feat: Add Browser and Direct Grant Flow fields to Keycloak Client

Signed-off-by: Douglass Kirkley <doug.kirkley@gmail.com>

Author: dougkirkley

api/v1/keycloakclient_types.go

@@ -181,6 +181,10 @@ type KeycloakClientSpec struct {
 	// +nullable
 	// +optional
 	Authorization *Authorization `json:"authorization,omitempty"`
+
+	// AuthenticationFlowBindingOverrides client auth flow overrides
+	// +optional
+	AuthenticationFlowBindingOverrides AuthenticationFlowBindingOverrides `json:"authenticationFlowBindingOverrides,omitempty"`
 }
 
 type ServiceAccount struct {
@@ -252,6 +256,11 @@ type Authorization struct {
 	Resources []Resource `json:"resources,omitempty"`
 }
 
+type AuthenticationFlowBindingOverrides struct {
+	Browser     string `json:"browser,omitempty"`
+	DirectGrant string `json:"directGrant,omitempty"`
+}
+
 // KeycloakClientStatus defines the observed state of KeycloakClient.
 type KeycloakClientStatus struct {
 	// +optional

api/v1/zz_generated.deepcopy.go

@@ -61,6 +61,14 @@ spec:
                 description: Attributes is a map of client attributes.
                 nullable: true
                 type: object
+              authenticationFlowBindingOverrides:
+                description: AuthenticationFlowBindingOverrides client auth flow overrides
+                properties:
+                  browser:
+                    type: string
+                  directGrant:
+                    type: string
+                type: object
               authorization:
                 description: Authorization is a client authorization configuration.
                 nullable: true

config/crd/bases/v1.edp.epam.com_keycloakclients.yaml

@@ -14,6 +14,9 @@ spec:
   webUrl: https://argocd.example.com
   defaultClientScopes:
     - argocd_groups
+  authenticationFlowBindingOverrides:
+    browser: "browser"
+    direct_grant: "direct grant"
 
 ---
 

config/samples/v1_v1_keycloakclient.yaml

@@ -94,6 +94,16 @@ func (el *PutClient) putKeycloakClient(ctx context.Context, keycloakClient *keyc
 }
 
 func (el *PutClient) convertCrToDto(ctx context.Context, keycloakClient *keycloakApi.KeycloakClient, realmName string) (*dto.Client, error) {
+	authFlowOverrides := keycloakClient.Spec.AuthenticationFlowBindingOverrides
+	if authFlowOverrides.Browser != "" || authFlowOverrides.DirectGrant != "" {
+		authFlows, err := el.getAuthFlows(keycloakClient, realmName)
+		if err != nil {
+			return nil, fmt.Errorf("unable to get auth flows: %w", err)
+		}
+
+		keycloakClient.Spec.AuthenticationFlowBindingOverrides = *authFlows
+	}
+
 	if keycloakClient.Spec.Public {
 		res := dto.ConvertSpecToClient(&keycloakClient.Spec, "", realmName)
 		return res, nil
@@ -181,3 +191,35 @@ func (el *PutClient) setSecretRef(ctx context.Context, keycloakClient *keycloakA
 
 	return nil
 }
+
+func (el *PutClient) getAuthFlows(keycloakClient *keycloakApi.KeycloakClient, realmName string) (*keycloakApi.AuthenticationFlowBindingOverrides, error) {
+	clientAuthFlows := keycloakClient.Spec.AuthenticationFlowBindingOverrides
+
+	flows, err := el.keycloakApiClient.GetRealmAuthFlows(realmName)
+	if err != nil {
+		return nil, fmt.Errorf("unable to get realm: %w", err)
+	}
+
+	realmAuthFlows := make(map[string]string)
+	for i := range flows {
+		realmAuthFlows[flows[i].Alias] = flows[i].ID
+	}
+
+	if clientAuthFlows.Browser != "" {
+		if _, ok := realmAuthFlows[clientAuthFlows.Browser]; !ok {
+			return nil, fmt.Errorf("auth flow %s not found in realm %s", clientAuthFlows.Browser, realmName)
+		}
+
+		clientAuthFlows.Browser = realmAuthFlows[clientAuthFlows.Browser]
+	}
+
+	if clientAuthFlows.DirectGrant != "" {
+		if _, ok := realmAuthFlows[clientAuthFlows.DirectGrant]; !ok {
+			return nil, fmt.Errorf("auth flow %s not found in realm %s", clientAuthFlows.DirectGrant, realmName)
+		}
+
+		clientAuthFlows.DirectGrant = realmAuthFlows[clientAuthFlows.DirectGrant]
+	}
+
+	return &clientAuthFlows, nil
+}

