k*.py: normalize docs (#9391)

* k*.py: normalize docs * Update plugins/modules/keycloak_realm_keys_metadata_info.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/kibana_plugin.py Co-authored-by: Felix Fontein <felix@fontein.de> --------- Co-authored-by: Felix Fontein <felix@fontein.de>
2025-04-06 10:40:32 -07:00 · 2024-12-27 01:42:44 +13:00 · 2024-12-27 01:42:44 +13:00 · 49ed3d4acf
commit 49ed3d4acf
parent 6aadcc72d1
34 changed files with 4402 additions and 4882 deletions
--- a/plugins/modules/kdeconfig.py
+++ b/plugins/modules/kdeconfig.py
@ -7,15 +7,13 @@ from __future__ import (absolute_import, division, print_function)
 __metaclass__ = type
-DOCUMENTATION = r'''
+DOCUMENTATION = r"""
 ---
 module: kdeconfig
 short_description: Manage KDE configuration files
 version_added: "6.5.0"
 description:
  - Add or change individual settings in KDE configuration files.
  - It uses B(kwriteconfig) under the hood.
 options:
  path:
    description:
@ -24,8 +22,7 @@ options:
    required: true
  kwriteconfig_path:
    description:
-      - Path to the kwriteconfig executable. If not specified, Ansible will try
+      - Path to the kwriteconfig executable. If not specified, Ansible will try to discover it.
        to discover it.
    type: path
  values:
    description:
@ -74,9 +71,9 @@ requirements:
  - kwriteconfig
 author:
  - Salvatore Mesoraca (@smeso)
-'''
+"""
-EXAMPLES = r'''
+EXAMPLES = r"""
 - name: Ensure "Homepage=https://www.ansible.com/" in group "Branding"
  community.general.kdeconfig:
    path: /etc/xdg/kickoffrc
@ -97,9 +94,9 @@ EXAMPLES = r'''
        key: KEY
        value: VALUE
    backup: true
-'''
+"""
-RETURN = r''' # '''
+RETURN = r""" # """
 import os
 import shutil
--- a/plugins/modules/kernel_blacklist.py
+++ b/plugins/modules/kernel_blacklist.py
@ -9,8 +9,7 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: kernel_blacklist
 author:
  - Matthias Vogelgesang (@matze)
@ -34,22 +33,21 @@ options:
    type: str
    description:
      - Whether the module should be present in the blacklist or absent.
-        choices: [ absent, present ]
+    choices: [absent, present]
    default: present
  blacklist_file:
    type: str
    description:
-            - If specified, use this blacklist file instead of
+      - If specified, use this blacklist file instead of C(/etc/modprobe.d/blacklist-ansible.conf).
              C(/etc/modprobe.d/blacklist-ansible.conf).
    default: /etc/modprobe.d/blacklist-ansible.conf
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Blacklist the nouveau driver module
  community.general.kernel_blacklist:
    name: nouveau
    state: present
-'''
+"""
 import os
 import re
--- a/plugins/modules/keycloak_authentication.py
+++ b/plugins/modules/keycloak_authentication.py
@ -7,8 +7,7 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_authentication
 short_description: Configure authentication in Keycloak
@ -16,7 +15,6 @@ short_description: Configure authentication in Keycloak
 description:
  - This module actually can only make a copy of an existing authentication flow, add an execution to it and configure it.
  - It can also delete the flow.
 version_added: "3.3.0"
 attributes:
@ -45,7 +43,7 @@ options:
  providerId:
    description:
      - C(providerId) for the new flow when not copied from an existing flow.
-        choices: [ "basic-flow", "client-flow" ]
+    choices: ["basic-flow", "client-flow"]
    type: str
  copyFrom:
    description:
@ -68,7 +66,7 @@ options:
      requirement:
        description:
          - Control status of the subflow or execution.
-                choices: [ "REQUIRED", "ALTERNATIVE", "DISABLED", "CONDITIONAL" ]
+        choices: ["REQUIRED", "ALTERNATIVE", "DISABLED", "CONDITIONAL"]
        type: str
      flowAlias:
        description:
@ -93,7 +91,7 @@ options:
  state:
    description:
      - Control if the authentication flow must exists or not.
-        choices: [ "present", "absent" ]
+    choices: ["present", "absent"]
    default: present
    type: str
  force:
@ -101,7 +99,6 @@ options:
    default: false
    description:
      - If V(true), allows to remove the authentication flow and recreate it.
 extends_documentation_fragment:
  - community.general.keycloak
  - community.general.keycloak.actiongroup_keycloak
@ -110,9 +107,9 @@ extends_documentation_fragment:
 author:
  - Philippe Gauthier (@elfelip)
  - Gaëtan Daubresse (@Gaetan2907)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Create an authentication flow from first broker login and add an execution to it.
  community.general.keycloak_authentication:
    auth_keycloak_url: http://localhost:8080/auth
@ -184,9 +181,9 @@ EXAMPLES = '''
    realm: master
    alias: "Copy of first broker login"
    state: absent
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
@ -222,7 +219,7 @@ end_state:
      "providerId": "basic-flow",
      "topLevel": true
    }
-'''
+"""
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak \
    import KeycloakAPI, keycloak_argument_spec, get_token, KeycloakError, is_struct_included
--- a/plugins/modules/keycloak_authentication_required_actions.py
+++ b/plugins/modules/keycloak_authentication_required_actions.py
@ -9,8 +9,7 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_authentication_required_actions
 short_description: Allows administration of Keycloak authentication required actions
@ -18,7 +17,6 @@ short_description: Allows administration of Keycloak authentication required act
 description:
  - This module can register, update and delete required actions.
  - It also filters out any duplicate required actions by their alias. The first occurrence is preserved.
 version_added: 7.1.0
 attributes:
@ -71,7 +69,7 @@ options:
        type: str
    type: list
  state:
-        choices: [ "absent", "present" ]
+    choices: ["absent", "present"]
    description:
      - Control if the realm authentication required actions are going to be registered/updated (V(present)) or deleted (V(absent)).
    required: true
@ -84,9 +82,9 @@ extends_documentation_fragment:
 author:
  - Skrekulko (@Skrekulko)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Register a new required action.
  community.general.keycloak_authentication_required_actions:
    auth_client_id: "admin-cli"
@ -126,9 +124,9 @@ EXAMPLES = '''
    required_action:
      - alias: "TERMS_AND_CONDITIONS"
    state: "absent"
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
@ -174,8 +172,7 @@ end_state:
        - Provider ID of the required action. Required for registration.
      sample: test-provider-id
      type: str
-
+"""
 '''
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
    keycloak_argument_spec, get_token, KeycloakError
--- a/plugins/modules/keycloak_authz_authorization_scope.py
+++ b/plugins/modules/keycloak_authz_authorization_scope.py
@ -9,27 +9,21 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_authz_authorization_scope
-short_description: Allows administration of Keycloak client authorization scopes via Keycloak API
+short_description: Allows administration of Keycloak client authorization scopes using Keycloak API
 version_added: 6.6.0
 description:
-    - This module allows the administration of Keycloak client Authorization Scopes via the Keycloak REST
+  - This module allows the administration of Keycloak client Authorization Scopes using the Keycloak REST API. Authorization Scopes are only available
-      API. Authorization Scopes are only available if a client has Authorization enabled.
+    if a client has Authorization enabled.
-
+  - This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access
-    - This module requires access to the REST API via OpenID Connect; the user connecting and the realm
+    rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored
      being used must have the requisite access rights. In a default Keycloak installation, admin-cli
      and an admin user would work, as would a separate realm definition with the scope tailored
    to your needs and a user having the expected roles.
-
+  - The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads
-    - The names of module options are snake_cased versions of the camelCase options used by Keycloak.
+    have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
      The Authorization Services paths and payloads have not officially been documented by the Keycloak project.
      U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/)
 attributes:
  check_mode:
    support: full
@ -81,9 +75,9 @@ extends_documentation_fragment:
 author:
  - Samuli Seppänen (@mattock)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Manage Keycloak file:delete authorization scope
  keycloak_authz_authorization_scope:
    name: file:delete
@ -95,9 +89,9 @@ EXAMPLES = '''
    auth_username: keycloak
    auth_password: keycloak
    auth_realm: master
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
@ -128,8 +122,7 @@ end_state:
      type: str
      returned: when O(state=present)
      sample: http://localhost/icon.png
-
+"""
 '''
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
    keycloak_argument_spec, get_token, KeycloakError
--- a/plugins/modules/keycloak_authz_custom_policy.py
+++ b/plugins/modules/keycloak_authz_custom_policy.py
@ -9,28 +9,21 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_authz_custom_policy
-short_description: Allows administration of Keycloak client custom Javascript policies via Keycloak API
+short_description: Allows administration of Keycloak client custom Javascript policies using Keycloak API
 version_added: 7.5.0
 description:
-    - This module allows the administration of Keycloak client custom Javascript via the Keycloak REST
+  - This module allows the administration of Keycloak client custom Javascript using the Keycloak REST API. Custom Javascript policies are only
-      API. Custom Javascript policies are only available if a client has Authorization enabled and if
+    available if a client has Authorization enabled and if they have been deployed to the Keycloak server as JAR files.
-      they have been deployed to the Keycloak server as JAR files.
+  - This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access
-
+    rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored
    - This module requires access to the REST API via OpenID Connect; the user connecting and the realm
      being used must have the requisite access rights. In a default Keycloak installation, admin-cli
      and an admin user would work, as would a separate realm definition with the scope tailored
    to your needs and a user having the expected roles.
-
+  - The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads
-    - The names of module options are snake_cased versions of the camelCase options used by Keycloak.
+    have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
      The Authorization Services paths and payloads have not officially been documented by the Keycloak project.
      U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/)
 attributes:
  check_mode:
    support: full
@ -78,9 +71,9 @@ extends_documentation_fragment:
 author:
  - Samuli Seppänen (@mattock)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Manage Keycloak custom authorization policy
  community.general.keycloak_authz_custom_policy:
    name: OnlyOwner
@ -92,9 +85,9 @@ EXAMPLES = '''
    auth_username: keycloak
    auth_password: keycloak
    auth_realm: master
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
@ -115,8 +108,7 @@ end_state:
      type: str
      returned: when I(state=present)
      sample: File delete
-
+"""
 '''
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
    keycloak_argument_spec, get_token, KeycloakError
--- a/plugins/modules/keycloak_authz_permission.py
+++ b/plugins/modules/keycloak_authz_permission.py
@ -9,35 +9,26 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_authz_permission
 version_added: 7.2.0
-short_description: Allows administration of Keycloak client authorization permissions via Keycloak API
+short_description: Allows administration of Keycloak client authorization permissions using Keycloak API
 description:
-    - This module allows the administration of Keycloak client authorization permissions via the Keycloak REST
+  - This module allows the administration of Keycloak client authorization permissions using the Keycloak REST API. Authorization permissions are
-      API. Authorization permissions are only available if a client has Authorization enabled.
+    only available if a client has Authorization enabled.
-
+  - There are some peculiarities in JSON paths and payloads for authorization permissions. In particular POST and PUT operations are targeted
-    - There are some peculiarities in JSON paths and payloads for authorization permissions. In particular
+    at permission endpoints, whereas GET requests go to policies endpoint. To make matters more interesting the JSON responses from GET requests
-      POST and PUT operations are targeted at permission endpoints, whereas GET requests go to policies
+    return data in a different format than what is expected for POST and PUT. The end result is that it is not possible to detect changes to things
-      endpoint. To make matters more interesting the JSON responses from GET requests return data in a
+    like policies, scopes or resources - at least not without a large number of additional API calls. Therefore this module always updates authorization
-      different format than what is expected for POST and PUT. The end result is that it is not possible to
+    permissions instead of attempting to determine if changes are truly needed.
-      detect changes to things like policies, scopes or resources - at least not without a large number of
+  - This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access
-      additional API calls. Therefore this module always updates authorization permissions instead of
+    rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored
      attempting to determine if changes are truly needed.
    - This module requires access to the REST API via OpenID Connect; the user connecting and the realm
      being used must have the requisite access rights. In a default Keycloak installation, admin-cli
      and an admin user would work, as would a separate realm definition with the scope tailored
    to your needs and a user having the expected roles.
-
+  - The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads
-    - The names of module options are snake_cased versions of the camelCase options used by Keycloak.
+    have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
      The Authorization Services paths and payloads have not officially been documented by the Keycloak project.
      U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/)
 attributes:
  check_mode:
    support: full
@ -128,9 +119,9 @@ extends_documentation_fragment:
 author:
  - Samuli Seppänen (@mattock)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Manage scope-based Keycloak authorization permission
  community.general.keycloak_authz_permission:
    name: ScopePermission
@ -164,9 +155,9 @@ EXAMPLES = '''
    auth_username: keycloak
    auth_password: keycloak
    auth_realm: master
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
@ -225,7 +216,7 @@ end_state:
      returned: when O(state=present)
      sample:
        - 9da05cd2-b273-4354-bbd8-0c133918a454
-'''
+"""
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
    keycloak_argument_spec, get_token, KeycloakError
--- a/plugins/modules/keycloak_authz_permission_info.py
+++ b/plugins/modules/keycloak_authz_permission_info.py
@ -9,8 +9,7 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_authz_permission_info
 version_added: 7.2.0
@ -18,19 +17,13 @@ version_added: 7.2.0
 short_description: Query Keycloak client authorization permissions information
 description:
-    - This module allows querying information about Keycloak client authorization permissions from the
+  - This module allows querying information about Keycloak client authorization permissions from the resources endpoint using the Keycloak REST
-      resources endpoint via the Keycloak REST API. Authorization permissions are only available if a
+    API. Authorization permissions are only available if a client has Authorization enabled.
-      client has Authorization enabled.
+  - This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access
-
+    rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored
    - This module requires access to the REST API via OpenID Connect; the user connecting and the realm
      being used must have the requisite access rights. In a default Keycloak installation, admin-cli
      and an admin user would work, as would a separate realm definition with the scope tailored
    to your needs and a user having the expected roles.
-
+  - The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads
-    - The names of module options are snake_cased versions of the camelCase options used by Keycloak.
+    have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
      The Authorization Services paths and payloads have not officially been documented by the Keycloak project.
      U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/)
 attributes:
  action_group:
    version_added: 10.2.0
@ -61,9 +54,9 @@ extends_documentation_fragment:
 author:
  - Samuli Seppänen (@mattock)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Query Keycloak authorization permission
  community.general.keycloak_authz_permission_info:
    name: ScopePermission
@ -73,9 +66,9 @@ EXAMPLES = '''
    auth_username: keycloak
    auth_password: keycloak
    auth_realm: master
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
@ -114,7 +107,7 @@ queried_state:
      description: Configuration of the permission (empty in all observed cases).
      type: dict
      sample: {}
-'''
+"""
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
    keycloak_argument_spec, get_token, KeycloakError
--- a/plugins/modules/keycloak_client.py
+++ b/plugins/modules/keycloak_client.py
@ -8,28 +8,21 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_client
-short_description: Allows administration of Keycloak clients via Keycloak API
+short_description: Allows administration of Keycloak clients using Keycloak API
 description:
-    - This module allows the administration of Keycloak clients via the Keycloak REST API. It
+  - This module allows the administration of Keycloak clients using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
-      requires access to the REST API via OpenID Connect; the user connecting and the client being
+    the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an
-      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+    admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
-      and an admin user would work, as would a separate client definition with the scope tailored
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
-      to your needs and a user having the expected roles.
+    U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
    - The names of module options are snake_cased versions of the camelCase ones found in the
      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
    Aliases are provided so camelCased versions can be used as well.
-
+  - The Keycloak API does not always sanity check inputs, for example you can set SAML-specific settings on an OpenID Connect client for instance and
-    - The Keycloak API does not always sanity check inputs e.g. you can set
+    the other way around. Be careful. If you do not specify a setting, usually a sensible default is chosen.
      SAML-specific settings on an OpenID Connect client for instance and vice versa. Be careful.
      If you do not specify a setting, usually a sensible default is chosen.
 attributes:
  check_mode:
    support: full
@ -41,9 +34,9 @@ attributes:
 options:
  state:
    description:
-            - State of the client
+      - State of the client.
      - On V(present), the client will be created (or updated if it exists already).
-            - On V(absent), the client will be removed if it exists
+      - On V(absent), the client will be removed if it exists.
    choices: ['present', 'absent']
    default: 'present'
    type: str
@ -56,17 +49,15 @@ options:
  client_id:
    description:
-            - Client id of client to be worked on. This is usually an alphanumeric name chosen by
+      - Client id of client to be worked on. This is usually an alphanumeric name chosen by you. Either this or O(id) is required. If you specify
-              you. Either this or O(id) is required. If you specify both, O(id) takes precedence.
+        both, O(id) takes precedence. This is C(clientId) in the Keycloak REST API.
              This is 'clientId' in the Keycloak REST API.
    aliases:
      - clientId
    type: str
  id:
    description:
-            - Id of client to be worked on. This is usually an UUID. Either this or O(client_id)
+      - Id of client to be worked on. This is usually an UUID. Either this or O(client_id) is required. If you specify both, this takes precedence.
              is required. If you specify both, this takes precedence.
    type: str
  name:
@ -81,24 +72,21 @@ options:
  root_url:
    description:
-            - Root URL appended to relative URLs for this client.
