Added auto setting for redirect urls for keycloak clients. Element and Synapse still need to be mapped

roles/web-app-keycloak/tasks/02_update_client_redirects.yml

@@ -0,0 +1,130 @@
+---
+# Update redirectUris/webOrigins per kcadm.sh — no defaults used.
+
+# ── REQUIRED VARS (must be provided by caller) ───────────────────────────────
+# - WEB_PROTOCOL                        e.g. "https"
+# - keycloak_realm                      target realm name
+# - keycloak_server_host_url            e.g. "http://127.0.0.1:8080"
+# - keycloak_server_internal_url        e.g. "http://127.0.0.1:8080"
+# - keycloak_kcadm_path                 e.g. "docker exec -i keycloak /opt/keycloak/bin/kcadm.sh"
+# - keycloak_master_api_user_name
+# - keycloak_master_api_user_password
+# - keycloak_client_id                 clientId to update (e.g. same as realm or an app client)
+# - domains                             your domain map
+# - applications                        your applications map
+
+- name: "Assert required variables are present (no defaults allowed)"
+  assert:
+    that:
+      - WEB_PROTOCOL is defined
+      - keycloak_realm is defined
+      - keycloak_server_host_url is defined
+      - keycloak_server_internal_url is defined
+      - keycloak_kcadm_path is defined
+      - keycloak_master_api_user_name is defined
+      - keycloak_master_api_user_password is defined
+      - keycloak_client_id is defined
+      - keycloak_redirect_features is defined
+      - domains is defined
+      - applications is defined
+    fail_msg: "Missing required variable(s). Provide all vars listed at the top of 10_update_client_redirects.yml."
+
+# 0) Wait & login
+- name: "Wait until Keycloak is reachable at {{ keycloak_server_host_url }}"
+  uri:
+    url: "{{ keycloak_server_host_url }}/realms/master"
+    method: GET
+    status_code: 200
+    validate_certs: false
+  register: kc_up
+  retries: 30
+  delay: 5
+  until: kc_up.status == 200
+
+- name: "kcadm login"
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+  shell: >
+    {{ keycloak_kcadm_path }} config credentials
+    --server {{ keycloak_server_internal_url }}
+    --realm master
+    --user {{ keycloak_master_api_user_name }}
+    --password {{ keycloak_master_api_user_password }}
+  changed_when: false
+
+# 1) Build desired sets (NO defaults)
+- name: "Build desired redirect URIs from config via filter"
+  set_fact:
+    kc_redirect_uris: >-
+      {{ domains | redirect_uris(applications, WEB_PROTOCOL, '/*', keycloak_redirect_features, True) }}
+
+- name: Build desired web origins (scheme://host[:port])
+  set_fact:
+    kc_web_origins: >-
+      {{ kc_redirect_uris
+         | map('regex_replace','/\\*$','')
+         | map('regex_search','^(https?://[^/]+)')
+         | select('string')
+         | list | unique }}
+
+#- name: "Build post.logout.redirect.uris value ('+' plus explicit URIs without /*)"
+#  set_fact:
+#    kc_desired_post_logout_uris: >-
+#      {{ (['+'] + (kc_redirect_uris | map('regex_replace','/\\*$','') | list)) | join('\n') }}
+
+# 2) Resolve client id (strictly by provided clientId, no fallback)
+- name: "Resolve client internal id for {{ keycloak_client_id }}"
+  shell: >
+    {{ keycloak_kcadm_path }} get clients
+    -r {{ keycloak_realm }}
+    --query 'clientId={{ keycloak_client_id }}'
+    --fields id --format json | jq -r '.[0].id'
+  register: kc_client
+  changed_when: false
+
+- name: "Fail if client not found"
+  assert:
+    that: kc_client.stdout is match('^[0-9a-f-]+$')
+    fail_msg: "Client '{{ keycloak_client_id }}' not found in realm '{{ keycloak_realm }}'."
+
+# 3) Read current config (assume keys exist; we don't use defaults)
+- name: "Read current client configuration"
+  shell: >
+    {{ keycloak_kcadm_path }} get clients/{{ kc_client.stdout }}
+    -r {{ keycloak_realm }} --format json
+  register: kc_client_obj
+  changed_when: false
+
+- name: "Normalize current vs desired for comparison"
+  set_fact:
+    kc_current_redirect_uris:     "{{ (kc_client_obj.stdout | from_json).redirectUris | sort }}"
+    kc_current_web_origins:       "{{ (kc_client_obj.stdout | from_json).webOrigins  | sort }}"
+    kc_current_logout_uris: >-
+      {{
+        (
+          (kc_client_obj.stdout | from_json).attributes['post.logout.redirect.uris']
+          if 'post.logout.redirect.uris' in (kc_client_obj.stdout | from_json).attributes
+          else ''
+        )
+        | regex_replace('\r','')
+        | split('\n')
+        | reject('equalto','')
+        | list | sort
+      }}
+    kc_desired_redirect_uris:     "{{ kc_redirect_uris | sort }}"
+    kc_desired_web_origins:       "{{ kc_web_origins  | sort }}"
+    kc_desired_post_logout_uris:  "+"
+    kc_desired_post_logout_uris_list: >-
+      {{ "+" | split('\n') | reject('equalto','') | list | sort }}
+
+# 4) Update only when changed
+- name: "Update redirectUris, webOrigins, post.logout.redirect.uris"
+  shell: >
+    {{ keycloak_kcadm_path }} update clients/{{ kc_client.stdout }}
+    -r {{ keycloak_realm }}
+    -s 'redirectUris={{ kc_redirect_uris | to_json }}'
+    -s 'webOrigins={{ kc_web_origins | to_json }}'
+    -s 'attributes."post.logout.redirect.uris"={{ kc_desired_post_logout_uris | to_json }}'
+  when: kc_current_redirect_uris != kc_desired_redirect_uris
+        or kc_current_web_origins  != kc_desired_web_origins
+        or kc_current_logout_uris  != kc_desired_post_logout_uris_list
+

