: "true"
+              access.token.claim: "true"
+              userinfo.token.claim: "true"
+          - name: firstName
+            protocolMapper: oidc-usermodel-attribute-mapper
+            config:
+              user.attribute: firstName
+              claim.name: given_name
+              jsonType.label: String
+              id.token.claim: "true"
+              access.token.claim: "true"
+              userinfo.token.claim: "true"
+          - name: username
+            protocolMapper: oidc-usermodel-attribute-mapper
+            config:
+              user.attribute: username
+              claim.name: preferred_username
+              jsonType.label: String
+              id.token.claim: "true"
+              access.token.claim: "true"
+              userinfo.token.claim: "true"
+        state: present

playbooks/keycloak_quarkus.yml

@@ -2,8 +2,8 @@
 - name: Playbook for Keycloak X Hosts with HTTPS enabled
   hosts: all
   vars:
-    keycloak_quarkus_admin_pass: "remembertochangeme"
-    keycloak_quarkus_host: localhost
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_hostname: http://localhost
     keycloak_quarkus_port: 8443
     keycloak_quarkus_log: file
     keycloak_quarkus_proxy_mode: none

playbooks/keycloak_quarkus_dev.yml

@@ -2,8 +2,8 @@
 - name: Playbook for Keycloak X Hosts in develop mode
   hosts: all
   vars:
-    keycloak_admin_password: "remembertochangeme"
-    keycloak_quarkus_host: localhost
+    keycloak_quarkus_bootstrap_admin_password: "remembertochangeme"
+    keycloak_quarkus_hostname: http://localhost
     keycloak_quarkus_port: 8080
     keycloak_quarkus_log: file
     keycloak_quarkus_start_dev: true

playbooks/keycloak_realm_client.yml

@@ -0,0 +1,39 @@
+---
+- name: Playbook for Keycloak Realm and Client Configuration
+  hosts: all
+  tasks:
+    - name: Keycloak Realm Role
+      ansible.builtin.include_role:
+        name: middleware_automation.keycloak.keycloak_realm
+      vars:
+        keycloak_admin_password: "remembertochangeme"
+        keycloak_realm: TestRealm
+        keycloak_client_default_roles:
+          - TestRoleAdmin
+          - TestRoleUser
+        keycloak_client_users:
+          - username: TestUser
+            password: password
+            client_roles:
+              - client: TestClient1
+                role: TestRoleUser
+                realm: TestRealm
+          - username: TestAdmin
+            password: password
+            client_roles:
+              - client: TestClient1
+                role: TestRoleUser
+                realm: TestRealm
+              - client: TestClient1
+                role: TestRoleAdmin
+                realm: TestRealm
+        keycloak_clients:
+          - name: TestClient1
+            client_id: TestClient1
+            roles: "{{ keycloak_client_default_roles }}"
+            realm: TestRealm
+            public_client: true
+            web_origins:
+              - http://testclient1origin/application
+              - http://testclient1origin/other
+            users: "{{ keycloak_client_users }}"

plugins/doc_fragments/actiongroup_keycloak.py

@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2017, Eike Frost <ei@kefro.st>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+
+class ModuleDocFragment(object):
+
+    DOCUMENTATION = r'''
+options: {}
+attributes:
+  action_group:
+    description: Use C(group/middleware_automation.keycloak.keycloak) in C(module_defaults) to set defaults for this module.
+    support: full
+    membership:
+      - middleware_automation.keycloak.keycloak
+'''

plugins/doc_fragments/keycloak.py

@@ -55,7 +55,11 @@ options:
         description:
             - Authentication token for Keycloak API.
         type: str
-        version_added: 3.0.0
+
+    refresh_token:
+        description:
+            - Authentication refresh token for Keycloak API.
+        type: str
 
     validate_certs:
         description:
@@ -68,11 +72,9 @@ options:
             - Controls the HTTP connections timeout period (in seconds) to Keycloak API.
         type: int
         default: 10
-        version_added: 4.5.0
     http_agent:
         description:
             - Configures the HTTP User-Agent header.
         type: str
         default: Ansible
-        version_added: 5.4.0
 '''

plugins/module_utils/identity/keycloak/_keycloak_utils.py

@@ -0,0 +1,32 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import typing as t
+
+
+def merge_settings_without_absent_nulls(
+    existing_settings: dict[str, t.Any], desired_settings: dict[str, t.Any]
+) -> dict[str, t.Any]:
+    """
+    Merges existing and desired settings into a new dictionary while excluding null values in desired settings that are absent in the existing settings.
+    This ensures idempotency by treating absent keys in existing settings and null values in desired settings as equivalent, preventing unnecessary updates.
+
+    Args:
+      existing_settings (dict): Dictionary representing the current settings in Keycloak
+      desired_settings (dict): Dictionary representing the desired settings
+
+    Returns:
+      dict: A new dictionary containing all entries from existing_settings and desired_settings,
+      excluding null values in desired_settings whose corresponding keys are not present in existing_settings
+    """
+
+    existing = existing_settings or {}
+    desired = desired_settings or {}
+
+    return {**existing, **{k: v for k, v in desired.items() if v is not None or k in existing}}

plugins/module_utils/identity/keycloak/keycloak_clientsecret.py

@@ -0,0 +1,76 @@
+# Copyright (c) 2022, John Cant <a.johncant@gmail.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+import typing as t
+
+from ansible.module_utils.basic import AnsibleModule
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import (
+    KeycloakAPI,
+    keycloak_argument_spec,
+)
+
+
+def keycloak_clientsecret_module() -> AnsibleModule:
+    """
+    Returns an AnsibleModule definition for modules that interact with a client
+    secret.
+
+    :return: argument_spec dict
+    """
+    argument_spec = keycloak_argument_spec()
+
+    meta_args = dict(
+        realm=dict(default="master"),
+        id=dict(type="str"),
+        client_id=dict(type="str", aliases=["clientId"]),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        required_one_of=(
+            [
+                ["id", "client_id"],
+                ["token", "auth_realm", "auth_username", "auth_password", "auth_client_id", "auth_client_secret"],
+            ]
+        ),
+        required_together=([["auth_username", "auth_password"]]),
+        mutually_exclusive=[["token", "auth_realm"], ["token", "auth_username"], ["token", "auth_password"]],
+    )
+
+    return module
+
+
+def keycloak_clientsecret_module_resolve_params(module: AnsibleModule, kc: KeycloakAPI) -> tuple[str, dict[str, t.Any]]:
+    """
+    Given an AnsibleModule definition for keycloak_clientsecret_*, and a
+    KeycloakAPI client, resolve the params needed to interact with the Keycloak
+    client secret, looking up the client by clientId if necessary via an API
+    call.
+
+    :return: tuple of id, realm
+    """
+
+    realm = module.params.get("realm")
+    id = module.params.get("id")
+    client_id = module.params.get("client_id")
+
+    # only lookup the client_id if id isn't provided.
+    # in the case that both are provided, prefer the ID, since it is one
+    # less lookup.
+    if id is None:
+        # Due to the required_one_of spec, client_id is guaranteed to not be None
+        client = kc.get_client_by_client_id(client_id, realm=realm)
+
+        if client is None:
+            module.fail_json(msg=f"Client does not exist {client_id}")
+
+        id = client["id"]
+
+    return id, realm

plugins/modules/keycloak_authentication.py

@@ -0,0 +1,518 @@
+# Copyright (c) 2019, INSPQ <philippe.gauthier@inspq.qc.ca>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: keycloak_authentication
+
+short_description: Configure authentication in Keycloak
+
+description:
+  - This module actually can only make a copy of an existing authentication flow, add an execution to it and configure it.
+  - It can also delete the flow.
+# Originally added in community.general 3.3.0
+version_added: "3.0.0"
+
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: full
+  action_group:
+    # Originally added in community.general 10.2.0
+    version_added: "3.0.0"
+
+options:
+  realm:
+    description:
+      - The name of the realm in which is the authentication.
+    required: true
+    type: str
+  alias:
+    description:
+      - Alias for the authentication flow.
+    required: true
+    type: str
+  description:
+    description:
+      - Description of the flow.
+    type: str
+  providerId:
+    description:
+      - C(providerId) for the new flow when not copied from an existing flow.
+    choices: ["basic-flow", "client-flow"]
+    type: str
+  copyFrom:
+    description:
+      - C(flowAlias) of the authentication flow to use for the copy.
+    type: str
+  authenticationExecutions:
+    description:
+      - Configuration structure for the executions.
+    type: list
+    elements: dict
+    suboptions:
+      providerId:
+        description:
+          - C(providerID) for the new flow when not copied from an existing flow.
+        type: str
+      displayName:
+        description:
+          - Name of the execution or subflow to create or update.
+        type: str
+      requirement:
+        description:
+          - Control status of the subflow or execution.
+        choices: ["REQUIRED", "ALTERNATIVE", "DISABLED", "CONDITIONAL"]
+        type: str
+      flowAlias:
+        description:
+          - Alias of parent flow.
+        type: str
+      authenticationConfig:
+        description:
+          - Describe the config of the authentication.
+        type: dict
+      index:
+        description:
+          - Priority order of the execution.
+        type: int
+      subFlowType:
+        description:
+          - For new subflows, optionally specify the type.
+          - Is only used at creation.
+        choices: ["basic-flow", "form-flow"]
+        default: "basic-flow"
+        type: str
+  state:
+    description:
+      - Control if the authentication flow must exists or not.
+    choices: ["present", "absent"]
+    default: present
+    type: str
+  force:
+    type: bool
+    default: false
+    description:
+      - If V(true), allows to remove the authentication flow and recreate it.
+extends_documentation_fragment:
+  - middleware_automation.keycloak.keycloak
+  - middleware_automation.keycloak.actiongroup_keycloak
+  - middleware_automation.keycloak.attributes
+
+author:
+  - Philippe Gauthier (@elfelip)
+  - Gaëtan Daubresse (@Gaetan2907)
+"""
+
+EXAMPLES = r"""
+- name: Create an authentication flow from first broker login and add an execution to it.
+  middleware_automation.keycloak.keycloak_authentication:
+    auth_keycloak_url: http://localhost:8080
+    auth_realm: master
+    auth_username: admin
+    auth_password: password
+    realm: master
+    alias: "Copy of first broker login"
+    copyFrom: "first broker login"
+    authenticationExecutions:
+      - providerId: "test-execution1"
+        requirement: "REQUIRED"
+        authenticationConfig:
+          alias: "test.execution1.property"
+          config:
+          test1.property: "value"
+      - providerId: "test-execution2"
+        requirement: "REQUIRED"
+        authenticationConfig:
+          alias: "test.execution2.property"
+          config:
+          test2.property: "value"
+    state: present
+
+- name: Re-create the authentication flow
+  middleware_automation.keycloak.keycloak_authentication:
+    auth_keycloak_url: http://localhost:8080
+    auth_realm: master
+    auth_username: admin
+    auth_password: password
+    realm: master
+    alias: "Copy of first broker login"
+    copyFrom: "first broker login"
+    authenticationExecutions:
+      - providerId: "test-provisioning"
+        requirement: "REQUIRED"
+        authenticationConfig:
+          alias: "test.provisioning.property"
+          config:
+          test.provisioning.property: "value"
+    state: present
+    force: true
+
+- name: Create an authentication flow with subflow containing an execution.
+  middleware_automation.keycloak.keycloak_authentication:
+    auth_keycloak_url: http://localhost:8080
+    auth_realm: master
+    auth_username: admin
+    auth_password: password
+    realm: master
+    alias: "Copy of first broker login"
+    copyFrom: "first broker login"
+    authenticationExecutions:
+      - providerId: "test-execution1"
+        requirement: "REQUIRED"
+      - displayName: "New Subflow"
+        requirement: "REQUIRED"
+      - providerId: "auth-cookie"
+        requirement: "REQUIRED"
+        flowAlias: "New Sublow"
+    state: present
+
+- name: Remove authentication.
+  middleware_automation.keycloak.keycloak_authentication:
+    auth_keycloak_url: http://localhost:8080
+    auth_realm: master
+    auth_username: admin
+    auth_password: password
+    realm: master
+    alias: "Copy of first broker login"
+    state: absent
+"""
+
+RETURN = r"""
+msg:
+  description: Message as to what action was taken.
+  returned: always
+  type: str
+
+end_state:
+  description: Representation of the authentication after module execution.
+  returned: on success
+  type: dict
+  sample:
+    {
+      "alias": "Copy of first broker login",
+      "authenticationExecutions": [
+        {
+          "alias": "review profile config",
+          "authenticationConfig": {
+            "alias": "review profile config",
+            "config": {
+              "update.profile.on.first.login": "missing"
+            },
+            "id": "6f09e4fb-aad4-496a-b873-7fa9779df6d7"
+          },
+          "configurable": true,
+          "displayName": "Review Profile",
+          "id": "8f77dab8-2008-416f-989e-88b09ccf0b4c",
+          "index": 0,
+          "level": 0,
+          "providerId": "idp-review-profile",
+          "requirement": "REQUIRED",
+          "requirementChoices": [
+            "REQUIRED",
+            "ALTERNATIVE",
+            "DISABLED"
+          ]
+        }
+      ],
+      "builtIn": false,
+      "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
+      "id": "bc228863-5887-4297-b898-4d988f8eaa5c",
+      "providerId": "basic-flow",
+      "topLevel": true
+    }
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import (
+    KeycloakAPI,
+    KeycloakError,
+    get_token,
+    is_struct_included,
+    keycloak_argument_spec,
+)
+
+
+def find_exec_in_executions(searched_exec, executions):
+    """
+    Search if exec is contained in the executions.
+    :param searched_exec: Execution to search for.
+    :param executions: List of executions.
+    :return: Index of the execution, -1 if not found..
+    """
+    for i, existing_exec in enumerate(executions, start=0):
+        if (
+            "providerId" in existing_exec
+            and "providerId" in searched_exec
+            and existing_exec["providerId"] == searched_exec["providerId"]
+            or "displayName" in existing_exec
+            and "displayName" in searched_exec
+            and existing_exec["displayName"] == searched_exec["displayName"]
+        ):
+            return i
+    return -1
+
+
+def create_or_update_executions(kc, config, realm="master"):
+    """
+    Create or update executions for an authentication flow.
+    :param kc: Keycloak API access.
+    :param config: Representation of the authentication flow including its executions.
+    :param realm: Realm
+    :return: tuple (changed, dict(before, after)
+        WHERE
+        bool changed indicates if changes have been made
+        dict(str, str) shows state before and after creation/update
+    """
+    try:
+        changed = False
+        after = ""
+        before = ""
+        execution = None
+        if config.get("authenticationExecutions") is not None:
+            # Get existing executions on the Keycloak server for this alias
+            existing_executions = kc.get_executions_representation(config, realm=realm)
+            for new_exec_index, new_exec in enumerate(config["authenticationExecutions"], start=0):
+                if new_exec["index"] is not None:
+                    new_exec_index = new_exec["index"]
+                exec_found = False
+                # Get flowalias parent if given
+                if new_exec["flowAlias"] is not None:
+                    flow_alias_parent = new_exec["flowAlias"]
+                else:
+                    flow_alias_parent = config["alias"]
+                # Check if same providerId or displayName name between existing and new execution
+                exec_index = find_exec_in_executions(new_exec, existing_executions)
+                if exec_index != -1:
+                    # Remove key that doesn't need to be compared with existing_exec
+                    exclude_key = ["flowAlias", "subFlowType"]
+                    for key in new_exec:
+                        if new_exec[key] is None:
+                            exclude_key.append(key)
+                    # Compare the executions to see if it need changes
+                    if (
+                        not is_struct_included(new_exec, existing_executions[exec_index], exclude_key)
+                        or exec_index != new_exec_index
+                    ):
+                        exec_found = True
+                        if new_exec["index"] is None:
+                            new_exec_index = exec_index
+                        before += f"{existing_executions[exec_index]}\n"
+                    execution = existing_executions[exec_index].copy()
+                    # Remove exec from list in case 2 exec with same name
+                    existing_executions[exec_index].clear()
+                elif new_exec["providerId"] is not None:
+                    kc.create_execution(new_exec, flowAlias=flow_alias_parent, realm=realm)
+                    execution = kc.get_executions_representation(config, realm=realm)[exec_index]
+                    exec_found = True
+                    exec_index = new_exec_index
+                    after += f"{new_exec}\n"
+                elif new_exec["displayName"] is not None:
+                    kc.create_subflow(
+                        new_exec["displayName"], flow_alias_parent, realm=realm, flowType=new_exec["subFlowType"]
+                    )
+                    execution = kc.get_executions_representation(config, realm=realm)[exec_index]
+                    exec_found = True
+                    exec_index = new_exec_index
+                    after += f"{new_exec}\n"
+                if exec_found:
+                    changed = True
+                    if exec_index != -1:
+                        # Update the existing execution
+                        updated_exec = {"id": execution["id"]}
+                        # add the execution configuration
+                        if new_exec["authenticationConfig"] is not None:
+                            if "authenticationConfig" in execution and "id" in execution["authenticationConfig"]:
+                                kc.delete_authentication_config(execution["authenticationConfig"]["id"], realm=realm)
+                            kc.add_authenticationConfig_to_execution(
+                                updated_exec["id"], new_exec["authenticationConfig"], realm=realm
+                            )
+                        for key in new_exec:
+                            # remove unwanted key for the next API call
+                            if key not in ("flowAlias", "authenticationConfig", "subFlowType"):
+                                updated_exec[key] = new_exec[key]
+                        if new_exec["requirement"] is not None:
+                            if "priority" in execution:
+                                updated_exec["priority"] = execution["priority"]
+                            kc.update_authentication_executions(flow_alias_parent, updated_exec, realm=realm)
+                        diff = exec_index - new_exec_index
+                        kc.change_execution_priority(updated_exec["id"], diff, realm=realm)
+                        after += f"{kc.get_executions_representation(config, realm=realm)[new_exec_index]}\n"
+        return changed, dict(before=before, after=after)
+    except Exception as e:
+        kc.module.fail_json(
+            msg=f"Could not create or update executions for authentication flow {config['alias']} in realm {realm}: {e}"
+        )
+
+
+def main():
+    """
+    Module execution
+
+    :return:
+    """
+    argument_spec = keycloak_argument_spec()
+
+    meta_args = dict(
+        realm=dict(type="str", required=True),
+        alias=dict(type="str", required=True),
+        providerId=dict(type="str", choices=["basic-flow", "client-flow"]),
+        description=dict(type="str"),
+        copyFrom=dict(type="str"),
+        authenticationExecutions=dict(
+            type="list",
+            elements="dict",
+            options=dict(
+                providerId=dict(type="str"),
+                displayName=dict(type="str"),
+                requirement=dict(choices=["REQUIRED", "ALTERNATIVE", "DISABLED", "CONDITIONAL"], type="str"),
+                flowAlias=dict(type="str"),
+                authenticationConfig=dict(type="dict"),
+                index=dict(type="int"),
+                subFlowType=dict(choices=["basic-flow", "form-flow"], default="basic-flow", type="str"),
+            ),
+        ),
+        state=dict(choices=["absent", "present"], default="present"),
+        force=dict(type="bool", default=False),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        required_one_of=(
+            [["token", "auth_realm", "auth_username", "auth_password", "auth_client_id", "auth_client_secret"]]
+        ),
+        required_together=([["auth_username", "auth_password"]]),
+        required_by={"refresh_token": "auth_realm"},
+    )
+
+    result = dict(changed=False, msg="", flow={})
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    realm = module.params.get("realm")
+    state = module.params.get("state")
+    force = module.params.get("force")
+
+    new_auth_repr = {
+        "alias": module.params.get("alias"),
+        "copyFrom": module.params.get("copyFrom"),
+        "providerId": module.params.get("providerId"),
+        "authenticationExecutions": module.params.get("authenticationExecutions"),
+        "description": module.params.get("description"),
+        "builtIn": module.params.get("builtIn"),
+        "subflow": module.params.get("subflow"),
+    }
+
+    auth_repr = kc.get_authentication_flow_by_alias(alias=new_auth_repr["alias"], realm=realm)
+
+    # Cater for when it doesn't exist (an empty dict)
+    if not auth_repr:
+        if state == "absent":
+            # Do nothing and exit
+            if module._diff:
+                result["diff"] = dict(before="", after="")
+            result["changed"] = False
+            result["end_state"] = {}
+            result["msg"] = f"{new_auth_repr['alias']} absent"
+            module.exit_json(**result)
+
+        elif state == "present":
+            # Process a creation
+            result["changed"] = True
+
+            if module._diff:
+                result["diff"] = dict(before="", after=new_auth_repr)
+
+            if module.check_mode:
+                module.exit_json(**result)
+
+            # If copyFrom is defined, create authentication flow from a copy
+            if "copyFrom" in new_auth_repr and new_auth_repr["copyFrom"] is not None:
+                auth_repr = kc.copy_auth_flow(config=new_auth_repr, realm=realm)
+            else:  # Create an empty authentication flow
+                auth_repr = kc.create_empty_auth_flow(config=new_auth_repr, realm=realm)
+
+            # If the authentication still not exist on the server, raise an exception.
+            if auth_repr is None:
+                result["msg"] = f"Authentication just created not found: {new_auth_repr}"
+                module.fail_json(**result)
+
+            # Configure the executions for the flow
+            create_or_update_executions(kc=kc, config=new_auth_repr, realm=realm)
+
+            # Get executions created
+            exec_repr = kc.get_executions_representation(config=new_auth_repr, realm=realm)
+            if exec_repr is not None:
+                auth_repr["authenticationExecutions"] = exec_repr
+            result["end_state"] = auth_repr
+
+    else:
+        if state == "present":
+            # Process an update
+
+            if force:  # If force option is true
+                # Delete the actual authentication flow
+                result["changed"] = True
+                if module._diff:
+                    result["diff"] = dict(before=auth_repr, after=new_auth_repr)
+                if module.check_mode:
+                    module.exit_json(**result)
+                kc.delete_authentication_flow_by_id(id=auth_repr["id"], realm=realm)
+                # If copyFrom is defined, create authentication flow from a copy
+                if "copyFrom" in new_auth_repr and new_auth_repr["copyFrom"] is not None:
+                    auth_repr = kc.copy_auth_flow(config=new_auth_repr, realm=realm)
+                else:  # Create an empty authentication flow
+                    auth_repr = kc.create_empty_auth_flow(config=new_auth_repr, realm=realm)
+                # If the authentication still not exist on the server, raise an exception.
+                if auth_repr is None:
+                    result["msg"] = f"Authentication just created not found: {new_auth_repr}"
+                    module.fail_json(**result)
+            # Configure the executions for the flow
+
+            if module.check_mode:
+                module.exit_json(**result)
+            changed, diff = create_or_update_executions(kc=kc, config=new_auth_repr, realm=realm)
+            result["changed"] |= changed
+
+            if module._diff:
+                result["diff"] = diff
+
+            # Get executions created
+            exec_repr = kc.get_executions_representation(config=new_auth_repr, realm=realm)
+            if exec_repr is not None:
+                auth_repr["authenticationExecutions"] = exec_repr
+            result["end_state"] = auth_repr
+
+        else:
+            # Process a deletion (because state was not 'present')
+            result["changed"] = True
+
+            if module._diff:
+                result["diff"] = dict(before=auth_repr, after="")
+
+            if module.check_mode:
+                module.exit_json(**result)
+
+            # delete it
+            kc.delete_authentication_flow_by_id(id=auth_repr["id"], realm=realm)
+
+            result["msg"] = f"Authentication flow: {new_auth_repr['alias']} id: {auth_repr['id']} is deleted"
+
+    module.exit_json(**result)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/keycloak_authentication_flow.py