+      - Root URL appended to relative URLs for this client. This is C(rootUrl) in the Keycloak REST API.
              This is 'rootUrl' in the Keycloak REST API.
    aliases:
      - rootUrl
    type: str
  admin_url:
    description:
-            - URL to the admin interface of the client.
+      - URL to the admin interface of the client. This is C(adminUrl) in the Keycloak REST API.
              This is 'adminUrl' in the Keycloak REST API.
    aliases:
      - adminUrl
    type: str
  base_url:
    description:
-            - Default URL to use when the auth server needs to redirect or link back to the client
+      - Default URL to use when the auth server needs to redirect or link back to the client This is C(baseUrl) in the Keycloak REST API.
              This is 'baseUrl' in the Keycloak REST API.
    aliases:
      - baseUrl
    type: str
@ -110,13 +98,12 @@ options:
  client_authenticator_type:
    description:
-            - How do clients authenticate with the auth server? Either V(client-secret),
+      - How do clients authenticate with the auth server? Either V(client-secret), V(client-jwt), or V(client-x509) can be chosen. When using
-              V(client-jwt), or V(client-x509) can be chosen. When using V(client-secret), the module parameter
+        V(client-secret), the module parameter O(secret) can set it, for V(client-jwt), you can use the keys C(use.jwks.url), C(jwks.url), and
-              O(secret) can set it, for V(client-jwt), you can use the keys C(use.jwks.url),
+        C(jwt.credential.certificate) in the O(attributes) module parameter to configure its behavior. For V(client-x509) you can use the keys
-              C(jwks.url), and C(jwt.credential.certificate) in the O(attributes) module parameter
+        C(x509.allow.regex.pattern.comparison) and C(x509.subjectdn) in the O(attributes) module parameter to configure which certificate(s) to
-              to configure its behavior. For V(client-x509) you can use the keys C(x509.allow.regex.pattern.comparison)
+        accept.
-              and C(x509.subjectdn) in the O(attributes) module parameter to configure which certificate(s) to accept.
+      - This is C(clientAuthenticatorType) in the Keycloak REST API.
            - This is 'clientAuthenticatorType' in the Keycloak REST API.
    choices: ['client-secret', 'client-jwt', 'client-x509']
    aliases:
      - clientAuthenticatorType
@ -124,26 +111,22 @@ options:
  secret:
    description:
-            - When using O(client_authenticator_type=client-secret) (the default), you can
+      - When using O(client_authenticator_type=client-secret) (the default), you can specify a secret here (otherwise one will be generated if
-              specify a secret here (otherwise one will be generated if it does not exit). If
+        it does not exit). If changing this secret, the module will not register a change currently (but the changed secret will be saved).
              changing this secret, the module will not register a change currently (but the
              changed secret will be saved).
    type: str
  registration_access_token:
    description:
-            - The registration access token provides access for clients to the client registration
+      - The registration access token provides access for clients to the client registration service. This is C(registrationAccessToken) in the
-              service.
+        Keycloak REST API.
              This is 'registrationAccessToken' in the Keycloak REST API.
    aliases:
      - registrationAccessToken
    type: str
  default_roles:
    description:
-            - list of default roles for this client. If the client roles referenced do not exist
+      - List of default roles for this client. If the client roles referenced do not exist yet, they will be created. This is C(defaultRoles) in
-              yet, they will be created.
+        the Keycloak REST API.
              This is 'defaultRoles' in the Keycloak REST API.
    aliases:
      - defaultRoles
    type: list
@ -151,8 +134,7 @@ options:
  redirect_uris:
    description:
-            - Acceptable redirect URIs for this client.
+      - Acceptable redirect URIs for this client. This is C(redirectUris) in the Keycloak REST API.
              This is 'redirectUris' in the Keycloak REST API.
    aliases:
      - redirectUris
    type: list
@ -160,8 +142,7 @@ options:
  web_origins:
    description:
-            - List of allowed CORS origins.
+      - List of allowed CORS origins. This is C(webOrigins) in the Keycloak REST API.
              This is 'webOrigins' in the Keycloak REST API.
    aliases:
      - webOrigins
    type: list
@ -169,80 +150,71 @@ options:
  not_before:
    description:
-            - Revoke any tokens issued before this date for this client (this is a UNIX timestamp).
+      - Revoke any tokens issued before this date for this client (this is a UNIX timestamp). This is C(notBefore) in the Keycloak REST API.
              This is 'notBefore' in the Keycloak REST API.
    type: int
    aliases:
      - notBefore
  bearer_only:
    description:
-            - The access type of this client is bearer-only.
+      - The access type of this client is bearer-only. This is C(bearerOnly) in the Keycloak REST API.
              This is 'bearerOnly' in the Keycloak REST API.
    aliases:
      - bearerOnly
    type: bool
  consent_required:
    description:
-            - If enabled, users have to consent to client access.
+      - If enabled, users have to consent to client access. This is C(consentRequired) in the Keycloak REST API.
              This is 'consentRequired' in the Keycloak REST API.
    aliases:
      - consentRequired
    type: bool
  standard_flow_enabled:
    description:
-            - Enable standard flow for this client or not (OpenID connect).
+      - Enable standard flow for this client or not (OpenID connect). This is C(standardFlowEnabled) in the Keycloak REST API.
              This is 'standardFlowEnabled' in the Keycloak REST API.
    aliases:
      - standardFlowEnabled
    type: bool
  implicit_flow_enabled:
    description:
-            - Enable implicit flow for this client or not (OpenID connect).
+      - Enable implicit flow for this client or not (OpenID connect). This is C(implicitFlowEnabled) in the Keycloak REST API.
              This is 'implicitFlowEnabled' in the Keycloak REST API.
    aliases:
      - implicitFlowEnabled
    type: bool
  direct_access_grants_enabled:
    description:
-            - Are direct access grants enabled for this client or not (OpenID connect).
+      - Are direct access grants enabled for this client or not (OpenID connect). This is C(directAccessGrantsEnabled) in the Keycloak REST API.
              This is 'directAccessGrantsEnabled' in the Keycloak REST API.
    aliases:
      - directAccessGrantsEnabled
    type: bool
  service_accounts_enabled:
    description:
-            - Are service accounts enabled for this client or not (OpenID connect).
+      - Are service accounts enabled for this client or not (OpenID connect). This is C(serviceAccountsEnabled) in the Keycloak REST API.
              This is 'serviceAccountsEnabled' in the Keycloak REST API.
    aliases:
      - serviceAccountsEnabled
    type: bool
  authorization_services_enabled:
    description:
-            - Are authorization services enabled for this client or not (OpenID connect).
+      - Are authorization services enabled for this client or not (OpenID connect). This is C(authorizationServicesEnabled) in the Keycloak REST
-              This is 'authorizationServicesEnabled' in the Keycloak REST API.
+        API.
    aliases:
      - authorizationServicesEnabled
    type: bool
  public_client:
    description:
-            - Is the access type for this client public or not.
+      - Is the access type for this client public or not. This is C(publicClient) in the Keycloak REST API.
              This is 'publicClient' in the Keycloak REST API.
    aliases:
      - publicClient
    type: bool
  frontchannel_logout:
    description:
-            - Is frontchannel logout enabled for this client or not.
+      - Is frontchannel logout enabled for this client or not. This is C(frontchannelLogout) in the Keycloak REST API.
              This is 'frontchannelLogout' in the Keycloak REST API.
    aliases:
      - frontchannelLogout
    type: bool
@ -257,66 +229,58 @@ options:
  full_scope_allowed:
    description:
-            - Is the "Full Scope Allowed" feature set for this client or not.
+      - Is the "Full Scope Allowed" feature set for this client or not. This is C(fullScopeAllowed) in the Keycloak REST API.
              This is 'fullScopeAllowed' in the Keycloak REST API.
    aliases:
      - fullScopeAllowed
    type: bool
  node_re_registration_timeout:
    description:
-            - Cluster node re-registration timeout for this client.
+      - Cluster node re-registration timeout for this client. This is C(nodeReRegistrationTimeout) in the Keycloak REST API.
              This is 'nodeReRegistrationTimeout' in the Keycloak REST API.
    type: int
    aliases:
      - nodeReRegistrationTimeout
  registered_nodes:
    description:
-            - dict of registered cluster nodes (with C(nodename) as the key and last registration
+      - Dict of registered cluster nodes (with C(nodename) as the key and last registration time as the value). This is C(registeredNodes) in the
-              time as the value).
+        Keycloak REST API.
              This is 'registeredNodes' in the Keycloak REST API.
    type: dict
    aliases:
      - registeredNodes
  client_template:
    description:
-            - Client template to use for this client. If it does not exist this field will silently
+      - Client template to use for this client. If it does not exist this field will silently be dropped. This is C(clientTemplate) in the Keycloak
-              be dropped.
+        REST API.
              This is 'clientTemplate' in the Keycloak REST API.
    type: str
    aliases:
      - clientTemplate
  use_template_config:
    description:
-            - Whether or not to use configuration from the O(client_template).
+      - Whether or not to use configuration from the O(client_template). This is C(useTemplateConfig) in the Keycloak REST API.
              This is 'useTemplateConfig' in the Keycloak REST API.
    aliases:
      - useTemplateConfig
    type: bool
  use_template_scope:
    description:
-            - Whether or not to use scope configuration from the O(client_template).
+      - Whether or not to use scope configuration from the O(client_template). This is C(useTemplateScope) in the Keycloak REST API.
              This is 'useTemplateScope' in the Keycloak REST API.
    aliases:
      - useTemplateScope
    type: bool
  use_template_mappers:
    description:
-            - Whether or not to use mapper configuration from the O(client_template).
+      - Whether or not to use mapper configuration from the O(client_template). This is C(useTemplateMappers) in the Keycloak REST API.
              This is 'useTemplateMappers' in the Keycloak REST API.
    aliases:
      - useTemplateMappers
    type: bool
  always_display_in_console:
    description:
-            - Whether or not to display this client in account console, even if the
+      - Whether or not to display this client in account console, even if the user does not have an active session.
              user does not have an active session.
    aliases:
      - alwaysDisplayInConsole
    type: bool
@ -324,17 +288,16 @@ options:
  surrogate_auth_required:
    description:
-            - Whether or not surrogate auth is required.
+      - Whether or not surrogate auth is required. This is C(surrogateAuthRequired) in the Keycloak REST API.
              This is 'surrogateAuthRequired' in the Keycloak REST API.
    aliases:
      - surrogateAuthRequired
    type: bool
  authorization_settings:
    description:
-            - a data structure defining the authorization settings for this client. For reference,
+      - A data structure defining the authorization settings for this client. For reference, please see the Keycloak API docs at
-              please see the Keycloak API docs at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html#_resourceserverrepresentation).
+        U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html#_resourceserverrepresentation).
-              This is 'authorizationSettings' in the Keycloak REST API.
+        This is C(authorizationSettings) in the Keycloak REST API.
    type: dict
    aliases:
      - authorizationSettings
@ -347,15 +310,13 @@ options:
      browser:
        description:
          - Flow ID of the browser authentication flow.
-                    - O(authentication_flow_binding_overrides.browser)
+          - O(authentication_flow_binding_overrides.browser) and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive.
                      and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive.
        type: str
      browser_name:
        description:
          - Flow name of the browser authentication flow.
-                    - O(authentication_flow_binding_overrides.browser)
+          - O(authentication_flow_binding_overrides.browser) and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive.
                      and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive.
        aliases:
          - browserName
        type: str
@ -364,8 +325,8 @@ options:
      direct_grant:
        description:
          - Flow ID of the direct grant authentication flow.
-                    - O(authentication_flow_binding_overrides.direct_grant)
+          - O(authentication_flow_binding_overrides.direct_grant) and O(authentication_flow_binding_overrides.direct_grant_name) are mutually
-                      and O(authentication_flow_binding_overrides.direct_grant_name) are mutually exclusive.
+            exclusive.
        aliases:
          - directGrant
        type: str
@ -373,8 +334,8 @@ options:
      direct_grant_name:
        description:
          - Flow name of the direct grant authentication flow.
-                    - O(authentication_flow_binding_overrides.direct_grant)
+          - O(authentication_flow_binding_overrides.direct_grant) and O(authentication_flow_binding_overrides.direct_grant_name) are mutually
-                      and O(authentication_flow_binding_overrides.direct_grant_name) are mutually exclusive.
+            exclusive.
        aliases:
          - directGrantName
        type: str
@ -403,8 +364,7 @@ options:
  protocol_mappers:
    description:
-            - a list of dicts defining protocol mappers for this client.
+      - A list of dicts defining protocol mappers for this client. This is C(protocolMappers) in the Keycloak REST API.
              This is 'protocolMappers' in the Keycloak REST API.
    aliases:
      - protocolMappers
    type: list
@ -438,151 +398,120 @@ options:
      protocolMapper:
        description:
-                    - "The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is
+          - 'The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide since this may
-                      impossible to provide since this may be extended through SPIs by the user of Keycloak,
+            be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:'
-                      by default Keycloak as of 3.4 ships with at least:"
+          - V(docker-v2-allow-all-mapper).
-                    - V(docker-v2-allow-all-mapper)
+          - V(oidc-address-mapper).
-                    - V(oidc-address-mapper)
+          - V(oidc-full-name-mapper).
-                    - V(oidc-full-name-mapper)
+          - V(oidc-group-membership-mapper).
-                    - V(oidc-group-membership-mapper)
+          - V(oidc-hardcoded-claim-mapper).
-                    - V(oidc-hardcoded-claim-mapper)
+          - V(oidc-hardcoded-role-mapper).
-                    - V(oidc-hardcoded-role-mapper)
+          - V(oidc-role-name-mapper).
-                    - V(oidc-role-name-mapper)
+          - V(oidc-script-based-protocol-mapper).
-                    - V(oidc-script-based-protocol-mapper)
+          - V(oidc-sha256-pairwise-sub-mapper).
-                    - V(oidc-sha256-pairwise-sub-mapper)
+          - V(oidc-usermodel-attribute-mapper).
-                    - V(oidc-usermodel-attribute-mapper)
+          - V(oidc-usermodel-client-role-mapper).
-                    - V(oidc-usermodel-client-role-mapper)
+          - V(oidc-usermodel-property-mapper).
-                    - V(oidc-usermodel-property-mapper)
+          - V(oidc-usermodel-realm-role-mapper).
-                    - V(oidc-usermodel-realm-role-mapper)
+          - V(oidc-usersessionmodel-note-mapper).
-                    - V(oidc-usersessionmodel-note-mapper)
+          - V(saml-group-membership-mapper).
-                    - V(saml-group-membership-mapper)
+          - V(saml-hardcode-attribute-mapper).
-                    - V(saml-hardcode-attribute-mapper)
+          - V(saml-hardcode-role-mapper).
-                    - V(saml-hardcode-role-mapper)
+          - V(saml-role-list-mapper).
-                    - V(saml-role-list-mapper)
+          - V(saml-role-name-mapper).
-                    - V(saml-role-name-mapper)
+          - V(saml-user-attribute-mapper).
-                    - V(saml-user-attribute-mapper)
+          - V(saml-user-property-mapper).
-                    - V(saml-user-property-mapper)
+          - V(saml-user-session-note-mapper).
-                    - V(saml-user-session-note-mapper)
+          - An exhaustive list of available mappers on your installation can be obtained on the admin console by going to Server Info -> Providers
-                    - An exhaustive list of available mappers on your installation can be obtained on
+            and looking under 'protocol-mapper'.
                      the admin console by going to Server Info -> Providers and looking under
                      'protocol-mapper'.
        type: str
      config:
        description:
-                    - Dict specifying the configuration options for the protocol mapper; the
+          - Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value of
-                      contents differ depending on the value of O(protocol_mappers[].protocolMapper) and are not documented
+            O(protocol_mappers[].protocolMapper)
-                      other than by the source of the mappers and its parent class(es). An example is given
+            and are not documented other than by the source of the mappers and its parent class(es). An example is given below. It is easiest
-                      below. It is easiest to obtain valid config values by dumping an already-existing
+            to obtain valid config values by dumping an already-existing protocol mapper configuration through check-mode in the RV(existing)
-                      protocol mapper configuration through check-mode in the RV(existing) field.
+            field.
        type: dict
  attributes:
    description:
-            - A dict of further attributes for this client. This can contain various configuration
+      - A dict of further attributes for this client. This can contain various configuration settings; an example is given in the examples section.
-              settings; an example is given in the examples section. While an exhaustive list of
+        While an exhaustive list of permissible options is not available; possible options as of Keycloak 3.4 are listed below. The Keycloak API
-              permissible options is not available; possible options as of Keycloak 3.4 are listed below. The Keycloak
+        does not validate whether a given option is appropriate for the protocol used; if specified anyway, Keycloak will simply not use it.