roles/web-app-keycloak/tasks/03_update-ldap-bind.yml

@@ -16,8 +16,8 @@
     {{ keycloak_kcadm_path }} config credentials \
       --server {{ keycloak_server_internal_url }} \
       --realm master \
-      --user {{ keycloak_administrator_username }} \
-      --password {{ keycloak_administrator_password }}
+      --user {{ keycloak_master_api_user_name }} \
+      --password {{ keycloak_master_api_user_password }}
 
 - name: Retrieve LDAP component ID
   shell: |
@@ -37,6 +37,6 @@
     {{ keycloak_kcadm_path }} update components/{{ ldap_component.stdout }} \
       -r {{ keycloak_realm }} \
       -s 'config.bindCredential=["{{ new_bind_password }}"]'
-  no_log: true
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
   register: update_bind
   changed_when: update_bind.rc == 0

roles/web-app-keycloak/tasks/04_ssh_public_key.yml

@@ -15,8 +15,8 @@
     {{ keycloak_kcadm_path }} config credentials \
       --server {{ keycloak_server_internal_url }} \
       --realm master \
-      --user {{ keycloak_administrator_username }} \
-      --password {{ keycloak_administrator_password }}
+      --user {{ keycloak_master_api_user_name }} \
+      --password {{ keycloak_master_api_user_password }}
 
 # LDAP Source
 - name: Get ID of LDAP storage provider
@@ -66,8 +66,8 @@
     {{ keycloak_kcadm_path }} config credentials \
       --server {{ keycloak_server_internal_url }} \
       --realm master \
-      --user {{ keycloak_administrator_username }} \
-      --password {{ keycloak_administrator_password }}
+      --user {{ keycloak_master_api_user_name }} \
+      --password {{ keycloak_master_api_user_password }}
 
 - name: Render user-profile JSON for SSH key
   template:

roles/web-app-keycloak/tasks/Todo.md

@@ -0,0 +1,3 @@
+# Todos
+- Include 03_update-ldap-bind.yml
+- Include 04_ssh_public_key.yml

roles/web-app-keycloak/tasks/main.yml

@@ -1,11 +1,14 @@
 ---
-- name: "create import files for {{application_id}}"
-  include_tasks: 01_import.yml
+#- name: "create import files for {{application_id}}"
+#  include_tasks: 01_import.yml
+#
+#- name: "load docker, db and proxy for {{application_id}}"
+#  include_role: 
+#    name: cmp-db-docker-proxy
 
-- name: "load docker, db and proxy for {{application_id}}"
-  include_role: 
-    name: cmp-db-docker-proxy
+- name: "Apply client redirects without realm import"
+  include_tasks: 02_update_client_redirects.yml
 
 # Deactivated temporary. Import now via realm.yml
 #- name: Implement SSH Public Key Attribut
-#  include_tasks: attributes/ssh_public_key.yml
+#  include_tasks: 03_ssh_public_key.yml