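---
# Provisions one Keycloak realm and its OIDC clients through the
# community.general Keycloak modules. Expected variables (defined by the
# caller, not here): current_realm_name, current_realm_display_name,
# current_realm_password_policy (optional), current_realm_clients
# (optional list of client dicts), keycloak_admin_username,
# keycloak_admin_password, keycloak_server_url, keycloak_id,
# shared_service_mail_hostname.
#
# keycloak_admin_password and client.secret are credentials; both tasks set
# no_log so the module arguments and results are not written to the
# playbook output or callback logs. Keep the variables that feed them in an
# Ansible Vault-encrypted file rather than in plain vars.

- name: "Creating realm <{{ current_realm_name }}>"
  community.general.keycloak_realm:
    enabled: true
    id: "{{ current_realm_name }}"
    realm: "{{ current_realm_name }}"
    display_name: "{{ current_realm_display_name }}"
    # Admin API credentials; the "/auth" context path suggests a pre-17
    # (WildFly-based) Keycloak distribution — confirm for the target server.
    auth_realm: "master"
    auth_client_id: "admin-cli"
    auth_username: "{{ keycloak_admin_username }}"
    auth_password: "{{ keycloak_admin_password }}"
    auth_keycloak_url: "{{ keycloak_server_url }}/auth"
    account_theme: "smardigo-theme"
    admin_theme: "smardigo-theme"
    login_theme: "smardigo-theme"
    # Booleans written as true/false (not yes/no) so the values are the same
    # under YAML 1.1 and 1.2 parsers and pass yamllint's truthy rule.
    registration_allowed: false
    reset_password_allowed: true
    # Keycloak only accepts duplicate e-mails when login-by-email is off;
    # these two settings are kept consistent with that constraint.
    login_with_email_allowed: false
    duplicate_emails_allowed: true
    internationalization_enabled: true
    default_locale: "de"
    # Default policy applies unless the caller overrides it. The
    # "notUsername(undefined)" form is what the Keycloak admin console
    # emits for the argument-less notUsername policy.
    password_policy: "{{ current_realm_password_policy | default('forceExpiredPasswordChange(60) and passwordHistory(3) and length(8) and notUsername(undefined) and upperCase(2) and lowerCase(2) and specialChars(2) and digits(1)') }}"
    supported_locales:
      - "de"
      - "en"
    # Login and admin event logging; expiration is in seconds (604800 = 7 days).
    events_enabled: true
    events_expiration: 604800
    admin_events_enabled: true
    smtp_server:
      host: "{{ shared_service_mail_hostname }}"
      from: "{{ keycloak_id }}@smardigo.digital"
    events_listeners:
      - "jboss-logging"
      - "metrics-listener"
    state: present
  # Hides auth_password and the module result from logs.
  no_log: true
  # Only this task carries the tag; a run limited to --tags update_realms
  # will not touch the clients below. Confirm this split is intended.
  tags:
    - update_realms

- name: "Creating client <{{ client.clientId }}> in realm <{{ current_realm_name }}>"
  community.general.keycloak_client:
    auth_realm: "master"
    auth_client_id: "admin-cli"
    auth_username: "{{ keycloak_admin_username }}"
    auth_password: "{{ keycloak_admin_password }}"
    auth_keycloak_url: "{{ keycloak_server_url }}/auth"
    state: present
    realm: "{{ current_realm_name }}"
    client_id: "{{ client.clientId }}"
    # The internal id is pinned to the clientId so the object is addressable
    # deterministically instead of by a generated UUID.
    id: "{{ client.clientId }}"
    name: "{{ client.name }}"
    root_url: "{{ client.root_url }}"
    admin_url: "{{ client.admin_url }}"
    # Confidential client: the secret comes from the client dict.
    secret: "{{ client.secret }}"
    redirect_uris: "{{ client.redirect_uris }}"
    web_origins: "{{ client.web_origins }}"
    bearer_only: false
    consent_required: false
    standard_flow_enabled: true
    implicit_flow_enabled: false
    service_accounts_enabled: true
    authorization_services_enabled: true
    public_client: false
    frontchannel_logout: false
    protocol: "openid-connect"
    full_scope_allowed: true
    node_re_registration_timeout: -1
    surrogate_auth_required: false
    # Client attributes are passed through as given; Keycloak stores them as
    # strings. "none" is quoted so no parser can read it as a null.
    attributes:
      saml.authnstatement: false
      saml.client.signature: false
      saml.force.post.binding: false
      saml.server.signature: false
      saml_force_name_id_format: false
      request.object.signature.alg: "none"
    protocol_mappers:
      # Puts the username into the "sub" claim of all three token types.
      # "sub" normally carries the user UUID; confirm downstream consumers
      # expect the username there.
      - name: "username"
        consentRequired: false
        protocol: "openid-connect"
        protocolMapper: "oidc-usermodel-property-mapper"
        config:
          claim.name: "sub"
          user.attribute: "username"
          id.token.claim: true
          access.token.claim: true
          userinfo.token.claim: true
          jsonType.label: "String"
      # Group membership as a "groups" claim; full.path false emits group
      # names only, not their hierarchy path.
      - name: "groups"
        protocol: "openid-connect"
        protocolMapper: "oidc-group-membership-mapper"
        consentRequired: false
        config:
          claim.name: "groups"
          full.path: false
          id.token.claim: true
          access.token.claim: true
          userinfo.token.claim: true
          jsonType.label: "String"
  # Hides auth_password, client.secret and each loop item's result from logs.
  no_log: true
  # Empty default keeps the task a no-op when the realm defines no clients.
  with_items: "{{ current_realm_clients | default([]) }}"
  loop_control:
    loop_var: client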