              API does not validate whether a given option is appropriate for the protocol used; if specified
              anyway, Keycloak will simply not use it.
    type: dict
    suboptions:
      saml.authnstatement:
        description:
-                    - For SAML clients, boolean specifying whether or not a statement containing method and timestamp
+          - For SAML clients, boolean specifying whether or not a statement containing method and timestamp should be included in the login response.
                      should be included in the login response.
      saml.client.signature:
        description:
          - For SAML clients, boolean specifying whether a client signature is required and validated.
      saml.encrypt:
        description:
          - Boolean specifying whether SAML assertions should be encrypted with the client's public key.
      saml.force.post.binding:
        description:
          - For SAML clients, boolean specifying whether always to use POST binding for responses.
      saml.onetimeuse.condition:
        description:
          - For SAML clients, boolean specifying whether a OneTimeUse condition should be included in login responses.
      saml.server.signature:
        description:
          - Boolean specifying whether SAML documents should be signed by the realm.
      saml.server.signature.keyinfo.ext:
        description:
-                    - For SAML clients, boolean specifying whether REDIRECT signing key lookup should be optimized through inclusion
+          - For SAML clients, boolean specifying whether REDIRECT signing key lookup should be optimized through inclusion of the signing key
-                      of the signing key id in the SAML Extensions element.
+            id in the SAML Extensions element.
      saml.signature.algorithm:
        description:
          - Signature algorithm used to sign SAML documents. One of V(RSA_SHA256), V(RSA_SHA1), V(RSA_SHA512), or V(DSA_SHA1).
      saml.signing.certificate:
        description:
          - SAML signing key certificate, base64-encoded.
      saml.signing.private.key:
        description:
          - SAML signing key private key, base64-encoded.
      saml_assertion_consumer_url_post:
        description:
          - SAML POST Binding URL for the client's assertion consumer service (login responses).
      saml_assertion_consumer_url_redirect:
        description:
          - SAML Redirect Binding URL for the client's assertion consumer service (login responses).
      saml_force_name_id_format:
        description:
          - For SAML clients, Boolean specifying whether to ignore requested NameID subject format and using the configured one instead.
      saml_name_id_format:
        description:
-                    - For SAML clients, the NameID format to use (one of V(username), V(email), V(transient), or V(persistent))
+          - For SAML clients, the NameID format to use (one of V(username), V(email), V(transient), or V(persistent)).
      saml_signature_canonicalization_method:
        description:
-                    - SAML signature canonicalization method. This is one of four values, namely
+          - SAML signature canonicalization method. This is one of four values, namely V(http://www.w3.org/2001/10/xml-exc-c14n#) for EXCLUSIVE,
-                      V(http://www.w3.org/2001/10/xml-exc-c14n#) for EXCLUSIVE,
+            V(http://www.w3.org/2001/10/xml-exc-c14n#WithComments) for EXCLUSIVE_WITH_COMMENTS, V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
-                      V(http://www.w3.org/2001/10/xml-exc-c14n#WithComments) for EXCLUSIVE_WITH_COMMENTS,
+            for INCLUSIVE, and V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments) for INCLUSIVE_WITH_COMMENTS.
                      V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315) for INCLUSIVE, and
                      V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments) for INCLUSIVE_WITH_COMMENTS.
      saml_single_logout_service_url_post:
        description:
          - SAML POST binding url for the client's single logout service.
      saml_single_logout_service_url_redirect:
        description:
          - SAML redirect binding url for the client's single logout service.
      user.info.response.signature.alg:
        description:
          - For OpenID-Connect clients, JWA algorithm for signed UserInfo-endpoint responses. One of V(RS256) or V(unsigned).
      request.object.signature.alg:
        description:
-                    - For OpenID-Connect clients, JWA algorithm which the client needs to use when sending
+          - For OpenID-Connect clients, JWA algorithm which the client needs to use when sending OIDC request object. One of V(any), V(none),
-                      OIDC request object. One of V(any), V(none), V(RS256).
+            V(RS256).
      use.jwks.url:
        description:
-                    - For OpenID-Connect clients, boolean specifying whether to use a JWKS URL to obtain client
+          - For OpenID-Connect clients, boolean specifying whether to use a JWKS URL to obtain client public keys.
                      public keys.
      jwks.url:
        description:
          - For OpenID-Connect clients, URL where client keys in JWK are stored.
      jwt.credential.certificate:
        description:
-                    - For OpenID-Connect clients, client certificate for validating JWT issued by
+          - For OpenID-Connect clients, client certificate for validating JWT issued by client and signed by its key, base64-encoded.
                      client and signed by its key, base64-encoded.
      x509.subjectdn:
        description:
          - For OpenID-Connect clients, subject which will be used to authenticate the client.
@ -602,9 +531,9 @@ extends_documentation_fragment:
 author:
  - Eike Frost (@eikef)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Create or update Keycloak client (minimal example), authentication with credentials
  community.general.keycloak_client:
    auth_keycloak_url: https://auth.example.com/auth
@ -744,9 +673,9 @@ EXAMPLES = '''
      jwks.url: JWKS_URL_FOR_CLIENT_AUTH_JWT
      jwt.credential.certificate: JWT_CREDENTIAL_CERTIFICATE_FOR_CLIENT_AUTH
  delegate_to: localhost
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
@ -757,32 +686,20 @@ proposed:
  description: Representation of proposed client.
  returned: always
  type: dict
-    sample: {
+  sample: {clientId: "test"}
      clientId: "test"
    }
 existing:
  description: Representation of existing client (sample is truncated).
  returned: always
  type: dict
-    sample: {
+  sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
        "adminUrl": "http://www.example.com/admin_url",
        "attributes": {
            "request.object.signature.alg": "RS256",
        }
    }
 end_state:
  description: Representation of client after module execution (sample is truncated).
  returned: on success
  type: dict
-    sample: {
+  sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
-        "adminUrl": "http://www.example.com/admin_url",
+"""
        "attributes": {
            "request.object.signature.alg": "RS256",
        }
    }
 '''
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
    keycloak_argument_spec, get_token, KeycloakError, is_struct_included
--- a/plugins/modules/keycloak_client_rolemapping.py
+++ b/plugins/modules/keycloak_client_rolemapping.py
@ -8,8 +8,7 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_client_rolemapping
 short_description: Allows administration of Keycloak client_rolemapping with the Keycloak API
@ -17,22 +16,16 @@ short_description: Allows administration of Keycloak client_rolemapping with the
 version_added: 3.5.0
 description:
-    - This module allows you to add, remove or modify Keycloak client_rolemapping with the Keycloak REST API.
+  - This module allows you to add, remove or modify Keycloak client_rolemapping with the Keycloak REST API. It requires access to the REST API
-      It requires access to the REST API via OpenID Connect; the user connecting and the client being
+    using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation,
-      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+    admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the
-      and an admin user would work, as would a separate client definition with the scope tailored
+    expected roles.
-      to your needs and a user having the expected roles.
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
-
+    U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
-    - The names of module options are snake_cased versions of the camelCase ones found in the
+  - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
-      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
+    You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
-
+  - When updating a client_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API to translate the name
-    - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
+    into the role ID.
      be returned that way by this module. You may pass single values for attributes when calling the module,
      and this will be translated into a list suitable for the API.
    - When updating a client_rolemapping, where possible provide the role ID to the module. This removes a lookup
      to the API to translate the name into the role ID.
 attributes:
  check_mode:
    support: full
@ -64,14 +57,12 @@ options:
    description:
      - Name of the group to be mapped.
      - This parameter is required (can be replaced by gid for less API call).
  parents:
    version_added: "7.1.0"
    type: list
    description:
      - List of parent groups for the group to handle sorted top to bottom.
-            - >-
+      - Set this if your group is a subgroup and you do not provide the GID in O(gid).
              Set this if your group is a subgroup and you do not provide the GID in O(gid).
    elements: dict
    suboptions:
      id:
@ -80,38 +71,31 @@ options:
          - Identify parent by ID.
          - Needs less API calls than using O(parents[].name).
          - A deep parent chain can be started at any point when first given parent is given as ID.
-              - Note that in principle both ID and name can be specified at the same time
+          - Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
-                but current implementation only always use just one of them, with ID
+            with ID being preferred.
                being preferred.
      name:
        type: str
        description:
          - Identify parent by name.
          - Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
          - When giving a parent chain with only names it must be complete up to the top.
-              - Note that in principle both ID and name can be specified at the same time
+          - Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
-                but current implementation only always use just one of them, with ID
+            with ID being preferred.
                being preferred.
  gid:
    type: str
    description:
      - Id of the group to be mapped.
-            - This parameter is not required for updating or deleting the rolemapping but
+      - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
              providing it will reduce the number of API calls required.
  client_id:
    type: str
    description:
      - Name of the client to be mapped (different than O(cid)).
      - This parameter is required (can be replaced by cid for less API call).
  cid:
    type: str
    description:
      - Id of the client to be mapped.
-            - This parameter is not required for updating or deleting the rolemapping but
+      - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
              providing it will reduce the number of API calls required.
  roles:
    description:
      - Roles to be mapped to the group.
@ -127,9 +111,8 @@ options:
        type: str
        description:
          - The unique identifier for this role_representation.
-                    - This parameter is not required for updating or deleting a role_representation but
+          - This parameter is not required for updating or deleting a role_representation but providing it will reduce the number of API calls
-                      providing it will reduce the number of API calls required.
+            required.
 extends_documentation_fragment:
  - community.general.keycloak
  - community.general.keycloak.actiongroup_keycloak
@ -137,9 +120,9 @@ extends_documentation_fragment:
 author:
  - Gaëtan Daubresse (@Gaetan2907)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Map a client role to a group, authentication with credentials
  community.general.keycloak_client_rolemapping:
    realm: MyCustomRealm
@ -209,10 +192,9 @@ EXAMPLES = '''
      - name: role_name2
        id: role_id2
  delegate_to: localhost
 """
-'''
+RETURN = r"""
 RETURN = '''
 msg:
  description: Message as to what action was taken.
  returned: always
@ -223,9 +205,7 @@ proposed:
  description: Representation of proposed client role mapping.
  returned: always
  type: dict
-    sample: {
+  sample: {clientId: "test"}
      clientId: "test"
    }
 existing:
  description:
@ -233,12 +213,7 @@ existing:
    - The sample is truncated.
  returned: always
  type: dict
-    sample: {
+  sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
        "adminUrl": "http://www.example.com/admin_url",
        "attributes": {
            "request.object.signature.alg": "RS256",
        }
    }
 end_state:
  description:
@ -246,13 +221,8 @@ end_state:
    - The sample is truncated.
  returned: on success
  type: dict
-    sample: {
+  sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
-        "adminUrl": "http://www.example.com/admin_url",
+"""
        "attributes": {
            "request.object.signature.alg": "RS256",
        }
    }
 '''
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import (
    KeycloakAPI, keycloak_argument_spec, get_token, KeycloakError,
--- a/plugins/modules/keycloak_client_rolescope.py
+++ b/plugins/modules/keycloak_client_rolescope.py
@ -8,27 +8,20 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_client_rolescope
-short_description: Allows administration of Keycloak client roles scope to restrict the usage of certain roles to a other specific client applications.
+short_description: Allows administration of Keycloak client roles scope to restrict the usage of certain roles to a other specific client applications
 version_added: 8.6.0
 description:
-    - This module allows you to add or remove Keycloak roles from clients scope via the Keycloak REST API.
+  - This module allows you to add or remove Keycloak roles from clients scope using the Keycloak REST API. It requires access to the REST API using
-      It requires access to the REST API via OpenID Connect; the user connecting and the client being
+    OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
-      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+    and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
      and an admin user would work, as would a separate client definition with the scope tailored
      to your needs and a user having the expected roles.
  - Client O(client_id) must have O(community.general.keycloak_client#module:full_scope_allowed) set to V(false).
-
+  - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
-    - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
+    You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
      be returned that way by this module. You may pass single values for attributes when calling the module,
      and this will be translated into a list suitable for the API.
 attributes:
  check_mode:
    support: full
@ -60,7 +53,6 @@ options:
    required: true
    description:
      - Roles provided in O(role_names) while be added to this client scope.
  client_scope_id:
    type: str
    description:
@ -74,8 +66,6 @@ options:
      - Names of roles to manipulate.
      - If O(client_scope_id) is present, all roles must be under this client.
      - If O(client_scope_id) is absent, all roles must be under the realm.
 extends_documentation_fragment:
  - community.general.keycloak
  - community.general.keycloak.actiongroup_keycloak
@ -83,9 +73,9 @@ extends_documentation_fragment:
 author:
  - Andre Desrosiers (@desand01)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Add roles to public client scope
  community.general.keycloak_client_rolescope:
    auth_keycloak_url: https://auth.example.com/auth
@ -123,9 +113,9 @@ EXAMPLES = '''
    role_names:
      - realm-role-admin
      - realm-role-user
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
@ -153,7 +143,7 @@ end_state:
        "name": "backend-role-user"
      }
    ]
-'''
+"""
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
    keycloak_argument_spec, get_token, KeycloakError
--- a/plugins/modules/keycloak_clientscope.py
+++ b/plugins/modules/keycloak_clientscope.py
@ -8,31 +8,23 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_clientscope
-short_description: Allows administration of Keycloak client_scopes via Keycloak API
+short_description: Allows administration of Keycloak client_scopes using Keycloak API
 version_added: 3.4.0
 description:
-    - This module allows you to add, remove or modify Keycloak client_scopes via the Keycloak REST API.
+  - This module allows you to add, remove or modify Keycloak client_scopes using the Keycloak REST API. It requires access to the REST API using OpenID
-      It requires access to the REST API via OpenID Connect; the user connecting and the client being
+    Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
-      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+    and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
-      and an admin user would work, as would a separate client definition with the scope tailored
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
-      to your needs and a user having the expected roles.
+    U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
-
+  - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
-    - The names of module options are snake_cased versions of the camelCase ones found in the
+    You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
-      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
+  - When updating a client_scope, where possible provide the client_scope ID to the module. This removes a lookup to the API to translate the
-
+    name into the client_scope ID.
    - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
      be returned that way by this module. You may pass single values for attributes when calling the module,
      and this will be translated into a list suitable for the API.
    - When updating a client_scope, where possible provide the client_scope ID to the module. This removes a lookup
      to the API to translate the name into the client_scope ID.
 attributes:
  check_mode:
    support: full
@ -58,7 +50,6 @@ options:
    description:
      - Name of the client_scope.
      - This parameter is required only when creating or updating the client_scope.
  realm:
    type: str
    description:
@ -69,15 +60,12 @@ options:
    type: str
    description:
      - The unique identifier for this client_scope.
-            - This parameter is not required for updating or deleting a client_scope but
+      - This parameter is not required for updating or deleting a client_scope but providing it will reduce the number of API calls required.
              providing it will reduce the number of API calls required.
  description:
    type: str
    description:
      - Description for this client_scope.
      - This parameter is not required for updating or deleting a client_scope.
  protocol:
    description:
      - Type of client.
@ -88,7 +76,7 @@ options:
  protocol_mappers:
    description:
      - A list of dicts defining protocol mappers for this client.
-            - This is 'protocolMappers' in the Keycloak REST API.
+      - This is C(protocolMappers) in the Keycloak REST API.
    aliases:
      - protocolMappers
    type: list
@ -97,40 +85,38 @@ options:
      protocol:
        description:
          - This specifies for which protocol this protocol mapper.
-                    - is active.
+          - Is active.
        choices: ['openid-connect', 'saml', 'wsfed', 'docker-v2']
        type: str
      protocolMapper:
        description:
-                    - "The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is
+          - 'The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide since this may
-                      impossible to provide since this may be extended through SPIs by the user of Keycloak,
+            be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:'
-                      by default Keycloak as of 3.4 ships with at least:"
+          - V(docker-v2-allow-all-mapper).
-                    - V(docker-v2-allow-all-mapper)
+          - V(oidc-address-mapper).
-                    - V(oidc-address-mapper)
+          - V(oidc-full-name-mapper).
-                    - V(oidc-full-name-mapper)
+          - V(oidc-group-membership-mapper).
-                    - V(oidc-group-membership-mapper)
+          - V(oidc-hardcoded-claim-mapper).
-                    - V(oidc-hardcoded-claim-mapper)
+          - V(oidc-hardcoded-role-mapper).
-                    - V(oidc-hardcoded-role-mapper)
+          - V(oidc-role-name-mapper).
-                    - V(oidc-role-name-mapper)
+          - V(oidc-script-based-protocol-mapper).
-                    - V(oidc-script-based-protocol-mapper)
+          - V(oidc-sha256-pairwise-sub-mapper).
-                    - V(oidc-sha256-pairwise-sub-mapper)
+          - V(oidc-usermodel-attribute-mapper).
-                    - V(oidc-usermodel-attribute-mapper)
+          - V(oidc-usermodel-client-role-mapper).
-                    - V(oidc-usermodel-client-role-mapper)
+          - V(oidc-usermodel-property-mapper).
-                    - V(oidc-usermodel-property-mapper)
+          - V(oidc-usermodel-realm-role-mapper).
-                    - V(oidc-usermodel-realm-role-mapper)
+          - V(oidc-usersessionmodel-note-mapper).
-                    - V(oidc-usersessionmodel-note-mapper)
+          - V(saml-group-membership-mapper).
-                    - V(saml-group-membership-mapper)
+          - V(saml-hardcode-attribute-mapper).
-                    - V(saml-hardcode-attribute-mapper)
+          - V(saml-hardcode-role-mapper).
