feat: support signed JWT client authentication (#1250)

Signed-off-by: Tuan Kiet Truong <[email protected]>

Author: tuankiettruong

docs/index.md

@@ -16,8 +16,7 @@ If you are using the legacy Wildfly distribution of Keycloak, you will need to s
 
 ## Keycloak Setup
 
-This Terraform provider can be configured to use the [client credentials](https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/)
-or [password](https://www.oauth.com/oauth2-servers/access-tokens/password-grant/) grant types. If you aren't
+This Terraform provider can be configured to use the [client credentials](https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/) or [password](https://www.oauth.com/oauth2-servers/access-tokens/password-grant/) grant types. If you aren't
 sure which to use, the client credentials grant is recommended, as it was designed for machine to machine authentication.
 
 ### Client Credentials Grant Setup (recommended)
@@ -31,6 +30,18 @@ like to manage your entire Keycloak instance, or in any other realm if you only
     1. Set `Service Accounts Enabled` to `ON`.
 1. Grant required roles for managing Keycloak via the `Service Account Roles` tab in the client you created in step 1, see [Assigning Roles](#assigning-roles) section below.
 
+Out of the many [authentication methods](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) of the client credentials grant type, this Terraform provider supports the authentication using the `client secret` or the `private key signed JWT`.
+
+#### Client Secret Authentication Type Setup
+
+This is the default client authentication type and requires no further step.
+
+#### Private Key Signed JWT Authentication Type Setup
+These steps assume that you have already followed the steps for the client credentials grant and have created the client `terraform`.
+
+1. Change the `Client authenticator` in the `Credentials`tab to `Signed JWT`.
+1. Generate or import a key pair via `Keys`. In case the key pair is generated by the Keycloak server, a keystore file would be downloaded and you have to extract the private key and keep it safe.
+
 ### Password Grant Setup
 
 These steps will assume that you are using the `admin-cli` client, which is already correctly configured for this type
@@ -52,7 +63,7 @@ account within the `foo` realm.
 the realm clients to a user or service account within the `master` realm. For example, given a Keycloak instance with realms
 `master`, `foo`, and `bar`, assign the `create-client` client role from the clients `master-realm`, `foo-realm`, and `bar-realm`.
 
-## Example Usage (client credentials grant)
+## Example Usage (client credentials grant - client secret)
 
 ```hcl
 provider "keycloak" {
@@ -62,6 +73,16 @@ provider "keycloak" {
 }
 ```
 
