provider/github: init OIDC provider for GitHub (#1281)

GitHub has a special OIDC provider with provider ID := github.

This contains a certain number of interesting special properties w.r.t.
to email retrieval logic (select the primary email, etc.).

It's superior to the generic OIDC one.

Signed-off-by: Raito Bezarius <[email protected]>

Author: RaitoBezarius

docs/resources/oidc_github_identity_provider.md

@@ -0,0 +1,73 @@
+---
+page_title: "keycloak_oidc_github_identity_provider Resource"
+---
+
+# keycloak\_oidc\_github\_identity\_provider Resource
+
+Allows for creating and managing **GitHub**-based OIDC Identity Providers within Keycloak.
+
+OIDC (OpenID Connect) identity providers allows users to authenticate through a third party system using the OIDC standard.
+
+The GitHub variant is specialized for the public GitHub instance (github.com) or GitHub Enterprise deployments.
+
+For example, it will obtain automatically the primary email from the logged in account.
+
+## Example Usage
+
+```hcl
+resource "keycloak_realm" "realm" {
+  realm   = "my-realm"
+  enabled = true
+}
+
+resource "keycloak_oidc_github_identity_provider" "github" {
+  realm         = keycloak_realm.realm.id
+  client_id     = var.github_identity_provider_client_id
+  client_secret = var.github_identity_provider_client_secret
+  trust_email   = true
+  sync_mode     = "IMPORT"
+
+  extra_config = {
+    "myCustomConfigKey" = "myValue"
+  }
+}
+```
+
+## Argument Reference
+
+- `realm` - (Required) The name of the realm. This is unique across Keycloak.
+- `client_id` - (Required) The client or client identifier registered within the identity provider.
+- `client_secret` - (Required) The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
+- `alias` - (Optional) The alias for the GitHub identity provider.
+- `display_name` - (Optional) Display name for the GitHub identity provider in the GUI.
+- `enabled` - (Optional) When `true`, users will be able to log in to this realm using this identity provider. Defaults to `true`.
+- `store_token` - (Optional) When `true`, tokens will be stored after authenticating users. Defaults to `true`.
+- `add_read_token_role_on_create` - (Optional) When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
+- `link_only` - (Optional) When `true`, users cannot sign-in using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
+- `trust_email` - (Optional) When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
+- `first_broker_login_flow_alias` - (Optional) The authentication flow to use when users log in for the first time through this identity provider. Defaults to `first broker login`.
+- `post_broker_login_flow_alias` - (Optional) The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
+- `provider_id` - (Optional) The ID of the identity provider to use. Defaults to `github`, which should be used unless you have extended Keycloak and provided your own implementation.
+- `base_url` - (Optional) The GitHub base URL, defaults to `https://github.com`
+- `api_url` - (Optional) The GitHub API URL, defaults to `https://api.github.com`.
+- `github_json_format` (Optional) When `true`, GitHub API is told explicitly to accept JSON during token authentication requests. Defaults to `false`.
+- `default_scopes` - (Optional) The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to `user:email`.
+- `disable_user_info` - (Optional) When `true`, disables the usage of the user info service to obtain additional user information. Defaults to `false`.
+- `hide_on_login_page` - (Optional) When `true`, this identity provider will be hidden on the login page. Defaults to `false`.
+- `sync_mode` - (Optional) The default sync mode to use for all mappers attached to this identity provider. Can be once of `IMPORT`, `FORCE`, or `LEGACY`.
+- `gui_order` - (Optional) A number defining the order of this identity provider in the GUI.
+- `extra_config` - (Optional) A map of key/value pairs to add extra configuration to this identity provider. This can be used for custom oidc provider implementations, or to add configuration that is not yet supported by this Terraform provider. Use this attribute at your own risk, as custom attributes may conflict with top-level configuration attributes in future provider updates.
+
+## Attribute Reference
+
+- `internal_id` - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
+
+## Import
+
+GitHub Identity providers can be imported using the format {{realm_id}}/{{idp_alias}}, where idp_alias is the identity provider alias.
+
+Example:
+
+```bash
+$ terraform import keycloak_oidc_github_identity_provider.github.github_identity_provider my-realm/my-github-idp
+```