-                    - V(saml-hardcode-role-mapper)
+          - V(saml-role-list-mapper).
-                    - V(saml-role-list-mapper)
+          - V(saml-role-name-mapper).
-                    - V(saml-role-name-mapper)
+          - V(saml-user-attribute-mapper).
-                    - V(saml-user-attribute-mapper)
+          - V(saml-user-property-mapper).
-                    - V(saml-user-property-mapper)
+          - V(saml-user-session-note-mapper).
-                    - V(saml-user-session-note-mapper)
+          - An exhaustive list of available mappers on your installation can be obtained on the admin console by going to Server Info -> Providers
-                    - An exhaustive list of available mappers on your installation can be obtained on
+            and looking under 'protocol-mapper'.
                      the admin console by going to Server Info -> Providers and looking under
                      'protocol-mapper'.
        type: str
      name:
@ -145,11 +131,11 @@ options:
      config:
        description:
-                    - Dict specifying the configuration options for the protocol mapper; the
+          - Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value of
-                      contents differ depending on the value of O(protocol_mappers[].protocolMapper) and are not documented
+            O(protocol_mappers[].protocolMapper)
-                      other than by the source of the mappers and its parent class(es). An example is given
+            and are not documented other than by the source of the mappers and its parent class(es). An example is given below. It is easiest
-                      below. It is easiest to obtain valid config values by dumping an already-existing
+            to obtain valid config values by dumping an already-existing protocol mapper configuration through check-mode in the RV(existing)
-                      protocol mapper configuration through check-mode in the RV(existing) return value.
+            return value.
        type: dict
  attributes:
@ -157,7 +143,6 @@ options:
    description:
      - A dict of key/value pairs to set as custom attributes for the client_scope.
      - Values may be single values (for example a string) or a list of strings.
 extends_documentation_fragment:
  - community.general.keycloak
  - community.general.keycloak.actiongroup_keycloak
@ -165,9 +150,9 @@ extends_documentation_fragment:
 author:
  - Gaëtan Daubresse (@Gaetan2907)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Create a Keycloak client_scopes, authentication with credentials
  community.general.keycloak_clientscope:
    name: my-new-kc-clientscope
@ -263,9 +248,9 @@ EXAMPLES = '''
        - list
        - items
  delegate_to: localhost
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
@ -276,32 +261,20 @@ proposed:
  description: Representation of proposed client scope.
  returned: always
  type: dict
-    sample: {
+  sample: {clientId: "test"}
      clientId: "test"
    }
 existing:
  description: Representation of existing client scope (sample is truncated).
  returned: always
  type: dict
-    sample: {
+  sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
        "adminUrl": "http://www.example.com/admin_url",
        "attributes": {
            "request.object.signature.alg": "RS256",
        }
    }
 end_state:
  description: Representation of client scope after module execution (sample is truncated).
  returned: on success
  type: dict
-    sample: {
+  sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
-        "adminUrl": "http://www.example.com/admin_url",
+"""
        "attributes": {
            "request.object.signature.alg": "RS256",
        }
    }
 '''
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
    keycloak_argument_spec, get_token, KeycloakError, is_struct_included
--- a/plugins/modules/keycloak_clientscope_type.py
+++ b/plugins/modules/keycloak_clientscope_type.py
@ -9,22 +9,17 @@ from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_clientscope_type
-short_description: Set the type of aclientscope in realm or client via Keycloak API
+short_description: Set the type of aclientscope in realm or client using Keycloak API
 version_added: 6.6.0
 description:
-  - This module allows you to set the type (optional, default) of clientscopes
+  - This module allows you to set the type (optional, default) of clientscopes using the Keycloak REST API. It requires access to the REST API using
-    via the Keycloak REST API. It requires access to the REST API via OpenID
+    OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
-    Connect; the user connecting and the client being used must have the
+    and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
    requisite access rights. In a default Keycloak installation, admin-cli and
    an admin user would work, as would a separate client definition with the
    scope tailored to your needs and a user having the expected roles.
 attributes:
  check_mode:
    support: full
@ -66,9 +61,9 @@ extends_documentation_fragment:
 author:
  - Simon Pahl (@simonpahl)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Set default client scopes on realm level
  community.general.keycloak_clientscope_type:
    auth_client_id: admin-cli
@ -91,9 +86,9 @@ EXAMPLES = '''
    default_clientscopes: ['profile', 'roles']
    optional_clientscopes: ['phone']
  delegate_to: localhost
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
@ -103,30 +98,21 @@ proposed:
  description: Representation of proposed client-scope types mapping.
  returned: always
  type: dict
-    sample: {
+  sample: {default_clientscopes: ["profile", "role"], optional_clientscopes: []}
      default_clientscopes: ["profile", "role"],
      optional_clientscopes: []
    }
 existing:
  description:
    - Representation of client scopes before module execution.
  returned: always
  type: dict
-    sample: {
+  sample: {default_clientscopes: ["profile", "role"], optional_clientscopes: ["phone"]}
      default_clientscopes: ["profile", "role"],
      optional_clientscopes: ["phone"]
    }
 end_state:
  description:
    - Representation of client scopes after module execution.
    - The sample is truncated.
  returned: on success
  type: dict
-    sample: {
+  sample: {default_clientscopes: ["profile", "role"], optional_clientscopes: []}
-      default_clientscopes: ["profile", "role"],
+"""
      optional_clientscopes: []
    }
 '''
 from ansible.module_utils.basic import AnsibleModule
--- a/plugins/modules/keycloak_clientsecret_info.py
+++ b/plugins/modules/keycloak_clientsecret_info.py
@ -9,29 +9,20 @@ from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_clientsecret_info
-short_description: Retrieve client secret via Keycloak API
+short_description: Retrieve client secret using Keycloak API
 version_added: 6.1.0
 description:
-  - This module allows you to get a Keycloak client secret via the Keycloak
+  - This module allows you to get a Keycloak client secret using the Keycloak REST API. It requires access to the REST API using OpenID Connect; the
-    REST API. It requires access to the REST API via OpenID Connect; the user
+    user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin
-    connecting and the client being used must have the requisite access rights.
+    user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
-    In a default Keycloak installation, admin-cli and an admin user would work,
+  - When retrieving a new client secret, where possible provide the client's O(id) (not O(client_id)) to the module. This removes a lookup to
-    as would a separate client definition with the scope tailored to your needs
+    the API to translate the O(client_id) into the client ID.
-    and a user having the expected roles.
+  - 'Note that this module returns the client secret. To avoid this showing up in the logs, please add C(no_log: true) to the task.'
  - When retrieving a new client secret, where possible provide the client's
    O(id) (not O(client_id)) to the module. This removes a lookup to the API to
    translate the O(client_id) into the client ID.
  - "Note that this module returns the client secret. To avoid this showing up in the logs,
     please add C(no_log: true) to the task."
 attributes:
  action_group:
    version_added: 10.2.0
@ -46,14 +37,12 @@ options:
  id:
    description:
      - The unique identifier for this client.
-      - This parameter is not required for getting or generating a client secret but
+      - This parameter is not required for getting or generating a client secret but providing it will reduce the number of API calls required.
        providing it will reduce the number of API calls required.
    type: str
  client_id:
    description:
-      - The O(client_id) of the client. Passing this instead of O(id) results in an
+      - The O(client_id) of the client. Passing this instead of O(id) results in an extra API call.
        extra API call.
    aliases:
      - clientId
    type: str
@ -68,9 +57,9 @@ extends_documentation_fragment:
 author:
  - Fynn Chen (@fynncfchen)
  - John Cant (@johncant)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Get a Keycloak client secret, authentication with credentials
  community.general.keycloak_clientsecret_info:
    id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd'
@ -102,16 +91,16 @@ EXAMPLES = '''
    token: TOKEN
  delegate_to: localhost
  no_log: true
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
-  description: Textual description of whether we succeeded or failed
+  description: Textual description of whether we succeeded or failed.
  returned: always
  type: str
 clientsecret_info:
-  description: Representation of the client secret
+  description: Representation of the client secret.
  returned: on success
  type: complex
  contains:
@ -125,7 +114,7 @@ clientsecret_info:
      type: str
      returned: always
      sample: cUGnX1EIeTtPPAkcyGMv0ncyqDPu68P1
-'''
+"""
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import (
    KeycloakAPI, KeycloakError, get_token)
--- a/plugins/modules/keycloak_clientsecret_regenerate.py
+++ b/plugins/modules/keycloak_clientsecret_regenerate.py
@ -9,29 +9,20 @@ from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_clientsecret_regenerate
-short_description: Regenerate Keycloak client secret via Keycloak API
+short_description: Regenerate Keycloak client secret using Keycloak API
 version_added: 6.1.0
 description:
-  - This module allows you to regenerate a Keycloak client secret via the
+  - This module allows you to regenerate a Keycloak client secret using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
-    Keycloak REST API. It requires access to the REST API via OpenID Connect;
+    the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an
-    the user connecting and the client being used must have the requisite access
+    admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
-    rights. In a default Keycloak installation, admin-cli and an admin user
+  - When regenerating a client secret, where possible provide the client's id (not client_id) to the module. This removes a lookup to the API
-    would work, as would a separate client definition with the scope tailored to
+    to translate the client_id into the client ID.
-    your needs and a user having the expected roles.
+  - 'Note that this module returns the client secret. To avoid this showing up in the logs, please add C(no_log: true) to the task.'
  - When regenerating a client secret, where possible provide the client's id
    (not client_id) to the module. This removes a lookup to the API to
    translate the client_id into the client ID.
  - "Note that this module returns the client secret. To avoid this showing up in the logs,
     please add C(no_log: true) to the task."
 attributes:
  check_mode:
    support: full
@ -50,14 +41,12 @@ options:
  id:
    description:
      - The unique identifier for this client.
-      - This parameter is not required for getting or generating a client secret but
+      - This parameter is not required for getting or generating a client secret but providing it will reduce the number of API calls required.
        providing it will reduce the number of API calls required.
    type: str
  client_id:
    description:
-      - The client_id of the client. Passing this instead of id results in an
+      - The client_id of the client. Passing this instead of id results in an extra API call.
        extra API call.
    aliases:
      - clientId
    type: str
@ -71,9 +60,9 @@ extends_documentation_fragment:
 author:
  - Fynn Chen (@fynncfchen)
  - John Cant (@johncant)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Regenerate a Keycloak client secret, authentication with credentials
  community.general.keycloak_clientsecret_regenerate:
    id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd'
@ -105,16 +94,16 @@ EXAMPLES = '''
    token: TOKEN
  delegate_to: localhost
  no_log: true
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
  type: str
 end_state:
-  description: Representation of the client credential after module execution
+  description: Representation of the client credential after module execution.
  returned: on success
  type: complex
  contains:
@ -128,8 +117,7 @@ end_state:
      type: str
      returned: always
      sample: cUGnX1EIeTtPPAkcyGMv0ncyqDPu68P1
-
+"""
 '''
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import (
    KeycloakAPI, KeycloakError, get_token)
--- a/plugins/modules/keycloak_clienttemplate.py
+++ b/plugins/modules/keycloak_clienttemplate.py
@ -8,26 +8,19 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_clienttemplate
-short_description: Allows administration of Keycloak client templates via Keycloak API
+short_description: Allows administration of Keycloak client templates using Keycloak API
 description:
-    - This module allows the administration of Keycloak client templates via the Keycloak REST API. It
+  - This module allows the administration of Keycloak client templates using the Keycloak REST API. It requires access to the REST API using OpenID
-      requires access to the REST API via OpenID Connect; the user connecting and the client being
+    Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
-      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+    and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
-      and an admin user would work, as would a separate client definition with the scope tailored
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
-      to your needs and a user having the expected roles.
+    U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
-
+  - The Keycloak API does not always enforce for only sensible settings to be used -- you can set SAML-specific settings on an OpenID Connect
-    - The names of module options are snake_cased versions of the camelCase ones found in the
+    client for instance and the other way around. Be careful. If you do not specify a setting, usually a sensible default is chosen.
      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html)
    - The Keycloak API does not always enforce for only sensible settings to be used -- you can set
      SAML-specific settings on an OpenID Connect client for instance and vice versa. Be careful.
      If you do not specify a setting, usually a sensible default is chosen.
 attributes:
  check_mode:
    support: full
@ -41,7 +34,7 @@ options:
    description:
      - State of the client template.
      - On V(present), the client template will be created (or updated if it exists already).
-            - On V(absent), the client template will be removed if it exists
+      - On V(absent), the client template will be removed if it exists.
    choices: ['present', 'absent']
    default: 'present'
    type: str
@ -76,14 +69,12 @@ options:
  full_scope_allowed:
    description:
-            - Is the "Full Scope Allowed" feature set for this client template or not.
+      - Is the "Full Scope Allowed" feature set for this client template or not. This is C(fullScopeAllowed) in the Keycloak REST API.
              This is 'fullScopeAllowed' in the Keycloak REST API.
    type: bool
  protocol_mappers:
    description:
-            - a list of dicts defining protocol mappers for this client template.
+      - A list of dicts defining protocol mappers for this client template. This is C(protocolMappers) in the Keycloak REST API.
              This is 'protocolMappers' in the Keycloak REST API.
    type: list
    elements: dict
    suboptions:
@ -115,59 +106,55 @@ options:
      protocolMapper:
        description:
-                    - "The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is
+          - 'The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide since this may
-                      impossible to provide since this may be extended through SPIs by the user of Keycloak,
+            be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:'
-                      by default Keycloak as of 3.4 ships with at least:"
+          - V(docker-v2-allow-all-mapper).
-                    - V(docker-v2-allow-all-mapper)
+          - V(oidc-address-mapper).
-                    - V(oidc-address-mapper)
+          - V(oidc-full-name-mapper).
-                    - V(oidc-full-name-mapper)
+          - V(oidc-group-membership-mapper).
-                    - V(oidc-group-membership-mapper)
+          - V(oidc-hardcoded-claim-mapper).
-                    - V(oidc-hardcoded-claim-mapper)
+          - V(oidc-hardcoded-role-mapper).
-                    - V(oidc-hardcoded-role-mapper)
+          - V(oidc-role-name-mapper).
-                    - V(oidc-role-name-mapper)
+          - V(oidc-script-based-protocol-mapper).
-                    - V(oidc-script-based-protocol-mapper)
+          - V(oidc-sha256-pairwise-sub-mapper).
-                    - V(oidc-sha256-pairwise-sub-mapper)
+          - V(oidc-usermodel-attribute-mapper).
-                    - V(oidc-usermodel-attribute-mapper)
+          - V(oidc-usermodel-client-role-mapper).
-                    - V(oidc-usermodel-client-role-mapper)
+          - V(oidc-usermodel-property-mapper).
-                    - V(oidc-usermodel-property-mapper)
+          - V(oidc-usermodel-realm-role-mapper).
-                    - V(oidc-usermodel-realm-role-mapper)
+          - V(oidc-usersessionmodel-note-mapper).
-                    - V(oidc-usersessionmodel-note-mapper)
+          - V(saml-group-membership-mapper).
-                    - V(saml-group-membership-mapper)
+          - V(saml-hardcode-attribute-mapper).
-                    - V(saml-hardcode-attribute-mapper)
+          - V(saml-hardcode-role-mapper).
-                    - V(saml-hardcode-role-mapper)
+          - V(saml-role-list-mapper).
-                    - V(saml-role-list-mapper)
+          - V(saml-role-name-mapper).
-                    - V(saml-role-name-mapper)
+          - V(saml-user-attribute-mapper).
-                    - V(saml-user-attribute-mapper)
+          - V(saml-user-property-mapper).
-                    - V(saml-user-property-mapper)
+          - V(saml-user-session-note-mapper).
-                    - V(saml-user-session-note-mapper)
+          - An exhaustive list of available mappers on your installation can be obtained on the admin console by going to Server Info -> Providers
-                    - An exhaustive list of available mappers on your installation can be obtained on
+            and looking under 'protocol-mapper'.
                      the admin console by going to Server Info -> Providers and looking under
                      'protocol-mapper'.
        type: str
      config:
        description:
-                    - Dict specifying the configuration options for the protocol mapper; the
+          - Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value of
-                      contents differ depending on the value of O(protocol_mappers[].protocolMapper) and are not documented
+            O(protocol_mappers[].protocolMapper)
-                      other than by the source of the mappers and its parent class(es). An example is given
+            and are not documented other than by the source of the mappers and its parent class(es). An example is given below. It is easiest
-                      below. It is easiest to obtain valid config values by dumping an already-existing
+            to obtain valid config values by dumping an already-existing protocol mapper configuration through check-mode in the RV(existing)
-                      protocol mapper configuration through check-mode in the RV(existing) field.
