Update doc, fmt, examples

custom-user-federation-example/src/main/kotlin/com/github/mrparkers/keycloak/CustomIdentityProviderFactory.kt

@@ -17,7 +17,7 @@ class CustomIdentityProviderFactory : AbstractIdentityProviderFactory<CustomIden
 		return CustomIdentityProvider(session, CustomIdentityProviderConfig(model))
 	}
 
-	fun parseConfig(session: KeycloakSession, inputStream: InputStream): Map<String, String> {
+	override fun parseConfig(session: KeycloakSession, inputStream: InputStream): Map<String, String> {
 		return parseOIDCConfig(session, inputStream)
 	}
 

docker-compose.yml

@@ -35,13 +35,16 @@ services:
     - KC_DB_USERNAME=keycloak
     - KC_DB_PASSWORD=password
     - KC_FEATURES=preview
+    - QUARKUS_HTTP_ACCESS_LOG_ENABLED=true
+    - QUARKUS_HTTP_RECORD_REQUEST_START_TIME=true
+
 # Enable for remote java debugging
 #    - PREPEND_JAVA_OPTS=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8787
     ports:
     - 8080:8080
 # Enable for remote java debugging
 #    - 8787:8787
     volumes:
+    - ./provider/misc:/opt/keycloak/certs:ro
 # Make the custom-user-federation-example extension available to Keycloak. The :z option is required and tells Docker that the volume content will be shared between containers.
     - ./custom-user-federation-example/build/libs/custom-user-federation-example.jar:/opt/keycloak/providers/custom-user-federation-example.jar:z
-    - ./provider/misc:/opt/keycloak/certs:ro

docs/resources/realm_user_profile.md

@@ -4,16 +4,10 @@ page_title: "keycloak_realm_user_profile Resource"
 
 # keycloak_realm_user_profile Resource
 
-Allows for managing Realm User Profiles within Keycloak.
+Allows for managing Realm [User Profile](https://www.keycloak.org/docs/latest/server_admin/index.html#user-profile) within Keycloak.
 
 A user profile defines a schema for representing user attributes and how they are managed within a realm.
-This is a preview feature, hence not fully supported and disabled by default.
-To enable it, start the server with one of the following flags:
-- WildFly distribution: `-Dkeycloak.profile.feature.declarative_user_profile=enabled`
-- Quarkus distribution: `--features=preview` or `--features=declarative-user-profile`
 
-The realm linked to the `keycloak_realm_user_profile` resource must have the user profile feature enabled.
-It can be done via the administration UI, or by setting the `userProfileEnabled` realm attribute to `true`.
 
 ## Example Usage
 
@@ -29,11 +23,114 @@ resource "keycloak_realm" "realm" {
 resource "keycloak_realm_user_profile" "userprofile" {
   realm_id = keycloak_realm.my_realm.id
 
+  unmanaged_attribute_policy = "DISABLED"
+
+
+  attribute {
+    name         = "username"
+    display_name = "$${username}"
+
+    validator {
+      name = "length"
+      config = {
+        min = "3"
+        max = "255"
+      }
+    }
+    validator {
+      name = "person-name-prohibited-characters"
+    }
+    validator {
+      name = "up-username-not-idn-homograph"
+    }
+
+    permissions {
+      view = ["admin", "user"]
+      edit = ["admin", "user"]
+    }
+
+    multivalued = false
+  }
+
+  attribute {
+    name         = "email"
+    display_name = "$${email}"
+
+    validator {
+      name = "email"
+    }
+    validator {
+      name = "length"
+      config = {
+        max = "255"
+      }
+    }
+
+    required_for_roles = ["user"]
+
+    permissions {
+      view = ["admin", "user"]
+      edit = ["admin", "user"]
+    }
+
+    multivalued = false
+  }
+
+  attribute {
+    name         = "firstName"
+    display_name = "$${firstName}"
+
+    validator {
+      name = "length"
+      config = {
+        max = "255"
+      }
+    }
+    validator {
+      name = "person-name-prohibited-characters"
+    }
+
+    required_for_roles = ["user"]
+
+    permissions {
+      view = ["admin", "user"]
+      edit = ["admin", "user"]
+    }
+
+    multivalued = false
+  }
+
+  attribute {
+    name         = "lastName"
+    display_name = "$${lastName}"
+
+    validator {
+      name = "length"
+      config = {
+        max = "255"
+      }
+    }
+    validator {
+      name = "person-name-prohibited-characters"
+    }
+
+    required_for_roles = ["user"]
+
+    permissions {
+      view = ["admin", "user"]
+      edit = ["admin", "user"]
+    }
+
+    multivalued = false
+  }
+
   attribute {
     name         = "field1"
     display_name = "Field 1"
     group        = "group1"
 