@@ -0,0 +1,299 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2024, Contributors to the middleware_automation.keycloak collection
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+DOCUMENTATION = '''
+---
+module: keycloak_authentication_flow
+
+short_description: Allows administration of Keycloak authentication flows via Keycloak API
+
+version_added: "3.0.0"
+
+description:
+    - This module allows you to add, remove or modify Keycloak authentication flows via the Keycloak REST API.
+      It requires access to the REST API via OpenID Connect; the user connecting and the client being
+      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+      and an admin user would work, as would a separate client definition with the scope tailored
+      to your needs and a user having the expected roles.
+
+    - This module supports creating new top-level authentication flows, copying existing flows,
+      and adding execution steps to a flow.
+
+attributes:
+    check_mode:
+        support: full
+    diff_mode:
+        support: full
+
+options:
+    state:
+        description:
+            - State of the authentication flow.
+            - On V(present), the flow will be created if it does not yet exist.
+            - On V(absent), the flow will be removed if it exists.
+        default: 'present'
+        type: str
+        choices:
+            - present
+            - absent
+
+    alias:
+        type: str
+        required: true
+        description:
+            - Alias (name) of the authentication flow.
+
+    description:
+        type: str
+        description:
+            - Description of the authentication flow.
+        default: ''
+
+    realm:
+        type: str
+        description:
+            - The Keycloak realm under which this authentication flow resides.
+        default: 'master'
+
+    provider_id:
+        type: str
+        description:
+            - The provider ID for the flow.
+        default: 'basic-flow'
+        aliases:
+            - providerId
+
+    copy_from:
+        type: str
+        description:
+            - If set, the new flow is created as a copy of the flow with this alias.
+            - Cannot be used together with O(executions).
+        aliases:
+            - copyFrom
+
+    executions:
+        type: list
+        elements: dict
+        description:
+            - A list of executions (authenticator steps) to add to the flow.
+            - Each execution is a dict with keys C(provider_id) (or C(providerId)) and C(requirement).
+            - Executions are only added when the flow is first created.
+        default: []
+        suboptions:
+            provider_id:
+                type: str
+                required: true
+                description:
+                    - The authenticator provider ID (e.g. V(auth-cookie), V(auth-password), V(auth-otp-form)).
+                aliases:
+                    - providerId
+            requirement:
+                type: str
+                required: true
+                description:
+                    - The requirement level for this execution.
+                choices:
+                    - REQUIRED
+                    - ALTERNATIVE
+                    - DISABLED
+                    - CONDITIONAL
+
+extends_documentation_fragment:
+    - middleware_automation.keycloak.keycloak
+    - middleware_automation.keycloak.actiongroup_keycloak
+    - middleware_automation.keycloak.attributes
+
+author:
+    - Paulo Menon (@paulomenon)
+'''
+
+EXAMPLES = '''
+- name: Create an authentication flow with executions
+  middleware_automation.keycloak.keycloak_authentication_flow:
+    auth_keycloak_url: http://localhost:8080
+    auth_realm: master
+    auth_username: admin
+    auth_password: password
+    realm: TestRealm
+    alias: my-browser-flow
+    description: "Custom browser flow"
+    provider_id: basic-flow
+    executions:
+      - provider_id: auth-cookie
+        requirement: ALTERNATIVE
+      - provider_id: auth-password
+        requirement: REQUIRED
+      - provider_id: auth-otp-form
+        requirement: ALTERNATIVE
+    state: present
+  delegate_to: localhost
+
+- name: Create an authentication flow by copying an existing one
+  middleware_automation.keycloak.keycloak_authentication_flow:
+    auth_keycloak_url: http://localhost:8080
+    auth_realm: master
+    auth_username: admin
+    auth_password: password
+    realm: TestRealm
+    alias: my-copy-of-browser
+    copy_from: browser
+    state: present
+  delegate_to: localhost
+
+- name: Create a flow using token authentication
+  middleware_automation.keycloak.keycloak_authentication_flow:
+    auth_keycloak_url: http://localhost:8080
+    token: MY_TOKEN
+    realm: TestRealm
+    alias: my-flow
+    state: present
+  delegate_to: localhost
+
+- name: Delete an authentication flow
+  middleware_automation.keycloak.keycloak_authentication_flow:
+    auth_keycloak_url: http://localhost:8080
+    auth_realm: master
+    auth_username: admin
+    auth_password: password
+    realm: TestRealm
+    alias: my-browser-flow
+    state: absent
+  delegate_to: localhost
+'''
+
+RETURN = '''
+msg:
+    description: Message as to what action was taken.
+    returned: always
+    type: str
+    sample: "Authentication flow my-browser-flow has been created"
+
+end_state:
+    description: Representation of the authentication flow after module execution.
+    returned: on success
+    type: dict
+    sample: {
+        "id": "uuid-here",
+        "alias": "my-browser-flow",
+        "providerId": "basic-flow",
+        "topLevel": true,
+        "builtIn": false
+    }
+'''
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
+    keycloak_argument_spec, get_token, KeycloakError
+from ansible.module_utils.basic import AnsibleModule
+
+
+def main():
+    argument_spec = keycloak_argument_spec()
+
+    execution_spec = dict(
+        provider_id=dict(type='str', required=True, aliases=['providerId']),
+        requirement=dict(type='str', required=True, choices=['REQUIRED', 'ALTERNATIVE', 'DISABLED', 'CONDITIONAL']),
+    )
+
+    meta_args = dict(
+        state=dict(type='str', default='present', choices=['present', 'absent']),
+        alias=dict(type='str', required=True),
+        description=dict(type='str', default=''),
+        realm=dict(type='str', default='master'),
+        provider_id=dict(type='str', default='basic-flow', aliases=['providerId']),
+        copy_from=dict(type='str', aliases=['copyFrom']),
+        executions=dict(type='list', default=[], options=execution_spec, elements='dict'),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(argument_spec=argument_spec,
+                           supports_check_mode=True,
+                           required_one_of=([['token', 'auth_realm', 'auth_username', 'auth_password']]),
+                           required_together=([['auth_realm', 'auth_username', 'auth_password']]),
+                           mutually_exclusive=[['copy_from', 'executions']])
+
+    result = dict(changed=False, msg='', diff={}, end_state={})
+
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    realm = module.params.get('realm')
+    alias = module.params.get('alias')
+    state = module.params.get('state')
+    description = module.params.get('description')
+    provider_id = module.params.get('provider_id')
+    copy_from = module.params.get('copy_from')
+    executions = module.params.get('executions')
+
+    before_flow = kc.get_authentication_flow_by_alias(alias, realm=realm)
+    flow_exists = bool(before_flow)
+
+    if state == 'absent':
+        if flow_exists:
+            result['changed'] = True
+            if module._diff:
+                result['diff'] = dict(before=before_flow, after='')
+            if module.check_mode:
+                module.exit_json(**result)
+            kc.delete_authentication_flow_by_id(before_flow['id'], realm=realm)
+            result['msg'] = "Authentication flow {alias} has been deleted".format(alias=alias)
+        else:
+            result['msg'] = "Authentication flow {alias} does not exist, doing nothing".format(alias=alias)
+        result['end_state'] = {}
+        module.exit_json(**result)
+
+    if flow_exists:
+        result['changed'] = False
+        result['end_state'] = before_flow
+        result['msg'] = "Authentication flow {alias} already exists".format(alias=alias)
+        module.exit_json(**result)
+
+    result['changed'] = True
+
+    flow_config = {
+        'alias': alias,
+        'description': description,
+        'providerId': provider_id,
+    }
+
+    if module._diff:
+        result['diff'] = dict(before='', after=flow_config)
+
+    if module.check_mode:
+        module.exit_json(**result)
+
+    if copy_from:
+        flow_config['copyFrom'] = copy_from
+        after_flow = kc.copy_auth_flow(flow_config, realm=realm)
+        result['msg'] = "Authentication flow {alias} has been created (copied from {src})".format(alias=alias, src=copy_from)
+    else:
+        after_flow = kc.create_empty_auth_flow(flow_config, realm=realm)
+
+        if executions:
+            for execution in executions:
+                exec_rep = {
+                    'providerId': execution['provider_id'],
+                    'requirement': execution['requirement'],
+                }
+                kc.create_execution(exec_rep, alias, realm=realm)
+
+        result['msg'] = "Authentication flow {alias} has been created".format(alias=alias)
+
+    after_flow = kc.get_authentication_flow_by_alias(alias, realm=realm)
+    result['end_state'] = after_flow
+    module.exit_json(**result)
+
+
+if __name__ == '__main__':
+    main()

plugins/modules/keycloak_authentication_required_actions.py

@@ -0,0 +1,463 @@
+
+# Copyright (c) 2017, Eike Frost <ei@kefro.st>
+# Copyright (c) 2021, Christophe Gilles <christophe.gilles54@gmail.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or
+# https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: keycloak_authentication_required_actions
+
+short_description: Allows administration of Keycloak authentication required actions
+
+description:
+  - This module can register, update and delete required actions.
+  - It also filters out any duplicate required actions by their alias. The first occurrence is preserved.
+# Originally added in community.general 7.1.0
+version_added: "3.0.0"
+
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: full
+  action_group:
+    # Originally added in community.general 10.2.0
+    version_added: "3.0.0"
+
+options:
+  realm:
+    description:
+      - The name of the realm in which are the authentication required actions.
+    required: true
+    type: str
+  required_actions:
+    elements: dict
+    description:
+      - Authentication required action.
+    suboptions:
+      alias:
+        description:
+          - Unique name of the required action.
+        required: true
+        type: str
+      config:
+        description:
+          - Configuration for the required action.
+        type: dict
+      defaultAction:
+        description:
+          - Indicates whether new users have the required action assigned to them.
+        type: bool
+      enabled:
+        description:
+          - Indicates, if the required action is enabled or not.
+        type: bool
+      name:
+        description:
+          - Displayed name of the required action. Required for registration.
+        type: str
+      priority:
+        description:
+          - Priority of the required action.
+        type: int
+      providerId:
+        description:
+          - Provider ID of the required action. Required for registration.
+        type: str
+    type: list
+  state:
+    choices: ["absent", "present"]
+    description:
+      - Control if the realm authentication required actions are going to be registered/updated (V(present)) or deleted (V(absent)).
+    required: true
+    type: str
+
+extends_documentation_fragment:
+  - middleware_automation.keycloak.keycloak
+  - middleware_automation.keycloak.actiongroup_keycloak
+  - middleware_automation.keycloak.attributes
+
+author:
+  - Skrekulko (@Skrekulko)
+"""
+
+EXAMPLES = r"""
+- name: Register a new required action.
+  middleware_automation.keycloak.keycloak_authentication_required_actions:
+    auth_client_id: "admin-cli"
+    auth_keycloak_url: "http://localhost:8080"
+    auth_password: "password"
+    auth_realm: "master"
+    auth_username: "admin"
+    realm: "master"
+    required_actions:
+      - alias: "TERMS_AND_CONDITIONS"
+        name: "Terms and conditions"
+        providerId: "TERMS_AND_CONDITIONS"
+        enabled: true
+    state: "present"
+
+- name: Update the newly registered required action.
+  middleware_automation.keycloak.keycloak_authentication_required_actions:
+    auth_client_id: "admin-cli"
+    auth_keycloak_url: "http://localhost:8080"
+    auth_password: "password"
+    auth_realm: "master"
+    auth_username: "admin"
+    realm: "master"
+    required_actions:
+      - alias: "TERMS_AND_CONDITIONS"
+        enabled: false
+    state: "present"
+
+- name: Delete the updated registered required action.
+  middleware_automation.keycloak.keycloak_authentication_required_actions:
+    auth_client_id: "admin-cli"
+    auth_keycloak_url: "http://localhost:8080"
+    auth_password: "password"
+    auth_realm: "master"
+    auth_username: "admin"
+    realm: "master"
+    required_actions:
+      - alias: "TERMS_AND_CONDITIONS"
+    state: "absent"
+"""
+
+RETURN = r"""
+msg:
+  description: Message as to what action was taken.
+  returned: always
+  type: str
+
+end_state:
+  description: Representation of the authentication required actions after module execution.
+  returned: on success
+  type: complex
+  contains:
+    alias:
+      description:
+        - Unique name of the required action.
+      sample: test-provider-id
+      type: str
+    config:
+      description:
+        - Configuration for the required action.
+      sample: {}
+      type: dict
+    defaultAction:
+      description:
+        - Indicates whether new users have the required action assigned to them.
+      sample: false
+      type: bool
+    enabled:
+      description:
+        - Indicates, if the required action is enabled or not.
+      sample: false
+      type: bool
+    name:
+      description:
+        - Displayed name of the required action. Required for registration.
+      sample: Test provider ID
+      type: str
+    priority:
+      description:
+        - Priority of the required action.
+      sample: 90
+      type: int
+    providerId:
+      description:
+        - Provider ID of the required action. Required for registration.
+      sample: test-provider-id
+      type: str
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import (
+    KeycloakAPI,
+    KeycloakError,
+    get_token,
+    keycloak_argument_spec,
+)
+
+
+def sanitize_required_actions(objects):
+    for obj in objects:
+        alias = obj["alias"]
+        name = obj["name"]
+        provider_id = obj["providerId"]
+
+        if not name:
+            obj["name"] = alias
+
+        if provider_id != alias:
+            obj["providerId"] = alias
+
+    return objects
+
+
+def filter_duplicates(objects):
+    filtered_objects = {}
+
+    for obj in objects:
+        alias = obj["alias"]
+
+        if alias not in filtered_objects:
+            filtered_objects[alias] = obj
+
+    return list(filtered_objects.values())
+
+
+def main():
+    """
+    Module execution
+
+    :return:
+    """
+    argument_spec = keycloak_argument_spec()
+
+    meta_args = dict(
+        realm=dict(type="str", required=True),
+        required_actions=dict(
+            type="list",
+            elements="dict",
+            options=dict(
+                alias=dict(type="str", required=True),
+                config=dict(type="dict"),
+                defaultAction=dict(type="bool"),
+                enabled=dict(type="bool"),
+                name=dict(type="str"),
+                priority=dict(type="int"),
+                providerId=dict(type="str"),
+            ),
+        ),
+        state=dict(type="str", choices=["present", "absent"], required=True),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        required_one_of=(
+            [["token", "auth_realm", "auth_username", "auth_password", "auth_client_id", "auth_client_secret"]]
+        ),
+        required_together=([["auth_username", "auth_password"]]),
+        required_by={"refresh_token": "auth_realm"},
+    )
+
+    result = dict(changed=False, msg="", end_state={}, diff=dict(before={}, after={}))
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    # Convenience variables
+    realm = module.params.get("realm")
+    desired_required_actions = module.params.get("required_actions")
+    state = module.params.get("state")
+
+    # Sanitize required actions
+    desired_required_actions = sanitize_required_actions(desired_required_actions)
+
+    # Filter out duplicate required actions
+    desired_required_actions = filter_duplicates(desired_required_actions)
+
+    # Get required actions
+    before_required_actions = kc.get_required_actions(realm=realm)
+
+    if state == "present":
+        # Initialize empty lists to hold the required actions that need to be
+        # registered, updated, and original ones of the updated one
+        register_required_actions = []
+        before_updated_required_actions = []
+        updated_required_actions = []
+
+        # Loop through the desired required actions and check if they exist in the before required actions
+        for desired_required_action in desired_required_actions:
+            found = False
+
+            # Loop through the before required actions and check if the aliases match
+            for before_required_action in before_required_actions:
+                if desired_required_action["alias"] == before_required_action["alias"]:
+                    update_required = False
+
+                    # Fill in the parameters
+                    for k, v in before_required_action.items():
+                        if k not in desired_required_action or desired_required_action[k] is None:
+                            desired_required_action[k] = v
+
+                    # Loop through the keys of the desired and before required actions
+                    # and check if there are any differences between them
+                    for key in desired_required_action.keys():
+                        if (
+                            key in before_required_action
+                            and desired_required_action[key] != before_required_action[key]
+                        ):
+                            update_required = True
+                            break
+
+                    # If there are differences, add the before and desired required actions
+                    # to their respective lists for updating
+                    if update_required:
+                        before_updated_required_actions.append(before_required_action)
+                        updated_required_actions.append(desired_required_action)
+                    found = True
+                    break
+            # If the desired required action is not found in the before required actions,
+            # add it to the list of required actions to register
+            if not found:
+                # Check if name is provided
+                if "name" not in desired_required_action or desired_required_action["name"] is None:
+                    module.fail_json(
+                        msg=f"Unable to register required action {desired_required_action['alias']} in realm {realm}: name not included"
+                    )
+
+                # Check if provider ID is provided
+                if "providerId" not in desired_required_action or desired_required_action["providerId"] is None:
+                    module.fail_json(
+                        msg=f"Unable to register required action {desired_required_action['alias']} in realm {realm}: providerId not included"
+                    )
+
+                register_required_actions.append(desired_required_action)
+
+        # Handle diff
+        if module._diff:
+            diff_required_actions = updated_required_actions.copy()
+            diff_required_actions.extend(register_required_actions)
+
+            result["diff"] = dict(before=before_updated_required_actions, after=diff_required_actions)
+
+        # Handle changed
+        if register_required_actions or updated_required_actions:
+            result["changed"] = True
+
+        # Handle check mode
+        if module.check_mode:
+            if register_required_actions or updated_required_actions:
+                result["change"] = True
+                result["msg"] = "Required actions would be registered/updated"
+            else:
+                result["change"] = False
+                result["msg"] = "Required actions would not be registered/updated"
+
+            module.exit_json(**result)
+
+        # Register required actions
+        if register_required_actions:
+            for register_required_action in register_required_actions:
+                kc.register_required_action(realm=realm, rep=register_required_action)
+                kc.update_required_action(
+                    alias=register_required_action["alias"], realm=realm, rep=register_required_action
+                )
+
+        # Update required actions
+        if updated_required_actions:
+            for updated_required_action in updated_required_actions:
+                kc.update_required_action(
+                    alias=updated_required_action["alias"], realm=realm, rep=updated_required_action
+                )
+
+        # Initialize the final list of required actions
+        final_required_actions = []
+
+        # Iterate over the before_required_actions
+        for before_required_action in before_required_actions:
+            # Check if there is an updated_required_action with the same alias
+            updated_required_action_found = False
+
+            for updated_required_action in updated_required_actions:
+                if updated_required_action["alias"] == before_required_action["alias"]:
+                    # Merge the two dictionaries, favoring the values from updated_required_action
+                    merged_dict = {}
+                    for key in before_required_action.keys():
+                        if key in updated_required_action:
+                            merged_dict[key] = updated_required_action[key]
+                        else:
+                            merged_dict[key] = before_required_action[key]
+
+                    for key in updated_required_action.keys():
+                        if key not in before_required_action:
+                            merged_dict[key] = updated_required_action[key]
+
+                    # Add the merged dictionary to the final list of required actions
+                    final_required_actions.append(merged_dict)
+
+                    # Mark the updated_required_action as found
+                    updated_required_action_found = True
+
+                    # Stop looking for updated_required_action
+                    break
+
+            # If no matching updated_required_action was found, add the before_required_action to the final list of required actions
+            if not updated_required_action_found:
+                final_required_actions.append(before_required_action)
+
+        # Append any remaining updated_required_actions that were not merged
+        for updated_required_action in updated_required_actions:
+            if not any(updated_required_action["alias"] == action["alias"] for action in final_required_actions):
+                final_required_actions.append(updated_required_action)
+
+        # Append newly registered required actions
+        final_required_actions.extend(register_required_actions)
+
+        # Handle message and end state
+        result["msg"] = "Required actions registered/updated"
+        result["end_state"] = final_required_actions
+    else:
+        # Filter out the deleted required actions
+        final_required_actions = []
+        delete_required_actions = []
+
+        for before_required_action in before_required_actions:
+            delete_action = False
+
+            for desired_required_action in desired_required_actions:
+                if before_required_action["alias"] == desired_required_action["alias"]:
+                    delete_action = True
+                    break
+
+            if not delete_action:
+                final_required_actions.append(before_required_action)
+            else:
+                delete_required_actions.append(before_required_action)
+
+        # Handle diff
+        if module._diff:
+            result["diff"] = dict(before=before_required_actions, after=final_required_actions)
+
+        # Handle changed
+        if delete_required_actions:
+            result["changed"] = True
+
+        # Handle check mode
+        if module.check_mode:
+            if final_required_actions:
+                result["change"] = True
+                result["msg"] = "Required actions would be deleted"
+            else:
+                result["change"] = False
+                result["msg"] = "Required actions would not be deleted"
+
+            module.exit_json(**result)
+
+        # Delete required actions
+        if delete_required_actions:
+            for delete_required_action in delete_required_actions:
+                kc.delete_required_action(alias=delete_required_action["alias"], realm=realm)
+
+        # Handle message and end state
+        result["msg"] = "Required actions deleted"
+        result["end_state"] = final_required_actions
+
+    module.exit_json(**result)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/keycloak_authz_authorization_scope.py