+            field.
        type: dict
  attributes:
    description:
-            - A dict of further attributes for this client template. This can contain various
+      - A dict of further attributes for this client template. This can contain various configuration settings, though in the default installation
-              configuration settings, though in the default installation of Keycloak as of 3.4, none
+        of Keycloak as of 3.4, none are documented or known, so this is usually empty.
              are documented or known, so this is usually empty.
    type: dict
 notes:
-    - The Keycloak REST API defines further fields (namely C(bearerOnly), C(consentRequired), C(standardFlowEnabled),
+  - The Keycloak REST API defines further fields (namely C(bearerOnly), C(consentRequired), C(standardFlowEnabled), C(implicitFlowEnabled),
-      C(implicitFlowEnabled), C(directAccessGrantsEnabled), C(serviceAccountsEnabled), C(publicClient), and
+    C(directAccessGrantsEnabled),
-      C(frontchannelLogout)) which, while available with keycloak_client, do not have any effect on
+    C(serviceAccountsEnabled), C(publicClient), and C(frontchannelLogout)) which, while available with keycloak_client, do not have any effect
-      Keycloak client-templates and are discarded if supplied with an API request changing client-templates. As such,
+    on Keycloak client-templates and are discarded if supplied with an API request changing client-templates. As such, they are not available
-      they are not available through this module.
+    through this module.
 extends_documentation_fragment:
  - community.general.keycloak
  - community.general.keycloak.actiongroup_keycloak
@ -175,9 +162,9 @@ extends_documentation_fragment:
 author:
  - Eike Frost (@eikef)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Create or update Keycloak client template (minimal), authentication with credentials
  community.general.keycloak_client:
    auth_client_id: admin-cli
@ -236,9 +223,9 @@ EXAMPLES = '''
    full_scope_allowed: false
    id: bce6f5e9-d7d3-4955-817e-c5b7f8d65b3f
  delegate_to: localhost
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
@ -249,34 +236,20 @@ proposed:
  description: Representation of proposed client template.
  returned: always
  type: dict
-    sample: {
+  sample: {name: "test01"}
      name: "test01"
    }
 existing:
  description: Representation of existing client template (sample is truncated).
  returned: always
  type: dict
-    sample: {
+  sample: {"description": "test01", "fullScopeAllowed": false, "id": "9c3712ab-decd-481e-954f-76da7b006e5f", "name": "test01", "protocol": "saml"}
        "description": "test01",
        "fullScopeAllowed": false,
        "id": "9c3712ab-decd-481e-954f-76da7b006e5f",
        "name": "test01",
        "protocol": "saml"
    }
 end_state:
  description: Representation of client template after module execution (sample is truncated).
  returned: on success
  type: dict
-    sample: {
+  sample: {"description": "test01", "fullScopeAllowed": false, "id": "9c3712ab-decd-481e-954f-76da7b006e5f", "name": "test01", "protocol": "saml"}
-        "description": "test01",
+"""
        "fullScopeAllowed": false,
        "id": "9c3712ab-decd-481e-954f-76da7b006e5f",
        "name": "test01",
        "protocol": "saml"
    }
 '''
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
    keycloak_argument_spec, get_token, KeycloakError
--- a/plugins/modules/keycloak_component.py
+++ b/plugins/modules/keycloak_component.py
@ -8,25 +8,20 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_component
-short_description: Allows administration of Keycloak components via Keycloak API
+short_description: Allows administration of Keycloak components using Keycloak API
 version_added: 10.0.0
 description:
-    - This module allows the administration of Keycloak components via the Keycloak REST API. It
+  - This module allows the administration of Keycloak components using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
-      requires access to the REST API via OpenID Connect; the user connecting and the realm being
+    the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, C(admin-cli) and an
-      used must have the requisite access rights. In a default Keycloak installation, C(admin-cli)
+    C(admin) user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles.
-      and an C(admin) user would work, as would a separate realm definition with the scope tailored
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
-      to your needs and a user having the expected roles.
+    U(https://www.keycloak.org/docs-api/latest/rest-api/index.html).
    - The names of module options are snake_cased versions of the camelCase ones found in the
      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/latest/rest-api/index.html).
    Aliases are provided so camelCased versions can be used as well.
 attributes:
  check_mode:
    support: full
@ -61,8 +56,8 @@ options:
    required: true
  provider_type:
    description:
-            - The name of the "provider type" for the key. That is, V(org.keycloak.storage.UserStorageProvider),
+      - The name of the "provider type" for the key. That is, V(org.keycloak.storage.UserStorageProvider), V(org.keycloak.userprofile.UserProfileProvider),
-              V(org.keycloak.userprofile.UserProfileProvider), ...
+        ...
      - See U(https://www.keycloak.org/docs/latest/server_development/index.html#_providers).
    type: str
    required: true
@ -79,9 +74,9 @@ extends_documentation_fragment:
 author:
  - Björn Bösel (@fivetide)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Manage Keycloak User Storage Provider
  community.general.keycloak_component:
    auth_keycloak_url: http://localhost:8080/auth
@ -97,9 +92,9 @@ EXAMPLES = '''
      myCustomKey: "my_custom_key"
      cachePolicy: "NO_CACHE"
      enabled: true
-'''
+"""
-RETURN = '''
+RETURN = r"""
 end_state:
  description: Representation of the keycloak_component after module execution.
  returned: on success
@ -130,9 +125,9 @@ end_state:
      type: str
      returned: when O(state=present)
    config:
-            description: component configuration.
+      description: Component configuration.
      type: dict
-'''
+"""
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
    keycloak_argument_spec, get_token, KeycloakError
--- a/plugins/modules/keycloak_component_info.py
+++ b/plugins/modules/keycloak_component_info.py
@ -8,17 +8,15 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_component_info
-short_description: Retrive component info in Keycloak
+short_description: Retrieve component info in Keycloak
 version_added: 8.2.0
 description:
-    - This module retrive information on component from Keycloak.
+  - This module retrieve information on component from Keycloak.
 attributes:
  action_group:
    version_added: 10.2.0
@ -36,12 +34,9 @@ options:
  provider_type:
    description:
      - Provider type of components.
-            - "Example:
+      - 'Examples: V(org.keycloak.storage.UserStorageProvider),
-                V(org.keycloak.storage.UserStorageProvider),
+        V(org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy), V(org.keycloak.keys.KeyProvider),
-                V(org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy),
+        V(org.keycloak.userprofile.UserProfileProvider), V(org.keycloak.storage.ldap.mappers.LDAPStorageMapper).'
                V(org.keycloak.keys.KeyProvider),
                V(org.keycloak.userprofile.UserProfileProvider),
                V(org.keycloak.storage.ldap.mappers.LDAPStorageMapper)."
    type: str
  parent_id:
    description:
@ -57,10 +52,10 @@ extends_documentation_fragment:
 author:
  - Andre Desrosiers (@desand01)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
-    - name: Retrive info of a UserStorageProvider named myldap
+- name: Retrive info of a UserStorageProvider named myldap
  community.general.keycloak_component_info:
    auth_keycloak_url: http://localhost:8080/auth
    auth_sername: admin
@ -70,7 +65,7 @@ EXAMPLES = '''
    name: myldap
    provider_type: org.keycloak.storage.UserStorageProvider
-    - name: Retrive key info component
+- name: Retrive key info component
  community.general.keycloak_component_info:
    auth_keycloak_url: http://localhost:8080/auth
    auth_sername: admin
@ -80,7 +75,7 @@ EXAMPLES = '''
    name: rsa-enc-generated
    provider_type: org.keycloak.keys.KeyProvider
-    - name: Retrive all component from realm master
+- name: Retrive all component from realm master
  community.general.keycloak_component_info:
    auth_keycloak_url: http://localhost:8080/auth
    auth_sername: admin
@ -88,7 +83,7 @@ EXAMPLES = '''
    auth_realm: master
    realm: myrealm
-    - name: Retrive all sub components of parent component filter by type
+- name: Retrive all sub components of parent component filter by type
  community.general.keycloak_component_info:
    auth_keycloak_url: http://localhost:8080/auth
    auth_sername: admin
@ -98,16 +93,15 @@ EXAMPLES = '''
    parent_id: "075ef2fa-19fc-4a6d-bf4c-249f57365fd2"
    provider_type: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
 """
-'''
+RETURN = r"""
 RETURN = '''
 components:
  description: JSON representation of components.
  returned: always
  type: list
  elements: dict
-'''
+"""
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
    keycloak_argument_spec, get_token, KeycloakError
--- a/plugins/modules/keycloak_group.py
+++ b/plugins/modules/keycloak_group.py
@ -8,29 +8,21 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_group
-short_description: Allows administration of Keycloak groups via Keycloak API
+short_description: Allows administration of Keycloak groups using Keycloak API
 description:
-    - This module allows you to add, remove or modify Keycloak groups via the Keycloak REST API.
+  - This module allows you to add, remove or modify Keycloak groups using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
-      It requires access to the REST API via OpenID Connect; the user connecting and the client being
+    the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an
-      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+    admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
-      and an admin user would work, as would a separate client definition with the scope tailored
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
-      to your needs and a user having the expected roles.
+    U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html).
-
+  - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
-    - The names of module options are snake_cased versions of the camelCase ones found in the
+    You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
-      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html).
+  - When updating a group, where possible provide the group ID to the module. This removes a lookup to the API to translate the name into the
-
+    group ID.
    - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
      be returned that way by this module. You may pass single values for attributes when calling the module,
      and this will be translated into a list suitable for the API.
    - When updating a group, where possible provide the group ID to the module. This removes a lookup
      to the API to translate the name into the group ID.
 attributes:
  check_mode:
    support: full
@ -44,9 +36,8 @@ options:
    description:
      - State of the group.
      - On V(present), the group will be created if it does not yet exist, or updated with the parameters you provide.
-            - >-
+      - On V(absent), the group will be removed if it exists. Be aware that absenting a group with subgroups will automatically delete all its
-              On V(absent), the group will be removed if it exists. Be aware that absenting
+        subgroups too.
              a group with subgroups will automatically delete all its subgroups too.
    default: 'present'
    type: str
    choices:
@ -58,7 +49,6 @@ options:
    description:
      - Name of the group.
      - This parameter is required only when creating or updating the group.
  realm:
    type: str
    description:
@ -69,26 +59,20 @@ options:
    type: str
    description:
      - The unique identifier for this group.
-            - This parameter is not required for updating or deleting a group but
+      - This parameter is not required for updating or deleting a group but providing it will reduce the number of API calls required.
              providing it will reduce the number of API calls required.
  attributes:
    type: dict
    description:
      - A dict of key/value pairs to set as custom attributes for the group.
-            - Values may be single values (e.g. a string) or a list of strings.
+      - Values may be single values (for example a string) or a list of strings.
  parents:
    version_added: "6.4.0"
    type: list
    description:
      - List of parent groups for the group to handle sorted top to bottom.
-            - >-
+      - Set this to create a group as a subgroup of another group or groups (parents) or when accessing an existing subgroup by name.
-              Set this to create a group as a subgroup of another group or groups (parents) or
+      - Not necessary to set when accessing an existing subgroup by its C(ID) because in that case the group can be directly queried without necessarily
-              when accessing an existing subgroup by name.
+        knowing its parent(s).
            - >-
              Not necessary to set when accessing an existing subgroup by its C(ID) because in
              that case the group can be directly queried without necessarily knowing its parent(s).
    elements: dict
    suboptions:
      id:
@ -97,23 +81,19 @@ options:
          - Identify parent by ID.
          - Needs less API calls than using O(parents[].name).
          - A deep parent chain can be started at any point when first given parent is given as ID.
-              - Note that in principle both ID and name can be specified at the same time
+          - Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
-                but current implementation only always use just one of them, with ID
+            with ID being preferred.
                being preferred.
      name:
        type: str
        description:
          - Identify parent by name.
          - Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
          - When giving a parent chain with only names it must be complete up to the top.
-              - Note that in principle both ID and name can be specified at the same time
+          - Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
-                but current implementation only always use just one of them, with ID
+            with ID being preferred.
                being preferred.
 notes:
-    - Presently, the RV(end_state.realmRoles), RV(end_state.clientRoles), and RV(end_state.access) attributes returned by the Keycloak API
+  - Presently, the RV(end_state.realmRoles), RV(end_state.clientRoles), and RV(end_state.access) attributes returned by the Keycloak API are read-only
-      are read-only for groups. This limitation will be removed in a later version of this module.
+    for groups. This limitation will be removed in a later version of this module.
 extends_documentation_fragment:
  - community.general.keycloak
  - community.general.keycloak.actiongroup_keycloak
@ -121,9 +101,9 @@ extends_documentation_fragment:
 author:
  - Adam Goossens (@adamgoossens)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Create a Keycloak group, authentication with credentials
  community.general.keycloak_group:
    name: my-new-kc-group
@ -258,9 +238,9 @@ EXAMPLES = '''
    parents:
      - id: "{{ result_new_kcgrp_sub.end_state.id }}"
  delegate_to: localhost
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
@ -298,8 +278,7 @@ end_state:
      returned: always
      sample: []
    subGroups:
-            description: A list of groups that are children of this group. These groups will have the same parameters as
+      description: A list of groups that are children of this group. These groups will have the same parameters as documented here.
                         documented here.
      type: list
      returned: always
    clientRoles:
@ -315,7 +294,7 @@ end_state:
        manage: true
        manageMembership: true
        view: true
-'''
+"""
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
    keycloak_argument_spec, get_token, KeycloakError
@ -372,7 +351,7 @@ def main():
    parents = module.params.get('parents')
    # attributes in Keycloak have their values returned as lists
-    # via the API. attributes is a dict, so we'll transparently convert
+    # using the API. attributes is a dict, so we'll transparently convert
    # the values to lists.
    if attributes is not None:
        for key, val in module.params['attributes'].items():
--- a/plugins/modules/keycloak_identity_provider.py
+++ b/plugins/modules/keycloak_identity_provider.py
@ -8,24 +8,20 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_identity_provider
-short_description: Allows administration of Keycloak identity providers via Keycloak API
+short_description: Allows administration of Keycloak identity providers using Keycloak API
 version_added: 3.6.0
 description:
-    - This module allows you to add, remove or modify Keycloak identity providers via the Keycloak REST API.
+  - This module allows you to add, remove or modify Keycloak identity providers using the Keycloak REST API. It requires access to the REST API
-      It requires access to the REST API via OpenID Connect; the user connecting and the client being
+    using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation,
-      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+    admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the
-      and an admin user would work, as would a separate client definition with the scope tailored
+    expected roles.
-      to your needs and a user having the expected roles.
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
-
+    U(https://www.keycloak.org/docs-api/15.0/rest-api/index.html).
    - The names of module options are snake_cased versions of the camelCase ones found in the
      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/15.0/rest-api/index.html).
 attributes:
  check_mode:
    support: full
@ -93,8 +89,8 @@ options:
  link_only:
    description:
-            - If true, users cannot log in through this provider. They can only link to this provider.
+      - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you do not want to allow login
-              This is useful if you don't want to allow login from the provider, but want to integrate with a provider.
+        from the provider, but want to integrate with a provider.
    aliases:
      - linkOnly
    type: bool
@ -129,9 +125,9 @@ options:
  config:
    description:
-            - Dict specifying the configuration options for the provider; the contents differ depending on the value of O(provider_id).
+      - Dict specifying the configuration options for the provider; the contents differ depending on the value of O(provider_id). Examples are
-              Examples are given below for V(oidc) and V(saml). It is easiest to obtain valid config values by dumping an already-existing
+        given below for V(oidc) and V(saml). It is easiest to obtain valid config values by dumping an already-existing identity provider configuration
-              identity provider configuration through check-mode in the RV(existing) field.
+        through check-mode in the RV(existing) field.
    type: dict
    suboptions:
      hide_on_login_page:
@ -273,8 +269,7 @@ options:
      config:
        description:
-                    - Dict specifying the configuration options for the mapper; the contents differ depending on the value of
+          - Dict specifying the configuration options for the mapper; the contents differ depending on the value of O(mappers[].identityProviderMapper).
                      O(mappers[].identityProviderMapper).
        type: dict
 extends_documentation_fragment:
@ -284,9 +279,9 @@ extends_documentation_fragment:
 author:
  - Laurent Paumier (@laurpaum)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Create OIDC identity provider, authentication with credentials
  community.general.keycloak_identity_provider:
    state: present
@ -347,9 +342,9 @@ EXAMPLES = '''
          attribute.friendly.name: User Roles
          attribute.name: roles
          syncMode: INHERIT
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
@ -428,7 +423,7 @@ end_state:
        "storeToken": false,
        "trustEmail": false,
    }
-'''
+"""
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
    keycloak_argument_spec, get_token, KeycloakError
--- a/plugins/modules/keycloak_realm.py
+++ b/plugins/modules/keycloak_realm.py
@ -9,29 +9,22 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_realm
-short_description: Allows administration of Keycloak realm via Keycloak API
+short_description: Allows administration of Keycloak realm using Keycloak API
 version_added: 3.0.0
 description:
-    - This module allows the administration of Keycloak realm via the Keycloak REST API. It
+  - This module allows the administration of Keycloak realm using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
-      requires access to the REST API via OpenID Connect; the user connecting and the realm being
+    the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin
-      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+    user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles.
-      and an admin user would work, as would a separate realm definition with the scope tailored
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
-      to your needs and a user having the expected roles.
+    U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
    - The names of module options are snake_cased versions of the camelCase ones found in the
      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
    Aliases are provided so camelCased versions can be used as well.
-
+  - The Keycloak API does not always sanity check inputs, for example you can set SAML-specific settings on an OpenID Connect client for instance and
-    - The Keycloak API does not always sanity check inputs e.g. you can set
+    also the other way around. B(Be careful). If you do not specify a setting, usually a sensible default is chosen.
