Keycloak: Authentication management (flows and required actions) #6616
Thanks for your contribution! I've added a first comment. Please note that due to the refactoring the diff is very complex and hard to review. I hope that one of the module maintainers will review it.
Please make sure to mark all new module options with version_added: 7.1.0. Also please make sure you do not change any existing module options or module behaviors in non-backwards compatible ways; otherwise this PR cannot be merged.
I'm not sure this can make it into 7.1.0, since I introduced breaking changes (options and behavior). The reason is that the name of the module keycloak_authentication indicates that it should manage Keycloak authentication, which in this case are flows, required actions, and policies (not implemented yet). I tried to avoid doing something like keycloak_authentication_required_actions when implementing the required actions, because I believe that it would just break the consistency of the naming system that's currently used. This basically forced me to do what I did during the "refac". Many options for flows and required actions have the same name, thus I had to put them under their corresponding options (flow, required_action, etc...). I tried to stick to the official Keycloak API documentation as closely as possible, which also led to the current structure of the options. Anyway, I apologize if I did not make this clear at the beginning. The only viable solution for now is to wait and merge this PR into a new major version (8.0.0).
Hmm, unfortunately these breaking changes also mean that it won't be possible to merge it for 8.0.0. Breaking changes (with very few exceptions) need a long deprecation period, which should allow using both the old and new behavior (usually with a switch). I don't know Keycloak (even though I help getting PRs merged for the keycloak modules) so I have no idea whether there is a better way to do this for this specific module / your changes. Maybe one of the module maintainers will chime in?
SUMMARY
This is basically a complete rework of the current keycloak_authentication module, which until now was quite limited (in the way of handling and searching for the right flow or execution). With this new module you can:
ISSUE TYPE
COMPONENT NAME
keycloak_authentication
ADDITIONAL INFORMATION
Deletion of an execution (step or sub-flow) is still not supported. (Might add later on.)
The biggest issue I've found is that Keycloak has a really cumbersome way of identifying different flows and executions. If the user doesn't have the ID, there's no guarantee that the user can find the exact one (since there can be duplicates of some executions differing only by ID, etc.). This module thus does a "best-effort" search, by using the input parameters of the user, and tries to find the closest match (which is also an improvement of the previous version of this module).
Some new or reworked methods for calling the Keycloak API are introduced (keycloak module). Also, a new set of unit tests is included (test_keycloak_authentication).
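
The best-effort lookup described under ADDITIONAL INFORMATION, as an added example that is not code from this PR or from the module: it picks the execution agreeing with the most user-supplied fields and refuses to choose when duplicates tie, so a change to an authentication flow never lands on the wrong step. The function name, the scoring rule and the sample data are assumptions; the field names follow Keycloak's execution representation.

```python
# Added illustration; not the module's implementation. The scoring rule
# (count of agreeing fields, tie = error) is an assumption.
MATCH_FIELDS = ("providerId", "displayName", "requirement", "level", "index")


class AmbiguousExecution(Exception):
    """Several executions match the supplied fields equally well."""


def find_execution(executions, wanted):
    """Return the closest-matching execution, or None if nothing matches."""
    # An explicit ID is the only unambiguous identifier, so it always wins.
    if wanted.get("id"):
        return next((e for e in executions if e.get("id") == wanted["id"]), None)

    supplied = [f for f in MATCH_FIELDS if f in wanted]
    # Score each execution by how many supplied fields it agrees with.
    scored = [(sum(e.get(f) == wanted[f] for f in supplied), e) for e in executions]
    best = max((score for score, _ in scored), default=0)
    if best == 0:
        return None

    top = [e for score, e in scored if score == best]
    if len(top) > 1:
        # Duplicates differing only by ID: fail instead of guessing.
        ids = ", ".join(e["id"] for e in top)
        raise AmbiguousExecution(f"{len(top)} executions tie on {supplied}: {ids}")
    return top[0]


# Constructed sample: one flow's executions, with a duplicated OTP step.
SAMPLE = [
    {"id": "exec-0001", "providerId": "auth-cookie", "displayName": "Cookie",
     "requirement": "ALTERNATIVE", "level": 0, "index": 0},
    {"id": "exec-0002", "providerId": "auth-otp-form", "displayName": "OTP Form",
     "requirement": "REQUIRED", "level": 1, "index": 0},
    {"id": "exec-0003", "providerId": "auth-otp-form", "displayName": "OTP Form",
     "requirement": "REQUIRED", "level": 1, "index": 1},
]

if __name__ == "__main__":
    print(find_execution(SAMPLE, {"providerId": "auth-otp-form", "index": 1})["id"])
```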