
feat(keycloak_realm_key): add full support for all Keycloak key providers#11468

Open
koke1997 wants to merge 4 commits intoansible-collections:mainfrom
koke1997:feat/keycloak-realm-key-generated-providers

Conversation

@koke1997 koke1997 commented Feb 4, 2026

Summary

Add full support for Keycloak's auto-generated key providers where Keycloak manages the key material automatically, rather than requiring imported keys.

New Provider Types

  • rsa-generated - Auto-generates RSA signing keys with self-signed certificate
  • rsa-enc-generated - Auto-generates RSA encryption keys
  • hmac-generated - Auto-generates HMAC signing keys
  • aes-generated - Auto-generates AES encryption keys
  • ecdsa-generated - Auto-generates ECDSA signing keys
  • ecdh-generated - Auto-generates ECDH key exchange keys
  • eddsa-generated - Auto-generates EdDSA signing keys

New Algorithms

  • HMAC: HS256, HS384, HS512
  • ECDSA: ES256, ES384, ES512
  • RSA Encryption: RSA1_5, RSA-OAEP, RSA-OAEP-256
  • ECDH: ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW
  • AES/EdDSA: No algorithm parameter needed

New Config Options

  • secret_size - For HMAC/AES providers (key size in bytes)
  • key_size - For RSA-generated/RSA-enc-generated providers (key size in bits: 1024, 2048, 4096)
  • elliptic_curve - For ECDSA/ECDH/EdDSA providers:
    • ECDSA: P-256, P-384, P-521
    • ECDH: P-256, P-384, P-521
    • EdDSA: Ed25519, Ed448

Bug Fixes

Backward Compatibility

  • No breaking changes - Existing playbooks using provider_id=rsa or provider_id=rsa-enc continue to work unchanged
  • The algorithm parameter retains its RS256 default, which is valid for rsa and rsa-generated providers
  • For new providers, algorithm must be explicitly specified with clear error messages if omitted

Keycloak Source Reference

Configuration options were matched against the official Keycloak source code:

Provider            Keycloak Source                           Config Properties
hmac-generated      GeneratedHmacKeyProviderFactory.java      algorithm (HS256/384/512), secretSize
aes-generated       GeneratedAesKeyProviderFactory.java       secretSize (no algorithm - always AES)
ecdsa-generated     GeneratedEcdsaKeyProviderFactory.java     ecdsaEllipticCurveKey (P-256/384/521)
ecdh-generated      GeneratedEcdhKeyProviderFactory.java      ecdhEllipticCurveKey (P-256/384/521)
eddsa-generated     GeneratedEddsaKeyProviderFactory.java     eddsaEllipticCurveKey (Ed25519/Ed448)
rsa-generated       GeneratedRsaKeyProviderFactory.java       algorithm (RS/PS 256/384/512), keySize
rsa-enc-generated   GeneratedRsaEncKeyProviderFactory.java    algorithm (RSA1_5/RSA-OAEP/RSA-OAEP-256), keySize

Parameter Mapping:

  • elliptic_curve → provider-specific config keys (ecdsaEllipticCurveKey, ecdhEllipticCurveKey, eddsaEllipticCurveKey)
  • secret_size → secretSize (standard camelCase conversion)
  • key_size → keySize (standard camelCase conversion)

Test Plan

  • Local testing against Keycloak 26 instance
  • Tested creation of all provider types
  • Verified idempotency (re-run doesn't change)
  • Verified deletion works
  • Verified backward compatibility (existing RSA playbooks work)
  • Verified the fix for issue #11459 (keycloak_realm_key module is unable to delete default keys) - managing Keycloak's default keys works correctly
  • Added integration tests for all provider types
  • All ansible-test sanity checks pass

Example Usage

# RSA encryption key (auto-generated)
- community.general.keycloak_realm_key:
    auth_keycloak_url: http://localhost:8080
    auth_realm: master
    auth_username: admin
    auth_password: admin
    state: present
    name: my-rsa-enc-key
    parent_id: my-realm
    provider_id: rsa-enc-generated
    config:
      priority: 100
      algorithm: RSA-OAEP
      key_size: 2048

# ECDH key exchange (auto-generated)  
- community.general.keycloak_realm_key:
    auth_keycloak_url: http://localhost:8080
    auth_realm: master
    auth_username: admin
    auth_password: admin
    state: present
    name: my-ecdh-key
    parent_id: my-realm
    provider_id: ecdh-generated
    config:
      priority: 100
      algorithm: ECDH_ES
      elliptic_curve: P-256

# EdDSA signing key (auto-generated)
- community.general.keycloak_realm_key:
    auth_keycloak_url: http://localhost:8080
    auth_realm: master
    auth_username: admin
    auth_password: admin
    state: present
    name: my-eddsa-key
    parent_id: my-realm
    provider_id: eddsa-generated
    config:
      priority: 100
      elliptic_curve: Ed25519
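The validation and config mapping the description above lays out (per-provider algorithm lists, an RS256 default that only applies where Keycloak accepts it, elliptic_curve mapped to a provider-specific config key, snake_case options converted to camelCase, and an idempotency comparison), as an added stand-alone example. This is not the community.general module's code or the PR's diff: the function names, the error wording, and treating private_key/certificate as required only for the imported rsa/rsa-enc providers are this example's assumptions, taken from the summary and commit messages; the algorithm list for the imported rsa-enc provider is assumed to match rsa-enc-generated. The component body shape (providerType org.keycloak.keys.KeyProvider, every config value stored as a list of strings) is the representation Keycloak's admin REST API uses for realm components.

```python
# Added example (not the community.general module's code): a stand-alone
# re-implementation of the validation and config mapping the PR describes.
# Function names, error wording and the imported/generated split are this
# example's assumptions. The component body shape (providerType, config values
# as lists of strings) is Keycloak's admin REST format for realm components.

KEY_PROVIDER_TYPE = "org.keycloak.keys.KeyProvider"
DEFAULT_ALGORITHM = "RS256"  # module default kept for backward compatibility

# Accepted algorithms per provider, from the PR's Keycloak source table.
# The imported "rsa-enc" list is assumed to match rsa-enc-generated.
PROVIDER_ALGORITHMS = {
    "rsa": ["RS256", "RS384", "RS512", "PS256", "PS384", "PS512"],
    "rsa-generated": ["RS256", "RS384", "RS512", "PS256", "PS384", "PS512"],
    "rsa-enc": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256"],
    "rsa-enc-generated": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256"],
    "hmac-generated": ["HS256", "HS384", "HS512"],
    "ecdsa-generated": ["ES256", "ES384", "ES512"],
    "ecdh-generated": ["ECDH_ES", "ECDH_ES_A128KW", "ECDH_ES_A192KW", "ECDH_ES_A256KW"],
}
PROVIDERS_WITHOUT_ALGORITHM = {"aes-generated", "eddsa-generated"}
IMPORTED_PROVIDERS = {"rsa", "rsa-enc"}  # the only ones that take key material
KEY_SIZE_PROVIDERS = {"rsa-generated", "rsa-enc-generated"}  # bits
SECRET_SIZE_PROVIDERS = {"hmac-generated", "aes-generated"}  # bytes

# elliptic_curve lands in a provider-specific Keycloak config key.
CURVE_CONFIG = {
    "ecdsa-generated": ("ecdsaEllipticCurveKey", ["P-256", "P-384", "P-521"]),
    "ecdh-generated": ("ecdhEllipticCurveKey", ["P-256", "P-384", "P-521"]),
    "eddsa-generated": ("eddsaEllipticCurveKey", ["Ed25519", "Ed448"]),
}


def _camel(name):
    """secret_size -> secretSize; names without underscores pass through."""
    head, *rest = name.split("_")
    return head + "".join(part.capitalize() for part in rest)


def _kc_value(value):
    """Keycloak stores every component config value as a list of strings."""
    if isinstance(value, bool):
        return ["true" if value else "false"]
    return [str(value)]


def build_key_component(name, parent_id, provider_id, config):
    """Validate a module-style config dict and return the Keycloak component body.

    Raises ValueError where the real module would call fail_json.
    """
    if provider_id not in set(PROVIDER_ALGORITHMS) | PROVIDERS_WITHOUT_ALGORITHM:
        raise ValueError("unknown provider_id %r" % provider_id)
    cfg = {k: v for k, v in config.items() if v is not None}

    # Key material: required for imported providers, rejected for generated ones.
    material = [k for k in ("private_key", "certificate") if k in cfg]
    if provider_id in IMPORTED_PROVIDERS and len(material) != 2:
        raise ValueError("%s requires private_key and certificate" % provider_id)
    if provider_id not in IMPORTED_PROVIDERS and material:
        raise ValueError("%s generates its own key material; drop %s" % (provider_id, material))

    # Algorithm: RS256 default only where Keycloak accepts it, otherwise explicit.
    if provider_id in PROVIDERS_WITHOUT_ALGORITHM:
        cfg.pop("algorithm", None)  # AES/EdDSA carry no algorithm setting
    else:
        allowed = PROVIDER_ALGORITHMS[provider_id]
        algorithm = cfg.get("algorithm") or (DEFAULT_ALGORITHM if DEFAULT_ALGORITHM in allowed else None)
        if algorithm is None:
            raise ValueError("%s requires algorithm (one of %s)" % (provider_id, ", ".join(allowed)))
        if algorithm not in allowed:
            raise ValueError("algorithm %s is not valid for %s" % (algorithm, provider_id))
        cfg["algorithm"] = algorithm

    # Curve: moved to the provider's own config key and validated per provider.
    curve = cfg.pop("elliptic_curve", None)
    if provider_id in CURVE_CONFIG:
        key, curves = CURVE_CONFIG[provider_id]
        if curve not in curves:
            raise ValueError("%s requires elliptic_curve in %s" % (provider_id, curves))
        cfg[key] = curve
    elif curve is not None:
        raise ValueError("elliptic_curve is not valid for %s" % provider_id)

    # Sizes: key_size in bits for RSA providers, secret_size in bytes for HMAC/AES.
    if "key_size" in cfg and (provider_id not in KEY_SIZE_PROVIDERS or cfg["key_size"] not in (1024, 2048, 4096)):
        raise ValueError("key_size must be 1024/2048/4096 and is only valid for %s" % sorted(KEY_SIZE_PROVIDERS))
    if "secret_size" in cfg and (provider_id not in SECRET_SIZE_PROVIDERS or int(cfg["secret_size"]) <= 0):
        raise ValueError("secret_size must be positive and is only valid for %s" % sorted(SECRET_SIZE_PROVIDERS))

    return {
        "name": name,
        "parentId": parent_id,
        "providerId": provider_id,
        "providerType": KEY_PROVIDER_TYPE,
        "config": {_camel(k): _kc_value(v) for k, v in cfg.items()},
    }


def needs_update(existing, desired):
    """Idempotency check: compare only the config keys this example manages,
    because Keycloak returns entries of its own alongside them."""
    if existing.get("providerId") != desired["providerId"]:
        return True
    current = existing.get("config", {})
    return any(current.get(k) != v for k, v in desired["config"].items())
```

Comparing only the managed keys is what keeps a re-run from reporting a change: Keycloak adds entries of its own to a provider's stored config (the test below uses a kid entry as a constructed stand-in), so a whole-dict comparison against the desired body would never match.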

Add support for Keycloak's auto-generated key providers where Keycloak
manages the key material automatically:

- rsa-generated: Auto-generates RSA signing keys
- hmac-generated: Auto-generates HMAC signing keys
- aes-generated: Auto-generates AES encryption keys
- ecdsa-generated: Auto-generates ECDSA signing keys

New algorithms:
- HMAC: HS256, HS384, HS512
- ECDSA: ES256, ES384, ES512
- AES: AES (no algorithm parameter needed)

New config options:
- secret_size: For HMAC/AES providers (key size in bytes)
- key_size: For RSA-generated provider (key size in bits)
- elliptic_curve: For ECDSA-generated provider (P-256, P-384, P-521)

Changes:
- Make private_key/certificate optional (only required for rsa/rsa-enc)
- Add provider-algorithm validation with clear error messages
- Fix KeyError when managing default realm keys (issue ansible-collections#11459)
- Maintain backward compatibility: RS256 default works for rsa/rsa-generated

Fixes: ansible-collections#11459
@koke1997 koke1997 force-pushed the feat/keycloak-realm-key-generated-providers branch from 7a72feb to 4a5c407 on February 4, 2026 22:36

@ansibullbot ansibullbot added the integration, module, plugins and tests labels Feb 4, 2026

The test ansible-test sanity --test validate-modules [explain] failed with 2 errors:

plugins/modules/keycloak_realm_key.py:0:0: doc-default-does-not-match-spec: Argument 'algorithm' in argument_spec found in config defines default as ('RS256') but documentation defines default as (None)
plugins/modules/keycloak_realm_key.py:0:0: no-log-needed: Argument 'secret_size' in argument_spec could be a secret, though doesn't have `no_log` set found in config

The test ansible-test sanity --test validate-modules [explain] failed with 2 errors:

plugins/modules/keycloak_realm_key.py:0:0: doc-default-does-not-match-spec: Argument 'algorithm' in argument_spec found in config defines default as ('RS256') but documentation defines default as (None)
plugins/modules/keycloak_realm_key.py:0:0: no-log-needed: Argument 'secret_size' in argument_spec could be a secret, though doesn't have `no_log` set found in config

The test ansible-test sanity --test validate-modules [explain] failed with 2 errors:

plugins/modules/keycloak_realm_key.py:0:0: doc-default-does-not-match-spec: Argument 'algorithm' in argument_spec found in config defines default as ('RS256') but documentation defines default as (None)
plugins/modules/keycloak_realm_key.py:0:0: no-log-needed: Argument 'secret_size' in argument_spec could be a secret, though doesn't have `no_log` set found in config

The test ansible-test sanity --test validate-modules [explain] failed with 2 errors:

plugins/modules/keycloak_realm_key.py:0:0: doc-default-does-not-match-spec: Argument 'algorithm' in argument_spec found in config defines default as ('RS256') but documentation defines default as (None)
plugins/modules/keycloak_realm_key.py:0:0: no-log-needed: Argument 'secret_size' in argument_spec could be a secret, though doesn't have `no_log` set found in config

click here for bot help

@ansibullbot ansibullbot added the ci_verified (push fixes to PR branch to re-run CI) and needs_revision (this PR fails CI tests or a maintainer has requested a review/revision of the PR) labels Feb 4, 2026
- Add 'default: RS256' to algorithm documentation to match spec
- Add no_log=True to secret_size parameter per sanity check
@ansibullbot ansibullbot removed the ci_verified and needs_revision labels Feb 4, 2026
Add support for remaining auto-generated key providers:
- rsa-enc-generated (RSA encryption keys with RSA1_5, RSA-OAEP, RSA-OAEP-256)
- ecdh-generated (ECDH key exchange with ECDH_ES, ECDH_ES_A128KW/A192KW/A256KW)
- eddsa-generated (EdDSA signing with Ed25519, Ed448 curves)

Changes:
- Add provider-specific elliptic curve config key mapping
  (ecdsaEllipticCurveKey, ecdhEllipticCurveKey, eddsaEllipticCurveKey)
- Add PROVIDERS_WITHOUT_ALGORITHM constant for providers that don't need algorithm
- Add elliptic curve validation per provider type
- Update documentation with all supported algorithms and examples
- Add comprehensive integration tests for all new providers

This completes full coverage of all Keycloak key provider types.
@koke1997 koke1997 changed the title feat(keycloak_realm_key): add support for auto-generated key providers feat(keycloak_realm_key): add full support for all Keycloak key providers Feb 5, 2026

Development

Successfully merging this pull request may close these issues.

keycloak_realm_key module is unable to delete default keys