@@ -0,0 +1,280 @@
+
+# Copyright (c) 2017, Eike Frost <ei@kefro.st>
+# Copyright (c) 2021, Christophe Gilles <christophe.gilles54@gmail.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or
+# https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: keycloak_authz_authorization_scope
+
+short_description: Allows administration of Keycloak client authorization scopes using Keycloak API
+
+# Originally added in community.general 6.6.0
+version_added: "3.0.0"
+
+description:
+  - This module allows the administration of Keycloak client Authorization Scopes using the Keycloak REST API. Authorization
+    Scopes are only available if a client has Authorization enabled.
+  - This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have
+    the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate
+    realm definition with the scope tailored to your needs and a user having the expected roles.
+  - The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services
+    paths and payloads have not officially been documented by the Keycloak project.
+    U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: full
+  action_group:
+    # Originally added in community.general 10.2.0
+    version_added: "3.0.0"
+
+options:
+  state:
+    description:
+      - State of the authorization scope.
+      - On V(present), the authorization scope is created (or updated if it exists already).
+      - On V(absent), the authorization scope is removed if it exists.
+    choices: ['present', 'absent']
+    default: 'present'
+    type: str
+  name:
+    description:
+      - Name of the authorization scope to create.
+    type: str
+    required: true
+  display_name:
+    description:
+      - The display name of the authorization scope.
+    type: str
+  icon_uri:
+    description:
+      - The icon URI for the authorization scope.
+    type: str
+  client_id:
+    description:
+      - The C(clientId) of the Keycloak client that should have the authorization scope.
+      - This is usually a human-readable name of the Keycloak client.
+    type: str
+    required: true
+  realm:
+    description:
+      - The name of the Keycloak realm the Keycloak client is in.
+    type: str
+    required: true
+
+extends_documentation_fragment:
+  - middleware_automation.keycloak.keycloak
+  - middleware_automation.keycloak.actiongroup_keycloak
+  - middleware_automation.keycloak.attributes
+
+author:
+  - Samuli Seppänen (@mattock)
+"""
+
+EXAMPLES = r"""
+- name: Manage Keycloak file:delete authorization scope
+  keycloak_authz_authorization_scope:
+    name: file:delete
+    state: present
+    display_name: File delete
+    client_id: myclient
+    realm: myrealm
+    auth_keycloak_url: http://localhost:8080
+    auth_username: keycloak
+    auth_password: keycloak
+    auth_realm: master
+"""
+
+RETURN = r"""
+msg:
+  description: Message as to what action was taken.
+  returned: always
+  type: str
+
+end_state:
+  description: Representation of the authorization scope after module execution.
+  returned: on success
+  type: complex
+  contains:
+    id:
+      description: ID of the authorization scope.
+      type: str
+      returned: when O(state=present)
+      sample: a6ab1cf2-1001-40ec-9f39-48f23b6a0a41
+    name:
+      description: Name of the authorization scope.
+      type: str
+      returned: when O(state=present)
+      sample: file:delete
+    display_name:
+      description: Display name of the authorization scope.
+      type: str
+      returned: when O(state=present)
+      sample: File delete
+    icon_uri:
+      description: Icon URI for the authorization scope.
+      type: str
+      returned: when O(state=present)
+      sample: http://localhost/icon.png
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import (
+    KeycloakAPI,
+    KeycloakError,
+    get_token,
+    keycloak_argument_spec,
+)
+
+
+def main():
+    """
+    Module execution
+
+    :return:
+    """
+    argument_spec = keycloak_argument_spec()
+
+    meta_args = dict(
+        state=dict(type="str", default="present", choices=["present", "absent"]),
+        name=dict(type="str", required=True),
+        display_name=dict(type="str"),
+        icon_uri=dict(type="str"),
+        client_id=dict(type="str", required=True),
+        realm=dict(type="str", required=True),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        required_one_of=(
+            [["token", "auth_realm", "auth_username", "auth_password", "auth_client_id", "auth_client_secret"]]
+        ),
+        required_together=([["auth_username", "auth_password"]]),
+        required_by={"refresh_token": "auth_realm"},
+    )
+
+    result = dict(changed=False, msg="", end_state={}, diff=dict(before={}, after={}))
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    # Convenience variables
+    state = module.params.get("state")
+    name = module.params.get("name")
+    display_name = module.params.get("display_name")
+    icon_uri = module.params.get("icon_uri")
+    client_id = module.params.get("client_id")
+    realm = module.params.get("realm")
+
+    # Get the "id" of the client based on the usually more human-readable
+    # "clientId"
+    cid = kc.get_client_id(client_id, realm=realm)
+    if not cid:
+        module.fail_json(msg=f"Invalid client {client_id} for realm {realm}")
+
+    # Get current state of the Authorization Scope using its name as the search
+    # filter. This returns False if it is not found.
+    before_authz_scope = kc.get_authz_authorization_scope_by_name(name=name, client_id=cid, realm=realm)
+
+    # Generate a JSON payload for Keycloak Admin API. This is needed for
+    # "create" and "update" operations.
+    desired_authz_scope = {}
+    desired_authz_scope["name"] = name
+    desired_authz_scope["displayName"] = display_name
+    desired_authz_scope["iconUri"] = icon_uri
+
+    # Add "id" to payload for modify operations
+    if before_authz_scope:
+        desired_authz_scope["id"] = before_authz_scope["id"]
+
+    # Ensure that undefined (null) optional parameters are presented as empty
+    # strings in the desired state. This makes comparisons with current state
+    # much easier.
+    for k, v in desired_authz_scope.items():
+        if not v:
+            desired_authz_scope[k] = ""
+
+    # Do the above for the current state
+    if before_authz_scope:
+        for k in ["displayName", "iconUri"]:
+            if k not in before_authz_scope:
+                before_authz_scope[k] = ""
+
+    if before_authz_scope and state == "present":
+        changes = False
+        for k, v in desired_authz_scope.items():
+            if before_authz_scope[k] != v:
+                changes = True
+                # At this point we know we have to update the object anyways,
+                # so there's no need to do more work.
+                break
+
+        if changes:
+            if module._diff:
+                result["diff"] = dict(before=before_authz_scope, after=desired_authz_scope)
+
+            if module.check_mode:
+                result["changed"] = True
+                result["msg"] = "Authorization scope would be updated"
+                module.exit_json(**result)
+            else:
+                kc.update_authz_authorization_scope(
+                    payload=desired_authz_scope, id=before_authz_scope["id"], client_id=cid, realm=realm
+                )
+                result["changed"] = True
+                result["msg"] = "Authorization scope updated"
+        else:
+            result["changed"] = False
+            result["msg"] = "Authorization scope not updated"
+
+        result["end_state"] = desired_authz_scope
+    elif not before_authz_scope and state == "present":
+        if module._diff:
+            result["diff"] = dict(before={}, after=desired_authz_scope)
+
+        if module.check_mode:
+            result["changed"] = True
+            result["msg"] = "Authorization scope would be created"
+            module.exit_json(**result)
+        else:
+            kc.create_authz_authorization_scope(payload=desired_authz_scope, client_id=cid, realm=realm)
+            result["changed"] = True
+            result["msg"] = "Authorization scope created"
+            result["end_state"] = desired_authz_scope
+    elif before_authz_scope and state == "absent":
+        if module._diff:
+            result["diff"] = dict(before=before_authz_scope, after={})
+
+        if module.check_mode:
+            result["changed"] = True
+            result["msg"] = "Authorization scope would be removed"
+            module.exit_json(**result)
+        else:
+            kc.remove_authz_authorization_scope(id=before_authz_scope["id"], client_id=cid, realm=realm)
+            result["changed"] = True
+            result["msg"] = "Authorization scope removed"
+    elif not before_authz_scope and state == "absent":
+        result["changed"] = False
+    else:
+        module.fail_json(
+            msg=f"Unable to determine what to do with authorization scope {name} of client {client_id} in realm {realm}"
+        )
+
+    module.exit_json(**result)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/keycloak_authz_custom_policy.py

@@ -0,0 +1,213 @@
+
+# Copyright (c) 2017, Eike Frost <ei@kefro.st>
+# Copyright (c) 2021, Christophe Gilles <christophe.gilles54@gmail.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or
+# https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: keycloak_authz_custom_policy
+
+short_description: Allows administration of Keycloak client custom Javascript policies using Keycloak API
+
+# Originally added in community.general 7.5.0
+version_added: "3.0.0"
+
+description:
+  - This module allows the administration of Keycloak client custom Javascript using the Keycloak REST API. Custom Javascript
+    policies are only available if a client has Authorization enabled and if they have been deployed to the Keycloak server
+    as JAR files.
+  - This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have
+    the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate
+    realm definition with the scope tailored to your needs and a user having the expected roles.
+  - The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services
+    paths and payloads have not officially been documented by the Keycloak project.
+    U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: none
+  action_group:
+    # Originally added in community.general 10.2.0
+    version_added: "3.0.0"
+
+options:
+  state:
+    description:
+      - State of the custom policy.
+      - On V(present), the custom policy is created (or updated if it exists already).
+      - On V(absent), the custom policy is removed if it exists.
+    choices: ['present', 'absent']
+    default: 'present'
+    type: str
+  name:
+    description:
+      - Name of the custom policy to create.
+    type: str
+    required: true
+  policy_type:
+    description:
+      - The type of the policy. This must match the name of the custom policy deployed to the server.
+      - Multiple policies pointing to the same policy type can be created, but their names have to differ.
+    type: str
+    required: true
+  client_id:
+    description:
+      - The V(clientId) of the Keycloak client that should have the custom policy attached to it.
+      - This is usually a human-readable name of the Keycloak client.
+    type: str
+    required: true
+  realm:
+    description:
+      - The name of the Keycloak realm the Keycloak client is in.
+    type: str
+    required: true
+
+extends_documentation_fragment:
+  - middleware_automation.keycloak.keycloak
+  - middleware_automation.keycloak.actiongroup_keycloak
+  - middleware_automation.keycloak.attributes
+
+author:
+  - Samuli Seppänen (@mattock)
+"""
+
+EXAMPLES = r"""
+- name: Manage Keycloak custom authorization policy
+  middleware_automation.keycloak.keycloak_authz_custom_policy:
+    name: OnlyOwner
+    state: present
+    policy_type: script-policy.js
+    client_id: myclient
+    realm: myrealm
+    auth_keycloak_url: http://localhost:8080
+    auth_username: keycloak
+    auth_password: keycloak
+    auth_realm: master
+"""
+
+RETURN = r"""
+msg:
+  description: Message as to what action was taken.
+  returned: always
+  type: str
+
+end_state:
+  description: Representation of the custom policy after module execution.
+  returned: on success
+  type: dict
+  contains:
+    name:
+      description: Name of the custom policy.
+      type: str
+      returned: when I(state=present)
+      sample: file:delete
+    policy_type:
+      description: Type of custom policy.
+      type: str
+      returned: when I(state=present)
+      sample: File delete
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import (
+    KeycloakAPI,
+    KeycloakError,
+    get_token,
+    keycloak_argument_spec,
+)
+
+
+def main():
+    """
+    Module execution
+
+    :return:
+    """
+    argument_spec = keycloak_argument_spec()
+
+    meta_args = dict(
+        state=dict(type="str", default="present", choices=["present", "absent"]),
+        name=dict(type="str", required=True),
+        policy_type=dict(type="str", required=True),
+        client_id=dict(type="str", required=True),
+        realm=dict(type="str", required=True),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        required_one_of=(
+            [["token", "auth_realm", "auth_username", "auth_password", "auth_client_id", "auth_client_secret"]]
+        ),
+        required_together=([["auth_username", "auth_password"]]),
+        required_by={"refresh_token": "auth_realm"},
+    )
+
+    result = dict(changed=False, msg="", end_state={})
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    # Convenience variables
+    state = module.params.get("state")
+    name = module.params.get("name")
+    policy_type = module.params.get("policy_type")
+    client_id = module.params.get("client_id")
+    realm = module.params.get("realm")
+
+    cid = kc.get_client_id(client_id, realm=realm)
+    if not cid:
+        module.fail_json(msg=f"Invalid client {client_id} for realm {realm}")
+
+    before_authz_custom_policy = kc.get_authz_policy_by_name(name=name, client_id=cid, realm=realm)
+
+    desired_authz_custom_policy = {}
+    desired_authz_custom_policy["name"] = name
+    desired_authz_custom_policy["type"] = policy_type
+
+    # Modifying existing custom policies is not possible
+    if before_authz_custom_policy and state == "present":
+        result["msg"] = f"Custom policy {name} already exists"
+        result["changed"] = False
+        result["end_state"] = desired_authz_custom_policy
+    elif not before_authz_custom_policy and state == "present":
+        if module.check_mode:
+            result["msg"] = f"Would create custom policy {name}"
+        else:
+            kc.create_authz_custom_policy(
+                payload=desired_authz_custom_policy, policy_type=policy_type, client_id=cid, realm=realm
+            )
+            result["msg"] = f"Custom policy {name} created"
+
+        result["changed"] = True
+        result["end_state"] = desired_authz_custom_policy
+    elif before_authz_custom_policy and state == "absent":
+        if module.check_mode:
+            result["msg"] = f"Would remove custom policy {name}"
+        else:
+            kc.remove_authz_custom_policy(policy_id=before_authz_custom_policy["id"], client_id=cid, realm=realm)
+            result["msg"] = f"Custom policy {name} removed"
+
+        result["changed"] = True
+        result["end_state"] = {}
+    elif not before_authz_custom_policy and state == "absent":
+        result["msg"] = f"Custom policy {name} does not exist"
+        result["changed"] = False
+        result["end_state"] = {}
+
+    module.exit_json(**result)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/keycloak_authz_permission.py

@@ -0,0 +1,443 @@
+
+# Copyright (c) 2017, Eike Frost <ei@kefro.st>
+# Copyright (c) 2021, Christophe Gilles <christophe.gilles54@gmail.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or
+# https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: keycloak_authz_permission
+
+# Originally added in community.general 7.2.0
+version_added: "3.0.0"
+
+short_description: Allows administration of Keycloak client authorization permissions using Keycloak API
+
+description:
+  - This module allows the administration of Keycloak client authorization permissions using the Keycloak REST API. Authorization
+    permissions are only available if a client has Authorization enabled.
+  - There are some peculiarities in JSON paths and payloads for authorization permissions. In particular POST and PUT operations
+    are targeted at permission endpoints, whereas GET requests go to policies endpoint. To make matters more interesting the
+    JSON responses from GET requests return data in a different format than what is expected for POST and PUT. The end result
+    is that it is not possible to detect changes to things like policies, scopes or resources - at least not without a large
+    number of additional API calls. Therefore this module always updates authorization permissions instead of attempting to
+    determine if changes are truly needed.
+  - This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have
+    the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate
+    realm definition with the scope tailored to your needs and a user having the expected roles.
+  - The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services
+    paths and payloads have not officially been documented by the Keycloak project.
+    U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: none
+  action_group:
+    # Originally added in community.general 10.2.0
+    version_added: "3.0.0"
+
+options:
+  state:
+    description:
+      - State of the authorization permission.
+      - On V(present), the authorization permission is created (or updated if it exists already).
+      - On V(absent), the authorization permission is removed if it exists.
+    choices: ['present', 'absent']
+    default: 'present'
+    type: str
+  name:
+    description:
+      - Name of the authorization permission to create.
+    type: str
+    required: true
+  description:
+    description:
+      - The description of the authorization permission.
+    type: str
+  permission_type:
+    description:
+      - The type of authorization permission.
+      - On V(scope) create a scope-based permission.
+      - On V(resource) create a resource-based permission.
+    type: str
+    required: true
+    choices:
+      - resource
+      - scope
+  decision_strategy:
+    description:
+      - The decision strategy to use with this permission.
+    type: str
+    default: UNANIMOUS
+    choices:
+      - UNANIMOUS
+      - AFFIRMATIVE
+      - CONSENSUS
+  resources:
+    description:
+      - Resource names to attach to this permission.
+      - Scope-based permissions can only include one resource.
+      - Resource-based permissions can include multiple resources.
+    type: list
+    elements: str
+    default: []
+  scopes:
+    description:
+      - Scope names to attach to this permission.
+      - Resource-based permissions cannot have scopes attached to them.
+    type: list
+    elements: str
+    default: []
+  policies:
+    description:
+      - Policy names to attach to this permission.
+    type: list
+    elements: str
+    default: []
+  client_id:
+    description:
+      - The clientId of the keycloak client that should have the authorization scope.
+      - This is usually a human-readable name of the Keycloak client.
+    type: str
+    required: true
+  realm:
+    description:
+      - The name of the Keycloak realm the Keycloak client is in.
+    type: str
+    required: true
+
+extends_documentation_fragment:
+  - middleware_automation.keycloak.keycloak
+  - middleware_automation.keycloak.actiongroup_keycloak
+  - middleware_automation.keycloak.attributes
+
+author:
+  - Samuli Seppänen (@mattock)
+"""
+
+EXAMPLES = r"""
+- name: Manage scope-based Keycloak authorization permission
+  middleware_automation.keycloak.keycloak_authz_permission:
+    name: ScopePermission
+    state: present
+    description: Scope permission
+    permission_type: scope
+    scopes:
+      - file:delete
+    policies:
+      - Default Policy
+    client_id: myclient
+    realm: myrealm
+    auth_keycloak_url: http://localhost:8080
+    auth_username: keycloak
+    auth_password: keycloak
+    auth_realm: master
+
+- name: Manage resource-based Keycloak authorization permission
+  middleware_automation.keycloak.keycloak_authz_permission:
+    name: ResourcePermission
+    state: present
+    description: Resource permission
+    permission_type: resource
+    resources:
+      - Default Resource
+    policies:
+      - Default Policy
+    client_id: myclient
+    realm: myrealm
+    auth_keycloak_url: http://localhost:8080
+    auth_username: keycloak
+    auth_password: keycloak
+    auth_realm: master
+"""
+
+RETURN = r"""
+msg:
+  description: Message as to what action was taken.
+  returned: always
+  type: str
+
+end_state:
+  description: Representation of the authorization permission after module execution.
+  returned: on success
+  type: complex
+  contains:
+    id:
+      description: ID of the authorization permission.
+      type: str
+      returned: when O(state=present)
+      sample: 9da05cd2-b273-4354-bbd8-0c133918a454
+    name:
+      description: Name of the authorization permission.
+      type: str
+      returned: when O(state=present)
+      sample: ResourcePermission
+    description:
+      description: Description of the authorization permission.
+      type: str
+      returned: when O(state=present)
+      sample: Resource Permission
+    type:
+      description: Type of the authorization permission.
+      type: str
+      returned: when O(state=present)
+      sample: resource
+    decisionStrategy:
+      description: The decision strategy to use.
+      type: str
+      returned: when O(state=present)
+      sample: UNANIMOUS
+    logic:
+      description: The logic used for the permission (part of the payload, but has a fixed value).
+      type: str
+      returned: when O(state=present)
+      sample: POSITIVE
+    resources:
+      description: IDs of resources attached to this permission.
+      type: list
+      returned: when O(state=present)
+      sample:
+        - 49e052ff-100d-4b79-a9dd-52669ed3c11d
+    scopes:
+      description: IDs of scopes attached to this permission.
+      type: list
+      returned: when O(state=present)
+      sample:
+        - 9da05cd2-b273-4354-bbd8-0c133918a454
+    policies:
+      description: IDs of policies attached to this permission.
+      type: list
+      returned: when O(state=present)
+      sample:
+        - 9da05cd2-b273-4354-bbd8-0c133918a454
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import (
+    KeycloakAPI,
+    KeycloakError,
+    get_token,
+    keycloak_argument_spec,
+)
+
+
+def main():
+    """
+    Module execution
+
+    :return:
+    """
+    argument_spec = keycloak_argument_spec()
+
+    meta_args = dict(
+        state=dict(type="str", default="present", choices=["present", "absent"]),
+        name=dict(type="str", required=True),
+        description=dict(type="str"),
+        permission_type=dict(type="str", choices=["scope", "resource"], required=True),
+        decision_strategy=dict(type="str", default="UNANIMOUS", choices=["UNANIMOUS", "AFFIRMATIVE", "CONSENSUS"]),
+        resources=dict(type="list", elements="str", default=[]),
+        scopes=dict(type="list", elements="str", default=[]),
+        policies=dict(type="list", elements="str", default=[]),
+        client_id=dict(type="str", required=True),
+        realm=dict(type="str", required=True),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        required_one_of=(
+            [["token", "auth_realm", "auth_username", "auth_password", "auth_client_id", "auth_client_secret"]]
+        ),
+        required_together=([["auth_username", "auth_password"]]),
+        required_by={"refresh_token": "auth_realm"},
+    )
+
+    # Convenience variables
+    state = module.params.get("state")
+    name = module.params.get("name")
+    description = module.params.get("description")
+    permission_type = module.params.get("permission_type")
+    decision_strategy = module.params.get("decision_strategy")
+    realm = module.params.get("realm")
+    client_id = module.params.get("client_id")
+    realm = module.params.get("realm")
+    resources = module.params.get("resources")
+    scopes = module.params.get("scopes")
+    policies = module.params.get("policies")
+
+    if permission_type == "scope" and state == "present":
+        if scopes == []:
+            module.fail_json(msg="Scopes need to defined when permission type is set to scope!")
+        if len(resources) > 1:
+            module.fail_json(msg="Only one resource can be defined for a scope permission!")
+
+    if permission_type == "resource" and state == "present":
+        if resources == []:
+            module.fail_json(msg="A resource need to defined when permission type is set to resource!")
+        if scopes != []:
+            module.fail_json(msg="Scopes cannot be defined when permission type is set to resource!")
+
+    result = dict(changed=False, msg="", end_state={})
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    # Get id of the client based on client_id
+    cid = kc.get_client_id(client_id, realm=realm)
+    if not cid:
+        module.fail_json(msg=f"Invalid client {client_id} for realm {realm}")
+
+    # Get current state of the permission using its name as the search
+    # filter. This returns False if it is not found.
+    permission = kc.get_authz_permission_by_name(name=name, client_id=cid, realm=realm)
+
+    # Generate a JSON payload for Keycloak Admin API. This is needed for
+    # "create" and "update" operations.
+    payload = {}
+    payload["name"] = name
+    payload["description"] = description
+    payload["type"] = permission_type
+    payload["decisionStrategy"] = decision_strategy
+    payload["logic"] = "POSITIVE"
+    payload["scopes"] = []
+    payload["resources"] = []
+    payload["policies"] = []
+
+    if permission_type == "scope":
+        # Add the resource id, if any, to the payload. While the data type is a
+        # list, it is only possible to have one entry in it based on what Keycloak
+        # Admin Console does.
+        r = False
+        resource_scopes = []
+
+        if resources:
+            r = kc.get_authz_resource_by_name(resources[0], cid, realm)
+            if not r:
+                module.fail_json(
+                    msg=f"Unable to find authorization resource with name {resources[0]} for client {cid} in realm {realm}"
+                )
+            else:
+                payload["resources"].append(r["_id"])
+
+            for rs in r["scopes"]:
+                resource_scopes.append(rs["id"])
+
+        # Generate a list of scope ids based on scope names. Fail if the
+        # defined resource does not include all those scopes.
+        for scope in scopes:
+            s = kc.get_authz_authorization_scope_by_name(scope, cid, realm)
+            if r and s["id"] not in resource_scopes:
+                module.fail_json(
+                    msg=f"Resource {resources[0]} does not include scope {scope} for client {client_id} in realm {realm}"
+                )
+            else:
+                payload["scopes"].append(s["id"])
+
+    elif permission_type == "resource":
+        if resources:
+            for resource in resources:
+                r = kc.get_authz_resource_by_name(resource, cid, realm)
+                if not r:
+                    module.fail_json(
+                        msg=f"Unable to find authorization resource with name {resource} for client {cid} in realm {realm}"
+                    )
+                else:
+                    payload["resources"].append(r["_id"])
+
+    # Add policy ids, if any, to the payload.
+    if policies:
+        for policy in policies:
+            p = kc.get_authz_policy_by_name(policy, cid, realm)
+
+            if p:
+                payload["policies"].append(p["id"])
+            else:
+                module.fail_json(
+                    msg=f"Unable to find authorization policy with name {policy} for client {client_id} in realm {realm}"
+                )
+
+    # Add "id" to payload for update operations
+    if permission:
+        payload["id"] = permission["id"]
+
+        # Handle the special case where the user attempts to change an already
+        # existing permission's type - something that can't be done without a
+        # full delete -> (re)create cycle.
+        if permission["type"] != payload["type"]:
+            module.fail_json(
+                msg=(
+                    f"Modifying the type of permission (scope/resource) is not supported: "
+                    f"permission {permission['id']} of client {cid} in realm {realm} unchanged"
+                )
+            )
+
+    # Updating an authorization  permission is tricky for several reasons.
+    # Firstly, the current permission is retrieved using a _policy_ endpoint,
+    # not from a permission endpoint. Also, the data that is returned is in a
+    # different format than what is expected by the payload. So, comparing the
+    # current state attribute by attribute to the payload is not possible.  For
+    # example the data contains a JSON object "config" which may contain the
+    # authorization type, but which is no required in the payload.  Moreover,
+    # information about resources, scopes and policies is _not_ present in the
+    # data. So, there is no way to determine if any of those fields have
+    # changed. Therefore the best options we have are
+    #
+    # a) Always apply the payload without checking the current state
+    # b) Refuse to make any changes to any settings (only support create and delete)
+    #
+    # The approach taken here is a).
+    #
+    if permission and state == "present":
+        if module.check_mode:
+            result["msg"] = "Notice: unable to check current resources, scopes and policies for permission. \
+                            Would apply desired state without checking the current state."
+        else:
+            kc.update_authz_permission(
+                payload=payload, permission_type=permission_type, id=permission["id"], client_id=cid, realm=realm
+            )
+            result["msg"] = "Notice: unable to check current resources, scopes and policies for permission. \
+                            Applying desired state without checking the current state."
+
+        # Assume that something changed, although we don't know if that is the case.
+        result["changed"] = True
+        result["end_state"] = payload
+    elif not permission and state == "present":
+        if module.check_mode:
+            result["msg"] = "Would create permission"
+        else:
+            kc.create_authz_permission(payload=payload, permission_type=permission_type, client_id=cid, realm=realm)
+            result["msg"] = "Permission created"
+
+        result["changed"] = True
+        result["end_state"] = payload
+    elif permission and state == "absent":
+        if module.check_mode:
+            result["msg"] = "Would remove permission"
+        else:
+            kc.remove_authz_permission(id=permission["id"], client_id=cid, realm=realm)
+            result["msg"] = "Permission removed"
+
+        result["changed"] = True
+
+    elif not permission and state == "absent":
+        result["changed"] = False
+    else:
+        module.fail_json(
+            msg=f"Unable to determine what to do with permission {name} of client {client_id} in realm {realm}"
+        )
+
+    module.exit_json(**result)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/keycloak_authz_permission_info.py