controllers/keycloakclient/chain/put_client.go

@@ -310,6 +310,71 @@ func TestPutClient_Serve(t *testing.T) {
 			},
 			wantErr: require.NoError,
 		},
+		{
+			name: "create client with auth flows",
+			fields: fields{
+				client: func(t *testing.T) client.Client {
+					s := runtime.NewScheme()
+					require.NoError(t, keycloakApi.AddToScheme(s))
+					require.NoError(t, corev1.AddToScheme(s))
+
+					return fake.NewClientBuilder().
+						WithScheme(s).
+						WithObjects(
+							&keycloakApi.KeycloakClient{
+								ObjectMeta: metav1.ObjectMeta{
+									Name:      "test-client",
+									Namespace: "default",
+								},
+								Spec: keycloakApi.KeycloakClientSpec{
+									ClientId: "test-client-id",
+									AuthenticationFlowBindingOverrides: keycloakApi.AuthenticationFlowBindingOverrides{
+										Browser:     "browser",
+										DirectGrant: "direct grant",
+									},
+								},
+							},
+						).
+						Build()
+				},
+				secretRef: func(t *testing.T) secretRef {
+					return mocks.NewRefClient(t)
+				},
+			},
+			args: args{
+				keycloakClient: client.ObjectKey{
+					Name:      "test-client",
+					Namespace: "default",
+				},
+				adapterClient: func(t *testing.T) keycloak.Client {
+					m := keycloakmocks.NewMockClient(t)
+
+					m.On("GetClientID", "test-client-id", "realm").
+						Return("", adapter.NotFoundError("not found")).
+						Once()
+
+					m.On("CreateClient", testifymock.Anything, testifymock.Anything).
+						Return(nil)
+
+					m.On("GetClientID", "test-client-id", "realm").
+						Return("123", nil)
+					m.On("GetRealmAuthFlows", "realm").
+						Return([]adapter.KeycloakAuthFlow{
+							{
+								ID:    "A39C9C6E-430A-4891-8592-FC195AF2581B",
+								Alias: "browser",
+							},
+							{
+								ID:    "8BF514C6-922C-44A0-8F90-488D1B9DE437",
+								Alias: "direct grant",
+							},
+						}, nil)
+
+					return m
+				},
+			},
+			wantErr: require.NoError,
+		},
 	}
 
 	for _, tt := range tests {

controllers/keycloakclient/chain/put_client_test.go

@@ -61,6 +61,14 @@ spec:
                 description: Attributes is a map of client attributes.
                 nullable: true
                 type: object
+              authenticationFlowBindingOverrides:
+                description: AuthenticationFlowBindingOverrides client auth flow overrides
+                properties:
+                  browser:
+                    type: string
+                  directGrant:
+                    type: string
+                type: object
               authorization:
                 description: Authorization is a client authorization configuration.
                 nullable: true

deploy-templates/crds/v1.edp.epam.com_keycloakclients.yaml

@@ -1954,6 +1954,13 @@ If empty - WebUrl will be used.<br/>
             <i>Default</i>: map[post.logout.redirect.uris:+]<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b><a href="#keycloakclientspecauthenticationflowbindingoverrides">authenticationFlowBindingOverrides</a></b></td>
+        <td>object</td>
+        <td>
+          AuthenticationFlowBindingOverrides client auth flow overrides<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b><a href="#keycloakclientspecauthorization">authorization</a></b></td>
         <td>object</td>
@@ -2190,6 +2197,40 @@ If not specified, the value from `WebUrl` is used<br/>
 </table>
 
