Fix: enable stable Drupal OIDC support and PHP 8.2 base image

- Switched Drupal base image to PHP 8.2 for compatibility with openid_connect 2.x
- Added mariadb-client to container to allow Drush to drop tables
- Upgraded OIDC module from ^1 to ^2@beta for entity-based client configuration
- Replaced legacy client creation task with generic plugin-based entity creation
- Ensured /usr/local/bin is in PATH for www-data user
- Updated oidc.yml to explicitly use the generic plugin

References: https://chatgpt.com/share/6905cecc-8e3c-800f-849b-4041b6925381

roles/web-app-drupal/config/main.yml

@@ -7,6 +7,7 @@ features:
   oidc:               true
   central_database:   true
   logout:             true
+
 server:
   csp:
     flags: {}
@@ -15,18 +16,21 @@ server:
     canonical:
       - "drupal.{{ PRIMARY_DOMAIN }}"
     aliases: []
+
 docker:
   services:
     database:
       enabled:            true
     drupal:
-      version:            latest
+      # Use a PHP 8.2+ base image to ensure compatibility with OIDC 2.x syntax
+      version:            "10-php8.2-apache"
       image:              drupal
       name:               drupal
       backup:
         no_stop_required: true
   volumes:
     data:                 drupal_data
+
 rbac:
   roles:
     authenticated:

roles/web-app-drupal/tasks/04_configure_oidc.yml

@@ -13,22 +13,42 @@
     openid_connect.settings {{ item.key }}
     {{ (item.value | to_json) if item.value is mapping or item.value is sequence else item.value }}"
 
-- name: "Ensure OIDC client entity exists"
+- name: "Ensure/Update OIDC client entity (generic)"
   vars:
-    client_id: "{{ oidc_vars.oidc_client.id }}"
+    client_id:    "{{ oidc_vars.oidc_client.id }}"
     client_label: "{{ oidc_vars.oidc_client.label }}"
+    plugin_id:    "{{ oidc_vars.oidc_client.plugin }}"
+    settings_b64: "{{ oidc_vars.oidc_client.settings | to_json | b64encode }}"
   command: >
     docker exec {{ DRUPAL_CONTAINER }} bash -lc
     "drush -r {{ DRUPAL_DOCKER_HTML_PATH }} eval '
-    $id=\"{{ client_id }}\"; $label=\"{{ client_label }}\";
-    $storage=\Drupal::entityTypeManager()->getStorage(\"openid_connect_client\");
-    if (!$storage->load($id)) {
-      $client=$storage->create([\"id\"=>$id,\"label\"=>$label]);
-      $client->save();
-      print \"created\";
-    } else { print \"exists\"; }'"
-  register: client_exists
-  changed_when: "'created' in client_exists.stdout"
+      $id=\"{{ client_id }}\";
+      $label=\"{{ client_label }}\";
+      $plugin=\"{{ plugin_id }}\";
+      $settings=json_decode(base64_decode(\"{{ settings_b64 }}\"), TRUE);
+      $storage=\\Drupal::entityTypeManager()->getStorage(\"openid_connect_client\");
+      $e=$storage->load($id);
+      if (!$e) {
+        $e=$storage->create([
+          \"id\"=> $id,
+          \"label\"=> $label,
+          \"status\"=> TRUE,
+          \"plugin\"=> $plugin,
+          \"settings\"=> $settings,
+        ]);
+        $e->save();
+        print \"created\";
+      } else {
+        $e->set(\"label\", $label);
+        $e->set(\"plugin\", $plugin);
+        $e->set(\"settings\", $settings);
+        $e->set(\"status\", TRUE);
+        $e->save();
+        print \"updated\";
+      }
+    '"
+  register: client_apply
+  changed_when: "'created' in client_apply.stdout or 'updated' in client_apply.stdout"
 
 - name: "Apply OIDC client settings"
   vars:

roles/web-app-drupal/templates/Dockerfile.j2

@@ -1,10 +1,10 @@
 FROM {{ DRUPAL_IMAGE }}:{{ DRUPAL_VERSION }}
 
 # -------------------------------------------------------------------
-# System dependencies (mail support + basic tools)
+# System dependencies (mail support + MySQL client + basic tools)
 # -------------------------------------------------------------------
 RUN apt-get update && \
-    apt-get install -y msmtp msmtp-mta git unzip zip less nano curl vim && \
+    apt-get install -y msmtp msmtp-mta git unzip zip less nano curl vim mariadb-client && \
     rm -rf /var/lib/apt/lists/*
 
 # -------------------------------------------------------------------
@@ -30,7 +30,7 @@ ENV COMPOSER_ALLOW_SUPERUSER=1
 RUN set -eux; \
     builddir="$(mktemp -d)"; \
     composer create-project --no-interaction --no-ansi --no-progress drupal/recommended-project:^10 "$builddir"; \
-    composer --working-dir="$builddir" require -n drush/drush:^13 drupal/openid_connect:^1; \
+    composer --working-dir="$builddir" require -n drush/drush:^13 drupal/openid_connect:^2@beta; \
     rm -rf /opt/drupal/* /opt/drupal/.[!.]* /opt/drupal/..?* 2>/dev/null || true; \
     mkdir -p /opt/drupal; \
     cp -a "$builddir"/. /opt/drupal/; \
@@ -39,7 +39,6 @@ RUN set -eux; \
 # -------------------------------------------------------------------
 # Make vendor binaries available in PATH
 # -------------------------------------------------------------------
-# Make drush unconditionally available on PATH (also if PATH is overridden)
 RUN ln -sf /opt/drupal/vendor/bin/drush /usr/local/bin/drush
 
 # -------------------------------------------------------------------
@@ -75,7 +74,10 @@ RUN set -eux; \
 USER www-data
 WORKDIR /var/www/html  # symlink pointing to {{ DRUPAL_DOCKER_HTML_PATH }}
 
+# Ensure PATH for non-login shells includes /usr/local/bin
+ENV PATH="/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin"
+
 # -------------------------------------------------------------------
 # Build-time check (optional)
 # -------------------------------------------------------------------
-RUN drush --version
+RUN /usr/local/bin/drush --version

roles/web-app-drupal/vars/oidc.yml

@@ -14,6 +14,7 @@ oidc_settings:
 oidc_client:
   id:                                "keycloak"
   label:                             "Keycloak"
+  plugin:                            "generic"   # use the built-in generic OIDC client plugin
   settings:
     client_id:                       "{{ OIDC.CLIENT.ID }}"
     client_secret:                   "{{ OIDC.CLIENT.SECRET }}"