fix client secret injection, make direct access grants configurable, make group protocol mapper a default

playbooks/roles/deploy-rhbk/templates/realm-import-template.yaml.j2

@@ -563,7 +563,9 @@ spec:
         enabled: true
         alwaysDisplayInConsole: false
         clientAuthenticatorType: client-secret
-        secret: '{{ client.secret | default(omit) }}'
+{% if client.secret is defined %}
+        secret: '{{ client.secret }}'
+{% endif %}
         redirectUris:
           - {{ client.base_url }}/*
         webOrigins:
@@ -573,7 +575,7 @@ spec:
         consentRequired: false
         standardFlowEnabled: true
         implicitFlowEnabled: false
-        directAccessGrantsEnabled: true
+        directAccessGrantsEnabled: {{ client.direct_grants | default(true) | bool }}
         serviceAccountsEnabled: false
         publicClient: false
         frontchannelLogout: true
@@ -605,6 +607,23 @@ spec:
         authenticationFlowBindingOverrides: {}
         fullScopeAllowed: true
         nodeReRegistrationTimeout: -1
+{% if client.map_groups | default(true) %}
+        protocolMappers:
+          - id: {{ ((rhbk.name | default('sso')) + '-' + (rhbk.realm | default('sample-realm')) + '-client-openshift-pm-groups') | ansible.builtin.to_uuid }}
+            name: groups
+            protocol: openid-connect
+            protocolMapper: oidc-group-membership-mapper
+            consentRequired: false
+            config:
+              claim.name: groups
+              full.path: false
+              id.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+              introspection.token.claim: true
+              lightweight.claim: false
+              multivalued: true
+{% endif %}
         defaultClientScopes:
           - web-origins
           - acr