@@ -0,0 +1,178 @@
+
+# Copyright (c) 2017, Eike Frost <ei@kefro.st>
+# Copyright (c) 2021, Christophe Gilles <christophe.gilles54@gmail.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or
+# https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: keycloak_authz_permission_info
+
+# Originally added in community.general 7.2.0
+version_added: "3.0.0"
+
+short_description: Query Keycloak client authorization permissions information
+
+description:
+  - This module allows querying information about Keycloak client authorization permissions from the resources endpoint using
+    the Keycloak REST API. Authorization permissions are only available if a client has Authorization enabled.
+  - This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have
+    the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate
+    realm definition with the scope tailored to your needs and a user having the expected roles.
+  - The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services
+    paths and payloads have not officially been documented by the Keycloak project.
+    U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
+attributes:
+  action_group:
+    # Originally added in community.general 10.2.0
+    version_added: "3.0.0"
+
+options:
+  name:
+    description:
+      - Name of the authorization permission to create.
+    type: str
+    required: true
+  client_id:
+    description:
+      - The clientId of the keycloak client that should have the authorization scope.
+      - This is usually a human-readable name of the Keycloak client.
+    type: str
+    required: true
+  realm:
+    description:
+      - The name of the Keycloak realm the Keycloak client is in.
+    type: str
+    required: true
+
+extends_documentation_fragment:
+  - middleware_automation.keycloak.keycloak
+  - middleware_automation.keycloak.actiongroup_keycloak
+  - middleware_automation.keycloak.attributes
+  - middleware_automation.keycloak.attributes.info_module
+
+author:
+  - Samuli Seppänen (@mattock)
+"""
+
+EXAMPLES = r"""
+- name: Query Keycloak authorization permission
+  middleware_automation.keycloak.keycloak_authz_permission_info:
+    name: ScopePermission
+    client_id: myclient
+    realm: myrealm
+    auth_keycloak_url: http://localhost:8080
+    auth_username: keycloak
+    auth_password: keycloak
+    auth_realm: master
+"""
+
+RETURN = r"""
+msg:
+  description: Message as to what action was taken.
+  returned: always
+  type: str
+
+queried_state:
+  description: State of the resource (a policy) as seen by Keycloak.
+  returned: on success
+  type: complex
+  contains:
+    id:
+      description: ID of the authorization permission.
+      type: str
+      sample: 9da05cd2-b273-4354-bbd8-0c133918a454
+    name:
+      description: Name of the authorization permission.
+      type: str
+      sample: ResourcePermission
+    description:
+      description: Description of the authorization permission.
+      type: str
+      sample: Resource Permission
+    type:
+      description: Type of the authorization permission.
+      type: str
+      sample: resource
+    decisionStrategy:
+      description: The decision strategy.
+      type: str
+      sample: UNANIMOUS
+    logic:
+      description: The logic used for the permission (part of the payload, but has a fixed value).
+      type: str
+      sample: POSITIVE
+    config:
+      description: Configuration of the permission (empty in all observed cases).
+      type: dict
+      sample: {}
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import (
+    KeycloakAPI,
+    KeycloakError,
+    get_token,
+    keycloak_argument_spec,
+)
+
+
+def main():
+    """
+    Module execution
+
+    :return:
+    """
+    argument_spec = keycloak_argument_spec()
+
+    meta_args = dict(
+        name=dict(type="str", required=True),
+        client_id=dict(type="str", required=True),
+        realm=dict(type="str", required=True),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        required_one_of=(
+            [["token", "auth_realm", "auth_username", "auth_password", "auth_client_id", "auth_client_secret"]]
+        ),
+        required_together=([["auth_username", "auth_password"]]),
+        required_by={"refresh_token": "auth_realm"},
+    )
+
+    # Convenience variables
+    name = module.params.get("name")
+    client_id = module.params.get("client_id")
+    realm = module.params.get("realm")
+
+    result = dict(changed=False, msg="", queried_state={})
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    # Get id of the client based on client_id
+    cid = kc.get_client_id(client_id, realm=realm)
+    if not cid:
+        module.fail_json(msg=f"Invalid client {client_id} for realm {realm}")
+
+    # Get current state of the permission using its name as the search
+    # filter. This returns False if it is not found.
+    permission = kc.get_authz_permission_by_name(name=name, client_id=cid, realm=realm)
+
+    result["queried_state"] = permission
+
+    module.exit_json(**result)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/keycloak_client_rolemapping.py

@@ -0,0 +1,414 @@
+
+# Copyright (c) Ansible project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: keycloak_client_rolemapping
+
+short_description: Allows administration of Keycloak client_rolemapping with the Keycloak API
+
+# Originally added in community.general 3.5.0
+version_added: "3.0.0"
+
+description:
+  - This module allows you to add, remove or modify Keycloak client_rolemapping with the Keycloak REST API. It requires access
+    to the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights.
+    In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with
+    the scope tailored to your needs and a user having the expected roles.
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
+    at U(https://www.keycloak.org/docs-api/latest/rest-api/index.html).
+  - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and are returned that way
+    by this module. You may pass single values for attributes when calling the module, and this is translated into a list
+    suitable for the API.
+  - When updating a client_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API
+    to translate the name into the role ID.
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: full
+  action_group:
+    # Originally added in community.general 10.2.0
+    version_added: "3.0.0"
+
+options:
+  state:
+    description:
+      - State of the client_rolemapping.
+      - On V(present), the client_rolemapping is created if it does not yet exist, or updated with the parameters
+        you provide.
+      - On V(absent), the client_rolemapping is removed if it exists.
+    default: 'present'
+    type: str
+    choices:
+      - present
+      - absent
+
+  realm:
+    type: str
+    description:
+      - They Keycloak realm under which this role_representation resides.
+    default: 'master'
+
+  group_name:
+    type: str
+    description:
+      - Name of the group to be mapped.
+      - This parameter is required (can be replaced by gid for less API call).
+  parents:
+    type: list
+    description:
+      - List of parent groups for the group to handle sorted top to bottom.
+      - Set this if your group is a subgroup and you do not provide the GID in O(gid).
+    elements: dict
+    suboptions:
+      id:
+        type: str
+        description:
+          - Identify parent by ID.
+          - Needs less API calls than using O(parents[].name).
+          - A deep parent chain can be started at any point when first given parent is given as ID.
+          - Note that in principle both ID and name can be specified at the same time but current implementation only always
+            use just one of them, with ID being preferred.
+      name:
+        type: str
+        description:
+          - Identify parent by name.
+          - Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
+          - When giving a parent chain with only names it must be complete up to the top.
+          - Note that in principle both ID and name can be specified at the same time but current implementation only always
+            use just one of them, with ID being preferred.
+  gid:
+    type: str
+    description:
+      - ID of the group to be mapped.
+      - This parameter is not required for updating or deleting the rolemapping but providing it reduces the number of API
+        calls required.
+  client_id:
+    type: str
+    description:
+      - Name of the client to be mapped (different than O(cid)).
+      - This parameter is required (can be replaced by cid for less API call).
+  cid:
+    type: str
+    description:
+      - ID of the client to be mapped.
+      - This parameter is not required for updating or deleting the rolemapping but providing it reduces the number of API
+        calls required.
+  roles:
+    description:
+      - Roles to be mapped to the group.
+    type: list
+    elements: dict
+    suboptions:
+      name:
+        type: str
+        description:
+          - Name of the role_representation.
+          - This parameter is required only when creating or updating the role_representation.
+      id:
+        type: str
+        description:
+          - The unique identifier for this role_representation.
+          - This parameter is not required for updating or deleting a role_representation but providing it reduces the number
+            of API calls required.
+extends_documentation_fragment:
+  - middleware_automation.keycloak.keycloak
+  - middleware_automation.keycloak.actiongroup_keycloak
+  - middleware_automation.keycloak.attributes
+
+author:
+  - Gaëtan Daubresse (@Gaetan2907)
+"""
+
+EXAMPLES = r"""
+- name: Map a client role to a group, authentication with credentials
+  middleware_automation.keycloak.keycloak_client_rolemapping:
+    realm: MyCustomRealm
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    state: present
+    client_id: client1
+    group_name: group1
+    roles:
+      - name: role_name1
+        id: role_id1
+      - name: role_name2
+        id: role_id2
+  delegate_to: localhost
+
+- name: Map a client role to a group, authentication with token
+  middleware_automation.keycloak.keycloak_client_rolemapping:
+    realm: MyCustomRealm
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    token: TOKEN
+    state: present
+    client_id: client1
+    group_name: group1
+    roles:
+      - name: role_name1
+        id: role_id1
+      - name: role_name2
+        id: role_id2
+  delegate_to: localhost
+
+- name: Map a client role to a subgroup, authentication with token
+  middleware_automation.keycloak.keycloak_client_rolemapping:
+    realm: MyCustomRealm
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    token: TOKEN
+    state: present
+    client_id: client1
+    group_name: subgroup1
+    parents:
+      - name: parent-group
+    roles:
+      - name: role_name1
+        id: role_id1
+      - name: role_name2
+        id: role_id2
+  delegate_to: localhost
+
+- name: Unmap client role from a group
+  middleware_automation.keycloak.keycloak_client_rolemapping:
+    realm: MyCustomRealm
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    state: absent
+    client_id: client1
+    group_name: group1
+    roles:
+      - name: role_name1
+        id: role_id1
+      - name: role_name2
+        id: role_id2
+  delegate_to: localhost
+"""
+
+RETURN = r"""
+msg:
+  description: Message as to what action was taken.
+  returned: always
+  type: str
+  sample: "Role role1 assigned to group group1."
+
+proposed:
+  description: Representation of proposed client role mapping.
+  returned: always
+  type: dict
+  sample: {"clientId": "test"}
+
+existing:
+  description:
+    - Representation of existing client role mapping.
+    - The sample is truncated.
+  returned: always
+  type: dict
+  sample:
+    {
+      "adminUrl": "http://www.example.com/admin_url",
+      "attributes": {
+        "request.object.signature.alg": "RS256"
+      }
+    }
+
+end_state:
+  description:
+    - Representation of client role mapping after module execution.
+    - The sample is truncated.
+  returned: on success
+  type: dict
+  sample:
+    {
+      "adminUrl": "http://www.example.com/admin_url",
+      "attributes": {
+        "request.object.signature.alg": "RS256"
+      }
+    }
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import (
+    KeycloakAPI,
+    KeycloakError,
+    get_token,
+    keycloak_argument_spec,
+)
+
+
+def main():
+    """
+    Module execution
+
+    :return:
+    """
+    argument_spec = keycloak_argument_spec()
+
+    roles_spec = dict(
+        name=dict(type="str"),
+        id=dict(type="str"),
+    )
+
+    meta_args = dict(
+        state=dict(default="present", choices=["present", "absent"]),
+        realm=dict(default="master"),
+        gid=dict(type="str"),
+        group_name=dict(type="str"),
+        parents=dict(
+            type="list",
+            elements="dict",
+            options=dict(id=dict(type="str"), name=dict(type="str")),
+        ),
+        cid=dict(type="str"),
+        client_id=dict(type="str"),
+        roles=dict(type="list", elements="dict", options=roles_spec),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        required_one_of=(
+            [["token", "auth_realm", "auth_username", "auth_password", "auth_client_id", "auth_client_secret"]]
+        ),
+        required_together=([["auth_username", "auth_password"]]),
+        required_by={"refresh_token": "auth_realm"},
+    )
+
+    result = dict(changed=False, msg="", diff={}, proposed={}, existing={}, end_state={})
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    realm = module.params.get("realm")
+    state = module.params.get("state")
+    cid = module.params.get("cid")
+    client_id = module.params.get("client_id")
+    gid = module.params.get("gid")
+    group_name = module.params.get("group_name")
+    roles = module.params.get("roles")
+    parents = module.params.get("parents")
+
+    # Check the parameters
+    if cid is None and client_id is None:
+        module.fail_json(msg="Either the `client_id` or `cid` has to be specified.")
+    if gid is None and group_name is None:
+        module.fail_json(msg="Either the `group_name` or `gid` has to be specified.")
+
+    # Get the potential missing parameters
+    if gid is None:
+        group_rep = kc.get_group_by_name(group_name, realm=realm, parents=parents)
+        if group_rep is not None:
+            gid = group_rep["id"]
+        else:
+            module.fail_json(msg=f"Could not fetch group {group_name}:")
+    if cid is None:
+        cid = kc.get_client_id(client_id, realm=realm)
+        if cid is None:
+            module.fail_json(msg=f"Could not fetch client {client_id}:")
+    if roles is None:
+        module.exit_json(msg="Nothing to do (no roles specified).")
+    else:
+        for role in roles:
+            if role["name"] is None and role["id"] is None:
+                module.fail_json(msg="Either the `name` or `id` has to be specified on each role.")
+            # Fetch missing role_id
+            if role["id"] is None:
+                role_id = kc.get_client_role_id_by_name(cid, role["name"], realm=realm)
+                if role_id is not None:
+                    role["id"] = role_id
+                else:
+                    module.fail_json(msg=f"Could not fetch role {role['name']}:")
+            # Fetch missing role_name
+            else:
+                role["name"] = kc.get_client_group_rolemapping_by_id(gid, cid, role["id"], realm=realm)["name"]
+                if role["name"] is None:
+                    module.fail_json(msg=f"Could not fetch role {role['id']}")
+
+    # Get effective client-level role mappings
+    available_roles_before = kc.get_client_group_available_rolemappings(gid, cid, realm=realm)
+    assigned_roles_before = kc.get_client_group_composite_rolemappings(gid, cid, realm=realm)
+
+    result["existing"] = assigned_roles_before
+    result["proposed"] = list(assigned_roles_before) if assigned_roles_before else []
+
+    update_roles = []
+    for role in roles:
+        # Fetch roles to assign if state present
+        if state == "present":
+            for available_role in available_roles_before:
+                if role["name"] == available_role["name"]:
+                    update_roles.append(
+                        {
+                            "id": role["id"],
+                            "name": role["name"],
+                        }
+                    )
+                    result["proposed"].append(available_role)
+        # Fetch roles to remove if state absent
+        else:
+            for assigned_role in assigned_roles_before:
+                if role["name"] == assigned_role["name"]:
+                    update_roles.append(
+                        {
+                            "id": role["id"],
+                            "name": role["name"],
+                        }
+                    )
+                    if assigned_role in result["proposed"]:  # Handle double removal
+                        result["proposed"].remove(assigned_role)
+
+    if len(update_roles):
+        if state == "present":
+            # Assign roles
+            result["changed"] = True
+            if module._diff:
+                result["diff"] = dict(before=assigned_roles_before, after=result["proposed"])
+            if module.check_mode:
+                module.exit_json(**result)
+            kc.add_group_rolemapping(gid, cid, update_roles, realm=realm)
+            result["msg"] = f"Roles {update_roles} assigned to group {group_name}."
+            assigned_roles_after = kc.get_client_group_composite_rolemappings(gid, cid, realm=realm)
+            result["end_state"] = assigned_roles_after
+            module.exit_json(**result)
+        else:
+            # Remove mapping of role
+            result["changed"] = True
+            if module._diff:
+                result["diff"] = dict(before=assigned_roles_before, after=result["proposed"])
+            if module.check_mode:
+                module.exit_json(**result)
+            kc.delete_group_rolemapping(gid, cid, update_roles, realm=realm)
+            result["msg"] = f"Roles {update_roles} removed from group {group_name}."
+            assigned_roles_after = kc.get_client_group_composite_rolemappings(gid, cid, realm=realm)
+            result["end_state"] = assigned_roles_after
+            module.exit_json(**result)
+    # Do nothing
+    else:
+        result["changed"] = False
+        result["msg"] = (
+            f"Nothing to do, roles {roles} are {'mapped' if state == 'present' else 'not mapped'} with group {group_name}."
+        )
+        module.exit_json(**result)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/keycloak_client_rolescope.py

@@ -0,0 +1,287 @@
+
+# Copyright (c) Ansible project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: keycloak_client_rolescope
+
+short_description: Allows administration of Keycloak client roles scope to restrict the usage of certain roles to a other
+  specific client applications
+
+# Originally added in community.general 8.6.0
+version_added: "3.0.0"
+
+description:
+  - This module allows you to add or remove Keycloak roles from clients scope using the Keycloak REST API. It requires access
+    to the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights.
+    In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with
+    the scope tailored to your needs and a user having the expected roles.
+  - Client O(target_client_id) must have O(middleware_automation.keycloak.keycloak_client#module:full_scope_allowed) set to V(false).
+  - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and are returned that way
+    by this module. You may pass single values for attributes when calling the module, and this is translated into a list
+    suitable for the API.
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: full
+  action_group:
+    # Originally added in community.general 10.2.0
+    version_added: "3.0.0"
+
+options:
+  state:
+    description:
+      - State of the role mapping.
+      - On V(present), all roles in O(role_names) are mapped if not exist yet.
+      - On V(absent), all roles mapping in O(role_names) are removed if it exists.
+    default: 'present'
+    type: str
+    choices:
+      - present
+      - absent
+
+  realm:
+    type: str
+    description:
+      - The Keycloak realm under which clients resides.
+    default: 'master'
+
+  target_client_id:
+    type: str
+    required: true
+    description:
+      - Roles provided in O(role_names) while be added to this client scope.
+  role_owner_client_id:
+    type: str
+    description:
+      - If the O(role_names) are client role, the client ID under which it resides.
+      - If this parameter is absent, the roles are considered a realm role.
+  role_names:
+    required: true
+    type: list
+    elements: str
+    description:
+      - Names of roles to manipulate.
+      - If O(role_owner_client_id) is present, all roles must be under this client.
+      - If O(role_owner_client_id) is absent, all roles must be under the realm.
+extends_documentation_fragment:
+  - middleware_automation.keycloak.keycloak
+  - middleware_automation.keycloak.actiongroup_keycloak
+  - middleware_automation.keycloak.attributes
+
+author:
+  - Andre Desrosiers (@desand01)
+"""
+
+EXAMPLES = r"""
+- name: Add roles to public client scope
+  middleware_automation.keycloak.keycloak_client_rolescope:
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    realm: MyCustomRealm
+    target_client_id: frontend-client-public
+    role_owner_client_id: backend-client-private
+    role_names:
+      - backend-role-admin
+      - backend-role-user
+
+- name: Remove roles from public client scope
+  middleware_automation.keycloak.keycloak_client_rolescope:
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    realm: MyCustomRealm
+    target_client_id: frontend-client-public
+    role_owner_client_id: backend-client-private
+    role_names:
+      - backend-role-admin
+    state: absent
+
+- name: Add realm roles to public client scope
+  middleware_automation.keycloak.keycloak_client_rolescope:
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    realm: MyCustomRealm
+    target_client_id: frontend-client-public
+    role_names:
+      - realm-role-admin
+      - realm-role-user
+"""
+
+RETURN = r"""
+msg:
+  description: Message as to what action was taken.
+  returned: always
+  type: str
+  sample: "Client role scope for frontend-client-public has been updated"
+
+end_state:
+  description: Representation of role role scope after module execution.
+  returned: on success
+  type: list
+  elements: dict
+  sample:
+    [
+      {
+        "clientRole": false,
+        "composite": false,
+        "containerId": "MyCustomRealm",
+        "id": "47293104-59a6-46f0-b460-2e9e3c9c424c",
+        "name": "backend-role-admin"
+      },
+      {
+        "clientRole": false,
+        "composite": false,
+        "containerId": "MyCustomRealm",
+        "id": "39c62a6d-542c-4715-92d2-41021eb33967",
+        "name": "backend-role-user"
+      }
+    ]
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import (
+    KeycloakAPI,
+    KeycloakError,
+    get_token,
+    keycloak_argument_spec,
+)
+
+
+def main():
+    """
+    Module execution
+
+    :return:
+    """
+    argument_spec = keycloak_argument_spec()
+
+    meta_args = dict(
+        target_client_id=dict(type="str", required=True),
+        role_owner_client_id=dict(type="str"),
+        realm=dict(type="str", default="master"),
+        role_names=dict(type="list", elements="str", required=True),
+        state=dict(type="str", default="present", choices=["present", "absent"]),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=True)
+
+    result = dict(changed=False, msg="", diff={}, end_state={})
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    realm = module.params.get("realm")
+    target_client_id = module.params.get("target_client_id")
+    role_owner_client_id = module.params.get("role_owner_client_id")
+    role_names = module.params.get("role_names")
+    state = module.params.get("state")
+
+    objRealm = kc.get_realm_by_id(realm)
+    if not objRealm:
+        module.fail_json(msg=f"Failed to retrive realm '{realm}'")
+
+    objClient = kc.get_client_by_client_id(target_client_id, realm)
+    if not objClient:
+        module.fail_json(msg=f"Failed to retrive client '{realm}.{target_client_id}'")
+    if objClient["fullScopeAllowed"] and state == "present":
+        module.fail_json(msg=f"FullScopeAllowed is active for Client '{realm}.{target_client_id}'")
+
+    if role_owner_client_id:
+        role_owner_client = kc.get_client_by_client_id(role_owner_client_id, realm)
+        if not role_owner_client:
+            module.fail_json(msg=f"Failed to retrive client '{realm}.{role_owner_client_id}'")
+        before_role_mapping = kc.get_client_role_scope_from_client(objClient["id"], role_owner_client["id"], realm)
+    else:
+        before_role_mapping = kc.get_client_role_scope_from_realm(objClient["id"], realm)
+
+    if role_owner_client_id:
+        # retrive all role from client_scope
+        client_scope_roles_by_name = kc.get_client_roles_by_id(role_owner_client["id"], realm)
+    else:
+        # retrive all role from realm
+        client_scope_roles_by_name = kc.get_realm_roles(realm)
+
+    # convert to indexed Dict by name
+    client_scope_roles_by_name = {role["name"]: role for role in client_scope_roles_by_name}
+    role_mapping_by_name = {role["name"]: role for role in before_role_mapping}
+    role_mapping_to_manipulate = []
+
+    if state == "present":
+        # update desired
+        for role_name in role_names:
+            if role_name not in client_scope_roles_by_name:
+                if role_owner_client_id:
+                    module.fail_json(msg=f"Failed to retrive role '{realm}.{role_owner_client_id}.{role_name}'")
+                else:
+                    module.fail_json(msg=f"Failed to retrive role '{realm}.{role_name}'")
+            if role_name not in role_mapping_by_name:
+                role_mapping_to_manipulate.append(client_scope_roles_by_name[role_name])
+                role_mapping_by_name[role_name] = client_scope_roles_by_name[role_name]
+    else:
+        # remove role if present
+        for role_name in role_names:
+            if role_name in role_mapping_by_name:
+                role_mapping_to_manipulate.append(role_mapping_by_name[role_name])
+                del role_mapping_by_name[role_name]
+
+    before_role_mapping = sorted(before_role_mapping, key=lambda d: d["name"])
+    desired_role_mapping = sorted(role_mapping_by_name.values(), key=lambda d: d["name"])
+
+    result["changed"] = len(role_mapping_to_manipulate) > 0
+
+    if result["changed"]:
+        result["diff"] = dict(before=before_role_mapping, after=desired_role_mapping)
+
+    if not result["changed"]:
+        # no changes
+        result["end_state"] = before_role_mapping
+        result["msg"] = f"No changes required for client role scope {target_client_id}."
+    elif state == "present":
+        # doing update
+        if module.check_mode:
+            result["end_state"] = desired_role_mapping
+        elif role_owner_client_id:
+            result["end_state"] = kc.update_client_role_scope_from_client(
+                role_mapping_to_manipulate, objClient["id"], role_owner_client["id"], realm
+            )
+        else:
+            result["end_state"] = kc.update_client_role_scope_from_realm(
+                role_mapping_to_manipulate, objClient["id"], realm
+            )
+        result["msg"] = f"Client role scope for {target_client_id} has been updated"
+    else:
+        # doing delete
+        if module.check_mode:
+            result["end_state"] = desired_role_mapping
+        elif role_owner_client_id:
+            result["end_state"] = kc.delete_client_role_scope_from_client(
+                role_mapping_to_manipulate, objClient["id"], role_owner_client["id"], realm
+            )
+        else:
+            result["end_state"] = kc.delete_client_role_scope_from_realm(
+                role_mapping_to_manipulate, objClient["id"], realm
+            )
+        result["msg"] = f"Client role scope for {target_client_id} has been deleted"
+    module.exit_json(**result)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/keycloak_client_scope.py

