
reCAPTCHA values aren't populated in keycloak.authentication.ExecutionConfig #655

Open
shaidar opened this issue Jan 10, 2025 · 4 comments
Labels
awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). blocked The issue cannot be resolved without 3rd party action. kind/bug Some behavior is incorrect or out of spec

Comments

@shaidar

shaidar commented Jan 10, 2025

Describe what happened

Regardless of what values are passed in the config of keycloak.authentication.ExecutionConfig, when checking the Keycloak UI the values are not populated, and no error is thrown by pulumi during its run. Tried different string values with no success.

Sample program

https://github.com/mitodl/ol-infrastructure/blob/main/src/ol_infrastructure/substructure/keycloak/__main__.py#L880-L881

Log output

No response

Affected Resource(s)

No response

Output of pulumi about

CLI
Version 3.144.1
Go Version go1.23.4
Go Compiler gc

Host
OS darwin
Version 15.1.1
Arch arm64

Additional context

No response


@shaidar shaidar added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Jan 10, 2025
@VenelinMartinov
Contributor

Hey @shaidar, thanks for reporting the issue and sorry you've had trouble here.

The pulumi keycloak provider uses the terraform keycloak provider under the hood, which uses the keycloak API. Given your issue, I suspect one of the two is not doing the right thing here. To correctly identify the problem, can I ask you to:

  1. Try making the config change via the keycloak API: https://www.keycloak.org/docs-api/latest/rest-api/index.html#AuthenticatorConfigRepresentation
  2. If that works, can you try with a short Terraform program? I use https://www.pulumi.com/ai to help with that.
  3. If that also works correctly, can you please produce a self-contained repro of the problem? The program you've linked is quite involved and requires external configuration which we'll have trouble running.

Thank you!
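As an added example (not code from this issue, Pulumi, or the Terraform provider), here is a Python read-back check in the spirit of step 1: it takes the JSON that the Keycloak admin REST endpoints for flow executions, authenticator config and authenticator providers return, and reports whether the execution actually carries non-empty config values, which is what the UI check in the report is looking for. The `admin_get` helper and the sample payloads are assumptions; realm, token and key values are placeholders.

```python
import json
from urllib.request import Request, urlopen

# Constructed sample of GET /admin/realms/{realm}/authentication/flows/{alias}/executions
SAMPLE_EXECUTIONS = [
    {"id": "exec-1", "providerId": "registration-recaptcha-action",
     "requirement": "REQUIRED", "authenticationConfig": "cfg-1"},
    {"id": "exec-2", "providerId": "registration-user-creation", "requirement": "REQUIRED"},
]
# Constructed sample of GET /admin/realms/{realm}/authentication/config/{id}, keyed by id
SAMPLE_CONFIGS = {
    "cfg-1": {"id": "cfg-1", "alias": "recaptcha-config",
              "config": {"site.key": "SITE-KEY-PLACEHOLDER", "secret.key": ""}},
}
# Constructed sample of GET /admin/realms/{realm}/authentication/authenticator-providers
SAMPLE_PROVIDERS = [{"id": "registration-recaptcha-action", "displayName": "Recaptcha"},
                    {"id": "registration-user-creation", "displayName": "User Creation"}]

def admin_get(base_url, token, path):
    # Hypothetical helper: GET an admin REST path with an admin bearer token.
    req = Request(f"{base_url}{path}", headers={"Authorization": f"Bearer {token}"})
    with urlopen(req) as resp:
        return json.load(resp)

def provider_exists(providers, provider_id):
    # The 400 "No authentication provider found for id: ..." means the server
    # does not list provider_id here, so check it before creating the execution.
    return any(p.get("id") == provider_id for p in providers)

def check_execution_config(executions, get_config, provider_id, required_keys):
    # Read the flow back and report config keys that are missing or empty.
    # Returns (ok, problems); ok only if every matching execution has a config
    # attached and every required key holds a non-empty value.
    matching = [e for e in executions if e.get("providerId") == provider_id]
    if not matching:
        return False, [f"no execution with providerId {provider_id!r} in flow"]
    problems = []
    for e in matching:
        cfg_id = e.get("authenticationConfig")
        if not cfg_id:
            problems.append(f"execution {e['id']} has no config attached")
            continue
        values = get_config(cfg_id).get("config") or {}
        for key in required_keys:
            if not values.get(key):
                problems.append(f"execution {e['id']}: config key {key!r} is empty")
    return not problems, problems
```

Against a live server, `get_config` would be `lambda cid: admin_get(base, token, f"/admin/realms/{realm}/authentication/config/{cid}")`, and an empty `problems` list after `pulumi up` is the confirmation that the provider wrote the values through.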

@VenelinMartinov VenelinMartinov added awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Jan 13, 2025
@shaidar
Author

shaidar commented Jan 13, 2025

Hey @VenelinMartinov! I'm familiar with the fact that this is based on terraform but wasn't sure if I was doing something wrong passing in config values; that doesn't appear to be the case. Regarding 1, that works fine when directly using the API. As far as 2, that does not seem to work, the issue being the error below, even after verifying that registration-recaptcha-action is the correct id; in fact that's what the API used and it worked.

Error: error sending POST request to /admin/realms/olapps/authentication/flows/ol-registration-flow/executions/execution: 400 Bad Request. Response body: {"error":"No authentication provider found for id: registration-recaptcha-action"}
│
│   with keycloak_authentication_execution.recaptcha,
│   on main.tf line 59, in resource "keycloak_authentication_execution" "recaptcha":
│   59: resource "keycloak_authentication_execution" "recaptcha" {

Tried different provider IDs with no luck. I'm assuming we'll need to open an issue on the terraform repo, but it would be helpful to get some confirmation that you're experiencing the same thing.

Below is very basic terraform to try it out:

terraform {
  required_providers {
    keycloak = {
      source = "keycloak/keycloak"
      version = "5.0.0"
    }
  }
}

# Variables
variable "keycloak_url" {
  type        = string
  description = "The URL of the Keycloak instance"
  nullable    = false
}

variable "keycloak_realm" {
  type        = string
  description = "The Keycloak realm name"
  default     = "olapps"
}

variable "keycloak_client_id" {
  type        = string
  description = "The client ID for Keycloak authentication"
  nullable    = false
}

variable "keycloak_client_secret" {
  type        = string
  description = "The client secret for Keycloak authentication"
  sensitive   = true
  nullable    = false
}

variable "recaptcha_site_key" {
  type        = string
  description = "Google reCAPTCHA site key"
  nullable    = false
}

variable "recaptcha_secret_key" {
  type        = string
  description = "Google reCAPTCHA secret key"
  sensitive   = true
  nullable    = false
}

# Provider configuration
provider "keycloak" {
  client_id     = var.keycloak_client_id
  client_secret = var.keycloak_client_secret
  url           = var.keycloak_url
  realm         = var.keycloak_realm
}

# Create new authentication flow
resource "keycloak_authentication_flow" "recaptcha_flow" {
  realm_id    = var.keycloak_realm
  alias       = "recaptcha-only-flow"
  description = "Flow with only reCAPTCHA verification"
  provider_id = "basic-flow"
}

# Add reCAPTCHA execution to the flow
resource "keycloak_authentication_execution" "recaptcha" {
  realm_id          = var.keycloak_realm
  parent_flow_alias = keycloak_authentication_flow.recaptcha_flow.alias
  authenticator     = "recaptcha"  # Changed from registration-recaptcha-action
  requirement       = "REQUIRED"

  depends_on = [keycloak_authentication_flow.recaptcha_flow]
}

# Configure reCAPTCHA execution
resource "keycloak_authentication_execution_config" "recaptcha_config" {
  realm_id     = var.keycloak_realm
  execution_id = keycloak_authentication_execution.recaptcha.id
  alias        = "recaptcha-config"

  config = {
    "site.key"   = var.recaptcha_site_key
    "secret.key" = var.recaptcha_secret_key
  }

  depends_on = [keycloak_authentication_execution.recaptcha]
}

# Outputs
output "flow_id" {
  value       = keycloak_authentication_flow.recaptcha_flow.id
  description = "ID of the created authentication flow"
}

output "recaptcha_execution_id" {
  value       = keycloak_authentication_execution.recaptcha.id
  description = "ID of the reCAPTCHA execution"
}

output "recaptcha_config_id" {
  value       = keycloak_authentication_execution_config.recaptcha_config.id
  description = "ID of the reCAPTCHA configuration"
}

@pulumi-bot pulumi-bot added needs-triage Needs attention from the triage team and removed awaiting-feedback Blocked on input from the author labels Jan 13, 2025
@VenelinMartinov
Contributor

VenelinMartinov commented Jan 16, 2025

Hey @shaidar, in the program you pasted you've changed registration-recaptcha-action to recaptcha. Could that be the source of the error TF is complaining about?

Otherwise you are correct, I think your best bet is raising the issue upstream to terraform-keycloak. Note that we just released a new major version - you might want to try with the newest version in case the issue was fixed.

@VenelinMartinov VenelinMartinov added awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Jan 16, 2025
@shaidar
Author

shaidar commented Jan 16, 2025

@VenelinMartinov Yeah, I tried it with different values and must've pasted the one with recaptcha; they all threw the same error. Will open an issue on the terraform repo and hopefully we can get it fixed.

@pulumi-bot pulumi-bot added needs-triage Needs attention from the triage team and removed awaiting-feedback Blocked on input from the author labels Jan 16, 2025
@VenelinMartinov VenelinMartinov added blocked The issue cannot be resolved without 3rd party action. awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). and removed needs-triage Needs attention from the triage team labels Jan 16, 2025