+## Example Usage (client credentials grant - private key signed JWT)
+
+```hcl
+provider "keycloak" {
+	client_id       = "terraform"
+	jwt_signing_key = "<pem-formatted-private-key>"
+	url             = "http://localhost:8080"
+}
+```
+
 ## Example Usage (password grant)
 
 ```hcl
@@ -82,6 +103,8 @@ The following arguments are supported:
 - `client_secret` - (Optional) The secret for the client used by the provider for authentication via the client credentials grant. This can be found or changed using the "Credentials" tab in the client settings. Defaults to the environment variable `KEYCLOAK_CLIENT_SECRET`. This attribute is required when using the client credentials grant, and cannot be set when using the password grant.
 - `username` - (Optional) The username of the user used by the provider for authentication via the password grant. Defaults to the environment variable `KEYCLOAK_USER`. This attribute is required when using the password grant, and cannot be set when using the client credentials grant.
 - `password` - (Optional) The password of the user used by the provider for authentication via the password grant. Defaults to the environment variable `KEYCLOAK_PASSWORD`. This attribute is required when using the password grant, and cannot be set when using the client credentials grant.
+- `jwt_signing_key` - (Optional) The PEM-formatted private key used by provider to generate a signed JWT for authentication.
+- `jwt_signing_alg` - (Optional) The signing algorithm used by provider to generate a signed JWT for authentication. Defaults to `RS256`.
 - `realm` - (Optional) The realm used by the provider for authentication. Defaults to the environment variable `KEYCLOAK_REALM`, or `master` if the environment variable is not specified.
 - `initial_login` - (Optional) Optionally avoid Keycloak login during provider setup, for when Keycloak itself is being provisioned by terraform. Defaults to true, which is the original method.
 - `client_timeout` - (Optional) Sets the timeout of the client when addressing Keycloak, in seconds. Defaults to the environment variable `KEYCLOAK_CLIENT_TIMEOUT`, or `15` if the environment variable is not specified.

go.mod

@@ -2,6 +2,7 @@ module github.com/keycloak/terraform-provider-keycloak
 
 require (
 	dario.cat/mergo v1.0.2
+	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/hashicorp/errwrap v1.1.0
 	github.com/hashicorp/go-cty v1.5.0
 	github.com/hashicorp/go-retryablehttp v0.7.8

go.sum

@@ -35,6 +35,8 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
 github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
 github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=

keycloak/keycloak_client.go

@@ -16,9 +16,12 @@ import (
 	"strings"
 	"time"
 
+	"github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/go-version"
 	"github.com/hashicorp/terraform-plugin-log/tflog"
 
+	"github.com/golang-jwt/jwt/v5"
+
 	"golang.org/x/net/publicsuffix"
 
 	"github.com/hashicorp/go-retryablehttp"
@@ -38,19 +41,22 @@ type KeycloakClient struct {
 }
 
 type ClientCredentials struct {
-	ClientId     string
-	ClientSecret string
-	Username     string
-	Password     string
-	GrantType    string
-	AccessToken  string `json:"access_token"`
-	RefreshToken string `json:"refresh_token"`
-	TokenType    string `json:"token_type"`