@@ -0,0 +1,328 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2024, Contributors to the middleware_automation.keycloak collection
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+DOCUMENTATION = '''
+---
+module: keycloak_client_scope
+
+short_description: Allows administration of Keycloak client scopes via Keycloak API
+
+# Originally added in community.general 3.4.0 as keycloak_clientscope
+version_added: "3.0.0"
+
+description:
+    - This module allows you to add, remove or modify Keycloak client scopes via the Keycloak REST API.
+      It requires access to the REST API via OpenID Connect; the user connecting and the client being
+      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+      and an admin user would work, as would a separate client definition with the scope tailored
+      to your needs and a user having the expected roles.
+
+    - This module also supports managing protocol mappers within a client scope.
+
+attributes:
+    check_mode:
+        support: full
+    diff_mode:
+        support: full
+
+options:
+    state:
+        description:
+            - State of the client scope.
+            - On V(present), the client scope will be created if it does not yet exist, or updated with the parameters you provide.
+            - On V(absent), the client scope will be removed if it exists.
+        default: 'present'
+        type: str
+        choices:
+            - present
+            - absent
+
+    name:
+        type: str
+        required: true
+        description:
+            - Name of the client scope.
+
+    description:
+        type: str
+        default: ''
+        description:
+            - Description of the client scope.
+
+    realm:
+        type: str
+        description:
+            - The Keycloak realm under which this client scope resides.
+        default: 'master'
+
+    protocol:
+        type: str
+        description:
+            - The protocol associated with the client scope.
+        default: 'openid-connect'
+        choices:
+            - openid-connect
+            - saml
+
+    attributes:
+        type: dict
+        description:
+            - A dict of key/value pairs to set as attributes for the client scope.
+
+    protocol_mappers:
+        type: list
+        elements: dict
+        description:
+            - A list of protocol mappers to associate with the client scope.
+            - Each mapper is a dict with the keys C(name), C(protocol), C(protocolMapper), and C(config).
+        default: []
+        suboptions:
+            name:
+                type: str
+                required: true
+                description:
+                    - Name of the protocol mapper.
+            protocol:
+                type: str
+                description:
+                    - Protocol for the mapper.
+                default: 'openid-connect'
+            protocolMapper:
+                type: str
+                required: true
+                description:
+                    - The mapper type (e.g. V(oidc-usermodel-attribute-mapper), V(oidc-audience-mapper)).
+                aliases:
+                    - protocol_mapper_type
+            config:
+                type: dict
+                required: true
+                description:
+                    - Configuration for the protocol mapper.
+
+extends_documentation_fragment:
+    - middleware_automation.keycloak.keycloak
+    - middleware_automation.keycloak.actiongroup_keycloak
+    - middleware_automation.keycloak.attributes
+
+author:
+    - Paulo Menon (@paulomenon)
+'''
+
+EXAMPLES = '''
+- name: Create a client scope with protocol mappers
+  middleware_automation.keycloak.keycloak_client_scope:
+    auth_keycloak_url: http://localhost:8080
+    auth_realm: master
+    auth_username: admin
+    auth_password: password
+    realm: TestRealm
+    name: my-client-scope
+    description: "A custom client scope"
+    protocol: openid-connect
+    protocol_mappers:
+      - name: email
+        protocol: openid-connect
+        protocolMapper: oidc-usermodel-attribute-mapper
+        config:
+          user.attribute: email
+          claim.name: email
+          jsonType.label: String
+          id.token.claim: "true"
+          access.token.claim: "true"
+          userinfo.token.claim: "true"
+    state: present
+  delegate_to: localhost
+
+- name: Create a client scope using token authentication
+  middleware_automation.keycloak.keycloak_client_scope:
+    auth_keycloak_url: http://localhost:8080
+    token: MY_TOKEN
+    realm: TestRealm
+    name: my-scope
+    state: present
+  delegate_to: localhost
+
+- name: Delete a client scope
+  middleware_automation.keycloak.keycloak_client_scope:
+    auth_keycloak_url: http://localhost:8080
+    auth_realm: master
+    auth_username: admin
+    auth_password: password
+    realm: TestRealm
+    name: my-client-scope
+    state: absent
+  delegate_to: localhost
+'''
+
+RETURN = '''
+msg:
+    description: Message as to what action was taken.
+    returned: always
+    type: str
+    sample: "Client scope my-scope has been created"
+
+end_state:
+    description: Representation of the client scope after module execution.
+    returned: on success
+    type: dict
+    sample: {
+        "id": "uuid-here",
+        "name": "my-scope",
+        "protocol": "openid-connect",
+        "description": "A custom scope"
+    }
+'''
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
+    keycloak_argument_spec, get_token, KeycloakError
+from ansible.module_utils.basic import AnsibleModule
+
+
+def main():
+    argument_spec = keycloak_argument_spec()
+
+    mapper_spec = dict(
+        name=dict(type='str', required=True),
+        protocol=dict(type='str', default='openid-connect'),
+        protocolMapper=dict(type='str', required=True, aliases=['protocol_mapper_type']),
+        config=dict(type='dict', required=True),
+    )
+
+    meta_args = dict(
+        state=dict(type='str', default='present', choices=['present', 'absent']),
+        name=dict(type='str', required=True),
+        description=dict(type='str', default=''),
+        realm=dict(type='str', default='master'),
+        protocol=dict(type='str', default='openid-connect', choices=['openid-connect', 'saml']),
+        attributes=dict(type='dict'),
+        protocol_mappers=dict(type='list', default=[], options=mapper_spec, elements='dict'),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(argument_spec=argument_spec,
+                           supports_check_mode=True,
+                           required_one_of=([['token', 'auth_realm', 'auth_username', 'auth_password']]),
+                           required_together=([['auth_realm', 'auth_username', 'auth_password']]))
+
+    result = dict(changed=False, msg='', diff={}, end_state={})
+
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    realm = module.params.get('realm')
+    name = module.params.get('name')
+    state = module.params.get('state')
+    protocol = module.params.get('protocol')
+    description = module.params.get('description')
+    attributes = module.params.get('attributes')
+    protocol_mappers = module.params.get('protocol_mappers')
+
+    before_scope = kc.get_client_scope_by_name(name, realm=realm)
+
+    if state == 'absent':
+        if before_scope:
+            result['changed'] = True
+            if module._diff:
+                result['diff'] = dict(before=before_scope, after='')
+            if module.check_mode:
+                module.exit_json(**result)
+            kc.delete_client_scope(cid=before_scope['id'], realm=realm)
+            result['msg'] = "Client scope {name} has been deleted".format(name=name)
+        else:
+            result['msg'] = "Client scope {name} does not exist, doing nothing".format(name=name)
+        result['end_state'] = {}
+        module.exit_json(**result)
+
+    scope_rep = {
+        'name': name,
+        'protocol': protocol,
+        'description': description,
+    }
+    if attributes:
+        scope_rep['attributes'] = attributes
+
+    if not before_scope:
+        result['changed'] = True
+        if module._diff:
+            result['diff'] = dict(before='', after=scope_rep)
+        if module.check_mode:
+            module.exit_json(**result)
+
+        kc.create_client_scope(scope_rep, realm=realm)
+        after_scope = kc.get_client_scope_by_name(name, realm=realm)
+
+        if protocol_mappers:
+            for mapper in protocol_mappers:
+                mapper_rep = {
+                    'name': mapper['name'],
+                    'protocol': mapper.get('protocol', protocol),
+                    'protocolMapper': mapper['protocolMapper'],
+                    'config': mapper['config'],
+                }
+                kc.create_client_scope_protocolmapper(after_scope['id'], mapper_rep, realm=realm)
+            after_scope = kc.get_client_scope_by_name(name, realm=realm)
+
+        result['end_state'] = after_scope
+        result['msg'] = "Client scope {name} has been created".format(name=name)
+        module.exit_json(**result)
+
+    else:
+        changed = False
+        for key in ('protocol', 'description'):
+            if scope_rep.get(key) and scope_rep[key] != before_scope.get(key):
+                changed = True
+                break
+
+        if attributes and attributes != before_scope.get('attributes', {}):
+            changed = True
+
+        if changed:
+            result['changed'] = True
+            scope_rep['id'] = before_scope['id']
+            if module._diff:
+                result['diff'] = dict(before=before_scope, after=scope_rep)
+            if module.check_mode:
+                module.exit_json(**result)
+            kc.update_client_scope(scope_rep, realm=realm)
+
+        if protocol_mappers:
+            existing_mappers = kc.get_client_scope_protocolmappers(before_scope['id'], realm=realm)
+            existing_mapper_names = {m['name'] for m in existing_mappers}
+
+            for mapper in protocol_mappers:
+                if mapper['name'] not in existing_mapper_names:
+                    result['changed'] = True
+                    if not module.check_mode:
+                        mapper_rep = {
+                            'name': mapper['name'],
+                            'protocol': mapper.get('protocol', protocol),
+                            'protocolMapper': mapper['protocolMapper'],
+                            'config': mapper['config'],
+                        }
+                        kc.create_client_scope_protocolmapper(before_scope['id'], mapper_rep, realm=realm)
+
+        after_scope = kc.get_client_scope_by_name(name, realm=realm)
+        result['end_state'] = after_scope
+
+        if result['changed']:
+            result['msg'] = "Client scope {name} has been updated".format(name=name)
+        else:
+            result['msg'] = "No changes required to client scope {name}".format(name=name)
+        module.exit_json(**result)
+
+
+if __name__ == '__main__':
+    main()

plugins/modules/keycloak_client_scope_rolemappings.py

@@ -0,0 +1,282 @@
+
+# Copyright (c) Ansible project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: keycloak_client_scope_rolemappings
+
+short_description: Allows administration of Keycloak client scope scope mappings to restrict the usage of certain roles to
+  specific client scopes
+
+# Originally added in community.general 13.1.0
+version_added: "3.0.0"
+
+description:
+  - This module allows you to add or remove Keycloak roles from client scopes using the Keycloak REST API. It requires access
+    to the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights.
+    In a default Keycloak installation, C(admin-cli) and an admin user would work, as would a separate client definition with
+    the scope tailored to your needs and a user having the expected roles.
+  - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and are returned that way
+    by this module. You may pass single values for attributes when calling the module, and this is translated into a list
+    suitable for the API.
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: full
+  action_group:
+    # Originally added in community.general 13.1.0
+    version_added: "3.0.0"
+
+options:
+  state:
+    description:
+      - State of the role mapping.
+      - On V(present), all roles in O(role_names) are mapped if not exist yet.
+      - On V(absent), all roles mapping in O(role_names) are removed if they exist.
+    default: 'present'
+    type: str
+    choices:
+      - present
+      - absent
+
+  realm:
+    type: str
+    description:
+      - The Keycloak realm under which clients resides.
+    default: 'master'
+
+  client_scope_id:
+    required: true
+    type: str
+    description:
+      - Roles provided in O(role_names) will be added to this client scope.
+
+  client_id:
+    type: str
+    description:
+      - If the O(role_names) are client roles, the client ID under which it resides.
+      - If this parameter is absent, the roles are considered realm roles.
+
+  role_names:
+    required: true
+    type: list
+    elements: str
+    description:
+      - Names of roles to add.
+      - If O(client_id) is present, all roles must be under this client.
+      - If O(client_id) is absent, all roles must be under the realm.
+
+extends_documentation_fragment:
+  - middleware_automation.keycloak.keycloak
+  - middleware_automation.keycloak.actiongroup_keycloak
+  - middleware_automation.keycloak.attributes
+
+author:
+  - Felix Grzelka (@felix-grzelka)
+  # This module was adapted from keycloak_client_rolescope, which was written by Andre Desrosiers (@desand01).
+"""
+
+EXAMPLES = r"""
+- name: Add roles to client scope
+  middleware_automation.keycloak.keycloak_client_scope_rolemappings:
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    realm: MyCustomRealm
+    client_id: frontend-client-public
+    client_scope_id: frontend-client-scope
+    role_names:
+      - backend-role-admin
+      - backend-role-user
+
+- name: Remove roles from client scope
+  middleware_automation.keycloak.keycloak_client_scope_rolemappings:
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    realm: MyCustomRealm
+    client_id: frontend-client-public
+    client_scope_id: frontend-client-scope
+    role_names:
+      - backend-role-admin
+    state: absent
+
+- name: Add realm roles to client scope
+  middleware_automation.keycloak.keycloak_client_scope_rolemappings:
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    realm: MyCustomRealm
+    client_scope_id: frontend-client-scope
+    role_names:
+      - realm-role-admin
+      - realm-role-user
+"""
+
+RETURN = r"""
+end_state:
+  description: Representation of client scope scope mappings after module execution.
+  returned: on success
+  type: list
+  elements: dict
+  sample:
+    [
+      {
+        "clientRole": false,
+        "composite": false,
+        "containerId": "77f9bd4e-13a6-451e-9c72-ee6997299c1f",
+        "description": "User role",
+        "id": "9e155ef7-86f5-4def-b507-581ce7b87013",
+        "name": "realm-role-user"
+      },
+      {
+        "clientRole": false,
+        "composite": false,
+        "containerId": "77f9bd4e-13a6-451e-9c72-ee6997299c1f",
+        "description": "Admin role",
+        "id": "9e155ef7-86f5-4def-b507-581ce7b87013",
+        "name": "realm-role-admin"
+      }
+    ]
+"""
+
+import copy
+
+from ansible.module_utils.basic import AnsibleModule
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import (
+    KeycloakAPI,
+    KeycloakError,
+    get_token,
+    keycloak_argument_spec,
+)
+
+
+def main():
+    argument_spec = keycloak_argument_spec()
+
+    meta_args = dict(
+        client_id=dict(type="str"),
+        client_scope_id=dict(type="str", required=True),
+        realm=dict(type="str", default="master"),
+        role_names=dict(type="list", elements="str", required=True),
+        state=dict(type="str", default="present", choices=["present", "absent"]),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=True)
+
+    result = dict(changed=False, msg="", diff={}, end_state={})
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    realm = module.params["realm"]
+    client_id = module.params["client_id"]
+    client_scope_id = module.params["client_scope_id"]
+    role_names = module.params["role_names"]
+    state = module.params["state"]
+
+    realm_object = kc.get_realm_by_id(realm)
+    if not realm_object:
+        module.fail_json(msg=f"Failed to retrieve realm '{realm}'")
+
+    client_scope_object = kc.get_client_scope_by_name(client_scope_id, realm)
+    if not client_scope_object:
+        module.fail_json(msg=f"Failed to retrieve client scope '{client_scope_id}'")
+
+    if client_id:
+        # add client role
+        client_object = kc.get_client_by_client_id(client_id, realm)
+        if not client_object:
+            module.fail_json(msg=f"Failed to retrieve client '{realm}.{client_id}'")
+        if client_object["fullScopeAllowed"] and state == "present":
+            module.fail_json(msg=f"FullScopeAllowed is active for Client '{realm}.{client_id}'")
+
+        before_roles = kc.get_client_scope_scope_mappings_client(client_scope_object["id"], client_object["id"], realm)
+        available_roles_by_name = kc.get_client_roles_by_id(client_object["id"], realm)
+    else:
+        # add realm role
+        before_roles = kc.get_client_scope_scope_mappings_realm(client_scope_object["id"], realm)
+        available_roles_by_name = kc.get_realm_roles(realm)
+
+    # convert to indexed Dict by name
+    available_roles_by_name = {role["name"]: role for role in available_roles_by_name}
+    before_roles_by_name = {role["name"]: role for role in before_roles}
+    desired_roles = copy.deepcopy(before_roles)
+    changed_roles = []
+
+    if state == "present":
+        # update desired
+        for role_name in role_names:
+            if role_name not in available_roles_by_name:
+                if client_id:
+                    module.fail_json(msg=f"Failed to retrieve role '{realm}.{client_id}.{role_name}'")
+                else:
+                    module.fail_json(msg=f"Failed to retrieve role '{realm}.{role_name}'")
+            if role_name not in before_roles_by_name:
+                changed_roles.append(available_roles_by_name[role_name])
+                desired_roles.append(available_roles_by_name[role_name])
+    else:
+        # remove role if present
+        for role_name in role_names:
+            if role_name in before_roles_by_name:
+                changed_roles.append(before_roles_by_name[role_name])
+                desired_roles.remove(available_roles_by_name[role_name])
+
+    before_roles = sorted(before_roles, key=lambda d: d["name"])
+    desired_role_mapping = sorted(desired_roles, key=lambda d: d["name"])
+
+    result["changed"] = bool(changed_roles)
+
+    if module._diff:
+        result["diff"] = dict(before={"roles": before_roles}, after={"roles": desired_role_mapping})
+
+    if not result["changed"]:
+        # no changes
+        result["end_state"] = before_roles
+        result["msg"] = f"No changes required for client scope {client_scope_id}."
+    elif state == "present":
+        # doing update
+        if module.check_mode:
+            result["end_state"] = desired_role_mapping
+        elif client_id:
+            result["end_state"] = kc.update_client_scope_scope_mappings_client(
+                changed_roles, client_scope_object["id"], client_object["id"], realm
+            )
+        else:
+            result["end_state"] = kc.update_client_scope_scope_mappings_realm(
+                changed_roles, client_scope_object["id"], realm
+            )
+        result["msg"] = f"Clientscope scope mappings for {client_scope_id} have been updated"
+    else:
+        # doing delete
+        if module.check_mode:
+            result["end_state"] = desired_role_mapping
+        elif client_id:
+            result["end_state"] = kc.delete_client_scope_scope_mappings_client(
+                changed_roles, client_scope_object["id"], client_object["id"], realm
+            )
+        else:
+            result["end_state"] = kc.delete_client_scope_scope_mappings_realm(
+                changed_roles, client_scope_object["id"], realm
+            )
+        result["msg"] = f"Clientscope scope mappings for {client_scope_id} have been deleted"
+    module.exit_json(**result)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/keycloak_client_scope_type.py

@@ -0,0 +1,315 @@
+
+# Copyright (c) Ansible project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: keycloak_client_scope_type
+
+short_description: Set the type of a client scope in a realm or client using the Keycloak API
+
+# Originally added in community.general 6.6.0
+version_added: "3.0.0"
+
+description:
+  - This module allows you to set the type (optional, default) of client scopes using the Keycloak REST API. It requires access
+    to the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights.
+    In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with
+    the scope tailored to your needs and a user having the expected roles.
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: full
+  action_group:
+    # Originally added in community.general 10.2.0
+    version_added: "3.0.0"
+
+options:
+  realm:
+    type: str
+    description:
+      - The Keycloak realm.
+    default: 'master'
+
+  client_id:
+    description:
+      - The O(client_id) of the client. If not set the client scope types are set as a default for the realm.
+    aliases:
+      - clientId
+    type: str
+
+  default_client_scopes:
+    description:
+      - Client scopes that should be of type default.
+    type: list
+    elements: str
+
+  optional_client_scopes:
+    description:
+      - Client scopes that should be of type optional.
+    type: list
+    elements: str
+
+extends_documentation_fragment:
+  - middleware_automation.keycloak.keycloak
+  - middleware_automation.keycloak.actiongroup_keycloak
+  - middleware_automation.keycloak.attributes
+
+author:
+  - Simon Pahl (@simonpahl)
+"""
+
+EXAMPLES = r"""
+- name: Set default client scopes on realm level
+  middleware_automation.keycloak.keycloak_client_scope_type:
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    realm: "MyCustomRealm"
+    default_client_scopes: ['profile', 'roles']
+  delegate_to: localhost
+
+
+- name: Set default and optional client scopes on client level with token auth
+  middleware_automation.keycloak.keycloak_client_scope_type:
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    token: TOKEN
+    realm: "MyCustomRealm"
+    client_id: "MyCustomClient"
+    default_client_scopes: ['profile', 'roles']
+    optional_client_scopes: ['phone']
+  delegate_to: localhost
+"""
+
+RETURN = r"""
+msg:
+  description: Message as to what action was taken.
+  returned: always
+  type: str
+  sample: ""
+proposed:
+  description: Representation of proposed client scope types mapping.
+  returned: always
+  type: dict
+  sample:
+    {
+      "default_client_scopes": [
+        "profile",
+        "role"
+      ],
+      "optional_client_scopes": []
+    }
+existing:
+  description:
+    - Representation of client scopes before module execution.
+  returned: always
+  type: dict
+  sample:
+    {
+      "default_client_scopes": [
+        "profile",
+        "role"
+      ],
+      "optional_client_scopes": [
+        "phone"
+      ]
+    }
+end_state:
+  description:
+    - Representation of client scopes after module execution.
+    - The sample is truncated.
+  returned: on success
+  type: dict
+  sample:
+    {
+      "default_client_scopes": [
+        "profile",
+        "role"
+      ],
+      "optional_client_scopes": []
+    }
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import (
+    KeycloakAPI,
+    KeycloakError,
+    get_token,
+    keycloak_argument_spec,
+)
+
+
+def keycloak_client_scope_type_module():
+    """
+    Returns an AnsibleModule definition.
+
+    :return: argument_spec dict
+    """
+    argument_spec = keycloak_argument_spec()
+
+    meta_args = dict(
+        realm=dict(default="master"),
+        client_id=dict(type="str", aliases=["clientId"]),
+        default_client_scopes=dict(type="list", elements="str"),
+        optional_client_scopes=dict(type="list", elements="str"),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        required_one_of=(
+            [
+                ["token", "auth_realm", "auth_username", "auth_password", "auth_client_id", "auth_client_secret"],
+                ["default_client_scopes", "optional_client_scopes"],
+            ]
+        ),
+        required_together=([["auth_username", "auth_password"]]),
+        required_by={"refresh_token": "auth_realm"},
+        mutually_exclusive=[["token", "auth_realm"], ["token", "auth_username"], ["token", "auth_password"]],
+    )
+
+    return module
+
+
+def client_scopes_to_add(existing, proposed):
+    to_add = []
+    existing_client_scope_ids = extract_field(existing, "id")
+    for client_scope in proposed:
+        if client_scope["id"] not in existing_client_scope_ids:
+            to_add.append(client_scope)
+    return to_add
+
+
+def client_scopes_to_delete(existing, proposed):
+    to_delete = []
+    proposed_client_scope_ids = extract_field(proposed, "id")
+    for client_scope in existing:
+        if client_scope["id"] not in proposed_client_scope_ids:
+            to_delete.append(client_scope)
+    return to_delete
+
+
+def extract_field(dictionary, field="name"):
+    return [cs[field] for cs in dictionary]
+
+
+def normalize_scopes(scopes):
+    scopes_copy = scopes.copy()
+    if isinstance(scopes_copy.get("default_client_scopes"), list):
+        scopes_copy["default_client_scopes"] = sorted(scopes_copy["default_client_scopes"])
+    if isinstance(scopes_copy.get("optional_client_scopes"), list):
+        scopes_copy["optional_client_scopes"] = sorted(scopes_copy["optional_client_scopes"])
+    return scopes_copy
+
+
+def main():
+    """
+    Module keycloak_client_scope_type
+
+    :return:
+    """
+
+    module = keycloak_client_scope_type_module()
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    realm = module.params.get("realm")
+    client_id = module.params.get("client_id")
+    default_client_scopes = module.params.get("default_client_scopes")
+    optional_client_scopes = module.params.get("optional_client_scopes")
+
+    result = dict(changed=False, msg="", proposed={}, existing={}, end_state={})
+
+    all_client_scopes = kc.get_client_scopes(realm)
+    default_client_scopes_real = []
+    optional_client_scopes_real = []
+
+    for client_scope in all_client_scopes:
+        if default_client_scopes is not None and client_scope["name"] in default_client_scopes:
+            default_client_scopes_real.append(client_scope)
+        if optional_client_scopes is not None and client_scope["name"] in optional_client_scopes:
+            optional_client_scopes_real.append(client_scope)
+
+    if default_client_scopes is not None and len(default_client_scopes_real) != len(default_client_scopes):
+        module.fail_json(msg="At least one of the default_client_scopes does not exist!")
+
+    if optional_client_scopes is not None and len(optional_client_scopes_real) != len(optional_client_scopes):
+        module.fail_json(msg="At least one of the optional_client_scopes does not exist!")
+
+    result["proposed"].update(
+        {
+            "default_client_scopes": "no-change" if default_client_scopes is None else default_client_scopes,
+            "optional_client_scopes": "no-change" if optional_client_scopes is None else optional_client_scopes,
+        }
+    )
+
+    default_client_scopes_existing = kc.get_default_client_scopes(realm, client_id)
+    optional_client_scopes_existing = kc.get_optional_client_scopes(realm, client_id)
+
+    result["existing"].update(
+        {
+            "default_client_scopes": extract_field(default_client_scopes_existing),
+            "optional_client_scopes": extract_field(optional_client_scopes_existing),
+        }
+    )
+
+    if module._diff:
+        result["diff"] = dict(before=normalize_scopes(result["existing"]), after=normalize_scopes(result["proposed"]))
+
+    default_client_scopes_add = client_scopes_to_add(default_client_scopes_existing, default_client_scopes_real)
+    optional_client_scopes_add = client_scopes_to_add(optional_client_scopes_existing, optional_client_scopes_real)
+
+    default_client_scopes_delete = client_scopes_to_delete(default_client_scopes_existing, default_client_scopes_real)
+    optional_client_scopes_delete = client_scopes_to_delete(optional_client_scopes_existing, optional_client_scopes_real)
+
+    result["changed"] = any(
+        len(x) > 0
+        for x in [
+            default_client_scopes_add,
+            optional_client_scopes_add,
+            default_client_scopes_delete,
+            optional_client_scopes_delete,
+        ]
+    )
+
+    if module.check_mode:
+        module.exit_json(**result)
+
+    # first delete so client_scopes can change type
+    for client_scope in default_client_scopes_delete:
+        kc.delete_default_client_scope(client_scope["id"], realm, client_id)
+    for client_scope in optional_client_scopes_delete:
+        kc.delete_optional_client_scope(client_scope["id"], realm, client_id)
+
+    for client_scope in default_client_scopes_add:
+        kc.add_default_client_scope(client_scope["id"], realm, client_id)
+    for client_scope in optional_client_scopes_add:
+        kc.add_optional_client_scope(client_scope["id"], realm, client_id)
+
+    result["end_state"].update(
+        {
+            "default_client_scopes": extract_field(kc.get_default_client_scopes(realm, client_id)),
+            "optional_client_scopes": extract_field(kc.get_optional_client_scopes(realm, client_id)),
+        }
+    )
+
+    module.exit_json(**result)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/keycloak_clientsecret_info.py