 
+### KeycloakClient.spec.authenticationFlowBindingOverrides
+<sup><sup>[↩ Parent](#keycloakclientspec)</sup></sup>
+
+
+
+AuthenticationFlowBindingOverrides client auth flow overrides
+
+<table>
+    <thead>
+        <tr>
+            <th>Name</th>
+            <th>Type</th>
+            <th>Description</th>
+            <th>Required</th>
+        </tr>
+    </thead>
+    <tbody><tr>
+        <td><b>browser</b></td>
+        <td>string</td>
+        <td>
+          <br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
+        <td><b>directGrant</b></td>
+        <td>string</td>
+        <td>
+          <br/>
+        </td>
+        <td>false</td>
+      </tr></tbody>
+</table>
+
+
 ### KeycloakClient.spec.authorization
 <sup><sup>[↩ Parent](#keycloakclientspec)</sup></sup>
 

docs/api.md

@@ -524,15 +524,16 @@ func getGclCln(client *dto.Client) gocloak.Client {
 		RedirectURIs: &[]string{
 			client.WebUrl + "/*",
 		},
-		RegistrationAccessToken: &client.RegistrationAccessToken,
-		RootURL:                 &client.WebUrl,
-		AdminURL:                &client.AdminUrl,
-		BaseURL:                 &client.HomeUrl,
-		Secret:                  &client.ClientSecret,
-		ServiceAccountsEnabled:  &client.ServiceAccountEnabled,
-		StandardFlowEnabled:     &client.StandardFlowEnabled,
-		SurrogateAuthRequired:   &client.SurrogateAuthRequired,
-		WebOrigins:              &client.WebOrigins,
+		RegistrationAccessToken:            &client.RegistrationAccessToken,
+		RootURL:                            &client.WebUrl,
+		AdminURL:                           &client.AdminUrl,
+		BaseURL:                            &client.HomeUrl,
+		Secret:                             &client.ClientSecret,
+		ServiceAccountsEnabled:             &client.ServiceAccountEnabled,
+		StandardFlowEnabled:                &client.StandardFlowEnabled,
+		SurrogateAuthRequired:              &client.SurrogateAuthRequired,
+		WebOrigins:                         &client.WebOrigins,
+		AuthenticationFlowBindingOverrides: &client.AuthenticationFlowBindingOverrides,
 	}
 
 	// Set the admin URL to the web URL for backwards compatibility.

pkg/client/keycloak/adapter/gocloak_adapter.go

@@ -305,7 +305,7 @@ func (a GoCloakAdapter) getAuthFlowID(realmName string, flow *KeycloakAuthFlow)
 		return "", errAuthFlowNotFound
 	}
 
-	flows, err := a.getRealmAuthFlows(realmName)
+	flows, err := a.GetRealmAuthFlows(realmName)
 	if err != nil {
 		return "", errors.Wrap(err, "unable to get realm auth flows")
 	}
@@ -334,7 +334,7 @@ func (a GoCloakAdapter) getFlowExecution(realmName string, flow *KeycloakAuthFlo
 	return nil, errAuthFlowNotFound
 }
 
-func (a GoCloakAdapter) getRealmAuthFlows(realmName string) ([]KeycloakAuthFlow, error) {
+func (a GoCloakAdapter) GetRealmAuthFlows(realmName string) ([]KeycloakAuthFlow, error) {
 	var flows []KeycloakAuthFlow
 
 	resp, err := a.startRestyRequest().
@@ -540,7 +540,7 @@ func (a GoCloakAdapter) unsetBrowserFlow(realmName, flowAlias string) (realm *go
 		return realm, false, nil
 	}
 
-	authFlows, err := a.getRealmAuthFlows(realmName)
+	authFlows, err := a.GetRealmAuthFlows(realmName)
 	if err != nil {
 		return nil, false, errors.Wrapf(err, "unable to get auth flows for realm: %s", realmName)
 	}