keycloak_user: email_verified is not idempotent #11747

@felix-grzelka

Summary

When running a Playbook with the keycloak_user module and the user already exists and has verified their email, the email_verified / emailVerified flag is reset.
I would expect the default behavior to not change it, if it is not set.
There is currently no obvious way to leave it as is.

Further, check_mode is not implemented correctly, as changes are made, even when using check mode.

Issue Type

Bug Report

Component Name

keycloak_user

Ansible Version

    $ ansible --version
    ansible [core 2.18.6]
      config file = None
      configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
      ansible python module location = /usr/local/python/current/lib/python3.11/site-packages/ansible
      ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
      executable location = /usr/local/python/current/bin/ansible
      python version = 3.11.14 (main, Oct 16 2025, 12:50:06) [GCC 11.4.0] (/usr/local/python/current/bin/python3)
      jinja version = 3.1.6
      libyaml = True

Community.general Version

    $ ansible-galaxy collection list community.general
    # /root/.ansible/collections/ansible_collections
    Collection        Version
    ----------------- -------
    community.general 12.5.0

    # /usr/local/python/current/lib/python3.11/site-packages/ansible_collections
    Collection        Version
    ----------------- -------
    community.general 10.7.0

Configuration

    $ ansible-config dump --only-changed
    CONFIG_FILE() = None
    PAGER(env: PAGER) = less

    GALAXY_SERVERS:

OS / Environment

No response

Steps to Reproduce

    - name: Create users intended for administrative purposes
      community.general.keycloak_user:
        auth_keycloak_url: "{{ auth_keycloak_url }}"
        auth_username: "{{ auth_username }}"
        auth_password: "{{ auth_password }}"
        auth_realm: "{{ auth_realm }}"
        realm: "{{ realm }}"

        username: "{{ item.name }}"
        firstName: "{{ item.name | split('.') | first }}"
        lastName: "{{ item.name | split('.') | last }}"
        email: "{{ item.email }}"
        enabled: true
        state: present
      register: "r_keycloak_user"
      loop: "{{ present_users }}"

Expected Results

I expect the example above to not change the emailVerified flag.

Actual Results

emailVerified is set to false

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
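
The behaviour the report asks for, as an added Python sketch that is not the keycloak_user module's code and not part of the original report: an omitted option leaves the server's value alone, and check mode reports the change without writing. It assumes omitted options arrive as `None`; `FIELD_MAP`, `plan_update`, `ensure_user`, `send_update` and the sample user are hypothetical names and constructed data.

```python
# Added sketch, not the module's code. Assumption: an option the playbook
# omits arrives as None, as Ansible does for options declared without a default.

# Hypothetical map: task option name -> key in the Keycloak user representation.
FIELD_MAP = {
    "email": "email",
    "enabled": "enabled",
    "email_verified": "emailVerified",
    "firstName": "firstName",
    "lastName": "lastName",
}


def plan_update(existing, params):
    """Return (changed, desired). `desired` is `existing` with only the
    explicitly set options overlaid; omitted options keep the server value."""
    desired = dict(existing)
    for option, key in FIELD_MAP.items():
        value = params.get(option)
        if value is not None:
            desired[key] = value
    return desired != existing, desired


def ensure_user(existing, params, check_mode, send_update):
    """Report `changed`, but call send_update (hypothetical callable that
    performs the write) only when a change exists and check mode is off."""
    changed, desired = plan_update(existing, params)
    if changed and not check_mode:
        send_update(desired)
    return {"changed": changed, "end_state": desired}


# Constructed sample: a user who has already verified their email.
SERVER_USER = {"username": "jane.doe", "email": "jane.doe@example.org",
               "enabled": True, "emailVerified": True}

if __name__ == "__main__":
    writes = []
    # Same shape as the task in the report: email_verified is not set.
    task = {"email": "jane.doe@example.org", "enabled": True,
            "email_verified": None}
    print(ensure_user(SERVER_USER, task, False, writes.append), writes)
```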
