reference-ansible/inventories/vagrant/host_vars/backend/keycloak.yml
Bert-Jan Fikse ad1f8a1999
feat: add oidc provisioning for opencloud
Signed-off-by: Bert-Jan Fikse <bert-jan@whatwedo.ch>
2026-03-05 15:36:12 +01:00


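---
# Keycloak configuration for the Vagrant (local development) environment.
# Every credential in this file is a plaintext placeholder for the throwaway
# local realm: the admin password, the test-user passwords and the
# "change-in-production" client secrets are committed on purpose here and must
# be overridden (e.g. from vaulted variables) in any inventory that is not
# purely local.
keycloak_domain: keycloak.local.test
# Keycloak admin password; quoted like the other credentials so tooling never
# retypes it. Placeholder value for the local environment only.
keycloak_admin_password: "admin"

# Enable provisioning via the Keycloak Admin API
keycloak_provisioning_enabled: true

# Realm configuration
keycloak_realm: "vagrant"
keycloak_realm_display_name: "Vagrant Test Realm"

# Groups to provision
keycloak_groups:
  - name: admins
  - name: users
  - name: developers

# Local users to provision (passwords are throwaway test values)
keycloak_local_users:
  - username: testadmin
    first_name: "Test"
    last_name: "Admin"
    email: "admin@local.test"
    password: "admin"
    groups:
      - name: admins
  - username: testuser
    first_name: "Test"
    last_name: "User"
    email: "user@local.test"
    password: "user"
    groups:
      - name: users

# OIDC clients to provision.
# redirect_uris are listed as exact callback URIs; keep them exact (no
# wildcard patterns) when adding clients. client_secret values are
# placeholders, as their names say, and must be replaced outside the Vagrant
# environment.
keycloak_oidc_clients:
  - client_id: nextcloud
    name: "Nextcloud"
    client_secret: "nextcloud-secret-change-in-production"
    redirect_uris:
      - "https://nextcloud.local.test/apps/user_oidc/code"
    default_client_scopes:
      - openid
      - email
      - profile
  - client_id: httpbin
    name: "HTTPBin Test App"
    client_secret: "httpbin-secret-change-in-production"
    redirect_uris:
      - "https://httpbin.local.test/callback"
    default_client_scopes:
      - openid
      - email
      - profile
  - client_id: opencloud
    name: "OpenCloud"
    client_secret: "opencloud-secret-change-in-production"
    redirect_uris:
      - "https://opencloud.local.test/"
      - "https://opencloud.local.test/oidc-callback.html"
      - "https://opencloud.local.test/oidc-silent-redirect.html"
    default_client_scopes:
      - openid
      - email
      - profile

# Identity providers (external login sources).
# Uncomment and configure for production use with real credentials; keep the
# real clientSecret out of this file (vaulted variable or a lookup at run time).
# keycloak_identity_providers:
#   - alias: entra-id
#     display_name: "Login with Microsoft"
#     provider_id: oidc
#     config:
#       clientId: "your-entra-client-id"
#       clientSecret: "your-entra-client-secret"
#       authorizationUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
#       tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token"
#       defaultScope: "openid profile email"

# Resources to remove (for cleanup when removing items from the lists above).
# Empty lists are written explicitly so a bare key is never read as null.
keycloak_removed_users: []
keycloak_removed_groups: []
keycloak_removed_clients: []
keycloak_removed_identity_providers: []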