feat: Auto-configure impersonation role in Keycloak realm import

cbcoutinho · claude · cbcoutinho · commit 7cb616c7cec3 · 2025-11-02T22:03:22.000+01:00
Add service account user with impersonation role to realm-export.json so that Tier 1 impersonation works out-of-the-box without requiring manual CLI configuration. Changes: - Add service-account-nextcloud-mcp-server user to realm import - Grant "impersonation" role from "realm-management" client - Eliminates need for manual `kcadm.sh add-roles` command Benefits: - Impersonation tests now pass automatically - No manual permission configuration required - Consistent development environment setup Verified: - Manual test: tests/manual/test_impersonation.py ✅ PASS - Integration tests: tests/integration/auth/test_token_exchange_legacy_v1.py ✅ 3 PASS 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/keycloak/realm-export.json b/keycloak/realm-export.json
@@ -150,6 +150,16 @@
           "1073741824"
         ]
       }
+    },
+    {
+      "username": "service-account-nextcloud-mcp-server",
+      "enabled": true,
+      "serviceAccountClientId": "nextcloud-mcp-server",
+      "clientRoles": {
+        "realm-management": [
+          "impersonation"
+        ]
+      }
     }
   ],
   "clients": [

Original file line number	Diff line number	Diff line change
`@@ -150,6 +150,16 @@`
`150`	`150`	`"1073741824"`
`151`	`151`	`]`
`152`	`152`	`}`
	`153`	`+ },`
	`154`	`+ {`
	`155`	`+ "username": "service-account-nextcloud-mcp-server",`
	`156`	`+ "enabled": true,`
	`157`	`+ "serviceAccountClientId": "nextcloud-mcp-server",`
	`158`	`+ "clientRoles": {`
	`159`	`+ "realm-management": [`
	`160`	`+ "impersonation"`
	`161`	`+ ]`
	`162`	`+ }`
`153`	`163`	`}`
`154`	`164`	`],`
`155`	`165`	`"clients": [`