+	ClientId      string
+	ClientSecret  string
+	JWTSigningKey string
+	JWTSigningAlg string
+	Username      string
+	Password      string
+	GrantType     string
+	AccessToken   string `json:"access_token"`
+	RefreshToken  string `json:"refresh_token"`
+	TokenType     string `json:"token_type"`
 }
 
 const (
-	apiUrl   = "/admin"
-	tokenUrl = "%s/realms/%s/protocol/openid-connect/token"
+	apiUrl    = "/admin"
+	issuerUrl = "%s/realms/%s"
+	tokenUrl  = "%s/realms/%s/protocol/openid-connect/token"
 )
 
 // https://access.redhat.com/articles/2342881
@@ -60,20 +66,23 @@ var redHatSSO7VersionMap = map[int]string{
 	4: "9.0.17",
 }
 
-func NewKeycloakClient(ctx context.Context, url, basePath, clientId, clientSecret, realm, username, password string, initialLogin bool, clientTimeout int, caCert string, tlsInsecureSkipVerify bool, userAgent string, redHatSSO bool, additionalHeaders map[string]string) (*KeycloakClient, error) {
+func NewKeycloakClient(ctx context.Context, url, basePath, clientId, clientSecret, realm, username, password, jwtSigningAlg, jwtSigningKey string, initialLogin bool, clientTimeout int, caCert string, tlsInsecureSkipVerify bool, userAgent string, redHatSSO bool, additionalHeaders map[string]string) (*KeycloakClient, error) {
 	clientCredentials := &ClientCredentials{
-		ClientId:     clientId,
-		ClientSecret: clientSecret,
+		ClientId:      clientId,
+		ClientSecret:  clientSecret,
+		JWTSigningKey: jwtSigningKey,
+		JWTSigningAlg: jwtSigningAlg,
 	}
+
 	if password != "" && username != "" {
 		clientCredentials.Username = username
 		clientCredentials.Password = password
 		clientCredentials.GrantType = "password"
-	} else if clientSecret != "" {
+	} else if clientSecret != "" || jwtSigningKey != "" {
 		clientCredentials.GrantType = "client_credentials"
 	} else {
 		if initialLogin {
-			return nil, fmt.Errorf("must specify client id, username and password for password grant, or client id and secret for client credentials grant")
+			return nil, fmt.Errorf("must specify client id, username and password for password grant, either client id and client secret or JWT Signing Key for client credentials grant")
 		} else {
 			tflog.Warn(ctx, "missing required keycloak credentials, but proceeding anyways as initial_login is false")
 		}
@@ -113,7 +122,10 @@ func NewKeycloakClient(ctx context.Context, url, basePath, clientId, clientSecre
 
 func (keycloakClient *KeycloakClient) login(ctx context.Context) error {
 	accessTokenUrl := fmt.Sprintf(tokenUrl, keycloakClient.baseUrl, keycloakClient.realm)
-	accessTokenData := keycloakClient.getAuthenticationFormData()
+	accessTokenData, err := keycloakClient.getAuthenticationFormData(ctx, accessTokenUrl)
+	if err != nil {
+		return err
+	}
 
 	tflog.Debug(ctx, "Login request", map[string]interface{}{
 		"request": accessTokenData.Encode(),
@@ -204,7 +216,10 @@ func (keycloakClient *KeycloakClient) login(ctx context.Context) error {
 
 func (keycloakClient *KeycloakClient) Refresh(ctx context.Context) error {
 	refreshTokenUrl := fmt.Sprintf(tokenUrl, keycloakClient.baseUrl, keycloakClient.realm)
-	refreshTokenData := keycloakClient.getAuthenticationFormData()
+	refreshTokenData, err := keycloakClient.getAuthenticationFormData(ctx, refreshTokenUrl)
+	if err != nil {
+		return err
+	}
 