+    multivalued = false
+
     enabled_when_scope = ["offline_access"]
 
     required_for_roles  = ["user"]
@@ -96,6 +193,11 @@ resource "keycloak_realm_user_profile" "userprofile" {
 ## Argument Reference
 
 - `realm_id` - (Required) The ID of the realm the user profile applies to.
+- `unmanaged_attribute_policy` - (Optional) Configure your realm using different policies to define how they are handled by the server.
+  - `DISABLED` - This is the default policy so that unmanaged attributes are disabled from all user profile contexts. (default value)
+  - `ENABLED` - This policy enables unmanaged attributes to all user profile contexts.
+  - `ADMIN_VIEW` - This policy enables unmanaged attributes only from the administrative context as read-only.
+  - `ADMIN_EDIT` - This policy enables unmanaged attributes only from the administrative context for reads and writes.
 - `attribute` - (Optional) An ordered list of [attributes](#attribute-arguments).
 - `group` - (Optional) A list of [groups](#group-arguments).
 
@@ -104,6 +206,7 @@ resource "keycloak_realm_user_profile" "userprofile" {
 - `name` - (Required) The name of the attribute.
 - `display_name` - (Optional) The display name of the attribute.
 - `group` - (Optional) The group that the attribute belong to.
+- `multivalued` - (Optional) If enabled, the attribute supports multiple values
 - `enabled_when_scope` - (Optional) A list of scopes. The attribute will only be enabled when these scopes are requested by clients.
 - `required_for_roles` - (Optional) A list of roles for which the attribute will be required.
 - `required_for_scopes` - (Optional) A list of scopes for which the attribute will be required.

example/client_authorization_policys.tf

@@ -1,12 +1,12 @@
-resource keycloak_realm test_authorization {
+resource "keycloak_realm" "test_authorization" {
   realm                = "test_authorization"
   enabled              = true
   display_name         = "foo"
   account_theme        = "base"
   access_code_lifespan = "30m"
 }
 
-resource keycloak_openid_client test {
+resource "keycloak_openid_client" "test" {
   client_id                = "test-openid-client"
   name                     = "test-openid-client"
   realm_id                 = keycloak_realm.test_authorization.id
@@ -15,6 +15,7 @@ resource keycloak_openid_client test {
   service_accounts_enabled = true
   access_type              = "CONFIDENTIAL"
   client_secret            = "secret"
+
   valid_redirect_uris = [
     "http://localhost:5555/callback",
   ]
@@ -27,12 +28,12 @@ resource keycloak_openid_client test {
 # create aggregate_policy
 #
 
-resource keycloak_role test_authorization {
+resource "keycloak_role" "test_authorization" {
   realm_id = keycloak_realm.test_authorization.id
   name     = "aggregate_policy_role"
 }
 
-resource keycloak_openid_client_role_policy test {
+resource "keycloak_openid_client_role_policy" "test" {
   resource_server_id = keycloak_openid_client.test.resource_server_id
   realm_id           = keycloak_realm.test_authorization.id
   name               = "keycloak_openid_client_role_policy"
@@ -45,7 +46,7 @@ resource keycloak_openid_client_role_policy test {
   }
 }
 
-resource keycloak_openid_client_aggregate_policy test {
+resource "keycloak_openid_client_aggregate_policy" "test" {
   resource_server_id = keycloak_openid_client.test.resource_server_id
   realm_id           = keycloak_realm.test_authorization.id
   name               = "keycloak_openid_client_aggregate_policy"
@@ -58,7 +59,7 @@ resource keycloak_openid_client_aggregate_policy test {
 # create client policy
 #
 
