From 97f4045c6855ab7d61d20e2278bd07148a8e5ca3 Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Tue, 26 Aug 2025 21:22:27 +0200 Subject: [PATCH] Keycloak: align client attributes with realm dictionary - Extended kc_force_attrs in tasks/main.yml to source 'publicClient', 'serviceAccountsEnabled' and 'frontchannelLogout' directly from KEYCLOAK_DICTIONARY_REALM for consistency with import definitions. - Updated default.json.j2 import template to set 'publicClient' to true. - Public client mode is required so the frontend API of role 'web-app-desktop' can handle login/logout flows without client secret. Ref: https://chatgpt.com/share/68ae0060-4fac-800f-9f02-22592a4087d3 --- roles/web-app-keycloak/tasks/main.yml | 22 ++++++++++++++++++- .../templates/import/clients/default.json.j2 | 2 +- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/roles/web-app-keycloak/tasks/main.yml b/roles/web-app-keycloak/tasks/main.yml index 357de156..474f919f 100644 --- a/roles/web-app-keycloak/tasks/main.yml +++ b/roles/web-app-keycloak/tasks/main.yml @@ -47,7 +47,27 @@ | list | first }} kc_force_attrs: - frontchannelLogout: true + publicClient: >- + {{ + (KEYCLOAK_DICTIONARY_REALM.clients + | selectattr('clientId','equalto', KEYCLOAK_CLIENT_ID) + | map(attribute='publicClient') + | first) + }} + serviceAccountsEnabled: >- + {{ + (KEYCLOAK_DICTIONARY_REALM.clients + | selectattr('clientId','equalto', KEYCLOAK_CLIENT_ID) + | map(attribute='serviceAccountsEnabled') + | first ) + }} + frontchannelLogout: >- + {{ + (KEYCLOAK_DICTIONARY_REALM.clients + | selectattr('clientId','equalto', KEYCLOAK_CLIENT_ID) + | map(attribute='frontchannelLogout') + | first) + }} attributes: >- {{ ( (KEYCLOAK_DICTIONARY_REALM.clients diff --git a/roles/web-app-keycloak/templates/import/clients/default.json.j2 b/roles/web-app-keycloak/templates/import/clients/default.json.j2 index b806d4a1..5a539a8a 100644 --- a/roles/web-app-keycloak/templates/import/clients/default.json.j2 
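Review bot: The three new `kc_force_attrs` values (`publicClient`, `serviceAccountsEnabled`, `frontchannelLogout`) each repeat the same `selectattr('clientId','equalto', KEYCLOAK_CLIENT_ID)` lookup and end in `| first` with no guard. If no dictionary entry matches, or the entry lacks one of the keys, the run will most likely stop with an undefined-value error that does not name the missing client or key. I would resolve the client once, for example `kc_dict_client: "{{ KEYCLOAK_DICTIONARY_REALM.clients | selectattr('clientId','equalto', KEYCLOAK_CLIENT_ID) | list | first }}"`, assert that it is defined, and then write `publicClient: "{{ kc_dict_client.publicClient | bool }}"` and likewise for the other two flags. Because `kc_force_attrs` appears to be applied to the already-existing client, this also switches live realms to public-client mode on the next run, not only fresh imports; a comment above `publicClient` such as `# forces the realm-dictionary value onto existing clients; true means no client secret is required` would make that visible. The vars block starts and ends outside the hunk.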
+++ b/roles/web-app-keycloak/templates/import/clients/default.json.j2
@@ -19,7 +19,7 @@
 "implicitFlowEnabled": true,
 "directAccessGrantsEnabled": true,
 "serviceAccountsEnabled": true,
- "publicClient": false,
+ "publicClient": true,
 "frontchannelLogout": true,
 "protocol": "openid-connect",
 "attributes": {
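Review bot: Setting `"publicClient": true` leaves `"serviceAccountsEnabled": true`, `"implicitFlowEnabled": true` and `"directAccessGrantsEnabled": true` unchanged in the context lines, which is a weak combination for a client that no longer authenticates with a secret. Service accounts rely on the client-credentials grant and need a confidential client, so that flag is at best inert, while the implicit and direct-grant flows allow tokens to be issued for this client ID without any client authentication. If only the `web-app-desktop` frontend needs public mode, I would give it a dedicated public client, or else set `"implicitFlowEnabled": false` and `"directAccessGrantsEnabled": false` here and require PKCE with `"pkce.code.challenge.method": "S256"` inside `attributes`. The `attributes` object and the redirect URI and web origin settings lie outside the hunk, so whether PKCE and strict redirect URIs are already enforced cannot be confirmed from this view.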