@@ -0,0 +1,168 @@
+
+# Copyright (c) 2022, Fynn Chen <ethan.cfchen@gmail.com>
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: keycloak_clientsecret_info
+
+short_description: Retrieve client secret using Keycloak API
+
+# Originally added in community.general 6.1.0
+version_added: "3.0.0"
+
+description:
+  - This module allows you to get a Keycloak client secret using the Keycloak REST API. It requires access to the REST API
+    using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default
+    Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with the scope tailored
+    to your needs and a user having the expected roles.
+  - When retrieving a new client secret, where possible provide the client's O(id) (not O(client_id)) to the module. This
+    removes a lookup to the API to translate the O(client_id) into the client ID.
+  - 'Note that this module returns the client secret. To avoid this showing up in the logs, please add C(no_log: true) to
+    the task.'
+attributes:
+  action_group:
+    # Originally added in community.general 10.2.0
+    version_added: "3.0.0"
+
+options:
+  realm:
+    type: str
+    description:
+      - They Keycloak realm under which this client resides.
+    default: 'master'
+
+  id:
+    description:
+      - The unique identifier for this client.
+      - This parameter is not required for getting or generating a client secret but providing it reduces the number of API
+        calls required.
+    type: str
+
+  client_id:
+    description:
+      - The O(client_id) of the client. Passing this instead of O(id) results in an extra API call.
+    aliases:
+      - clientId
+    type: str
+
+
+extends_documentation_fragment:
+  - middleware_automation.keycloak.keycloak
+  - middleware_automation.keycloak.actiongroup_keycloak
+  - middleware_automation.keycloak.attributes
+  - middleware_automation.keycloak.attributes.info_module
+
+author:
+  - Fynn Chen (@fynncfchen)
+  - John Cant (@johncant)
+"""
+
+EXAMPLES = r"""
+- name: Get a Keycloak client secret, authentication with credentials
+  middleware_automation.keycloak.keycloak_clientsecret_info:
+    id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd'
+    realm: MyCustomRealm
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+  delegate_to: localhost
+  no_log: true
+
+- name: Get a new Keycloak client secret, authentication with token
+  middleware_automation.keycloak.keycloak_clientsecret_info:
+    id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd'
+    realm: MyCustomRealm
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    token: TOKEN
+  delegate_to: localhost
+  no_log: true
+
+- name: Get a new Keycloak client secret, passing client_id instead of id
+  middleware_automation.keycloak.keycloak_clientsecret_info:
+    client_id: 'myClientId'
+    realm: MyCustomRealm
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    token: TOKEN
+  delegate_to: localhost
+  no_log: true
+
+- name: Get a new Keycloak client secret, authentication with auth_client_id and auth_client_secret
+  middleware_automation.keycloak.keycloak_clientsecret_info:
+    id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd'
+    realm: MyCustomRealm
+    auth_client_id: admin-cli
+    auth_client_secret: SECRET
+    auth_keycloak_url: https://auth.example.com
+  delegate_to: localhost
+  no_log: true
+"""
+
+RETURN = r"""
+msg:
+  description: Textual description of whether we succeeded or failed.
+  returned: always
+  type: str
+
+clientsecret_info:
+  description: Representation of the client secret.
+  returned: on success
+  type: complex
+  contains:
+    type:
+      description: Credential type.
+      type: str
+      returned: always
+      sample: secret
+    value:
+      description: Client secret.
+      type: str
+      returned: always
+      sample: cUGnX1EIeTtPPAkcyGMv0ncyqDPu68P1
+"""
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import (
+    KeycloakAPI,
+    KeycloakError,
+    get_token,
+)
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak_clientsecret import (
+    keycloak_clientsecret_module,
+    keycloak_clientsecret_module_resolve_params,
+)
+
+
+def main():
+    """
+    Module keycloak_clientsecret_info
+
+    :return:
+    """
+
+    module = keycloak_clientsecret_module()
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    id, realm = keycloak_clientsecret_module_resolve_params(module, kc)
+
+    clientsecret = kc.get_clientsecret(id=id, realm=realm)
+
+    result = {"clientsecret_info": clientsecret, "msg": f"Get client secret successful for ID {id}"}
+
+    module.exit_json(**result)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/keycloak_clientsecret_regenerate.py

@@ -0,0 +1,178 @@
+
+# Copyright (c) 2022, Fynn Chen <ethan.cfchen@gmail.com>
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: keycloak_clientsecret_regenerate
+
+short_description: Regenerate Keycloak client secret using Keycloak API
+
+# Originally added in community.general 6.1.0
+version_added: "3.0.0"
+
+description:
+  - This module allows you to regenerate a Keycloak client secret using the Keycloak REST API. It requires access to the REST
+    API using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default
+    Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with the scope tailored
+    to your needs and a user having the expected roles.
+  - When regenerating a client secret, where possible provide the client's ID (not client_id) to the module. This removes
+    a lookup to the API to translate the client_id into the client ID.
+  - 'Note that this module returns the client secret. To avoid this showing up in the logs, please add C(no_log: true) to
+    the task.'
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: none
+  action_group:
+    # Originally added in community.general 10.2.0
+    version_added: "3.0.0"
+
+options:
+  realm:
+    type: str
+    description:
+      - They Keycloak realm under which this client resides.
+    default: 'master'
+
+  id:
+    description:
+      - The unique identifier for this client.
+      - This parameter is not required for getting or generating a client secret but providing it reduces the number of API
+        calls required.
+    type: str
+
+  client_id:
+    description:
+      - The client_id of the client. Passing this instead of ID results in an extra API call.
+    aliases:
+      - clientId
+    type: str
+
+
+extends_documentation_fragment:
+  - middleware_automation.keycloak.keycloak
+  - middleware_automation.keycloak.actiongroup_keycloak
+  - middleware_automation.keycloak.attributes
+
+author:
+  - Fynn Chen (@fynncfchen)
+  - John Cant (@johncant)
+"""
+
+EXAMPLES = r"""
+- name: Regenerate a Keycloak client secret, authentication with credentials
+  middleware_automation.keycloak.keycloak_clientsecret_regenerate:
+    id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd'
+    realm: MyCustomRealm
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+  delegate_to: localhost
+  no_log: true
+
+- name: Regenerate a Keycloak client secret, authentication with token
+  middleware_automation.keycloak.keycloak_clientsecret_regenerate:
+    id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd'
+    realm: MyCustomRealm
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    token: TOKEN
+  delegate_to: localhost
+  no_log: true
+
+- name: Regenerate a Keycloak client secret, passing client_id instead of id
+  middleware_automation.keycloak.keycloak_clientsecret_info:
+    client_id: 'myClientId'
+    realm: MyCustomRealm
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    token: TOKEN
+  delegate_to: localhost
+  no_log: true
+
+- name: Regenerate a new Keycloak client secret, authentication with auth_client_id and auth_client_secret
+  middleware_automation.keycloak.keycloak_clientsecret_regenerate:
+    id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd'
+    realm: MyCustomRealm
+    auth_client_id: admin-cli
+    auth_client_secret: SECRET
+    auth_keycloak_url: https://auth.example.com
+  delegate_to: localhost
+  no_log: true
+"""
+
+RETURN = r"""
+msg:
+  description: Message as to what action was taken.
+  returned: always
+  type: str
+
+end_state:
+  description: Representation of the client credential after module execution.
+  returned: on success
+  type: complex
+  contains:
+    type:
+      description: Credential type.
+      type: str
+      returned: always
+      sample: secret
+    value:
+      description: Client secret.
+      type: str
+      returned: always
+      sample: cUGnX1EIeTtPPAkcyGMv0ncyqDPu68P1
+"""
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import (
+    KeycloakAPI,
+    KeycloakError,
+    get_token,
+)
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak_clientsecret import (
+    keycloak_clientsecret_module,
+    keycloak_clientsecret_module_resolve_params,
+)
+
+
+def main():
+    """
+    Module keycloak_clientsecret_regenerate
+
+    :return:
+    """
+
+    module = keycloak_clientsecret_module()
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    id, realm = keycloak_clientsecret_module_resolve_params(module, kc)
+
+    if module.check_mode:
+        dummy_result = {
+            "msg": "No action taken while in check mode",
+            "end_state": {"type": "secret", "value": "X" * 32},
+        }
+        module.exit_json(**dummy_result)
+
+    # Create new secret
+    clientsecret = kc.create_clientsecret(id=id, realm=realm)
+
+    result = {"msg": f"New client secret has been generated for ID {id}", "end_state": clientsecret}
+    module.exit_json(**result)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/keycloak_clienttemplate.py

@@ -0,0 +1,472 @@
+
+# Copyright (c) 2017, Eike Frost <ei@kefro.st>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: keycloak_clienttemplate
+
+short_description: Allows administration of Keycloak client templates using Keycloak API
+
+version_added: "3.0.0"
+
+description:
+  - This module allows the administration of Keycloak client templates using the Keycloak REST API. It requires access to
+    the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights.
+    In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with
+    the scope tailored to your needs and a user having the expected roles.
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
+    at U(https://www.keycloak.org/docs-api/latest/rest-api/index.html).
+  - The Keycloak API does not always enforce for only sensible settings to be used -- you can set SAML-specific settings on
+    an OpenID Connect client for instance and the other way around. Be careful. If you do not specify a setting, usually a
+    sensible default is chosen.
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: full
+  action_group:
+    # Originally added in community.general 10.2.0
+    version_added: "3.0.0"
+
+options:
+  state:
+    description:
+      - State of the client template.
+      - On V(present), the client template is created (or updated if it exists already).
+      - On V(absent), the client template is removed if it exists.
+    choices: ['present', 'absent']
+    default: 'present'
+    type: str
+
+  id:
+    description:
+      - ID of client template to be worked on. This is usually a UUID.
+    type: str
+
+  realm:
+    description:
+      - Realm this client template is found in.
+    type: str
+    default: master
+
+  name:
+    description:
+      - Name of the client template.
+    type: str
+
+  description:
+    description:
+      - Description of the client template in Keycloak.
+    type: str
+
+  protocol:
+    description:
+      - Type of client template.
+      - The V(docker-v2) value was added in middleware_automation.keycloak 8.6.0.
+    choices: ['openid-connect', 'saml', 'docker-v2']
+    type: str
+
+  full_scope_allowed:
+    description:
+      - Is the "Full Scope Allowed" feature set for this client template or not. This is C(fullScopeAllowed) in the Keycloak
+        REST API.
+    type: bool
+
+  protocol_mappers:
+    description:
+      - A list of dicts defining protocol mappers for this client template. This is C(protocolMappers) in the Keycloak REST
+        API.
+    type: list
+    elements: dict
+    suboptions:
+      consentRequired:
+        description:
+          - Specifies whether a user needs to provide consent to a client for this mapper to be active.
+        type: bool
+
+      consentText:
+        description:
+          - The human-readable name of the consent the user is presented to accept.
+        type: str
+
+      id:
+        description:
+          - Usually a UUID specifying the internal ID of this protocol mapper instance.
+        type: str
+
+      name:
+        description:
+          - The name of this protocol mapper.
+        type: str
+
+      protocol:
+        description:
+          - This specifies for which protocol this protocol mapper is active.
+        choices: ['openid-connect', 'saml', 'docker-v2']
+        type: str
+
+      protocolMapper:
+        description:
+          - 'The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide
+            since this may be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:'
+          - V(docker-v2-allow-all-mapper).
+          - V(oidc-address-mapper).
+          - V(oidc-full-name-mapper).
+          - V(oidc-group-membership-mapper).
+          - V(oidc-hardcoded-claim-mapper).
+          - V(oidc-hardcoded-role-mapper).
+          - V(oidc-role-name-mapper).
+          - V(oidc-script-based-protocol-mapper).
+          - V(oidc-sha256-pairwise-sub-mapper).
+          - V(oidc-usermodel-attribute-mapper).
+          - V(oidc-usermodel-client-role-mapper).
+          - V(oidc-usermodel-property-mapper).
+          - V(oidc-usermodel-realm-role-mapper).
+          - V(oidc-usersessionmodel-note-mapper).
+          - V(saml-group-membership-mapper).
+          - V(saml-hardcode-attribute-mapper).
+          - V(saml-hardcode-role-mapper).
+          - V(saml-role-list-mapper).
+          - V(saml-role-name-mapper).
+          - V(saml-user-attribute-mapper).
+          - V(saml-user-property-mapper).
+          - V(saml-user-session-note-mapper).
+          - An exhaustive list of available mappers on your installation can be obtained on the admin console by going to
+            Server Info -> Providers and looking under 'protocol-mapper'.
+        type: str
+
+      config:
+        description:
+          - Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value
+            of O(protocol_mappers[].protocolMapper) and are not documented other than by the source of the mappers and its
+            parent class(es). An example is given below. It is easiest to obtain valid config values by dumping an already-existing
+            protocol mapper configuration through check-mode in the RV(existing) field.
+        type: dict
+
+  attributes:
+    description:
+      - A dict of further attributes for this client template. This can contain various configuration settings, though in
+        the default installation of Keycloak as of 3.4, none are documented or known, so this is usually empty.
+    type: dict
+
+notes:
+  - The Keycloak REST API defines further fields (namely C(bearerOnly), C(consentRequired), C(standardFlowEnabled), C(implicitFlowEnabled),
+    C(directAccessGrantsEnabled), C(serviceAccountsEnabled), C(publicClient), and C(frontchannelLogout)) which, while available
+    with keycloak_client, do not have any effect on Keycloak client-templates and are discarded if supplied with an API request
+    changing client-templates. As such, they are not available through this module.
+extends_documentation_fragment:
+  - middleware_automation.keycloak.keycloak
+  - middleware_automation.keycloak.actiongroup_keycloak
+  - middleware_automation.keycloak.attributes
+
+author:
+  - Eike Frost (@eikef)
+"""
+
+EXAMPLES = r"""
+- name: Create or update Keycloak client template (minimal), authentication with credentials
+  middleware_automation.keycloak.keycloak_client:
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    realm: master
+    name: this_is_a_test
+  delegate_to: localhost
+
+- name: Create or update Keycloak client template (minimal), authentication with token
+  middleware_automation.keycloak.keycloak_clienttemplate:
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    token: TOKEN
+    realm: master
+    name: this_is_a_test
+  delegate_to: localhost
+
+- name: Delete Keycloak client template
+  middleware_automation.keycloak.keycloak_client:
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    realm: master
+    state: absent
+    name: test01
+  delegate_to: localhost
+
+- name: Create or update Keycloak client template (with a protocol mapper)
+  middleware_automation.keycloak.keycloak_client:
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    realm: master
+    name: this_is_a_test
+    protocol_mappers:
+      - config:
+          access.token.claim: true
+          claim.name: "family_name"
+          id.token.claim: true
+          jsonType.label: String
+          user.attribute: lastName
+          userinfo.token.claim: true
+        consentRequired: true
+        consentText: "${familyName}"
+        name: family name
+        protocol: openid-connect
+        protocolMapper: oidc-usermodel-property-mapper
+    full_scope_allowed: false
+    id: bce6f5e9-d7d3-4955-817e-c5b7f8d65b3f
+  delegate_to: localhost
+"""
+
+RETURN = r"""
+msg:
+  description: Message as to what action was taken.
+  returned: always
+  type: str
+  sample: "Client template testclient has been updated"
+
+proposed:
+  description: Representation of proposed client template.
+  returned: always
+  type: dict
+  sample: {"name": "test01"}
+
+existing:
+  description: Representation of existing client template (sample is truncated).
+  returned: always
+  type: dict
+  sample:
+    {
+      "description": "test01",
+      "fullScopeAllowed": false,
+      "id": "9c3712ab-decd-481e-954f-76da7b006e5f",
+      "name": "test01",
+      "protocol": "saml"
+    }
+
+end_state:
+  description: Representation of client template after module execution (sample is truncated).
+  returned: on success
+  type: dict
+  sample:
+    {
+      "description": "test01",
+      "fullScopeAllowed": false,
+      "id": "9c3712ab-decd-481e-954f-76da7b006e5f",
+      "name": "test01",
+      "protocol": "saml"
+    }
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import (
+    KeycloakAPI,
+    KeycloakError,
+    camel,
+    get_token,
+    keycloak_argument_spec,
+)
+
+
+def main():
+    """
+    Module execution
+
+    :return:
+    """
+    argument_spec = keycloak_argument_spec()
+
+    protmapper_spec = dict(
+        consentRequired=dict(type="bool"),
+        consentText=dict(type="str"),
+        id=dict(type="str"),
+        name=dict(type="str"),
+        protocol=dict(type="str", choices=["openid-connect", "saml", "docker-v2"]),
+        protocolMapper=dict(type="str"),
+        config=dict(type="dict"),
+    )
+
+    meta_args = dict(
+        realm=dict(type="str", default="master"),
+        state=dict(default="present", choices=["present", "absent"]),
+        id=dict(type="str"),
+        name=dict(type="str"),
+        description=dict(type="str"),
+        protocol=dict(type="str", choices=["openid-connect", "saml", "docker-v2"]),
+        attributes=dict(type="dict"),
+        full_scope_allowed=dict(type="bool"),
+        protocol_mappers=dict(type="list", elements="dict", options=protmapper_spec),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        required_one_of=(
+            [
+                ["id", "name"],
+                ["token", "auth_realm", "auth_username", "auth_password", "auth_client_id", "auth_client_secret"],
+            ]
+        ),
+        required_together=([["auth_username", "auth_password"]]),
+        required_by={"refresh_token": "auth_realm"},
+    )
+
+    result = dict(changed=False, msg="", diff={}, proposed={}, existing={}, end_state={})
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    realm = module.params.get("realm")
+    state = module.params.get("state")
+    cid = module.params.get("id")
+
+    # Filter and map the parameters names that apply to the client template
+    clientt_params = [
+        x
+        for x in module.params
+        if x
+        not in [
+            "state",
+            "auth_keycloak_url",
+            "auth_client_id",
+            "auth_realm",
+            "auth_client_secret",
+            "auth_username",
+            "auth_password",
+            "validate_certs",
+            "realm",
+        ]
+        and module.params.get(x) is not None
+    ]
+
+    # See if it already exists in Keycloak
+    if cid is None:
+        before_clientt = kc.get_client_template_by_name(module.params.get("name"), realm=realm)
+        if before_clientt is not None:
+            cid = before_clientt["id"]
+    else:
+        before_clientt = kc.get_client_template_by_id(cid, realm=realm)
+
+    if before_clientt is None:
+        before_clientt = {}
+
+    result["existing"] = before_clientt
+
+    # Build a proposed changeset from parameters given to this module
+    changeset = {}
+
+    for clientt_param in clientt_params:
+        # lists in the Keycloak API are sorted
+        new_param_value = module.params.get(clientt_param)
+        if isinstance(new_param_value, list):
+            try:
+                new_param_value = sorted(new_param_value)
+            except TypeError:
+                pass
+        changeset[camel(clientt_param)] = new_param_value
+
+    # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis)
+    desired_clientt = before_clientt.copy()
+    desired_clientt.update(changeset)
+
+    result["proposed"] = changeset
+
+    # Cater for when it doesn't exist (an empty dict)
+    if not before_clientt:
+        if state == "absent":
+            # Do nothing and exit
+            if module._diff:
+                result["diff"] = dict(before="", after="")
+            result["changed"] = False
+            result["end_state"] = {}
+            result["msg"] = "Client template does not exist, doing nothing."
+            module.exit_json(**result)
+
+        # Process a creation
+        result["changed"] = True
+
+        if "name" not in desired_clientt:
+            module.fail_json(msg="name needs to be specified when creating a new client")
+
+        if module._diff:
+            result["diff"] = dict(before="", after=desired_clientt)
+
+        if module.check_mode:
+            module.exit_json(**result)
+
+        # create it
+        kc.create_client_template(desired_clientt, realm=realm)
+        after_clientt = kc.get_client_template_by_name(desired_clientt["name"], realm=realm)
+
+        result["end_state"] = after_clientt
+
+        result["msg"] = f"Client template {desired_clientt['name']} has been created."
+        module.exit_json(**result)
+
+    else:
+        if state == "present":
+            # Process an update
+
+            result["changed"] = True
+            if module.check_mode:
+                # We can only compare the current client template with the proposed updates we have
+                if module._diff:
+                    result["diff"] = dict(before=before_clientt, after=desired_clientt)
+
+                module.exit_json(**result)
+
+            # do the update
+            kc.update_client_template(cid, desired_clientt, realm=realm)
+
+            after_clientt = kc.get_client_template_by_id(cid, realm=realm)
+            if before_clientt == after_clientt:
+                result["changed"] = False
+
+            result["end_state"] = after_clientt
+
+            if module._diff:
+                result["diff"] = dict(before=before_clientt, after=after_clientt)
+
+            result["msg"] = f"Client template {desired_clientt['name']} has been updated."
+            module.exit_json(**result)
+
+        else:
+            # Process a deletion (because state was not 'present')
+            result["changed"] = True
+
+            if module._diff:
+                result["diff"] = dict(before=before_clientt, after="")
+
+            if module.check_mode:
+                module.exit_json(**result)
+
+            # delete it
+            kc.delete_client_template(cid, realm=realm)
+            result["proposed"] = {}
+
+            result["end_state"] = {}
+
+            result["msg"] = f"Client template {before_clientt['name']} has been deleted."
+
+    module.exit_json(**result)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/keycloak_component.py

