Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Keycloak modules should accept refresh_token to allow for retrying authentication if the access token is expired #8857

Open
1 task done
armkeh opened this issue Sep 12, 2024 · 2 comments · May be fixed by #9494
Open
1 task done
Labels
feature This issue/PR relates to a feature request module module plugins plugin (any type)

Comments

@armkeh
Copy link

armkeh commented Sep 12, 2024

Summary

Context

The Keycloak modules currently accept a token (user-provided access token) parameter to allow for a single token for Keycloak API requests to be shared amongst tasks, rather than authenticating to get a token at the start of each tasks.

Problem

Typically a Keycloak access token expires after 10 minutes or less, so for long-running playbooks, it's possible for the token to expire mid-playbook, causing subsequent tasks to fail with a 401 on their first request to Keycloak. Currently the modules do not support refreshing of the token or "falling back" to individually authenticating.

Proposed Solution(s)

I see two ways the modules could more robustly react when the user-provided access token is expired (i.e., a request to Keycloak gets a 401):

  1. The username and password parameters (if provided) are used to authenticate instead.
  • I.e., fall back to per-task authentication.
  • This solution is probably the simplest, but fails to provide the benefit of sharing the token amongst tasks.
  1. Add a refresh_token parameter to the modules, so they can try refreshing if the token is expired. As part of this, the modules should provide back to the user the refreshed access token in their output, so it can be used in subsequent tasks.
  • This does require the user to handle getting the refreshed token from the module output to be used in subsequent tasks.

I believe both could be implemented, with (2) being a first fallback and (1) being a second.

I've listed a few of the modules affected, but this would affect most if not all of the keycloak_... modules.

Issue Type

Feature Idea

Component Name

keycloak_authentication, keycloak_authz_authorization_scope, keycloak_authz_custom_policy, keycloak_authz_permission, keycloak_client, keycloak_group, keycloak_realm, keycloak_role

Additional Information

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
@ansibullbot
Copy link
Collaborator

@ansibullbot
Copy link
Collaborator

@ansibullbot ansibullbot added feature This issue/PR relates to a feature request module module plugins plugin (any type) labels Sep 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature This issue/PR relates to a feature request module module plugins plugin (any type)
Projects
None yet
2 participants