-resource keycloak_openid_client_client_policy test {
+resource "keycloak_openid_client_client_policy" "test" {
   resource_server_id = keycloak_openid_client.test.resource_server_id
   realm_id           = keycloak_realm.test_authorization.id
   name               = "keycloak_openid_client_client_policy"
@@ -71,12 +72,12 @@ resource keycloak_openid_client_client_policy test {
 # create group policy
 #
 
-resource keycloak_group test {
+resource "keycloak_group" "test" {
   realm_id = keycloak_realm.test_authorization.id
   name     = "foo"
 }
 
-resource keycloak_openid_client_group_policy test {
+resource "keycloak_openid_client_group_policy" "test" {
   resource_server_id = keycloak_openid_client.test.resource_server_id
   realm_id           = keycloak_realm.test_authorization.id
   name               = "client_group_policy_test"
@@ -94,12 +95,12 @@ resource keycloak_openid_client_group_policy test {
 #  create role policy
 #
 
-resource keycloak_role test_authorization2 {
+resource "keycloak_role" "test_authorization2" {
   realm_id = keycloak_realm.test_authorization.id
   name     = "new_role"
 }
 
-resource keycloak_openid_client_role_policy test1 {
+resource "keycloak_openid_client_role_policy" "test1" {
   resource_server_id = keycloak_openid_client.test.resource_server_id
   realm_id           = keycloak_realm.test_authorization.id
   name               = "keycloak_openid_client_role_policy1"
@@ -116,7 +117,7 @@ resource keycloak_openid_client_role_policy test1 {
 # create time policy
 #
 
-resource keycloak_openid_client_time_policy test {
+resource "keycloak_openid_client_time_policy" "test" {
   resource_server_id = keycloak_openid_client.test.resource_server_id
   realm_id           = keycloak_realm.test_authorization.id
   name               = "%s"
@@ -140,7 +141,7 @@ resource keycloak_openid_client_time_policy test {
 # create user policy
 #
 
-resource keycloak_user test {
+resource "keycloak_user" "test" {
   realm_id = keycloak_realm.test_authorization.id
   username = "test-user"
 
@@ -149,7 +150,7 @@ resource keycloak_user test {
   last_name  = "Tester"
 }
 
-resource keycloak_openid_client_user_policy test {
+resource "keycloak_openid_client_user_policy" "test" {
   resource_server_id = keycloak_openid_client.test.resource_server_id
   realm_id           = keycloak_realm.test_authorization.id
   name               = "client_user_policy_test"
@@ -164,15 +165,15 @@ resource "keycloak_users_permissions" "my_permission" {
   realm_id = keycloak_realm.test_authorization.id
 
   view_scope {
-    policies          = [
+    policies = [
       keycloak_openid_client_user_policy.test.id
     ]
     description       = "view_scope"
     decision_strategy = "CONSENSUS"
   }
 
   manage_scope {
-    policies          = [
+    policies = [
       keycloak_openid_client_user_policy.test.id
     ]
     description       = "manage_scope"
@@ -185,7 +186,7 @@ resource "keycloak_openid_client_permissions" "my_permission" {
   client_id = keycloak_openid_client.test.id
 
   view_scope {
-    policies          = [
+    policies = [
       keycloak_openid_client_user_policy.test.id,
     ]
     description       = "my description"

example/external_token_exchange_example.tf

@@ -21,7 +21,7 @@ resource "keycloak_realm" "token-exchange_destination_realm" {
   enabled = true
 }
 
-resource keycloak_oidc_identity_provider token-exchange_source_oidc_idp {
+resource "keycloak_oidc_identity_provider" "token-exchange_source_oidc_idp" {
   realm              = keycloak_realm.token-exchange_destination_realm.id
   alias              = "source"
   authorization_url  = "http://localhost:8080/auth/realms/${keycloak_realm.token-exchange_source_realm.id}/protocol/openid-connect/auth"
@@ -32,6 +32,7 @@ resource keycloak_oidc_identity_provider token-exchange_source_oidc_idp {
   client_id          = keycloak_openid_client.token-exchange_destination_client.client_id
   client_secret      = keycloak_openid_client.token-exchange_destination_client.client_secret
   default_scopes     = "openid"
+  sync_mode          = "LEGACY"
 }
 
 resource "keycloak_openid_client" "token-exchange_webapp_client" {