From 11b8a66828ecfd2fdf196d5215fde480b6b8005a Mon Sep 17 00:00:00 2001
From: Jack Hartley
Date: Fri, 10 Nov 2023 19:36:31 +0000
Subject: [PATCH] fix: allow use of custom client authenticator types (#845)

---
 docs/resources/openid_client.md | 2 +-
 provider/resource_keycloak_openid_client.go | 9 ++++-----
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/docs/resources/openid_client.md b/docs/resources/openid_client.md
index 2cc52e9f5..6fc3eef1b 100644
--- a/docs/resources/openid_client.md
+++ b/docs/resources/openid_client.md
@@ -53,7 +53,7 @@ resource "keycloak_openid_client" "openid_client" {
 URIs for security. This client should be used for applications using the Implicit grant flow.
 - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests.
 - `client_secret` - (Optional) The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
-- `client_authenticator_type` - (Optional) Defaults to `client-secret` The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. Can be one of the following:
+- `client_authenticator_type` - (Optional) Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types:
 - `client-secret` (Default) Use client id and client secret to authenticate client.
 - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = `
 - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = `
diff --git a/provider/resource_keycloak_openid_client.go b/provider/resource_keycloak_openid_client.go
index b5662211b..06a9be69c 100644
--- a/provider/resource_keycloak_openid_client.go
+++ b/provider/resource_keycloak_openid_client.go
@@ -22,7 +22,6 @@ var (
 	keycloakOpenidClientAuthorizationPolicyEnforcementMode = []string{"ENFORCING", "PERMISSIVE", "DISABLED"}
 	keycloakOpenidClientResourcePermissionDecisionStrategies = []string{"UNANIMOUS", "AFFIRMATIVE", "CONSENSUS"}
 	keycloakOpenidClientPkceCodeChallengeMethod = []string{"", "plain", "S256"}
-	keycloakOpenidClientAuthenticatorTypes = []string{"client-secret", "client-jwt", "client-x509", "client-secret-jwt"}
 )
 
 func resourceKeycloakOpenidClient() *schema.Resource {
@@ -72,10 +71,10 @@ func resourceKeycloakOpenidClient() *schema.Resource {
 	Sensitive: true,
 	},
 	"client_authenticator_type": {
-	Type: schema.TypeString,
-	Optional: true,
-	ValidateFunc: validation.StringInSlice(keycloakOpenidClientAuthenticatorTypes, false),
-	Default: "client-secret",
+	Type: schema.TypeString,
+	Optional: true,
+	// No validation is performed since Keycloak plugins can register custom client authenticators
+	Default: "client-secret",
 	},
 	"standard_flow_enabled": {
 	Type: schema.TypeBool,
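Review bot: Dropping `ValidateFunc` entirely on `client_authenticator_type` means a typo such as `client-secrt`, or an empty or whitespace-only value, is no longer caught at plan time and is only dealt with, if at all, when Keycloak processes the client update; because this attribute decides how a `CONFIDENTIAL`/`BEARER-ONLY` client proves its identity, a bad value that slips through unnoticed is worth a cheap plan-time check. Since the goal is only to admit provider IDs the schema cannot enumerate, keep a shape check instead of none: `ValidateFunc: validation.StringIsNotWhiteSpace,` (this assumes the `validation` import is still used elsewhere in the file, which the hunk does not show). I would also extend the new comment so a maintainer does not reintroduce the allowlist: `// Not restricted to a fixed list: Keycloak plugins can register custom client authenticator provider IDs; an unknown ID is not caught here and its handling is left to the server at apply time.` The enclosing `resourceKeycloakOpenidClient` function starts and ends outside this hunk.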