 	tflog.Debug(ctx, "Refresh request", map[string]interface{}{
 		"request": refreshTokenData.Encode(),
@@ -258,7 +273,7 @@ func (keycloakClient *KeycloakClient) Refresh(ctx context.Context) error {
 	return nil
 }
 
-func (keycloakClient *KeycloakClient) getAuthenticationFormData() url.Values {
+func (keycloakClient *KeycloakClient) getAuthenticationFormData(ctx context.Context, kc_url string) (url.Values, error) {
 	authenticationFormData := url.Values{}
 	authenticationFormData.Set("client_id", keycloakClient.clientCredentials.ClientId)
 	authenticationFormData.Set("grant_type", keycloakClient.clientCredentials.GrantType)
@@ -272,10 +287,26 @@ func (keycloakClient *KeycloakClient) getAuthenticationFormData() url.Values {
 		}
 
 	} else if keycloakClient.clientCredentials.GrantType == "client_credentials" {
-		authenticationFormData.Set("client_secret", keycloakClient.clientCredentials.ClientSecret)
+		if keycloakClient.clientCredentials.JWTSigningKey != "" {
+			signedJWT, err := newSignedJWT(
+				ctx,
+				fmt.Sprintf(issuerUrl, keycloakClient.baseUrl, keycloakClient.realm),
+				keycloakClient.clientCredentials.ClientId,
+				keycloakClient.clientCredentials.JWTSigningAlg,
+				keycloakClient.clientCredentials.JWTSigningKey,
+			)
+			if err != nil {
+				return nil, fmt.Errorf("failed to create signed JWT: %v", err)
+			}
+			authenticationFormData.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
+			authenticationFormData.Set("client_assertion", signedJWT)
+		} else {
+			authenticationFormData.Set("client_secret", keycloakClient.clientCredentials.ClientSecret)
+		}
+
 	}
 
-	return authenticationFormData
+	return authenticationFormData, nil
 }
 
 func (keycloakClient *KeycloakClient) addRequestHeaders(request *http.Request) {
@@ -556,3 +587,55 @@ func newHttpClient(tlsInsecureSkipVerify bool, clientTimeout int, caCert string)
 
 	return httpClient, nil
 }
+
+func newSignedJWT(ctx context.Context, url, clientId, alg, jwtSigningKey string) (string, error) {
+	// Create the Claims
+	jti, err := uuid.GenerateUUID()
+	if err != nil {
+		return "", fmt.Errorf("failed to generate JWT ID: %v", err)
+	}
+
+	claims := jwt.MapClaims{
+		"jti": jti,
+		"iss": clientId,
+		"sub": clientId,
+		"aud": url,
+		"exp": jwt.NewNumericDate(time.Now().Add(time.Second * 60)),
+		"iat": jwt.NewNumericDate(time.Now()),
+	}
+
+	signingMethod := jwt.GetSigningMethod(alg)
+	if signingMethod == nil {
+		return "", fmt.Errorf("unsupported signing method: %s", alg)
+	}
+
+	// Create the token
+	token := jwt.NewWithClaims(jwt.GetSigningMethod(alg), claims)
+
+	var key any
+	if _, isRsa := signingMethod.(*jwt.SigningMethodRSA); isRsa {
+		key, err = jwt.ParseRSAPrivateKeyFromPEM([]byte(jwtSigningKey))
+	} else if _, isEcdsa := signingMethod.(*jwt.SigningMethodECDSA); isEcdsa {
+		key, err = jwt.ParseECPrivateKeyFromPEM([]byte(jwtSigningKey))
+	} else if _, isEd25519 := signingMethod.(*jwt.SigningMethodEd25519); isEd25519 {
+		key, err = jwt.ParseEdPrivateKeyFromPEM([]byte(jwtSigningKey))
+	} else {
+		err = fmt.Errorf("unsupported signing method: %s", signingMethod)
+	}
+
+	if err != nil {
+		return "", err
+	}
+	tokenString, err := token.SignedString(key)
+	if err != nil {
+		fmt.Println(err)
+		return "", err
+	}
+
+	jwtClientAssertionArgs := map[string]any{
+		"jti": jti,
+	}
