# Unfortunately, documentation on this is lacking. I got close, so I want to keep this, but the Keycloak configuration is currently being done by hand.
#
# See https://www.keycloak.org/docs/10.0/server_admin/#_x509
#
#resource "keycloak_authentication_flow" "x509-browser" {
#  realm_id = keycloak_realm.realm.id
#  alias    = "X.509 Browser"
#}
#
## Note: the ordering of authentication executions within a flow must be specified using depends_on.
##
## Unfortunately, there is very little documentation on which 'authenticator' values are available. See https://github.com/mrparkers/terraform-provider-keycloak/issues/411
## But there are some examples in https://github.com/mrparkers/terraform-provider-keycloak/blob/master/example/main.tf
#resource "keycloak_authentication_execution" "execution_1" {
#  realm_id          = keycloak_realm.realm.id
#  parent_flow_alias = keycloak_authentication_flow.x509-browser.alias
#  authenticator     = "auth-cookie"
#  requirement       = "ALTERNATIVE"
#}
#
#resource "keycloak_authentication_execution" "execution_2" {
#  realm_id          = keycloak_realm.realm.id
#  parent_flow_alias = keycloak_authentication_flow.x509-browser.alias
#  authenticator     = "auth-spnego" # "kerberos"
#  requirement       = "DISABLED"
#
#  depends_on = [
#    keycloak_authentication_execution.execution_1
#  ]
#}
#
#resource "keycloak_authentication_execution" "execution_3" {
#  realm_id          = keycloak_realm.realm.id
#  parent_flow_alias = keycloak_authentication_flow.x509-browser.alias
#  authenticator     = "identity-provider-redirector"
#  requirement       = "ALTERNATIVE"
#
#  depends_on = [
#    keycloak_authentication_execution.execution_2
#  ]
#}
#
## NOTE: the block below is an exact duplicate of "execution_3" above (same resource name); drop one copy before uncommenting, or terraform will reject the duplicate definition.
#resource "keycloak_authentication_execution" "execution_3" {
#  realm_id          = keycloak_realm.realm.id
#  parent_flow_alias = keycloak_authentication_flow.x509-browser.alias
#  authenticator     = "identity-provider-redirector"
#  requirement       = "ALTERNATIVE"
#
#  depends_on = [
#    keycloak_authentication_execution.execution_2
#  ]
#}
#
#resource "keycloak_authentication_subflow" "subflow_3" {
#  realm_id          = 
keycloak_realm.realm.id
#  parent_flow_alias = keycloak_authentication_flow.x509-browser.alias
#  alias             = "browser-copy-flow-forms"
#  requirement       = "ALTERNATIVE"
#  depends_on = [
#    keycloak_authentication_execution.execution_3
#  ]
#}
#
#resource "keycloak_authentication_execution" "execution_4" {
#  realm_id          = keycloak_realm.realm.id
#  parent_flow_alias = keycloak_authentication_subflow.subflow_3.alias
#
#  authenticator = "auth-username-password-form"
#  requirement   = "REQUIRED"
#  depends_on = [
#    keycloak_authentication_subflow.subflow_3
#  ]
#}
#
## No OTPs for us?
##resource "keycloak_authentication_execution" "execution_6" {
##  realm_id          = keycloak_realm.realm.id
##  parent_flow_alias = keycloak_authentication_flow.x509-browser.alias
##  authenticator     = "auth-otp-form"
##  requirement       = "REQUIRED"
##  depends_on = [
##    keycloak_authentication_execution.execution_3
##  ]
##}
#
##resource "keycloak_authentication_execution_config" "config" {
##  realm_id          = keycloak_realm.realm.id
##  parent_flow_alias = keycloak_authentication_flow.x509-browser.alias
##  alias             = "idp-XXX-config"
##  config = {
##    defaultProvider = "idp-XXX"
##  }
##  depends_on = [
##    keycloak_authentication_execution.execution_3
##  ]
##}
##
#TODO: before enabling this client: the client_secret below is a committed placeholder and must come from a secrets store (variable or data source) instead of this file; prefer pkce_code_challenge_method = "S256" over "plain", since "plain" sends the verifier in the clear; and note that realm_id here references keycloak_realm.test while the rest of this file uses keycloak_realm.realm.
#resource "keycloak_openid_client" "test_client" {
#  client_id   = "test-openid-client"
#  name        = "test-openid-client"
#  realm_id    = keycloak_realm.test.id
#  description = "a test openid client"
#
#  standard_flow_enabled    = true
#  service_accounts_enabled = true
#
#  access_type = "CONFIDENTIAL"
#
#  valid_redirect_uris = [
#    "http://localhost:5555/callback",
#  ]
#
#  client_secret = "secret"
#
#  pkce_code_challenge_method = "plain"
#
#  login_theme = "keycloak"
#}
#resource "keycloak_required_action" "custom-terms-and-conditions" {
#  realm_id       = keycloak_realm.realm.realm
#  alias          = "terms_and_conditions"
#  default_action = true
#  enabled        = true
#  name           = "Custom Terms and Conditions"
#}