keycloak/identity_provider.go

@@ -56,6 +56,9 @@ type IdentityProviderConfig struct {
 	Issuer                          string                    `json:"issuer,omitempty"`
 	OrgRedirectModeEmailMatches     types.KeycloakBoolQuoted  `json:"kc.org.broker.redirect.mode.email-matches,omitempty"`
 	OrgDomain                       string                    `json:"kc.org.domain,omitempty"`
+	ApiUrl                          string                    `json:"apiUrl,omitempty"`
+	BaseUrl                         string                    `json:"baseUrl,omitempty"`
+	GithubJsonFormat                types.KeycloakBoolQuoted  `json:"githubJsonFormat,omitempty"`
 }
 
 type IdentityProvider struct {

provider/provider.go

@@ -102,6 +102,7 @@ func KeycloakProvider(client *keycloak.KeycloakClient) *schema.Provider {
 			"keycloak_custom_identity_provider_mapper":                   resourceKeycloakCustomIdentityProviderMapper(),
 			"keycloak_saml_identity_provider":                            resourceKeycloakSamlIdentityProvider(),
 			"keycloak_oidc_google_identity_provider":                     resourceKeycloakOidcGoogleIdentityProvider(),
+			"keycloak_oidc_github_identity_provider":                     resourceKeycloakOidcGithubIdentityProvider(),
 			"keycloak_oidc_identity_provider":                            resourceKeycloakOidcIdentityProvider(),
 			"keycloak_openid_client_authorization_resource":              resourceKeycloakOpenidClientAuthorizationResource(),
 			"keycloak_openid_client_group_policy":                        resourceKeycloakOpenidClientAuthorizationGroupPolicy(),

provider/resource_keycloak_attribute_importer_identity_provider_mapper.go

@@ -67,7 +67,7 @@ func getAttributeImporterIdentityProviderMapperFromData(ctx context.Context, dat
 		}
 
 		rec.Config.Claim = data.Get("claim_name").(string)
-	} else if identityProvider.ProviderId == "apple" || identityProvider.ProviderId == "facebook" || identityProvider.ProviderId == "google" {
+	} else if identityProvider.ProviderId == "apple" || identityProvider.ProviderId == "facebook" || identityProvider.ProviderId == "google" || identityProvider.ProviderId == "github" {
 		rec.IdentityProviderMapper = fmt.Sprintf("%s-user-attribute-mapper", identityProvider.ProviderId)
 		rec.Config.JsonField = data.Get("claim_name").(string)
 		rec.Config.UserAttributeName = data.Get("user_attribute").(string)