+	tflog.Debug(ctx, "Generated client_assertion", jwtClientAssertionArgs)
+
+	return tokenString, nil
+}

keycloak/keycloak_client_test.go

@@ -2,10 +2,11 @@ package keycloak
 
 import (
 	"context"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"os"
 	"strconv"
 	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 )
 
 var requiredEnvironmentVariables = []string{
@@ -48,7 +49,7 @@ func TestAccKeycloakApiClientRefresh(t *testing.T) {
 		t.Fatal("KEYCLOAK_CLIENT_TIMEOUT must be an integer")
 	}
 
-	keycloakClient, err := NewKeycloakClient(ctx, os.Getenv("KEYCLOAK_URL"), "", os.Getenv("KEYCLOAK_CLIENT_ID"), os.Getenv("KEYCLOAK_CLIENT_SECRET"), os.Getenv("KEYCLOAK_REALM"), os.Getenv("KEYCLOAK_USER"), os.Getenv("KEYCLOAK_PASSWORD"), true, clientTimeout, "", false, "", false, map[string]string{
+	keycloakClient, err := NewKeycloakClient(ctx, os.Getenv("KEYCLOAK_URL"), "", os.Getenv("KEYCLOAK_CLIENT_ID"), os.Getenv("KEYCLOAK_CLIENT_SECRET"), os.Getenv("KEYCLOAK_REALM"), os.Getenv("KEYCLOAK_USER"), os.Getenv("KEYCLOAK_PASSWORD"), "", "", true, clientTimeout, "", false, "", false, map[string]string{
 		"foo": "bar",
 	})
 	if err != nil {

provider/provider.go

@@ -149,6 +149,19 @@ func KeycloakProvider(client *keycloak.KeycloakClient) *schema.Provider {
 				Type:        schema.TypeString,
 				DefaultFunc: schema.EnvDefaultFunc("KEYCLOAK_PASSWORD", nil),
 			},
+			"jwt_signing_alg": {
+				Optional:    true,
+				Type:        schema.TypeString,
+				Description: "The algorithm used to sign the JWT when client-jwt is used. Defaults to RS256.",
+				Default:     "RS256",
+			},
+			"jwt_signing_key": {
+				Optional:    true,
+				Type:        schema.TypeString,
+				Description: "The PEM-formatted private key used to sign the JWT when client-jwt is used.",
+				Sensitive:   true,
+				DefaultFunc: schema.EnvDefaultFunc("KEYCLOAK_JWT_SIGNING_KEY", nil),
+			},
 			"realm": {
 				Optional:    true,
 				Type:        schema.TypeString,
@@ -216,6 +229,8 @@ func KeycloakProvider(client *keycloak.KeycloakClient) *schema.Provider {
 		clientSecret := data.Get("client_secret").(string)
 		username := data.Get("username").(string)
 		password := data.Get("password").(string)
+		jwtSigningAlg := data.Get("jwt_signing_alg").(string)
+		jwtSigningKey := data.Get("jwt_signing_key").(string)
 		realm := data.Get("realm").(string)
 		initialLogin := data.Get("initial_login").(bool)
 		clientTimeout := data.Get("client_timeout").(int)
@@ -231,7 +246,7 @@ func KeycloakProvider(client *keycloak.KeycloakClient) *schema.Provider {
 
 		userAgent := fmt.Sprintf("HashiCorp Terraform/%s (+https://www.terraform.io) Terraform Plugin SDK/%s", provider.TerraformVersion, meta.SDKVersionString())
 
-		keycloakClient, err := keycloak.NewKeycloakClient(ctx, url, basePath, clientId, clientSecret, realm, username, password, initialLogin, clientTimeout, rootCaCertificate, tlsInsecureSkipVerify, userAgent, redHatSSO, additionalHeaders)
+		keycloakClient, err := keycloak.NewKeycloakClient(ctx, url, basePath, clientId, clientSecret, realm, username, password, jwtSigningAlg, jwtSigningKey, initialLogin, clientTimeout, rootCaCertificate, tlsInsecureSkipVerify, userAgent, redHatSSO, additionalHeaders)
 		if err != nil {
 			diags = append(diags, diag.Diagnostic{
 				Severity: diag.Error,