      SAML-specific settings on an OpenID Connect client for instance and vice versa. Be careful.
      If you do not specify a setting, usually a sensible default is chosen.
 attributes:
  check_mode:
    support: full
@ -523,9 +516,9 @@ extends_documentation_fragment:
 author:
  - Christophe Gilles (@kris2kris)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Create or update Keycloak realm (minimal example)
  community.general.keycloak_realm:
    auth_client_id: admin-cli
@ -546,10 +539,9 @@ EXAMPLES = '''
    auth_password: PASSWORD
    id: test
    state: absent
 """
-'''
+RETURN = r"""
 RETURN = '''
 msg:
  description: Message as to what action was taken.
  returned: always
@ -560,32 +552,20 @@ proposed:
  description: Representation of proposed realm.
  returned: always
  type: dict
-    sample: {
+  sample: {id: "test"}
      id: "test"
    }
 existing:
  description: Representation of existing realm (sample is truncated).
  returned: always
  type: dict
-    sample: {
+  sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
        "adminUrl": "http://www.example.com/admin_url",
        "attributes": {
            "request.object.signature.alg": "RS256",
        }
    }
 end_state:
  description: Representation of realm after module execution (sample is truncated).
  returned: on success
  type: dict
-    sample: {
+  sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
-        "adminUrl": "http://www.example.com/admin_url",
+"""
        "attributes": {
            "request.object.signature.alg": "RS256",
        }
    }
 '''
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
    keycloak_argument_spec, get_token, KeycloakError
--- a/plugins/modules/keycloak_realm_info.py
+++ b/plugins/modules/keycloak_realm_info.py
@ -8,24 +8,19 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_realm_info
-short_description: Allows obtaining Keycloak realm public information via Keycloak API
+short_description: Allows obtaining Keycloak realm public information using Keycloak API
 version_added: 4.3.0
 description:
-    - This module allows you to get Keycloak realm public information via the Keycloak REST API.
+  - This module allows you to get Keycloak realm public information using the Keycloak REST API.
-
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
-    - The names of module options are snake_cased versions of the camelCase ones found in the
+    U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
-      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
+  - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
-
+    You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
    - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
      be returned that way by this module. You may pass single values for attributes when calling the module,
      and this will be translated into a list suitable for the API.
 extends_documentation_fragment:
  - community.general.attributes
  - community.general.attributes.info_module
@ -52,17 +47,17 @@ options:
 author:
  - Fynn Chen (@fynncfchen)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Get a Keycloak public key
  community.general.keycloak_realm_info:
    realm: MyCustomRealm
    auth_keycloak_url: https://auth.example.com/auth
  delegate_to: localhost
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
@ -99,7 +94,7 @@ realm_info:
      type: int
      returned: always
      sample: 0
-'''
+"""
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI
 from ansible.module_utils.basic import AnsibleModule
--- a/plugins/modules/keycloak_realm_key.py
+++ b/plugins/modules/keycloak_realm_key.py
@ -9,35 +9,25 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_realm_key
-short_description: Allows administration of Keycloak realm keys via Keycloak API
+short_description: Allows administration of Keycloak realm keys using Keycloak API
 version_added: 7.5.0
 description:
-    - This module allows the administration of Keycloak realm keys via the Keycloak REST API. It
+  - This module allows the administration of Keycloak realm keys using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
-      requires access to the REST API via OpenID Connect; the user connecting and the realm being
+    the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin
-      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+    user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles.
-      and an admin user would work, as would a separate realm definition with the scope tailored
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
-      to your needs and a user having the expected roles.
+    U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
    - The names of module options are snake_cased versions of the camelCase ones found in the
      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
    Aliases are provided so camelCased versions can be used as well.
-
+  - This module is unable to detect changes to the actual cryptographic key after importing it. However, if some other property is changed alongside
-    - This module is unable to detect changes to the actual cryptographic key after importing it.
+    the cryptographic key, then the key will also get changed as a side-effect, as the JSON payload needs to include the private key. This can
-      However, if some other property is changed alongside the cryptographic key, then the key
+    be considered either a bug or a feature, as the alternative would be to always update the realm key whether it has changed or not.
-      will also get changed as a side-effect, as the JSON payload needs to include the private key.
+  - If certificate is not explicitly provided it will be dynamically created by Keycloak. Therefore comparing the current state of the certificate
-      This can be considered either a bug or a feature, as the alternative would be to always
+    to the desired state (which may be empty) is not possible.
      update the realm key whether it has changed or not.
    - If certificate is not explicitly provided it will be dynamically created by Keycloak.
      Therefore comparing the current state of the certificate to the desired state (which may be
      empty) is not possible.
 attributes:
  check_mode:
    support: full
@ -62,10 +52,9 @@ options:
    required: true
  force:
    description:
-            - Enforce the state of the private key and certificate. This is not automatically the
+      - Enforce the state of the private key and certificate. This is not automatically the case as this module is unable to determine the current
-              case as this module is unable to determine the current state of the private key and
+        state of the private key and thus cannot trigger an update based on an actual divergence. That said, a private key update may happen even
-              thus cannot trigger an update based on an actual divergence. That said, a private key
+        if force is false as a side-effect of other changes.
              update may happen even if force is false as a side-effect of other changes.
    default: false
    type: bool
  parent_id:
@ -87,14 +76,12 @@ options:
    suboptions:
      active:
        description:
-                    - Whether they key is active or inactive. Not to be confused with the state
+          - Whether they key is active or inactive. Not to be confused with the state of the Ansible resource managed by the O(state) parameter.
                      of the Ansible resource managed by the O(state) parameter.
        default: true
        type: bool
      enabled:
        description:
-                    - Whether the key is enabled or disabled. Not to be confused with the state
+          - Whether the key is enabled or disabled. Not to be confused with the state of the Ansible resource managed by the O(state) parameter.
                      of the Ansible resource managed by the O(state) parameter.
        default: true
        type: bool
      priority:
@ -105,39 +92,30 @@ options:
      algorithm:
        description:
          - Key algorithm.
-                    - The values V(RS384), V(RS512), V(PS256), V(PS384), V(PS512), V(RSA1_5),
+          - The values V(RS384), V(RS512), V(PS256), V(PS384), V(PS512), V(RSA1_5), V(RSA-OAEP), V(RSA-OAEP-256) have been added in community.general
-                      V(RSA-OAEP), V(RSA-OAEP-256) have been added in community.general 8.2.0.
+            8.2.0.
        default: RS256
        choices: ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256']
        type: str
      private_key:
        description:
-                    - The private key as an ASCII string. Contents of the key must match O(config.algorithm)
+          - The private key as an ASCII string. Contents of the key must match O(config.algorithm) and O(provider_id).
-                      and O(provider_id).
+          - Please note that the module cannot detect whether the private key specified differs from the current state's private key. Use O(force=true)
-                    - Please note that the module cannot detect whether the private key specified differs from the
+            to force the module to update the private key if you expect it to be updated.
                      current state's private key. Use O(force=true) to force the module to update the private key
                      if you expect it to be updated.
        required: true
        type: str
      certificate:
        description:
-                    - A certificate signed with the private key as an ASCII string. Contents of the
+          - A certificate signed with the private key as an ASCII string. Contents of the key must match O(config.algorithm) and O(provider_id).
-                      key must match O(config.algorithm) and O(provider_id).
+          - If you want Keycloak to automatically generate a certificate using your private key then set this to an empty string.
                    - If you want Keycloak to automatically generate a certificate using your private key
                      then set this to an empty string.
        required: true
        type: str
 notes:
-    - Current value of the private key cannot be fetched from Keycloak.
+  - Current value of the private key cannot be fetched from Keycloak. Therefore comparing its desired state to the current state is not possible.
-      Therefore comparing its desired state to the current state is not
+  - If certificate is not explicitly provided it will be dynamically created by Keycloak. Therefore comparing the current state of the certificate
-      possible.
+    to the desired state (which may be empty) is not possible.
-    - If certificate is not explicitly provided it will be dynamically created
+  - Due to the private key and certificate options the module is B(not fully idempotent). You can use O(force=true) to force the module to always
-      by Keycloak. Therefore comparing the current state of the certificate to
+    update if you know that the private key might have changed.
      the desired state (which may be empty) is not possible.
    - Due to the private key and certificate options the module is
      B(not fully idempotent). You can use O(force=true) to force the module
      to always update if you know that the private key might have changed.
 extends_documentation_fragment:
  - community.general.keycloak
  - community.general.keycloak.actiongroup_keycloak
@ -145,9 +123,9 @@ extends_documentation_fragment:
 author:
  - Samuli Seppänen (@mattock)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Manage Keycloak realm key (certificate autogenerated by Keycloak)
  community.general.keycloak_realm_key:
    name: custom
@ -182,9 +160,9 @@ EXAMPLES = '''
      active: true
      priority: 120
      algorithm: RS256
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
@ -223,13 +201,8 @@ end_state:
      description: Realm key configuration.
      type: dict
      returned: when O(state=present)
-            sample: {
+      sample: {"active": ["true"], "algorithm": ["RS256"], "enabled": ["true"], "priority": ["140"]}
-              "active": ["true"],
+"""
              "algorithm": ["RS256"],
              "enabled": ["true"],
              "priority": ["140"]
            }
 '''
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
    keycloak_argument_spec, get_token, KeycloakError
--- a/plugins/modules/keycloak_realm_keys_metadata_info.py
+++ b/plugins/modules/keycloak_realm_keys_metadata_info.py
@ -9,20 +9,17 @@ from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = """
+DOCUMENTATION = r"""
 ---
 module: keycloak_realm_keys_metadata_info
-short_description: Allows obtaining Keycloak realm keys metadata via Keycloak API
+short_description: Allows obtaining Keycloak realm keys metadata using Keycloak API
 version_added: 9.3.0
 description:
-    - This module allows you to get Keycloak realm keys metadata via the Keycloak REST API.
+  - This module allows you to get Keycloak realm keys metadata using the Keycloak REST API.
-
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
-    - The names of module options are snake_cased versions of the camelCase ones found in the
+    U(https://www.keycloak.org/docs-api/latest/rest-api/index.html).
      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/latest/rest-api/index.html).
 attributes:
  action_group:
    version_added: 10.2.0
@ -44,7 +41,7 @@ author:
  - Thomas Bach (@thomasbach-dev)
 """
-EXAMPLES = """
+EXAMPLES = r"""
 - name: Fetch Keys metadata
  community.general.keycloak_realm_keys_metadata_info:
    auth_keycloak_url: https://auth.example.com/auth
@ -67,7 +64,7 @@ EXAMPLES = """
  delegate_to: localhost
 """
-RETURN = """
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
@ -76,9 +73,7 @@ msg:
 keys_metadata:
  description:
-        - Representation of the realm keys metadata (see
+    - Representation of the realm keys metadata (see U(https://www.keycloak.org/docs-api/latest/rest-api/index.html#KeysMetadataRepresentation)).
          U(https://www.keycloak.org/docs-api/latest/rest-api/index.html#KeysMetadataRepresentation)).
  returned: always
  type: dict
  contains:
--- a/plugins/modules/keycloak_realm_rolemapping.py
+++ b/plugins/modules/keycloak_realm_rolemapping.py
@ -8,8 +8,7 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_realm_rolemapping
 short_description: Allows administration of Keycloak realm role mappings into groups with the Keycloak API
@ -17,24 +16,16 @@ short_description: Allows administration of Keycloak realm role mappings into gr
 version_added: 8.2.0
 description:
-    - This module allows you to add, remove or modify Keycloak realm role
+  - This module allows you to add, remove or modify Keycloak realm role mappings into groups with the Keycloak REST API. It requires access to
-      mappings into groups with the Keycloak REST API. It requires access to the
+    the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak
-      REST API via OpenID Connect; the user connecting and the client being used
+    installation, admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user
-      must have the requisite access rights. In a default Keycloak installation,
+    having the expected roles.
-      admin-cli and an admin user would work, as would a separate client
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
-      definition with the scope tailored to your needs and a user having the
+    U(https://www.keycloak.org/docs-api/18.0/rest-api/index.html).
-      expected roles.
+  - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
-
+    You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
-    - The names of module options are snake_cased versions of the camelCase ones found in the
+  - When updating a group_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API to translate the name
-      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/18.0/rest-api/index.html).
+    into the role ID.
    - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
      be returned that way by this module. You may pass single values for attributes when calling the module,
      and this will be translated into a list suitable for the API.
    - When updating a group_rolemapping, where possible provide the role ID to the module. This removes a lookup
      to the API to translate the name into the role ID.
 attributes:
  check_mode:
    support: full
@ -66,13 +57,11 @@ options:
    description:
      - Name of the group to be mapped.
      - This parameter is required (can be replaced by gid for less API call).
  parents:
    type: list
    description:
      - List of parent groups for the group to handle sorted top to bottom.
-            - >-
+      - Set this if your group is a subgroup and you do not provide the GID in O(gid).
              Set this if your group is a subgroup and you do not provide the GID in O(gid).
    elements: dict
    suboptions:
      id:
@ -81,25 +70,21 @@ options:
          - Identify parent by ID.
          - Needs less API calls than using O(parents[].name).
          - A deep parent chain can be started at any point when first given parent is given as ID.
-              - Note that in principle both ID and name can be specified at the same time
+          - Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
-                but current implementation only always use just one of them, with ID
+            with ID being preferred.
                being preferred.
      name:
        type: str
        description:
          - Identify parent by name.
          - Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
          - When giving a parent chain with only names it must be complete up to the top.
-              - Note that in principle both ID and name can be specified at the same time
+          - Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
-                but current implementation only always use just one of them, with ID
+            with ID being preferred.
                being preferred.
  gid:
    type: str
    description:
      - ID of the group to be mapped.
-            - This parameter is not required for updating or deleting the rolemapping but
+      - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
              providing it will reduce the number of API calls required.
  roles:
    description:
      - Roles to be mapped to the group.
@ -115,9 +100,8 @@ options:
        type: str
        description:
          - The unique identifier for this role_representation.
-                    - This parameter is not required for updating or deleting a role_representation but
+          - This parameter is not required for updating or deleting a role_representation but providing it will reduce the number of API calls
-                      providing it will reduce the number of API calls required.
+            required.
 extends_documentation_fragment:
  - community.general.keycloak
  - community.general.keycloak.actiongroup_keycloak
@ -127,9 +111,9 @@ author:
  - Gaëtan Daubresse (@Gaetan2907)
  - Marius Huysamen (@mhuysamen)
  - Alexander Groß (@agross)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Map a client role to a group, authentication with credentials
  community.general.keycloak_realm_rolemapping:
    realm: MyCustomRealm
@ -195,9 +179,9 @@ EXAMPLES = '''
      - name: role_name2
        id: role_id2
  delegate_to: localhost
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
@ -208,9 +192,7 @@ proposed:
  description: Representation of proposed client role mapping.
  returned: always
  type: dict
-    sample: {
+  sample: {clientId: "test"}
      clientId: "test"
    }
 existing:
  description:
@ -218,12 +200,7 @@ existing:
    - The sample is truncated.
  returned: always
  type: dict
-    sample: {
+  sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
        "adminUrl": "http://www.example.com/admin_url",
        "attributes": {
            "request.object.signature.alg": "RS256",
        }
    }
 end_state:
  description:
@ -231,13 +208,8 @@ end_state:
    - The sample is truncated.
  returned: on success
  type: dict
-    sample: {
+  sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
-        "adminUrl": "http://www.example.com/admin_url",
+"""
        "attributes": {
            "request.object.signature.alg": "RS256",
        }
    }
 '''
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import (
    KeycloakAPI, keycloak_argument_spec, get_token, KeycloakError,
--- a/plugins/modules/keycloak_role.py
+++ b/plugins/modules/keycloak_role.py
@ -8,28 +8,21 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_role
-short_description: Allows administration of Keycloak roles via Keycloak API
+short_description: Allows administration of Keycloak roles using Keycloak API
 version_added: 3.4.0
 description:
-    - This module allows you to add, remove or modify Keycloak roles via the Keycloak REST API.
+  - This module allows you to add, remove or modify Keycloak roles using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
-      It requires access to the REST API via OpenID Connect; the user connecting and the client being
+    the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an
-      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+    admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
-      and an admin user would work, as would a separate client definition with the scope tailored
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
-      to your needs and a user having the expected roles.
+    U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
-
+  - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
-    - The names of module options are snake_cased versions of the camelCase ones found in the
+    You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
    - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
      be returned that way by this module. You may pass single values for attributes when calling the module,
      and this will be translated into a list suitable for the API.
 attributes:
  check_mode:
    support: full
@ -56,12 +49,10 @@ options:
    description:
      - Name of the role.
      - This parameter is required.
  description:
    type: str
    description:
      - The role description.
  realm:
    type: str
    description:
@ -73,12 +64,11 @@ options:
    description:
      - If the role is a client role, the client id under which it resides.
      - If this parameter is absent, the role is considered a realm role.
  attributes:
    type: dict
    description:
      - A dict of key/value pairs to set as custom attributes for the role.
-            - Values may be single values (e.g. a string) or a list of strings.
+      - Values may be single values (for example a string) or a list of strings.
  composite:
    description:
      - If V(true), the role is a composition of other realm and/or client role.
