From 7cb616c7cec3d98eba287bf2c0d0625235d7585f Mon Sep 17 00:00:00 2001 From: Chris Coutinho Date: Sun, 2 Nov 2025 22:03:14 +0100 Subject: [PATCH] feat: Auto-configure impersonation role in Keycloak realm import MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add service account user with impersonation role to realm-export.json so that Tier 1 impersonation works out-of-the-box without requiring manual CLI configuration. Changes: - Add service-account-nextcloud-mcp-server user to realm import - Grant "impersonation" role from "realm-management" client - Eliminates need for manual `kcadm.sh add-roles` command Benefits: - Impersonation tests now pass automatically - No manual permission configuration required - Consistent development environment setup Verified: - Manual test: tests/manual/test_impersonation.py ✅ PASS - Integration tests: tests/integration/auth/test_token_exchange_legacy_v1.py ✅ 3 PASS 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude
---
 keycloak/realm-export.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/keycloak/realm-export.json b/keycloak/realm-export.json
index 7464f38..e082b3d 100644
--- a/keycloak/realm-export.json
+++ b/keycloak/realm-export.json
@@ -150,6 +150,16 @@
 "1073741824"
 ]
 }
+ },
+ {
+ "username": "service-account-nextcloud-mcp-server",
+ "enabled": true,
+ "serviceAccountClientId": "nextcloud-mcp-server",
+ "clientRoles": {
+ "realm-management": [
+ "impersonation"
+ ]
+ }
 }
 ],
 "clients": [
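Review bot: The `impersonation` role under `realm-management` in the new `clientRoles` entry is realm-wide, so whoever holds the `nextcloud-mcp-server` client credentials can act as any user in the realm, not only the accounts the tests use. The commit message frames this as development setup, but nothing in the file marks it as dev-only, and strict JSON cannot carry a comment. I would state it where the import is documented, for example `keycloak/realm-export.json is a development fixture: it grants realm-wide impersonation to the nextcloud-mcp-server service account and must not be imported into a shared or production realm`. The client's own definition sits in the `clients` array outside this hunk, so whether its secret is a fixed value checked into the export could not be confirmed from here. If it is, that secret now carries the same realm-wide reach and deserves the same note.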