@@ -0,0 +1,328 @@
+
+# Copyright (c) 2024, Björn Bösel <bjoernboesel@gmail.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or
+# https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: keycloak_component
+
+short_description: Allows administration of Keycloak components using Keycloak API
+
+# Originally added in community.general 10.0.0
+version_added: "3.0.0"
+
+description:
+  - This module allows the administration of Keycloak components using the Keycloak REST API. It requires access to the REST
+    API using OpenID Connect; the user connecting and the realm being used must have the requisite access rights. In a default
+    Keycloak installation, C(admin-cli) and an C(admin) user would work, as would a separate realm definition with the scope
+    tailored to your needs and a user having the expected roles.
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
+    at U(https://www.keycloak.org/docs-api/latest/rest-api/index.html). Aliases are provided so camelCased versions can be
+    used as well.
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: full
+  action_group:
+    # Originally added in community.general 10.2.0
+    version_added: "3.0.0"
+
+options:
+  state:
+    description:
+      - State of the Keycloak component.
+      - On V(present), the component is created (or updated if it exists already).
+      - On V(absent), the component is removed if it exists.
+    choices: ['present', 'absent']
+    default: 'present'
+    type: str
+  name:
+    description:
+      - Name of the component to create.
+    type: str
+    required: true
+  parent_id:
+    description:
+      - The parent_id of the component. In practice the ID (name) of the realm.
+    type: str
+    required: true
+  provider_id:
+    description:
+      - The name of the "provider ID" for the key.
+    type: str
+    required: true
+  provider_type:
+    description:
+      - The name of the "provider type" for the key. That is, V(org.keycloak.storage.UserStorageProvider), V(org.keycloak.userprofile.UserProfileProvider),
+        ...
+      - See U(https://www.keycloak.org/docs/latest/server_development/index.html#_providers).
+    type: str
+    required: true
+  config:
+    description:
+      - Configuration properties for the provider.
+      - Contents vary depending on the provider type.
+    type: dict
+
+extends_documentation_fragment:
+  - middleware_automation.keycloak.keycloak
+  - middleware_automation.keycloak.actiongroup_keycloak
+  - middleware_automation.keycloak.attributes
+
+author:
+  - Björn Bösel (@fivetide)
+"""
+
+EXAMPLES = r"""
+- name: Manage Keycloak User Storage Provider
+  middleware_automation.keycloak.keycloak_component:
+    auth_keycloak_url: http://localhost:8080
+    auth_username: keycloak
+    auth_password: keycloak
+    auth_realm: master
+    name: my storage provider
+    state: present
+    parent_id: some_realm
+    provider_id: my storage
+    provider_type: "org.keycloak.storage.UserStorageProvider"
+    config:
+      myCustomKey: "my_custom_key"
+      cachePolicy: "NO_CACHE"
+      enabled: true
+"""
+
+RETURN = r"""
+end_state:
+  description: Representation of the keycloak_component after module execution.
+  returned: on success
+  type: dict
+  contains:
+    id:
+      description: ID of the component.
+      type: str
+      returned: when O(state=present)
+      sample: 5b7ec13f-99da-46ad-8326-ab4c73cf4ce4
+    name:
+      description: Name of the component.
+      type: str
+      returned: when O(state=present)
+      sample: mykey
+    parentId:
+      description: ID of the realm this key belongs to.
+      type: str
+      returned: when O(state=present)
+      sample: myrealm
+    providerId:
+      description: The ID of the key provider.
+      type: str
+      returned: when O(state=present)
+      sample: rsa
+    providerType:
+      description: The type of provider.
+      type: str
+      returned: when O(state=present)
+    config:
+      description: Component configuration.
+      type: dict
+"""
+
+from copy import deepcopy
+from urllib.parse import urlencode
+
+from ansible.module_utils.basic import AnsibleModule
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import (
+    KeycloakAPI,
+    KeycloakError,
+    camel,
+    get_token,
+    keycloak_argument_spec,
+)
+
+
+def main():
+    argument_spec = keycloak_argument_spec()
+
+    meta_args = dict(
+        state=dict(type="str", default="present", choices=["present", "absent"]),
+        name=dict(type="str", required=True),
+        parent_id=dict(type="str", required=True),
+        provider_id=dict(type="str", required=True),
+        provider_type=dict(type="str", required=True),
+        config=dict(
+            type="dict",
+        ),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        required_one_of=(
+            [["token", "auth_realm", "auth_username", "auth_password", "auth_client_id", "auth_client_secret"]]
+        ),
+        required_together=([["auth_username", "auth_password"]]),
+        required_by={"refresh_token": "auth_realm"},
+    )
+
+    result = dict(changed=False, msg="", end_state={}, diff=dict(before={}, after={}))
+
+    # This will include the current state of the component if it is already
+    # present. This is only used for diff-mode.
+    before_component = {}
+    before_component["config"] = {}
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    params_to_ignore = list(keycloak_argument_spec().keys()) + ["state", "parent_id"]
+
+    # Filter and map the parameters names that apply to the role
+    component_params = [x for x in module.params if x not in params_to_ignore and module.params.get(x) is not None]
+
+    provider_type = module.params.get("provider_type")
+
+    # Build a proposed changeset from parameters given to this module
+    changeset = {}
+    changeset["config"] = {}
+
+    # Generate a JSON payload for Keycloak Admin API from the module
+    # parameters.  Parameters that do not belong to the JSON payload (e.g.
+    # "state" or "auth_keycloal_url") have been filtered away earlier (see
+    # above).
+    #
+    # This loop converts Ansible module parameters (snake-case) into
+    # Keycloak-compatible format (camel-case). For example private_key
+    # becomes privateKey.
+    #
+    # It also converts bool, str and int parameters into lists with a single
+    # entry of 'str' type. Bool values are also lowercased. This is required
+    # by Keycloak.
+    #
+    for component_param in component_params:
+        if component_param == "config":
+            for config_param in module.params.get("config"):
+                changeset["config"][camel(config_param)] = []
+                raw_value = module.params.get("config")[config_param]
+                if isinstance(raw_value, bool):
+                    value = str(raw_value).lower()
+                else:
+                    value = str(raw_value)
+
+                changeset["config"][camel(config_param)].append(value)
+        else:
+            # No need for camelcase in here as these are one word parameters
+            new_param_value = module.params.get(component_param)
+            changeset[camel(component_param)] = new_param_value
+
+    # Make a deep copy of the changeset. This is use when determining
+    # changes to the current state.
+    changeset_copy = deepcopy(changeset)
+
+    # Make it easier to refer to current module parameters
+    name = module.params.get("name")
+    state = module.params.get("state")
+    provider_type = module.params.get("provider_type")
+    parent_id = module.params.get("parent_id")
+
+    # Get a list of all Keycloak components that are of keyprovider type.
+    current_components = kc.get_components(urlencode(dict(type=provider_type)), parent_id)
+
+    # If this component is present get its key ID. Confusingly the key ID is
+    # also known as the Provider ID.
+    component_id = None
+
+    # Track individual parameter changes
+    changes = ""
+
+    # This tells Ansible whether the key was changed (added, removed, modified)
+    result["changed"] = False
+
+    # Loop through the list of components. If we encounter a component whose
+    # name matches the value of the name parameter then assume the key is
+    # already present.
+    for component in current_components:
+        if component["name"] == name:
+            component_id = component["id"]
+            changeset["id"] = component_id
+            changeset_copy["id"] = component_id
+
+            # Compare top-level parameters
+            for param in changeset:
+                before_component[param] = component[param]
+
+                if changeset_copy[param] != component[param] and param != "config":
+                    changes += f"{param}: {component[param]} -> {changeset_copy[param]}, "
+                    result["changed"] = True
+            # Compare parameters under the "config" key
+            for p, v in changeset_copy["config"].items():
+                try:
+                    before_component["config"][p] = component["config"][p] or []
+                except KeyError:
+                    before_component["config"][p] = []
+                if v != component["config"][p]:
+                    changes += f"config.{p}: {component['config'][p]} -> {v}, "
+                    result["changed"] = True
+
+    # Check all the possible states of the resource and do what is needed to
+    # converge current state with desired state (create, update or delete
+    # the key).
+    if component_id and state == "present":
+        if result["changed"]:
+            if module._diff:
+                result["diff"] = dict(before=before_component, after=changeset_copy)
+
+            if module.check_mode:
+                result["msg"] = f"Component {name} would be changed: {changes.strip(', ')}"
+            else:
+                kc.update_component(changeset, parent_id)
+                result["msg"] = f"Component {name} changed: {changes.strip(', ')}"
+        else:
+            result["msg"] = f"Component {name} was in sync"
+
+        result["end_state"] = changeset_copy
+    elif component_id and state == "absent":
+        if module._diff:
+            result["diff"] = dict(before=before_component, after={})
+
+        if module.check_mode:
+            result["changed"] = True
+            result["msg"] = f"Component {name} would be deleted"
+        else:
+            kc.delete_component(component_id, parent_id)
+            result["changed"] = True
+            result["msg"] = f"Component {name} deleted"
+
+        result["end_state"] = {}
+    elif not component_id and state == "present":
+        if module._diff:
+            result["diff"] = dict(before={}, after=changeset_copy)
+
+        if module.check_mode:
+            result["changed"] = True
+            result["msg"] = f"Component {name} would be created"
+        else:
+            kc.create_component(changeset, parent_id)
+            result["changed"] = True
+            result["msg"] = f"Component {name} created"
+
+        result["end_state"] = changeset_copy
+    elif not component_id and state == "absent":
+        result["changed"] = False
+        result["msg"] = f"Component {name} not present"
+        result["end_state"] = {}
+
+    module.exit_json(**result)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/keycloak_component_info.py

@@ -0,0 +1,171 @@
+
+# Copyright (c) Ansible project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: keycloak_component_info
+
+short_description: Retrieve component info in Keycloak
+
+# Originally added in community.general 8.2.0
+version_added: "3.0.0"
+
+description:
+  - This module retrieve information on component from Keycloak.
+attributes:
+  action_group:
+    # Originally added in community.general 10.2.0
+    version_added: "3.0.0"
+
+options:
+  realm:
+    description:
+      - The name of the realm.
+    required: true
+    type: str
+  name:
+    description:
+      - Name of the Component.
+    type: str
+  provider_type:
+    description:
+      - Provider type of components.
+      - 'Examples: V(org.keycloak.storage.UserStorageProvider), V(org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy),
+        V(org.keycloak.keys.KeyProvider), V(org.keycloak.userprofile.UserProfileProvider), V(org.keycloak.storage.ldap.mappers.LDAPStorageMapper).'
+    type: str
+  parent_id:
+    description:
+      - Container ID of the components.
+    type: str
+
+
+extends_documentation_fragment:
+  - middleware_automation.keycloak.keycloak
+  - middleware_automation.keycloak.actiongroup_keycloak
+  - middleware_automation.keycloak.attributes
+  - middleware_automation.keycloak.attributes.info_module
+
+author:
+  - Andre Desrosiers (@desand01)
+"""
+
+EXAMPLES = r"""
+- name: Retrive info of a UserStorageProvider named myldap
+  middleware_automation.keycloak.keycloak_component_info:
+    auth_keycloak_url: http://localhost:8080
+    auth_username: admin
+    auth_password: password
+    auth_realm: master
+    realm: myrealm
+    name: myldap
+    provider_type: org.keycloak.storage.UserStorageProvider
+
+- name: Retrive key info component
+  middleware_automation.keycloak.keycloak_component_info:
+    auth_keycloak_url: http://localhost:8080
+    auth_username: admin
+    auth_password: password
+    auth_realm: master
+    realm: myrealm
+    name: rsa-enc-generated
+    provider_type: org.keycloak.keys.KeyProvider
+
+- name: Retrive all component from realm master
+  middleware_automation.keycloak.keycloak_component_info:
+    auth_keycloak_url: http://localhost:8080
+    auth_username: admin
+    auth_password: password
+    auth_realm: master
+    realm: myrealm
+
+- name: Retrive all sub components of parent component filter by type
+  middleware_automation.keycloak.keycloak_component_info:
+    auth_keycloak_url: http://localhost:8080
+    auth_username: admin
+    auth_password: password
+    auth_realm: master
+    realm: myrealm
+    parent_id: "075ef2fa-19fc-4a6d-bf4c-249f57365fd2"
+    provider_type: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
+"""
+
+RETURN = r"""
+components:
+  description: JSON representation of components.
+  returned: always
+  type: list
+  elements: dict
+"""
+
+from urllib.parse import quote
+
+from ansible.module_utils.basic import AnsibleModule
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import (
+    KeycloakAPI,
+    KeycloakError,
+    get_token,
+    keycloak_argument_spec,
+)
+
+
+def main():
+    """
+    Module execution
+
+    :return:
+    """
+    argument_spec = keycloak_argument_spec()
+
+    meta_args = dict(
+        name=dict(type="str"),
+        realm=dict(type="str", required=True),
+        parent_id=dict(type="str"),
+        provider_type=dict(type="str"),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=True)
+
+    result = dict(changed=False, components=[])
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    realm = module.params.get("realm")
+    parentId = module.params.get("parent_id")
+    name = module.params.get("name")
+    providerType = module.params.get("provider_type")
+
+    objRealm = kc.get_realm_by_id(realm)
+    if not objRealm:
+        module.fail_json(msg=f"Failed to retrive realm '{realm}'")
+
+    filters = []
+
+    if parentId:
+        filters.append(f"parent={quote(parentId, safe='')}")
+    else:
+        filters.append(f"parent={quote(objRealm['id'], safe='')}")
+
+    if name:
+        filters.append(f"name={quote(name, safe='')}")
+    if providerType:
+        filters.append(f"type={quote(providerType, safe='')}")
+
+    result["components"] = kc.get_components(filter="&".join(filters), realm=realm)
+
+    module.exit_json(**result)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/keycloak_group.py

@@ -0,0 +1,493 @@
+
+# Copyright (c) 2019, Adam Goossens <adam.goossens@gmail.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: keycloak_group
+
+short_description: Allows administration of Keycloak groups using Keycloak API
+
+version_added: "3.0.0"
+
+description:
+  - This module allows you to add, remove or modify Keycloak groups using the Keycloak REST API. It requires access to the
+    REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In
+    a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with the
+    scope tailored to your needs and a user having the expected roles.
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
+    at U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html).
+  - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and are returned that way
+    by this module. You may pass single values for attributes when calling the module, and this is translated into a list
+    suitable for the API.
+  - When updating a group, where possible provide the group ID to the module. This removes a lookup to the API to translate
+    the name into the group ID.
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: full
+  action_group:
+    # Originally added in community.general 10.2.0
+    version_added: "3.0.0"
+
+options:
+  state:
+    description:
+      - State of the group.
+      - On V(present), the group is created if it does not yet exist, or updated with the parameters you provide.
+      - On V(absent), the group is removed if it exists. Be aware that absenting a group with subgroups automatically deletes
+        all its subgroups too.
+    default: 'present'
+    type: str
+    choices:
+      - present
+      - absent
+
+  name:
+    type: str
+    description:
+      - Name of the group.
+      - This parameter is required only when creating or updating the group.
+  realm:
+    type: str
+    description:
+      - They Keycloak realm under which this group resides.
+    default: 'master'
+
+  id:
+    type: str
+    description:
+      - The unique identifier for this group.
+      - This parameter is not required for updating or deleting a group but providing it reduces the number of API calls required.
+  attributes:
+    type: dict
+    description:
+      - A dict of key/value pairs to set as custom attributes for the group.
+      - Values may be single values (for example a string) or a list of strings.
+  parents:
+    type: list
+    description:
+      - List of parent groups for the group to handle sorted top to bottom.
+      - Set this to create a group as a subgroup of another group or groups (parents) or when accessing an existing subgroup
+        by name.
+      - Not necessary to set when accessing an existing subgroup by its C(ID) because in that case the group can be directly
+        queried without necessarily knowing its parent(s).
+    elements: dict
+    suboptions:
+      id:
+        type: str
+        description:
+          - Identify parent by ID.
+          - Needs less API calls than using O(parents[].name).
+          - A deep parent chain can be started at any point when first given parent is given as ID.
+          - Note that in principle both ID and name can be specified at the same time but current implementation only always
+            use just one of them, with ID being preferred.
+      name:
+        type: str
+        description:
+          - Identify parent by name.
+          - Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
+          - When giving a parent chain with only names it must be complete up to the top.
+          - Note that in principle both ID and name can be specified at the same time but current implementation only always
+            use just one of them, with ID being preferred.
+notes:
+  - Presently, the RV(end_state.realmRoles), RV(end_state.clientRoles), and RV(end_state.access) attributes returned by the
+    Keycloak API are read-only for groups. This limitation will be removed in a later version of this module.
+extends_documentation_fragment:
+  - middleware_automation.keycloak.keycloak
+  - middleware_automation.keycloak.actiongroup_keycloak
+  - middleware_automation.keycloak.attributes
+
+author:
+  - Adam Goossens (@adamgoossens)
+"""
+
+EXAMPLES = r"""
+- name: Create a Keycloak group, authentication with credentials
+  middleware_automation.keycloak.keycloak_group:
+    name: my-new-kc-group
+    realm: MyCustomRealm
+    state: present
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+  register: result_new_kcgrp
+  delegate_to: localhost
+
+- name: Create a Keycloak group, authentication with token
+  middleware_automation.keycloak.keycloak_group:
+    name: my-new-kc-group
+    realm: MyCustomRealm
+    state: present
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    token: TOKEN
+  delegate_to: localhost
+
+- name: Delete a keycloak group
+  middleware_automation.keycloak.keycloak_group:
+    id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd'
+    state: absent
+    realm: MyCustomRealm
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+  delegate_to: localhost
+
+- name: Delete a Keycloak group based on name
+  middleware_automation.keycloak.keycloak_group:
+    name: my-group-for-deletion
+    state: absent
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+  delegate_to: localhost
+
+- name: Update the name of a Keycloak group
+  middleware_automation.keycloak.keycloak_group:
+    id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd'
+    name: an-updated-kc-group-name
+    state: present
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+  delegate_to: localhost
+
+- name: Create a keycloak group with some custom attributes
+  middleware_automation.keycloak.keycloak_group:
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    name: my-new_group
+    attributes:
+      attrib1: value1
+      attrib2: value2
+      attrib3:
+        - with
+        - numerous
+        - individual
+        - list
+        - items
+  delegate_to: localhost
+
+- name: Create a Keycloak subgroup of a base group (using parent name)
+  middleware_automation.keycloak.keycloak_group:
+    name: my-new-kc-group-sub
+    realm: MyCustomRealm
+    state: present
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    parents:
+      - name: my-new-kc-group
+  register: result_new_kcgrp_sub
+  delegate_to: localhost
+
+- name: Create a Keycloak subgroup of a base group (using parent id)
+  middleware_automation.keycloak.keycloak_group:
+    name: my-new-kc-group-sub2
+    realm: MyCustomRealm
+    state: present
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    parents:
+      - id: "{{ result_new_kcgrp.end_state.id }}"
+  delegate_to: localhost
+
+- name: Create a Keycloak subgroup of a subgroup (using parent names)
+  middleware_automation.keycloak.keycloak_group:
+    name: my-new-kc-group-sub-sub
+    realm: MyCustomRealm
+    state: present
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    parents:
+      - name: my-new-kc-group
+      - name: my-new-kc-group-sub
+  delegate_to: localhost
+
+- name: Create a Keycloak subgroup of a subgroup (using direct parent id)
+  middleware_automation.keycloak.keycloak_group:
+    name: my-new-kc-group-sub-sub
+    realm: MyCustomRealm
+    state: present
+    auth_client_id: admin-cli
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: USERNAME
+    auth_password: PASSWORD
+    parents:
+      - id: "{{ result_new_kcgrp_sub.end_state.id }}"
+  delegate_to: localhost
+"""
+
+RETURN = r"""
+msg:
+  description: Message as to what action was taken.
+  returned: always
+  type: str
+
+end_state:
+  description: Representation of the group after module execution (sample is truncated).
+  returned: on success
+  type: complex
+  contains:
+    id:
+      description: GUID that identifies the group.
+      type: str
+      returned: always
+      sample: 23f38145-3195-462c-97e7-97041ccea73e
+    name:
+      description: Name of the group.
+      type: str
+      returned: always
+      sample: grp-test-123
+    attributes:
+      description: Attributes applied to this group.
+      type: dict
+      returned: always
+      sample:
+        attr1: ["val1", "val2", "val3"]
+    path:
+      description: URI path to the group.
+      type: str
+      returned: always
+      sample: /grp-test-123
+    realmRoles:
+      description: An array of the realm-level roles granted to this group.
+      type: list
+      returned: always
+      sample: []
+    subGroups:
+      description: A list of groups that are children of this group. These groups have the same parameters as documented here.
+      type: list
+      returned: always
+    clientRoles:
+      description: A list of client-level roles granted to this group.
+      type: list
+      returned: always
+      sample: []
+    access:
+      description: A dict describing the accesses you have to this group based on the credentials used.
+      type: dict
+      returned: always
+      sample:
+        manage: true
+        manageMembership: true
+        view: true
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import (
+    KeycloakAPI,
+    KeycloakError,
+    camel,
+    get_token,
+    keycloak_argument_spec,
+)
+
+
+def main():
+    """
+    Module execution
+
+    :return:
+    """
+    argument_spec = keycloak_argument_spec()
+
+    meta_args = dict(
+        state=dict(default="present", choices=["present", "absent"]),
+        realm=dict(default="master"),
+        id=dict(type="str"),
+        name=dict(type="str"),
+        attributes=dict(type="dict"),
+        parents=dict(
+            type="list",
+            elements="dict",
+            options=dict(id=dict(type="str"), name=dict(type="str")),
+        ),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        required_one_of=(
+            [
+                ["id", "name"],
+                ["token", "auth_realm", "auth_username", "auth_password", "auth_client_id", "auth_client_secret"],
+            ]
+        ),
+        required_together=([["auth_username", "auth_password"]]),
+        required_by={"refresh_token": "auth_realm"},
+    )
+
+    result = dict(changed=False, msg="", diff={}, group="")
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    realm = module.params.get("realm")
+    state = module.params.get("state")
+    gid = module.params.get("id")
+    name = module.params.get("name")
+    attributes = module.params.get("attributes")
+
+    parents = module.params.get("parents")
+
+    # attributes in Keycloak have their values returned as lists
+    # using the API. attributes is a dict, so we'll transparently convert
+    # the values to lists.
+    if attributes is not None:
+        for key, val in module.params["attributes"].items():
+            module.params["attributes"][key] = [val] if not isinstance(val, list) else val
+
+    # Filter and map the parameters names that apply to the group
+    group_params = [
+        x
+        for x in module.params
+        if x not in list(keycloak_argument_spec().keys()) + ["state", "realm", "parents"]
+        and module.params.get(x) is not None
+    ]
+
+    # See if it already exists in Keycloak
+    if gid is None:
+        before_group = kc.get_group_by_name(name, realm=realm, parents=parents)
+    else:
+        before_group = kc.get_group_by_groupid(gid, realm=realm)
+
+    if before_group is None:
+        before_group = {}
+
+    # Build a proposed changeset from parameters given to this module
+    changeset = {}
+
+    for param in group_params:
+        new_param_value = module.params.get(param)
+        old_value = before_group[param] if param in before_group else None
+        if new_param_value != old_value:
+            changeset[camel(param)] = new_param_value
+
+    # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis)
+    desired_group = before_group.copy()
+    desired_group.update(changeset)
+
+    # Cater for when it doesn't exist (an empty dict)
+    if not before_group:
+        if state == "absent":
+            # Do nothing and exit
+            if module._diff:
+                result["diff"] = dict(before="", after="")
+            result["changed"] = False
+            result["end_state"] = {}
+            result["msg"] = "Group does not exist; doing nothing."
+            module.exit_json(**result)
+
+        # Process a creation
+        result["changed"] = True
+
+        if name is None:
+            module.fail_json(msg="name must be specified when creating a new group")
+
+        if module._diff:
+            result["diff"] = dict(before="", after=desired_group)
+
+        if module.check_mode:
+            module.exit_json(**result)
+
+        # create it ...
+        if parents:
+            # ... as subgroup of another parent group
+            kc.create_subgroup(parents, desired_group, realm=realm)
+        else:
+            # ... as toplvl base group
+            kc.create_group(desired_group, realm=realm)
+
+        after_group = kc.get_group_by_name(name, realm, parents=parents)
+
+        result["end_state"] = after_group
+
+        result["msg"] = f"Group {after_group['name']} has been created with ID {after_group['id']}"
+        module.exit_json(**result)
+
+    else:
+        if state == "present":
+            # Process an update
+
+            # no changes
+            if desired_group == before_group:
+                result["changed"] = False
+                result["end_state"] = desired_group
+                result["msg"] = f"No changes required to group {before_group['name']}."
+                module.exit_json(**result)
+
+            # doing an update
+            result["changed"] = True
+
+            if module._diff:
+                result["diff"] = dict(before=before_group, after=desired_group)
+
+            if module.check_mode:
+                module.exit_json(**result)
+
+            # do the update
+            kc.update_group(desired_group, realm=realm)
+
+            after_group = kc.get_group_by_groupid(desired_group["id"], realm=realm)
+
+            result["end_state"] = after_group
+
+            result["msg"] = f"Group {after_group['id']} has been updated"
+            module.exit_json(**result)
+
+        else:
+            # Process a deletion (because state was not 'present')
+            result["changed"] = True
+
+            if module._diff:
+                result["diff"] = dict(before=before_group, after="")
+
+            if module.check_mode:
+                module.exit_json(**result)
+
+            # delete it
+            gid = before_group["id"]
+            kc.delete_group(groupid=gid, realm=realm)
+
+            result["end_state"] = {}
+
+            result["msg"] = f"Group {before_group['name']} has been deleted"
+
+    module.exit_json(**result)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/keycloak_identity_provider.py