@ -123,9 +113,9 @@ extends_documentation_fragment:
 author:
  - Laurent Paumier (@laurpaum)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Create a Keycloak realm role, authentication with credentials
  community.general.keycloak_role:
    name: my-new-kc-role
@ -190,9 +180,9 @@ EXAMPLES = '''
        - list
        - items
  delegate_to: localhost
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
@ -203,38 +193,22 @@ proposed:
  description: Representation of proposed role.
  returned: always
  type: dict
-    sample: {
+  sample: {"description": "My updated test description"}
        "description": "My updated test description"
    }
 existing:
  description: Representation of existing role.
  returned: always
  type: dict
-    sample: {
+  sample: {"attributes": {}, "clientRole": true, "composite": false, "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a", "description": "My
-        "attributes": {},
+      client test role", "id": "561703dd-0f38-45ff-9a5a-0c978f794547", "name": "myrole"}
        "clientRole": true,
        "composite": false,
        "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a",
        "description": "My client test role",
        "id": "561703dd-0f38-45ff-9a5a-0c978f794547",
        "name": "myrole"
    }
 end_state:
  description: Representation of role after module execution (sample is truncated).
  returned: on success
  type: dict
-    sample: {
+  sample: {"attributes": {}, "clientRole": true, "composite": false, "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a", "description": "My
-        "attributes": {},
+      updated client test role", "id": "561703dd-0f38-45ff-9a5a-0c978f794547", "name": "myrole"}
-        "clientRole": true,
+"""
        "composite": false,
        "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a",
        "description": "My updated client test role",
        "id": "561703dd-0f38-45ff-9a5a-0c978f794547",
        "name": "myrole"
    }
 '''
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
    keycloak_argument_spec, get_token, KeycloakError, is_struct_included
@ -290,7 +264,7 @@ def main():
    state = module.params.get('state')
    # attributes in Keycloak have their values returned as lists
-    # via the API. attributes is a dict, so we'll transparently convert
+    # using the API. attributes is a dict, so we'll transparently convert
    # the values to lists.
    if module.params.get('attributes') is not None:
        for key, val in module.params['attributes'].items():
--- a/plugins/modules/keycloak_user.py
+++ b/plugins/modules/keycloak_user.py
@ -9,8 +9,7 @@ from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_user
 short_description: Create and configure a user in Keycloak
 description:
@ -113,7 +112,7 @@ options:
      state:
        description:
          - Control whether the user must be member of this group or not.
-                choices: [ "present", "absent" ]
+        choices: ["present", "absent"]
        default: present
        type: str
  credentials:
@ -173,17 +172,17 @@ options:
      state:
        description:
          - Control whether the attribute must exists or not.
-                choices: [ "present", "absent" ]
+        choices: ["present", "absent"]
        default: present
        type: str
  access:
    description:
-            - list user access.
+      - List user access.
    required: false
    type: dict
  disableable_credential_types:
    description:
-            - list user Credential Type.
+      - List user Credential Type.
    default: []
    type: list
    elements: str
@ -191,18 +190,18 @@ options:
      - disableableCredentialTypes
  origin:
    description:
-            - user origin.
+      - User origin.
    required: false
    type: str
  self:
    description:
-            - user self administration.
+      - User self administration.
    required: false
    type: str
  state:
    description:
      - Control whether the user should exists or not.
-        choices: [ "present", "absent" ]
+    choices: ["present", "absent"]
    default: present
    type: str
  force:
@ -225,9 +224,9 @@ notes:
  - The module does not modify the user ID of an existing user.
 author:
  - Philippe Gauthier (@elfelip)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Create a user user1
  community.general.keycloak_user:
    auth_keycloak_url: http://localhost:8080/auth
@ -327,9 +326,9 @@ EXAMPLES = '''
    realm: master
    username: user1
    state: absent
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
@ -344,14 +343,15 @@ existing:
  returned: on success
  type: dict
 end_state:
-  description: Representation of the user after module execution
+  description: Representation of the user after module execution.
  returned: on success
  type: dict
 changed:
  description: Return V(true) if the operation changed the user on the keycloak server, V(false) otherwise.
  returned: always
  type: bool
-'''
+"""
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
    keycloak_argument_spec, get_token, KeycloakError, is_struct_included
 from ansible.module_utils.basic import AnsibleModule
--- a/plugins/modules/keycloak_user_federation.py
+++ b/plugins/modules/keycloak_user_federation.py
@ -8,24 +8,19 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_user_federation
-short_description: Allows administration of Keycloak user federations via Keycloak API
+short_description: Allows administration of Keycloak user federations using Keycloak API
 version_added: 3.7.0
 description:
-    - This module allows you to add, remove or modify Keycloak user federations via the Keycloak REST API.
+  - This module allows you to add, remove or modify Keycloak user federations using the Keycloak REST API. It requires access to the REST API using
-      It requires access to the REST API via OpenID Connect; the user connecting and the client being
+    OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
-      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+    and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
-      and an admin user would work, as would a separate client definition with the scope tailored
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
-      to your needs and a user having the expected roles.
+    U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html).
    - The names of module options are snake_cased versions of the camelCase ones found in the
      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html).
 attributes:
  check_mode:
    support: full
@ -38,8 +33,7 @@ options:
  state:
    description:
      - State of the user federation.
-            - On V(present), the user federation will be created if it does not yet exist, or updated with
+      - On V(present), the user federation will be created if it does not yet exist, or updated with the parameters you provide.
              the parameters you provide.
      - On V(absent), the user federation will be removed if it exists.
    default: 'present'
    type: str
@ -55,8 +49,7 @@ options:
  id:
    description:
-            - The unique ID for this user federation. If left empty, the user federation will be searched
+      - The unique ID for this user federation. If left empty, the user federation will be searched by its O(name).
              by its O(name).
    type: str
  name:
@ -66,8 +59,8 @@ options:
  provider_id:
    description:
-            - Provider for this user federation. Built-in providers are V(ldap), V(kerberos), and V(sssd).
+      - Provider for this user federation. Built-in providers are V(ldap), V(kerberos), and V(sssd). Custom user storage providers can also be
-              Custom user storage providers can also be used.
+        used.
    aliases:
      - providerId
    type: str
@ -97,15 +90,12 @@ options:
  bind_credential_update_mode:
    description:
-            - The value of the config parameter O(config.bindCredential) is redacted in the Keycloak responses.
+      - The value of the config parameter O(config.bindCredential) is redacted in the Keycloak responses. Comparing the redacted value with the
-              Comparing the redacted value with the desired value always evaluates to not equal. This means
+        desired value always evaluates to not equal. This means the before and desired states are never equal if the parameter is set.
-              the before and desired states are never equal if the parameter is set.
+      - Set to V(always) to include O(config.bindCredential) in the comparison of before and desired state. Because of the redacted value returned
-            - Set to V(always) to include O(config.bindCredential) in the comparison of before and desired state.
+        by Keycloak the module will always detect a change and make an update if a O(config.bindCredential) value is set.
-              Because of the redacted value returned by Keycloak the module will always detect a change
+      - Set to V(only_indirect) to exclude O(config.bindCredential) when comparing the before state with the desired state.
-              and make an update if a O(config.bindCredential) value is set.
+        The value of O(config.bindCredential) will only be updated if there are other changes to the user federation that require an update.
            - Set to V(only_indirect) to exclude O(config.bindCredential) when comparing the before state with the
              desired state. The value of O(config.bindCredential) will only be updated if there are other changes
              to the user federation that require an update.
    type: str
    default: always
    choices:
@ -115,9 +105,8 @@ options:
  config:
    description:
-            - Dict specifying the configuration options for the provider; the contents differ depending on
+      - Dict specifying the configuration options for the provider; the contents differ depending on the value of O(provider_id). Examples are
-              the value of O(provider_id). Examples are given below for V(ldap), V(kerberos) and V(sssd).
+        given below for V(ldap), V(kerberos) and V(sssd). It is easiest to obtain valid config values by dumping an already-existing user federation
              It is easiest to obtain valid config values by dumping an already-existing user federation
        configuration through check-mode in the RV(existing) field.
      - The value V(sssd) has been supported since community.general 4.2.0.
    type: dict
@ -136,15 +125,14 @@ options:
      importEnabled:
        description:
-                    - If V(true), LDAP users will be imported into Keycloak DB and synced by the configured
+          - If V(true), LDAP users will be imported into Keycloak DB and synced by the configured sync policies.
                      sync policies.
        default: true
        type: bool
      editMode:
        description:
-                    - V(READ_ONLY) is a read-only LDAP store. V(WRITABLE) means data will be synced back to LDAP
+          - V(READ_ONLY) is a read-only LDAP store. V(WRITABLE) means data will be synced back to LDAP on demand. V(UNSYNCED) means user data
-                      on demand. V(UNSYNCED) means user data will be imported, but not synced back to LDAP.
+            will be imported, but not synced back to LDAP.
        type: str
        choices:
          - READ_ONLY
@ -153,8 +141,7 @@ options:
      syncRegistrations:
        description:
-                    - Should newly created users be created within LDAP store? Priority effects which
+          - Should newly created users be created within LDAP store? Priority effects which provider is chosen to sync the new user.
                      provider is chosen to sync the new user.
        default: false
        type: bool
@ -166,35 +153,29 @@ options:
      usernameLDAPAttribute:
        description:
-                    - Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server
+          - Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server vendors it can be V(uid). For Active directory
-                      vendors it can be V(uid). For Active directory it can be V(sAMAccountName) or V(cn).
+            it can be V(sAMAccountName) or V(cn). The attribute should be filled for all LDAP user records you want to import from LDAP to Keycloak.
                      The attribute should be filled for all LDAP user records you want to import from
                      LDAP to Keycloak.
        type: str
      rdnLDAPAttribute:
        description:
-                    - Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN.
+          - Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN. Usually it's the same as Username LDAP attribute,
-                      Usually it's the same as Username LDAP attribute, however it is not required. For
+            however it is not required. For example for Active directory, it is common to use V(cn) as RDN attribute when username attribute might
-                      example for Active directory, it is common to use V(cn) as RDN attribute when
+            be V(sAMAccountName).
                      username attribute might be V(sAMAccountName).
        type: str
      uuidLDAPAttribute:
        description:
-                    - Name of LDAP attribute, which is used as unique object identifier (UUID) for objects
+          - Name of LDAP attribute, which is used as unique object identifier (UUID) for objects in LDAP. For many LDAP server vendors, it is
-                      in LDAP. For many LDAP server vendors, it is V(entryUUID); however some are different.
+            V(entryUUID); however some are different. For example for Active directory it should be V(objectGUID). If your LDAP server does not
-                      For example for Active directory it should be V(objectGUID). If your LDAP server does
+            support the notion of UUID, you can use any other attribute that is supposed to be unique among LDAP users in tree.
                      not support the notion of UUID, you can use any other attribute that is supposed to
                      be unique among LDAP users in tree.
        type: str
      userObjectClasses:
        description:
-                    - All values of LDAP objectClass attribute for users in LDAP divided by comma.
+          - All values of LDAP objectClass attribute for users in LDAP divided by comma. For example V(inetOrgPerson, organizationalPerson). Newly
-                      For example V(inetOrgPerson, organizationalPerson). Newly created Keycloak users
+            created Keycloak users will be written to LDAP with all those object classes and existing LDAP user records are found just if they
-                      will be written to LDAP with all those object classes and existing LDAP user records
+            contain all those object classes.
                      are found just if they contain all those object classes.
        type: str
      connectionUrl:
@ -209,15 +190,13 @@ options:
      customUserSearchFilter:
        description:
-                    - Additional LDAP Filter for filtering searched users. Leave this empty if you don't
+          - Additional LDAP Filter for filtering searched users. Leave this empty if you do not need additional filter.
                      need additional filter.
        type: str
      searchScope:
        description:
-                    - For one level, the search applies only for users in the DNs specified by User DNs.
+          - For one level, the search applies only for users in the DNs specified by User DNs. For subtree, the search applies to the whole subtree.
-                      For subtree, the search applies to the whole subtree. See LDAP documentation for
+            See LDAP documentation for more details.
                      more details.
        default: '1'
        type: str
        choices:
@ -226,8 +205,7 @@ options:
      authType:
        description:
-                    - Type of the Authentication method used during LDAP Bind operation. It is used in
+          - Type of the Authentication method used during LDAP Bind operation. It is used in most of the requests sent to the LDAP server.
                      most of the requests sent to the LDAP server.
        default: 'none'
        type: str
        choices:
@ -252,35 +230,31 @@ options:
      usePasswordModifyExtendedOp:
        description:
-                    - Use the LDAPv3 Password Modify Extended Operation (RFC-3062). The password modify
+          - Use the LDAPv3 Password Modify Extended Operation (RFC-3062). The password modify extended operation usually requires that LDAP user
-                      extended operation usually requires that LDAP user already has password in the LDAP
+            already has password in the LDAP server. So when this is used with 'Sync Registrations', it can be good to add also 'Hardcoded LDAP
-                      server. So when this is used with 'Sync Registrations', it can be good to add also
+            attribute mapper' with randomly generated initial password.
                      'Hardcoded LDAP attribute mapper' with randomly generated initial password.
        default: false
        type: bool
      validatePasswordPolicy:
        description:
-                    - Determines if Keycloak should validate the password with the realm password policy
+          - Determines if Keycloak should validate the password with the realm password policy before updating it.
                      before updating it.
        default: false
        type: bool
      trustEmail:
        description:
-                    - If enabled, email provided by this provider is not verified even if verification is
+          - If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
                      enabled for the realm.
        default: false
        type: bool
      useTruststoreSpi:
        description:
-                    - Specifies whether LDAP connection will use the truststore SPI with the truststore
+          - Specifies whether LDAP connection will use the truststore SPI with the truststore configured in standalone.xml/domain.xml. V(always)
-                      configured in standalone.xml/domain.xml. V(always) means that it will always use it.
+            means that it will always use it. V(never) means that it will not use it. V(ldapsOnly) means that it will use if your connection URL
-                      V(never) means that it will not use it. V(ldapsOnly) means that it will use if
+            use ldaps.
-                      your connection URL use ldaps. Note even if standalone.xml/domain.xml is not
+          - Note even if standalone.xml/domain.xml is not configured, the default Java cacerts or certificate specified by C(javax.net.ssl.trustStore)
-                      configured, the default Java cacerts or certificate specified by
+            property will be used.
                      C(javax.net.ssl.trustStore) property will be used.
        default: ldapsOnly
        type: str
        choices:
@ -321,44 +295,39 @@ options:
      connectionPoolingDebug:
        description:
-                    - A string that indicates the level of debug output to produce. Example valid values are
+          - A string that indicates the level of debug output to produce. Example valid values are V(fine) (trace connection creation and removal)
-                      V(fine) (trace connection creation and removal) and V(all) (all debugging information).
+            and V(all) (all debugging information).
        type: str
      connectionPoolingInitSize:
        description:
-                    - The number of connections per connection identity to create when initially creating a
+          - The number of connections per connection identity to create when initially creating a connection for the identity.
                      connection for the identity.
        type: int
      connectionPoolingMaxSize:
        description:
-                    - The maximum number of connections per connection identity that can be maintained
+          - The maximum number of connections per connection identity that can be maintained concurrently.
                      concurrently.
        type: int
      connectionPoolingPrefSize:
        description:
-                    - The preferred number of connections per connection identity that should be maintained
+          - The preferred number of connections per connection identity that should be maintained concurrently.
                      concurrently.
        type: int
      connectionPoolingProtocol:
        description:
-                    - A list of space-separated protocol types of connections that may be pooled.
+          - A list of space-separated protocol types of connections that may be pooled. Valid types are V(plain) and V(ssl).
                      Valid types are V(plain) and V(ssl).
        type: str
      connectionPoolingTimeout:
        description:
-                    - The number of milliseconds that an idle connection may remain in the pool without
+          - The number of milliseconds that an idle connection may remain in the pool without being closed and removed from the pool.
                      being closed and removed from the pool.
        type: int
      allowKerberosAuthentication:
        description:
-                    - Enable/disable HTTP authentication of users with SPNEGO/Kerberos tokens. The data
+          - Enable/disable HTTP authentication of users with SPNEGO/Kerberos tokens. The data about authenticated users will be provisioned from
-                      about authenticated users will be provisioned from this LDAP server.
+            this LDAP server.
        default: false
        type: bool
@ -369,25 +338,21 @@ options:
      krbPrincipalAttribute:
        description:
-                    - Name of the LDAP attribute, which refers to Kerberos principal.
+          - Name of the LDAP attribute, which refers to Kerberos principal. This is used to lookup appropriate LDAP user after successful Kerberos/SPNEGO
-                      This is used to lookup appropriate LDAP user after successful Kerberos/SPNEGO authentication in Keycloak.
