computer-playbook/roles/web-app-drupal/tasks/04_configure_oidc.yml

- name: "Load OIDC vars"
  include_vars:
    file: "{{ role_path }}/vars/oidc.yml"
    name: oidc_vars

- name: "Apply openid_connect.settings (global)"
  loop: "{{ oidc_vars.oidc_settings | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  command: >
    docker exec {{ DRUPAL_CONTAINER }} bash -lc
    "drush -r {{ DRUPAL_DOCKER_HTML_PATH }} cset -y
    openid_connect.settings {{ item.key }}
    {{ (item.value | to_json) if item.value is mapping or item.value is sequence else item.value }}"

- name: "Ensure/Update OIDC client entity (generic)"
  vars:
    client_id:    "{{ oidc_vars.oidc_client.id }}"
    client_label: "{{ oidc_vars.oidc_client.label }}"
    plugin_id:    "{{ oidc_vars.oidc_client.plugin }}"
    settings_b64: "{{ oidc_vars.oidc_client.settings | to_json | b64encode }}"
  command: >
    docker exec {{ DRUPAL_CONTAINER }} bash -lc
    "drush -r {{ DRUPAL_DOCKER_HTML_PATH }} eval '
      $id=\"{{ client_id }}\";
      $label=\"{{ client_label }}\";
      $plugin=\"{{ plugin_id }}\";
      $settings=json_decode(base64_decode(\"{{ settings_b64 }}\"), TRUE);
      $storage=\\Drupal::entityTypeManager()->getStorage(\"openid_connect_client\");
      $e=$storage->load($id);
      if (!$e) {
        $e=$storage->create([
          \"id\"=> $id,
          \"label\"=> $label,
          \"status\"=> TRUE,
          \"plugin\"=> $plugin,
          \"settings\"=> $settings,
        ]);
        $e->save();
        print \"created\";
      } else {
        $e->set(\"label\", $label);
        $e->set(\"plugin\", $plugin);
        $e->set(\"settings\", $settings);
        $e->set(\"status\", TRUE);
        $e->save();
        print \"updated\";
      }
    '"
  register: client_apply
  changed_when: "'created' in client_apply.stdout or 'updated' in client_apply.stdout"

- name: "Apply OIDC client settings"
  vars:
    client_id: "{{ oidc_vars.oidc_client.id }}"
    settings_map: "{{ oidc_vars.oidc_client.settings }}"
    kv: "{{ settings_map | dict2items }}"
  loop: "{{ kv }}"
  loop_control:
    label: "{{ item.key }}"
  command: >
    docker exec {{ DRUPAL_CONTAINER }} bash -lc
    "drush -r {{ DRUPAL_DOCKER_HTML_PATH }} eval '
    $id=\"{{ client_id }}\";
    $key=\"{{ item.key }}\";
    $val=json_decode(base64_decode(\"{{ (item.value | to_json | b64encode) }}\"), true);
    $storage=\Drupal::entityTypeManager()->getStorage(\"openid_connect_client\");
    $c=$storage->load($id);
    $s=$c->get(\"settings\");
    $s[$key]=$val;
    $c->set(\"settings\", $s);
    $c->save();'"
  changed_when: true

- name: "Clear caches after OIDC config"
  command: >
    docker exec {{ DRUPAL_CONTAINER }} bash -lc
    "drush -r {{ DRUPAL_DOCKER_HTML_PATH }} cr"
  changed_when: false