provider/provider_signed_jwt_test.go

@@ -0,0 +1,39 @@
+package provider
+
+import (
+	"os"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func TestAccKeycloakProvider_signedJWT(t *testing.T) {
+	t.Parallel()
+	jwtSigningKey := "-----BEGIN PRIVATE KEY-----\r\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDEgtQWZtM/nSIX\r\npuJ9aJ9elurICPD1FEKOaIQBg6MihHYDDQxkIT93FkGLTRPMNFNgSXUKKj7IW9Ih\r\nxpv7v4ltsRaNmT0n2CFmVDGQI9404M1vz7V6Gj70feHWtcwzF42kvsCMEETwsW0j\r\nkOSX2RXun7RPaLSfXavki0w1ql3/nKVxQMuFgmMZrQzpIGh/EPpRjEWgL9HRYlp4\r\nX5wbW/GGzDuUldJoJBWhBWb8uOVSJcmXcgZ45k5LxkGTjTXPlgYJorVSdS8bkoBx\r\nBRa3COwilTwUFiBNna4HwnMmLFiKEYMhCGO+HvyFm4AKzhhShHQSm8VrISWsD05F\r\ng0Uo/LEHAgMBAAECggEANe9gjat4NKAIoOw9gsUp5LjQRMnrdKC0aci23oGGT22C\r\nxHCa44qalDFoGPc1RVlhPu66cGlK5QwKnxmXa1/VNOWjdobGGb8A38ig99pYXTQM\r\nPrGIMjSs7cb1Ksyn+KfwyPRP/cFjYpqYBWh5zVGYau+rehYXaRw5FxfCeYJCnWqi\r\ndPKZPb8num2NOr4ts3zFGbf7Ni47k4Ma07alEuAi9Whi+ONagFI9P0sgyYl63Zen\r\nJTshWkKNuljkvKfNS7a8PGkSar2iYDJE3GkfiGP2sOJzpvPDQbWDhZMFhlHzS9hK\r\n8BELVcR/qIaSlXY4AekeQTONaXOwwX9Fj/7fKMVUZQKBgQDmiGuaAfDGfAY3uO73\r\n6keESta35yoFz2IarzTW2GhJagNfJX7wUOLvjPEmgwI+QU4PA9hisEePSyjHaz4V\r\nRLn47pmV9aQDwKfKjZdLL8G63gMbhWup5keTKpXU8LpWWiTK0C9ouV/M2HO2IymC\r\n0dv1RHaVpBhOSMbxX26TQ8O+3QKBgQDaOEEXaEe7uAqIlj0W7HbZevaGLz4PVE17\r\nYqWBD50T+hiXTgCRnOee5sQPVjUrmBjk7QQ8sBentoVlL418XFH1MY+IcNy9B7/d\r\nKpxpwPCEjJchFdKAZvDs9QFdf2VOAvxM1HAZM01qdGMrq/wXLTMHPnB3Os3cTWaB\r\ncWgvcvInMwKBgQCp0pkhjIhoTvjtl4hCjQ0+ATuHofys5waoDaVpF2ZLnpL5Rk/q\r\njEuAmF0VN7ExVz4/hV+j46PzhTR3IyNK26P8Ixh1Bc1bDlMMvZ1UP8wA8odrgK+9\r\nKuxTFy3k/ajm7+TmmtIx3U0bQ+CJrgFoY1wbo+GPfqCBGs+jA+AbD/Jk6QKBgG3F\r\nVID41PTJ/Ip+wNYyNwrpfu86/oXpi1xg4A5PE14ENbCO7VxSSHU3cjKg0/hM92DZ\r\nFYONtSiJeQrQY+TF7/heaOxikbeJGWugzrOn+ZVDv5ZGCvDKV7FrAbfNqOEYQWBI\r\nkOcsVmoRh/1k81eZRg0DzME9VGbYjJLawGT19nffAoGADDoFR5YT3Hj1gi4xrCv7\r\nUsdorG0VqXJNpkFEv53MHUO5zZocd9Iv7zcQ+weTDlJE38nTEixBcfXHzyPcY8IW\r\nrRMDTOcfL/vPSADig7pRyLankKEtaS2QE2BKwDP7hkoQMkllVDe4OPflghmCclYd\r\nDamFJ27n4ONrNiy142vb+MY=\r\n-----END PRIVATE KEY-----"
+	testAccProvider = KeycloakProvider(keycloakClient)
+
+	os.Setenv("KEYCLOAK_CLIENT_ID", "terraform-jwt")
+	os.Setenv("KEYCLOAK_JWT_SIGNING_KEY", jwtSigningKey)
+
+	defer func() {
+		os.Setenv("KEYCLOAK_CLIENT_ID", "terraform")
+		os.Unsetenv("KEYCLOAK_JWT_SIGNING_KEY")
+	}()
+
+	clientId := acctest.RandomWithPrefix("tf-acc")
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: map[string]func() (*schema.Provider, error){
+			"keycloak": func() (*schema.Provider, error) {
+				return testAccProvider, nil
+			},
+		},
+		PreCheck: func() { testAccPreCheck(t) },
+		Steps: []resource.TestStep{
+			{
+				Config: testKeycloakOpenidClient_basic(clientId),
+			},
+		},
+	})
+}

provider/provider_test.go

@@ -58,7 +58,7 @@ func init() {
 		}
 	}
 
-	keycloakClient, err = keycloak.NewKeycloakClient(testCtx, os.Getenv("KEYCLOAK_URL"), "", os.Getenv("KEYCLOAK_CLIENT_ID"), os.Getenv("KEYCLOAK_CLIENT_SECRET"), os.Getenv("KEYCLOAK_REALM"), "", "", true, 120, "", false, userAgent, false, map[string]string{
+	keycloakClient, err = keycloak.NewKeycloakClient(testCtx, os.Getenv("KEYCLOAK_URL"), "", os.Getenv("KEYCLOAK_CLIENT_ID"), os.Getenv("KEYCLOAK_CLIENT_SECRET"), os.Getenv("KEYCLOAK_REALM"), "", "", "", "", true, 120, "", false, userAgent, false, map[string]string{
 		"foo": "bar",
 	})
 	if err != nil {