@@ -0,0 +1,777 @@
+
+# Copyright (c) Ansible project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: keycloak_identity_provider
+
+short_description: Allows administration of Keycloak identity providers using Keycloak API
+
+# Originally added in community.general 3.6.0
+version_added: "3.0.0"
+
+description:
+  - This module allows you to add, remove or modify Keycloak identity providers using the Keycloak REST API. It requires access
+    to the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights.
+    In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with
+    the scope tailored to your needs and a user having the expected roles.
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
+    at U(https://www.keycloak.org/docs-api/15.0/rest-api/index.html).
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: full
+  action_group:
+    # Originally added in community.general 10.2.0
+    version_added: "3.0.0"
+
+options:
+  state:
+    description:
+      - State of the identity provider.
+      - On V(present), the identity provider is created if it does not yet exist, or updated with the parameters you provide.
+      - On V(absent), the identity provider is removed if it exists.
+    default: 'present'
+    type: str
+    choices:
+      - present
+      - absent
+
+  realm:
+    description:
+      - The Keycloak realm under which this identity provider resides.
+    default: 'master'
+    type: str
+
+  alias:
+    description:
+      - The alias uniquely identifies an identity provider and it is also used to build the redirect URI.
+    required: true
+    type: str
+
+  display_name:
+    description:
+      - Friendly name for identity provider.
+    aliases:
+      - displayName
+    type: str
+
+  enabled:
+    description:
+      - Enable/disable this identity provider.
+    type: bool
+
+  store_token:
+    description:
+      - Enable/disable whether tokens must be stored after authenticating users.
+    aliases:
+      - storeToken
+    type: bool
+
+  add_read_token_role_on_create:
+    description:
+      - Enable/disable whether new users can read any stored tokens. This assigns the C(broker.read-token) role.
+    aliases:
+      - addReadTokenRoleOnCreate
+    type: bool
+
+  trust_email:
+    description:
+      - If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
+    aliases:
+      - trustEmail
+    type: bool
+
+  link_only:
+    description:
+      - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you do
+        not want to allow login from the provider, but want to integrate with a provider.
+    aliases:
+      - linkOnly
+    type: bool
+
+  first_broker_login_flow_alias:
+    description:
+      - Alias of authentication flow, which is triggered after first login with this identity provider.
+    aliases:
+      - firstBrokerLoginFlowAlias
+    type: str
+
+  post_broker_login_flow_alias:
+    description:
+      - Alias of authentication flow, which is triggered after each login with this identity provider.
+    aliases:
+      - postBrokerLoginFlowAlias
+    type: str
+
+  authenticate_by_default:
+    description:
+      - Specifies if this identity provider should be used by default for authentication even before displaying login screen.
+    aliases:
+      - authenticateByDefault
+    type: bool
+
+  provider_id:
+    description:
+      - Protocol used by this provider (supported values are V(oidc) or V(saml)).
+    aliases:
+      - providerId
+    type: str
+
+  config:
+    description:
+      - Dict specifying the configuration options for the provider; the contents differ depending on the value of O(provider_id).
+        Examples are given below for V(oidc) and V(saml). It is easiest to obtain valid config values by dumping an already-existing
+        identity provider configuration through check-mode in the RV(existing) field.
+    type: dict
+    suboptions:
+      hide_on_login_page:
+        description:
+          - If hidden, login with this provider is possible only if requested explicitly, for example using the C(kc_idp_hint)
+            parameter.
+        aliases:
+          - hideOnLoginPage
+        type: bool
+
+      gui_order:
+        description:
+          - Number defining order of the provider in GUI (for example, on Login page).
+        aliases:
+          - guiOrder
+        type: int
+
+      sync_mode:
+        description:
+          - Default sync mode for all mappers. The sync mode determines when user data is synced using the mappers.
+        aliases:
+          - syncMode
+        type: str
+
+      issuer:
+        description:
+          - The issuer identifier for the issuer of the response. If not provided, no validation is performed.
+        type: str
+
+      authorizationUrl:
+        description:
+          - The Authorization URL.
+        type: str
+
+      tokenUrl:
+        description:
+          - The Token URL.
+        type: str
+
+      logoutUrl:
+        description:
+          - End session endpoint to use to logout user from external IDP.
+        type: str
+
+      userInfoUrl:
+        description:
+          - The User Info URL.
+        type: str
+
+      clientAuthMethod:
+        description:
+          - The client authentication method.
+        type: str
+
+      clientId:
+        description:
+          - The client or client identifier registered within the identity provider.
+        type: str
+
+      clientSecret:
+        description:
+          - The client or client secret registered within the identity provider.
+        type: str
+
+      defaultScope:
+        description:
+          - The scopes to be sent when asking for authorization.
+        type: str
+
+      validateSignature:
+        description:
+          - Enable/disable signature validation of external IDP signatures.
+        type: bool
+
+      useJwksUrl:
+        description:
+          - If V(true), identity provider public keys are downloaded from given JWKS URL.
+        type: bool
+
+      jwksUrl:
+        description:
+          - URL where identity provider keys in JWK format are stored. See JWK specification for more details.
+        type: str
+
+      entityId:
+        description:
+          - The Entity ID that is used to uniquely identify this SAML Service Provider.
+        type: str
+
+      singleSignOnServiceUrl:
+        description:
+          - The URL that must be used to send authentication requests (SAML AuthnRequest).
+        type: str
+
+      singleLogoutServiceUrl:
+        description:
+          - The URL that must be used to send logout requests.
+        type: str
+
+      backchannelSupported:
+        description:
+          - Does the external IDP support backchannel logout?
+        type: str
+
+      nameIDPolicyFormat:
+        description:
+          - Specifies the URI reference corresponding to a name identifier format.
+        type: str
+
+      principalType:
+        description:
+          - Way to identify and track external users from the assertion.
+        type: str
+
+      fromUrl:
+        description:
+          - IDP well-known OpenID Connect configuration URL.
+          - Support only O(provider_id=oidc).
+          - O(config.fromUrl) is mutually exclusive with O(config.userInfoUrl), O(config.authorizationUrl),
+            O(config.tokenUrl), O(config.logoutUrl), O(config.issuer) and O(config.jwksUrl).
+        type: str
+
+  mappers:
+    description:
+      - A list of dicts defining mappers associated with this Identity Provider.
+    type: list
+    elements: dict
+    suboptions:
+      id:
+        description:
+          - Unique ID of this mapper.
+        type: str
+
+      name:
+        description:
+          - Name of the mapper.
+        type: str
+
+      identityProviderAlias:
+        description:
+          - Alias of the identity provider for this mapper.
+        type: str
+
+      identityProviderMapper:
+        description:
+          - Type of mapper.
+        type: str
+
+      config:
+        description:
+          - Dict specifying the configuration options for the mapper; the contents differ depending on the value of O(mappers[].identityProviderMapper).
+        type: dict
+
+extends_documentation_fragment:
+  - middleware_automation.keycloak.keycloak
+  - middleware_automation.keycloak.actiongroup_keycloak
+  - middleware_automation.keycloak.attributes
+
+author:
+  - Laurent Paumier (@laurpaum)
+"""
+
+EXAMPLES = r"""
+- name: Create OIDC identity provider, authentication with credentials
+  middleware_automation.keycloak.keycloak_identity_provider:
+    state: present
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: admin
+    auth_password: admin
+    realm: myrealm
+    alias: oidc-idp
+    display_name: OpenID Connect IdP
+    enabled: true
+    provider_id: oidc
+    config:
+      issuer: https://idp.example.com
+      authorizationUrl: https://idp.example.com
+      tokenUrl: https://idp.example.com/token
+      userInfoUrl: https://idp.example.com/userinfo
+      clientAuthMethod: client_secret_post
+      clientId: my-client
+      clientSecret: secret
+      syncMode: FORCE
+    mappers:
+      - name: first_name
+        identityProviderMapper: oidc-user-attribute-idp-mapper
+        config:
+          claim: first_name
+          user.attribute: first_name
+          syncMode: INHERIT
+      - name: last_name
+        identityProviderMapper: oidc-user-attribute-idp-mapper
+        config:
+          claim: last_name
+          user.attribute: last_name
+          syncMode: INHERIT
+
+- name: Create OIDC identity provider, with well-known configuration URL
+  middleware_automation.keycloak.keycloak_identity_provider:
+    state: present
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: admin
+    auth_password: admin
+    realm: myrealm
+    alias: oidc-idp
+    display_name: OpenID Connect IdP
+    enabled: true
+    provider_id: oidc
+    config:
+      fromUrl: https://the-idp.example.com/realms/idprealm/.well-known/openid-configuration
+      clientAuthMethod: client_secret_post
+      clientId: my-client
+      clientSecret: secret
+
+- name: Create SAML identity provider, authentication with credentials
+  middleware_automation.keycloak.keycloak_identity_provider:
+    state: present
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: admin
+    auth_password: admin
+    realm: myrealm
+    alias: saml-idp
+    display_name: SAML IdP
+    enabled: true
+    provider_id: saml
+    config:
+      entityId: https://auth.example.com/realms/myrealm
+      singleSignOnServiceUrl: https://idp.example.com/login
+      wantAuthnRequestsSigned: true
+      wantAssertionsSigned: true
+    mappers:
+      - name: roles
+        identityProviderMapper: saml-user-attribute-idp-mapper
+        config:
+          user.attribute: roles
+          attribute.friendly.name: User Roles
+          attribute.name: roles
+          syncMode: INHERIT
+
+- name: Create OIDC identity provider, authentication with credentials and advanced claim to group
+  middleware_automation.keycloak.keycloak_identity_provider:
+    state: present
+    auth_keycloak_url: https://auth.example.com
+    auth_realm: master
+    auth_username: admin
+    auth_password: admin
+    realm: myrealm
+    alias: oidc-idp
+    display_name: OpenID Connect IdP
+    enabled: true
+    provider_id: oidc
+    config:
+      issuer: https://idp.example.com
+      authorizationUrl: https://idp.example.com
+      tokenUrl: https://idp.example.com/token
+      userInfoUrl: https://idp.example.com/userinfo
+      clientAuthMethod: client_secret_post
+      clientId: my-client
+      clientSecret: secret
+      syncMode: FORCE
+    mappers:
+      - name: group_name
+        identityProviderMapper: oidc-advanced-group-idp-mapper
+        config:
+          claims: '[{"key":"my_key","value":"my_value"}]'
+          group: group_name
+          syncMode: INHERIT
+"""
+
+RETURN = r"""
+msg:
+  description: Message as to what action was taken.
+  returned: always
+  type: str
+  sample: "Identity provider my-idp has been created"
+
+proposed:
+  description: Representation of proposed identity provider.
+  returned: always
+  type: dict
+  sample:
+    {
+      "config": {
+        "authorizationUrl": "https://idp.example.com",
+        "clientAuthMethod": "client_secret_post",
+        "clientId": "my-client",
+        "clientSecret": "secret",
+        "issuer": "https://idp.example.com",
+        "tokenUrl": "https://idp.example.com/token",
+        "userInfoUrl": "https://idp.example.com/userinfo"
+      },
+      "displayName": "OpenID Connect IdP",
+      "providerId": "oidc"
+    }
+
+existing:
+  description: Representation of existing identity provider.
+  returned: always
+  type: dict
+  sample:
+    {
+      "addReadTokenRoleOnCreate": false,
+      "alias": "my-idp",
+      "authenticateByDefault": false,
+      "config": {
+        "authorizationUrl": "https://old.example.com",
+        "clientAuthMethod": "client_secret_post",
+        "clientId": "my-client",
+        "clientSecret": "**********",
+        "issuer": "https://old.example.com",
+        "syncMode": "FORCE",
+        "tokenUrl": "https://old.example.com/token",
+        "userInfoUrl": "https://old.example.com/userinfo"
+      },
+      "displayName": "OpenID Connect IdP",
+      "enabled": true,
+      "firstBrokerLoginFlowAlias": "first broker login",
+      "internalId": "4d28d7e3-1b80-45bb-8a30-5822bf55aa1c",
+      "linkOnly": false,
+      "providerId": "oidc",
+      "storeToken": false,
+      "trustEmail": false
+    }
+
+end_state:
+  description: Representation of identity provider after module execution.
+  returned: on success
+  type: dict
+  sample:
+    {
+      "addReadTokenRoleOnCreate": false,
+      "alias": "my-idp",
+      "authenticateByDefault": false,
+      "config": {
+        "authorizationUrl": "https://idp.example.com",
+        "clientAuthMethod": "client_secret_post",
+        "clientId": "my-client",
+        "clientSecret": "**********",
+        "issuer": "https://idp.example.com",
+        "tokenUrl": "https://idp.example.com/token",
+        "userInfoUrl": "https://idp.example.com/userinfo"
+      },
+      "displayName": "OpenID Connect IdP",
+      "enabled": true,
+      "firstBrokerLoginFlowAlias": "first broker login",
+      "internalId": "4d28d7e3-1b80-45bb-8a30-5822bf55aa1c",
+      "linkOnly": false,
+      "providerId": "oidc",
+      "storeToken": false,
+      "trustEmail": false
+    }
+"""
+
+from copy import deepcopy
+
+from ansible.module_utils.basic import AnsibleModule
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.identity.keycloak.keycloak import (
+    KeycloakAPI,
+    KeycloakError,
+    camel,
+    get_token,
+    keycloak_argument_spec,
+)
+
+
+def sanitize(idp):
+    idpcopy = deepcopy(idp)
+    if "config" in idpcopy:
+        if "clientSecret" in idpcopy["config"]:
+            idpcopy["config"]["clientSecret"] = "**********"
+    return idpcopy
+
+
+def get_identity_provider_with_mappers(kc, alias, realm):
+    idp = kc.get_identity_provider(alias, realm)
+    if idp is not None:
+        idp["mappers"] = sorted(kc.get_identity_provider_mappers(alias, realm), key=lambda x: x.get("name"))
+        # clientSecret returned by API when using `get_identity_provider(alias, realm)` is always **********
+        # to detect changes to the secret, we get the actual cleartext secret from the full realm info
+        if "config" in idp:
+            if "clientSecret" in idp["config"]:
+                for idp_from_realm in kc.get_realm_by_id(realm).get("identityProviders", []):
+                    if idp_from_realm["internalId"] == idp["internalId"]:
+                        cleartext_secret = idp_from_realm.get("config", {}).get("clientSecret")
+                        if cleartext_secret:
+                            idp["config"]["clientSecret"] = cleartext_secret
+    if idp is None:
+        idp = {}
+    return idp
+
+
+def fetch_identity_provider_wellknown_config(kc, config):
+    """
+    Fetches OpenID Connect well-known configuration from a given URL and updates the config dict with discovered endpoints.
+    Support for oidc providers only.
+    :param kc: KeycloakAPI instance used to fetch endpoints and handle errors.
+    :param config: Dictionary containing identity provider configuration, must include 'fromUrl' key to trigger fetch.
+    :return: None. The config dict is updated in-place.
+    """
+    if config and "fromUrl" in config:
+        if "providerId" in config and config["providerId"] != "oidc":
+            kc.module.fail_json(msg="Only 'oidc' provider_id is supported when using 'fromUrl'.")
+        endpoints = ["userInfoUrl", "authorizationUrl", "tokenUrl", "logoutUrl", "issuer", "jwksUrl"]
+        if any(k in config for k in endpoints):
+            kc.module.fail_json(
+                msg="Cannot specify both 'fromUrl' and 'userInfoUrl', 'authorizationUrl', 'tokenUrl', 'logoutUrl', 'issuer' or 'jwksUrl'."
+            )
+        openIdConfig = kc.fetch_idp_endpoints_import_config_url(
+            fromUrl=config["fromUrl"], realm=kc.module.params.get("realm", "master")
+        )
+        for k in endpoints:
+            if k in openIdConfig:
+                config[k] = openIdConfig[k]
+        del config["fromUrl"]
+
+
+def main():
+    """
+    Module execution
+
+    :return:
+    """
+    argument_spec = keycloak_argument_spec()
+
+    mapper_spec = dict(
+        id=dict(type="str"),
+        name=dict(type="str"),
+        identityProviderAlias=dict(type="str"),
+        identityProviderMapper=dict(type="str"),
+        config=dict(type="dict"),
+    )
+
+    meta_args = dict(
+        state=dict(type="str", default="present", choices=["present", "absent"]),
+        realm=dict(type="str", default="master"),
+        alias=dict(type="str", required=True),
+        add_read_token_role_on_create=dict(type="bool", aliases=["addReadTokenRoleOnCreate"]),
+        authenticate_by_default=dict(type="bool", aliases=["authenticateByDefault"]),
+        config=dict(type="dict"),
+        display_name=dict(type="str", aliases=["displayName"]),
+        enabled=dict(type="bool"),
+        first_broker_login_flow_alias=dict(type="str", aliases=["firstBrokerLoginFlowAlias"]),
+        link_only=dict(type="bool", aliases=["linkOnly"]),
+        post_broker_login_flow_alias=dict(type="str", aliases=["postBrokerLoginFlowAlias"]),
+        provider_id=dict(type="str", aliases=["providerId"]),
+        store_token=dict(type="bool", aliases=["storeToken"]),
+        trust_email=dict(type="bool", aliases=["trustEmail"]),
+        mappers=dict(type="list", elements="dict", options=mapper_spec),
+    )
+
+    argument_spec.update(meta_args)
+
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        required_one_of=(
+            [["token", "auth_realm", "auth_username", "auth_password", "auth_client_id", "auth_client_secret"]]
+        ),
+        required_together=([["auth_username", "auth_password"]]),
+        required_by={"refresh_token": "auth_realm"},
+    )
+
+    result = dict(changed=False, msg="", diff={}, proposed={}, existing={}, end_state={})
+
+    # Obtain access token, initialize API
+    try:
+        connection_header = get_token(module.params)
+    except KeycloakError as e:
+        module.fail_json(msg=str(e))
+
+    kc = KeycloakAPI(module, connection_header)
+
+    realm = module.params.get("realm")
+    alias = module.params.get("alias")
+    state = module.params.get("state")
+    config = module.params.get("config")
+
+    fetch_identity_provider_wellknown_config(kc, config)
+
+    # Filter and map the parameters names that apply to the identity provider.
+    idp_params = [
+        x
+        for x in module.params
+        if x not in list(keycloak_argument_spec().keys()) + ["state", "realm", "mappers"]
+        and module.params.get(x) is not None
+    ]
+
+    # See if it already exists in Keycloak
+    before_idp = get_identity_provider_with_mappers(kc, alias, realm)
+
+    # Build a proposed changeset from parameters given to this module
+    changeset = {}
+
+    for param in idp_params:
+        new_param_value = module.params.get(param)
+        old_value = before_idp[camel(param)] if camel(param) in before_idp else None
+        if new_param_value != old_value:
+            changeset[camel(param)] = new_param_value
+
+    # special handling of mappers list to allow change detection
+    if module.params.get("mappers") is not None:
+        for change in module.params["mappers"]:
+            change = {k: v for k, v in change.items() if v is not None}
+            if change.get("id") is None and change.get("name") is None:
+                module.fail_json(msg="Either `name` or `id` has to be specified on each mapper.")
+            if before_idp == dict():
+                old_mapper = dict()
+            elif change.get("id") is not None:
+                old_mapper = kc.get_identity_provider_mapper(change["id"], alias, realm)
+                if old_mapper is None:
+                    old_mapper = dict()
+            else:
+                found = [x for x in kc.get_identity_provider_mappers(alias, realm) if x["name"] == change["name"]]
+                if len(found) == 1:
+                    old_mapper = found[0]
+                else:
+                    old_mapper = dict()
+            new_mapper = old_mapper.copy()
+            new_mapper.update(change)
+
+            if changeset.get("mappers") is None:
+                changeset["mappers"] = list()
+            # eventually this holds all desired mappers, unchanged, modified and newly added
+            changeset["mappers"].append(new_mapper)
+
+        # ensure idempotency in case module.params.mappers is not sorted by name
+        changeset["mappers"] = sorted(
+            changeset["mappers"], key=lambda x: x.get("id") if x.get("name") is None else x["name"]
+        )
+
+    # Prepare the desired values using the existing values (non-existence results in a dict that is save to use as a basis)
+    desired_idp = before_idp.copy()
+    desired_idp.update(changeset)
+
+    result["proposed"] = sanitize(changeset)
+    result["existing"] = sanitize(before_idp)
+
+    # Cater for when it doesn't exist (an empty dict)
+    if not before_idp:
+        if state == "absent":
+            # Do nothing and exit
+            if module._diff:
+                result["diff"] = dict(before="", after="")
+            result["changed"] = False
+            result["end_state"] = {}
+            result["msg"] = "Identity provider does not exist; doing nothing."
+            module.exit_json(**result)
+
+        # Process a creation
+        result["changed"] = True
+
+        if module._diff:
+            result["diff"] = dict(before="", after=sanitize(desired_idp))
+
+        if module.check_mode:
+            module.exit_json(**result)
+
+        # create it
+        desired_idp = desired_idp.copy()
+        mappers = desired_idp.pop("mappers", [])
+        kc.create_identity_provider(desired_idp, realm)
+        for mapper in mappers:
+            if mapper.get("identityProviderAlias") is None:
+                mapper["identityProviderAlias"] = alias
+            kc.create_identity_provider_mapper(mapper, alias, realm)
+        after_idp = get_identity_provider_with_mappers(kc, alias, realm)
+
+        result["end_state"] = sanitize(after_idp)
+
+        result["msg"] = f"Identity provider {alias} has been created"
+        module.exit_json(**result)
+
+    else:
+        if state == "present":
+            # Process an update
+
+            # no changes
+            if desired_idp == before_idp:
+                result["changed"] = False
+                result["end_state"] = sanitize(desired_idp)
+                result["msg"] = f"No changes required to identity provider {alias}."
+                module.exit_json(**result)
+
+            # doing an update
+            result["changed"] = True
+
+            if module._diff:
+                result["diff"] = dict(before=sanitize(before_idp), after=sanitize(desired_idp))
+
+            if module.check_mode:
+                module.exit_json(**result)
+
+            # do the update
+            desired_idp = desired_idp.copy()
+            updated_mappers = desired_idp.pop("mappers", [])
+            original_mappers = list(before_idp.get("mappers", []))
+
+            kc.update_identity_provider(desired_idp, realm)
+            for mapper in updated_mappers:
+                if mapper.get("id") is not None:
+                    # only update existing if there is a change
+                    for i, orig in enumerate(original_mappers):
+                        if mapper["id"] == orig["id"]:
+                            del original_mappers[i]
+                            if mapper != orig:
+                                kc.update_identity_provider_mapper(mapper, alias, realm)
+                else:
+                    if mapper.get("identityProviderAlias") is None:
+                        mapper["identityProviderAlias"] = alias
+                    kc.create_identity_provider_mapper(mapper, alias, realm)
+            for mapper in [
+                x for x in before_idp["mappers"] if [y for y in updated_mappers if y["name"] == x["name"]] == []
+            ]:
+                kc.delete_identity_provider_mapper(mapper["id"], alias, realm)
+
+            after_idp = get_identity_provider_with_mappers(kc, alias, realm)
+
+            result["end_state"] = sanitize(after_idp)
+
+            result["msg"] = f"Identity provider {alias} has been updated"
+            module.exit_json(**result)
+
+        elif state == "absent":
+            # Process a deletion
+            result["changed"] = True
+
+            if module._diff:
+                result["diff"] = dict(before=sanitize(before_idp), after="")
+
+            if module.check_mode:
+                module.exit_json(**result)
+
+            # delete it
+            kc.delete_identity_provider(alias, realm)
+
+            result["end_state"] = {}
+
+            result["msg"] = f"Identity provider {alias} has been deleted"
+
+    module.exit_json(**result)
+
+
+if __name__ == "__main__":
+    main()