+            authentication in Keycloak. When this is empty, the LDAP user will be looked based on LDAP username corresponding to the first part
-                      When this is empty, the LDAP user will be looked based on LDAP username corresponding
+            of his Kerberos principal. For instance, for principal C(john@KEYCLOAK.ORG), it will assume that LDAP username is V(john).
                      to the first part of his Kerberos principal. For instance, for principal C(john@KEYCLOAK.ORG),
                      it will assume that LDAP username is V(john).
        type: str
        version_added: 8.1.0
      serverPrincipal:
        description:
-                    - Full name of server principal for HTTP service including server and domain name. For
+          - Full name of server principal for HTTP service including server and domain name. For example V(HTTP/host.foo.org@FOO.ORG). Use V(*)
-                      example V(HTTP/host.foo.org@FOO.ORG). Use V(*) to accept any service principal in the
+            to accept any service principal in the KeyTab file.
                      KeyTab file.
        type: str
      keyTab:
        description:
-                    - Location of Kerberos KeyTab file containing the credentials of server principal. For
+          - Location of Kerberos KeyTab file containing the credentials of server principal. For example V(/etc/krb5.keytab).
                      example V(/etc/krb5.keytab).
        type: str
      debug:
@ -397,8 +362,8 @@ options:
      useKerberosForPasswordAuthentication:
        description:
-                    - Use Kerberos login module for authenticate username/password against Kerberos server
+          - Use Kerberos login module for authenticate username/password against Kerberos server instead of authenticating against LDAP server
-                      instead of authenticating against LDAP server with Directory Service API.
+            with Directory Service API.
        default: false
        type: bool
@ -464,9 +429,8 @@ options:
      referral:
        description:
-                    - Specifies if LDAP referrals should be followed or ignored. Please note that enabling
+          - Specifies if LDAP referrals should be followed or ignored. Please note that enabling referrals can slow down authentication as it
-                      referrals can slow down authentication as it allows the LDAP server to decide which other
+            allows the LDAP server to decide which other LDAP servers to use. This could potentially include untrusted servers.
                      LDAP servers to use. This could potentially include untrusted servers.
        type: str
        choices:
          - ignore
@ -491,8 +455,7 @@ options:
      parentId:
        description:
-                    - Unique ID for the parent of this mapper. ID of the user federation will automatically
+          - Unique ID for the parent of this mapper. ID of the user federation will automatically be used if left blank.
                      be used if left blank.
        type: str
      providerId:
@ -508,9 +471,7 @@ options:
      config:
        description:
-                    - Dict specifying the configuration options for the mapper; the contents differ
+          - Dict specifying the configuration options for the mapper; the contents differ depending on the value of I(identityProviderMapper).
                      depending on the value of I(identityProviderMapper).
                    # TODO: what is identityProviderMapper above???
        type: dict
 extends_documentation_fragment:
@ -520,10 +481,10 @@ extends_documentation_fragment:
 author:
  - Laurent Paumier (@laurpaum)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
-  - name: Create LDAP user federation
+- name: Create LDAP user federation
  community.general.keycloak_user_federation:
    auth_keycloak_url: https://keycloak.example.com/auth
    auth_realm: master
@ -570,7 +531,7 @@ EXAMPLES = '''
          read.only: true
          write.only: false
-  - name: Create Kerberos user federation
+- name: Create Kerberos user federation
  community.general.keycloak_user_federation:
    auth_keycloak_url: https://keycloak.example.com/auth
    auth_realm: master
@ -591,7 +552,7 @@ EXAMPLES = '''
      allowPasswordAuthentication: false
      updateProfileFirstLogin: false
-  - name: Create sssd user federation
+- name: Create sssd user federation
  community.general.keycloak_user_federation:
    auth_keycloak_url: https://keycloak.example.com/auth
    auth_realm: master
@ -607,7 +568,7 @@ EXAMPLES = '''
      enabled: true
      cachePolicy: DEFAULT
-  - name: Delete user federation
+- name: Delete user federation
  community.general.keycloak_user_federation:
    auth_keycloak_url: https://keycloak.example.com/auth
    auth_realm: master
@ -616,10 +577,9 @@ EXAMPLES = '''
    realm: my-realm
    name: my-federation
    state: absent
 """
-'''
+RETURN = r"""
 RETURN = '''
 msg:
  description: Message as to what action was taken.
  returned: always
@ -744,7 +704,7 @@ end_state:
        "providerId": "kerberos",
        "providerType": "org.keycloak.storage.UserStorageProvider"
    }
-'''
+"""
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
    keycloak_argument_spec, get_token, KeycloakError
--- a/plugins/modules/keycloak_user_rolemapping.py
+++ b/plugins/modules/keycloak_user_rolemapping.py
@ -7,8 +7,7 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_user_rolemapping
 short_description: Allows administration of Keycloak user_rolemapping with the Keycloak API
@ -16,22 +15,15 @@ short_description: Allows administration of Keycloak user_rolemapping with the K
 version_added: 5.7.0
 description:
-    - This module allows you to add, remove or modify Keycloak user_rolemapping with the Keycloak REST API.
+  - This module allows you to add, remove or modify Keycloak user_rolemapping with the Keycloak REST API. It requires access to the REST API using
-      It requires access to the REST API via OpenID Connect; the user connecting and the client being
+    OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
-      used must have the requisite access rights. In a default Keycloak installation, admin-cli
+    and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
-      and an admin user would work, as would a separate client definition with the scope tailored
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
-      to your needs and a user having the expected roles.
+    U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
-
+  - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
-    - The names of module options are snake_cased versions of the camelCase ones found in the
+    You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
-      Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
+  - When updating a user_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API to translate the name
-
+    into the role ID.
    - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
      be returned that way by this module. You may pass single values for attributes when calling the module,
      and this will be translated into a list suitable for the API.
    - When updating a user_rolemapping, where possible provide the role ID to the module. This removes a lookup
      to the API to translate the name into the role ID.
 attributes:
  check_mode:
    support: full
@ -63,35 +55,26 @@ options:
    description:
      - Username of the user roles are mapped to.
      - This parameter is not required (can be replaced by uid for less API call).
  uid:
    type: str
    description:
      - ID of the user to be mapped.
-            - This parameter is not required for updating or deleting the rolemapping but
+      - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
              providing it will reduce the number of API calls required.
  service_account_user_client_id:
    type: str
    description:
      - Client ID of the service-account-user to be mapped.
-            - This parameter is not required for updating or deleting the rolemapping but
+      - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
              providing it will reduce the number of API calls required.
  client_id:
    type: str
    description:
      - Name of the client to be mapped (different than O(cid)).
-            - This parameter is required if O(cid) is not provided (can be replaced by O(cid)
+      - This parameter is required if O(cid) is not provided (can be replaced by O(cid) to reduce the number of API calls that must be made).
              to reduce the number of API calls that must be made).
  cid:
    type: str
    description:
      - ID of the client to be mapped.
-            - This parameter is not required for updating or deleting the rolemapping but
+      - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
              providing it will reduce the number of API calls required.
  roles:
    description:
      - Roles to be mapped to the user.
@ -107,9 +90,8 @@ options:
        type: str
        description:
          - The unique identifier for this role_representation.
-                    - This parameter is not required for updating or deleting a role_representation but
+          - This parameter is not required for updating or deleting a role_representation but providing it will reduce the number of API calls
-                      providing it will reduce the number of API calls required.
+            required.
 extends_documentation_fragment:
  - community.general.keycloak
  - community.general.keycloak.actiongroup_keycloak
@ -117,9 +99,9 @@ extends_documentation_fragment:
 author:
  - Dušan Marković (@bratwurzt)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Map a client role to a user, authentication with credentials
  community.general.keycloak_user_rolemapping:
    realm: MyCustomRealm
@ -189,9 +171,9 @@ EXAMPLES = '''
      - name: role_name2
        id: role_id2
  delegate_to: localhost
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: Message as to what action was taken.
  returned: always
@ -202,9 +184,7 @@ proposed:
  description: Representation of proposed client role mapping.
  returned: always
  type: dict
-    sample: {
+  sample: {clientId: "test"}
      clientId: "test"
    }
 existing:
  description:
@ -212,12 +192,7 @@ existing:
    - The sample is truncated.
  returned: always
  type: dict
-    sample: {
+  sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
        "adminUrl": "http://www.example.com/admin_url",
        "attributes": {
            "request.object.signature.alg": "RS256",
        }
    }
 end_state:
  description:
@ -225,13 +200,8 @@ end_state:
    - The sample is truncated.
  returned: on success
  type: dict
-    sample: {
+  sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
-        "adminUrl": "http://www.example.com/admin_url",
+"""
        "attributes": {
            "request.object.signature.alg": "RS256",
        }
    }
 '''
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
    keycloak_argument_spec, get_token, KeycloakError
--- a/plugins/modules/keycloak_userprofile.py
+++ b/plugins/modules/keycloak_userprofile.py
@ -8,19 +8,17 @@
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: keycloak_userprofile
 short_description: Allows managing Keycloak User Profiles
 description:
-  - This module allows you to create, update, or delete Keycloak User Profiles via Keycloak API. You can also customize the "Unmanaged Attributes" with it.
+  - This module allows you to create, update, or delete Keycloak User Profiles using the Keycloak API. You can also customize the "Unmanaged Attributes"
-
+    with it.
-  - The names of module options are snake_cased versions of the camelCase ones found in the
+  - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
-    Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/24.0.5/rest-api/index.html).
+    U(https://www.keycloak.org/docs-api/24.0.5/rest-api/index.html).
    For compatibility reasons, the module also accepts the camelCase versions of the options.
 version_added: "9.4.0"
 attributes:
@ -35,8 +33,7 @@ options:
  state:
    description:
      - State of the User Profile provider.
-            - On V(present), the User Profile provider will be created if it does not yet exist, or updated with
+      - On V(present), the User Profile provider will be created if it does not yet exist, or updated with the parameters you provide.
              the parameters you provide.
      - On V(absent), the User Profile provider will be removed if it exists.
    default: 'present'
    type: str
@ -267,9 +264,8 @@ options:
              - ADMIN_VIEW
 notes:
-    - Currently, only a single V(declarative-user-profile) entry is supported for O(provider_id) (design of the Keyckoak API).
+  - Currently, only a single V(declarative-user-profile) entry is supported for O(provider_id) (design of the Keyckoak API). However, there can
-      However, there can be multiple O(config.kc_user_profile_config[].attributes[]) entries.
+    be multiple O(config.kc_user_profile_config[].attributes[]) entries.
 extends_documentation_fragment:
  - community.general.keycloak
  - community.general.keycloak.actiongroup_keycloak
@ -277,9 +273,9 @@ extends_documentation_fragment:
 author:
  - Eike Waldt (@yeoldegrove)
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Create a Declarative User Profile with default settings
  community.general.keycloak_userprofile:
    state: present
@ -397,9 +393,9 @@ EXAMPLES = '''
    config:
      kc_user_profile_config:
        - unmanagedAttributePolicy: ADMIN_VIEW
-'''
+"""
-RETURN = '''
+RETURN = r"""
 msg:
  description: The output message generated by the module.
  returned: always
@ -409,8 +405,8 @@ data:
  description: The data returned by the Keycloak API.
  returned: when state is present
  type: dict
-  sample: {...}
+  sample: {'...': '...'}
-'''
+"""
 from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
    keycloak_argument_spec, get_token, KeycloakError
--- a/plugins/modules/keyring.py
+++ b/plugins/modules/keyring.py
@ -13,15 +13,14 @@ from __future__ import absolute_import, division, print_function
 __metaclass__ = type
 DOCUMENTATION = r"""
 ---
 module: keyring
 version_added: 5.2.0
 author:
  - Alexander Hussey (@ahussey-redhat)
 short_description: Set or delete a passphrase using the Operating System's native keyring
 description: >-
-  This module uses the L(keyring Python library, https://pypi.org/project/keyring/)
+  This module uses the L(keyring Python library, https://pypi.org/project/keyring/) to set or delete passphrases for a given service and username
-  to set or delete passphrases for a given service and username from the OS' native keyring.
+  from the OS' native keyring.
 requirements:
  - keyring (Python library)
  - gnome-keyring (application - required for headless Gnome keyring access)
--- a/plugins/modules/keyring_info.py
+++ b/plugins/modules/keyring_info.py
@ -13,15 +13,14 @@ from __future__ import absolute_import, division, print_function
 __metaclass__ = type
 DOCUMENTATION = r"""
 ---
 module: keyring_info
 version_added: 5.2.0
 author:
  - Alexander Hussey (@ahussey-redhat)
 short_description: Get a passphrase using the Operating System's native keyring
 description: >-
-  This module uses the L(keyring Python library, https://pypi.org/project/keyring/)
+  This module uses the L(keyring Python library, https://pypi.org/project/keyring/) to retrieve passphrases for a given service and username from
-  to retrieve passphrases for a given service and username from the OS' native keyring.
+  the OS' native keyring.
 requirements:
  - keyring (Python library)
  - gnome-keyring (application - required for headless Linux keyring access)
@ -45,20 +44,20 @@ options:
 """
 EXAMPLES = r"""
-  - name: Retrieve password for service_name/user_name
+- name: Retrieve password for service_name/user_name
  community.general.keyring_info:
    service: test
    username: test1
    keyring_password: "{{ keyring_password }}"
  register: test_password
-  - name: Display password
+- name: Display password
  ansible.builtin.debug:
    msg: "{{ test_password.passphrase }}"
 """
 RETURN = r"""
-  passphrase:
+passphrase:
  description: A string containing the password.
  returned: success and the password exists
  type: str
--- a/plugins/modules/kibana_plugin.py
+++ b/plugins/modules/kibana_plugin.py
@ -11,8 +11,7 @@ from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = '''
+DOCUMENTATION = r"""
 ---
 module: kibana_plugin
 short_description: Manage Kibana plugins
 description:
@ -40,11 +39,11 @@ options:
  url:
    description:
      - Set exact URL to download the plugin from.
-      - For local file, prefix its absolute path with file://
+      - For local file, prefix its absolute path with file://.
    type: str
  timeout:
    description:
-      - "Timeout setting: 30s, 1m, 1h etc."
+      - 'Timeout setting: V(30s), V(1m), V(1h) and so on.'
    default: 1m
    type: str
  plugin_bin:
@ -73,9 +72,9 @@ options:
    type: bool
    default: false
    version_added: 2.3.0
-'''
+"""
-EXAMPLES = '''
+EXAMPLES = r"""
 - name: Install Elasticsearch head plugin
  community.general.kibana_plugin:
    state: present
@ -91,38 +90,38 @@ EXAMPLES = '''
  community.general.kibana_plugin:
    state: absent
    name: elasticsearch/marvel
-'''
+"""
-RETURN = '''
+RETURN = r"""
 cmd:
-    description: the launched command during plugin management (install / remove)
+  description: The launched command during plugin management (install / remove).
  returned: success
  type: str
 name:
-    description: the plugin name to install or remove
+  description: The plugin name to install or remove.
  returned: success
  type: str
 url:
-    description: the url from where the plugin is installed from
+  description: The url from where the plugin is installed from.
  returned: success
  type: str
 timeout:
-    description: the timeout for plugin download
+  description: The timeout for plugin download.
  returned: success
  type: str
 stdout:
-    description: the command stdout
+  description: The command stdout.
  returned: success
  type: str
 stderr:
-    description: the command stderr
+  description: The command stderr.
  returned: success
  type: str
 state:
-    description: the state for the managed plugin
+  description: The state for the managed plugin.
  returned: success
  type: str
-'''
+"""
 import os
 from ansible.module_utils.basic import AnsibleModule
--- a/plugins/modules/krb_ticket.py
+++ b/plugins/modules/krb_ticket.py
@ -8,8 +8,7 @@ from __future__ import absolute_import, division, print_function
 __metaclass__ = type
-DOCUMENTATION = r'''
+DOCUMENTATION = r"""
 ---
 module: krb_ticket
 short_description: Kerberos utils for managing tickets
 version_added: 10.0.0
@ -56,8 +55,9 @@ options:
  lifetime:
    description:
      - Requests a ticket with the lifetime, if the O(lifetime) is not specified, the default ticket lifetime is used.
-      - Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum ticket lifetime.
+      - Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum
-      - "The value for O(lifetime) must be followed by one of the following suffixes: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) - days."
+        ticket lifetime.
      - 'The value for O(lifetime) must be followed by one of the following suffixes: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) - days.'
      - You cannot mix units; a value of V(3h30m) will result in an error.
      - See U(https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html) for reference.
    type: str
@ -73,7 +73,8 @@ options:
  renewable:
    description:
      - Requests renewable tickets, with a total lifetime equal to O(renewable).
-      - "The value for O(renewable) must be followed by one of the following delimiters: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) - days."
+      - 'The value for O(renewable) must be followed by one of the following delimiters: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) -
        days.'
      - You cannot mix units; a value of V(3h30m) will result in an error.
      - See U(https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html) for reference.
    type: str
@ -125,9 +126,9 @@ requirements:
  - krb5-user and krb5-config packages
 extends_documentation_fragment:
  - community.general.attributes
-'''
+"""
-EXAMPLES = r'''
+EXAMPLES = r"""
 - name: Get Kerberos ticket using default principal
  community.general.krb_ticket:
    password: some_password
@ -179,7 +180,7 @@ EXAMPLES = r'''
  community.general.krb_ticket:
    state: absent
    kdestroy_all: true
-'''
+"""
 from ansible.module_utils.basic import AnsibleModule, env_fallback
 from ansible_collections.community.general.plugins.module_utils.cmd_runner import CmdRunner, cmd_runner_fmt