provider/resource_keycloak_oidc_github_identity_provider.go

@@ -0,0 +1,129 @@
+package provider
+
+import (
+	"dario.cat/mergo"
+	"github.com/hashicorp/go-version"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/keycloak/terraform-provider-keycloak/keycloak"
+	"github.com/keycloak/terraform-provider-keycloak/keycloak/types"
+)
+
+func resourceKeycloakOidcGithubIdentityProvider() *schema.Resource {
+	oidcGithubSchema := map[string]*schema.Schema{
+		"alias": {
+			Type:        schema.TypeString,
+			Optional:    true,
+			Computed:    true,
+			Description: "The alias uniquely identifies an identity provider and it is also used to build the redirect uri. In case of github this is computed and always github",
+		},
+		"display_name": {
+			Type:        schema.TypeString,
+			Optional:    true,
+			Computed:    true,
+			Description: "The human-friendly name of the identity provider, used in the log in form.",
+		},
+		"provider_id": {
+			Type:        schema.TypeString,
+			Optional:    true,
+			Default:     "github",
+			Description: "provider id, is always github, unless you have a extended custom implementation",
+		},
+		"client_id": {
+			Type:        schema.TypeString,
+			Required:    true,
+			Description: "Client ID.",
+		},
+		"client_secret": {
+			Type:        schema.TypeString,
+			Required:    true,
+			Sensitive:   true,
+			Description: "Client Secret.",
+		},
+		"base_url": {
+			Type:        schema.TypeString,
+			Optional:    true,
+			Default:     "https://github.com",
+			Description: "Base URL for the GitHub instance, defaults to https://github.com",
+		},
+		"api_url": {
+			Type:        schema.TypeString,
+			Optional:    true,
+			Default:     "https://api.github.com",
+			Description: "API URL for the GitHub instance, defaults to https://api.github.com",
+		},
+		"github_json_format": {
+			Type:        schema.TypeBool,
+			Optional:    true,
+			Default:     false,
+			Description: "Whether GitHub API shoulds accept JSON explicitly during token authentication requests, defaults to false",
+		},
+		"default_scopes": { //defaultScope
+			Type:        schema.TypeString,
+			Optional:    true,
+			Default:     "user:email",
+			Description: "The scopes to be sent when asking for authorization. See the documentation for possible values, separator and default value'. Default to 'user:email'",
+		},
+		"hide_on_login_page": {
+			Type:        schema.TypeBool,
+			Optional:    true,
+			Default:     false,
+			Description: "Hide On Login Page.",
+		},
+	}
+	oidcResource := resourceKeycloakIdentityProvider()
+	oidcResource.Schema = mergeSchemas(oidcResource.Schema, oidcGithubSchema)
+	oidcResource.CreateContext = resourceKeycloakIdentityProviderCreate(getOidcGithubIdentityProviderFromData, setOidcGithubIdentityProviderData)
+	oidcResource.ReadContext = resourceKeycloakIdentityProviderRead(setOidcGithubIdentityProviderData)
+	oidcResource.UpdateContext = resourceKeycloakIdentityProviderUpdate(getOidcGithubIdentityProviderFromData, setOidcGithubIdentityProviderData)
+	return oidcResource
+}
+
+func getOidcGithubIdentityProviderFromData(data *schema.ResourceData, keycloakVersion *version.Version) (*keycloak.IdentityProvider, error) {
+	rec, defaultConfig := getIdentityProviderFromData(data, keycloakVersion)
+	rec.ProviderId = data.Get("provider_id").(string)
+
+	aliasRaw, ok := data.GetOk("alias")
+	if ok {
+		rec.Alias = aliasRaw.(string)
+	} else {
+		rec.Alias = "github"
+	}
+
+	githubOidcIdentityProviderConfig := &keycloak.IdentityProviderConfig{
+		ClientId:         data.Get("client_id").(string),
+		ClientSecret:     data.Get("client_secret").(string),
+		DefaultScope:     data.Get("default_scopes").(string),
+		GithubJsonFormat: types.KeycloakBoolQuoted(data.Get("github_json_format").(bool)),
+		BaseUrl:          data.Get("base_url").(string),
+		ApiUrl:           data.Get("api_url").(string),
+
+		//since keycloak v26 moved to IdentityProvider - still here fore backward compatibility
+		HideOnLoginPage: types.KeycloakBoolQuoted(data.Get("hide_on_login_page").(bool)),
+	}
+
+	if err := mergo.Merge(githubOidcIdentityProviderConfig, defaultConfig); err != nil {
+		return nil, err
+	}
+
+	rec.Config = githubOidcIdentityProviderConfig
+
+	return rec, nil
+}
+
+func setOidcGithubIdentityProviderData(data *schema.ResourceData, identityProvider *keycloak.IdentityProvider, keycloakVersion *version.Version) error {
+	setIdentityProviderData(data, identityProvider, keycloakVersion)
+	data.Set("provider_id", identityProvider.ProviderId)
+	data.Set("client_id", identityProvider.Config.ClientId)
+	data.Set("github_json_format", identityProvider.Config.GithubJsonFormat)
+	data.Set("base_url", identityProvider.Config.BaseUrl)
+	data.Set("api_url", identityProvider.Config.ApiUrl)
+	data.Set("default_scopes", identityProvider.Config.DefaultScope)
+
+	if keycloakVersion.LessThan(keycloak.Version_26.AsVersion()) {
+		// Since keycloak v26 the attribute "hideOnLoginPage" is not part of the identity provider config anymore!
+		data.Set("hide_on_login_page", identityProvider.Config.HideOnLoginPage)
+		return nil
+	}
+
+	return nil
+}