ClientArgs

/**
 * Input arguments for the `keycloak.openid.Client` resource, a Keycloak client that uses OpenID Connect.
 *
 * Every property is a nullable [Output] defaulting to `null`, so this constructor enforces no required
 * values; the Argument Reference on this page marks `realm_id`, `client_id` and `access_type` as required.
 * [clientSecret] is described there as sensitive, to be treated with the same care as a password.
 */
data class ClientArgs(val accessTokenLifespan: Output<String>? = null, val accessType: Output<String>? = null, val adminUrl: Output<String>? = null, val authenticationFlowBindingOverrides: Output<ClientAuthenticationFlowBindingOverridesArgs>? = null, val authorization: Output<ClientAuthorizationArgs>? = null, val backchannelLogoutRevokeOfflineSessions: Output<Boolean>? = null, val backchannelLogoutSessionRequired: Output<Boolean>? = null, val backchannelLogoutUrl: Output<String>? = null, val baseUrl: Output<String>? = null, val clientAuthenticatorType: Output<String>? = null, val clientId: Output<String>? = null, val clientOfflineSessionIdleTimeout: Output<String>? = null, val clientOfflineSessionMaxLifespan: Output<String>? = null, val clientSecret: Output<String>? = null, val clientSessionIdleTimeout: Output<String>? = null, val clientSessionMaxLifespan: Output<String>? = null, val consentRequired: Output<Boolean>? = null, val consentScreenText: Output<String>? = null, val description: Output<String>? = null, val directAccessGrantsEnabled: Output<Boolean>? = null, val displayOnConsentScreen: Output<Boolean>? = null, val enabled: Output<Boolean>? = null, val excludeSessionStateFromAuthResponse: Output<Boolean>? = null, val extraConfig: Output<Map<String, Any>>? = null, val frontchannelLogoutEnabled: Output<Boolean>? = null, val frontchannelLogoutUrl: Output<String>? = null, val fullScopeAllowed: Output<Boolean>? = null, val implicitFlowEnabled: Output<Boolean>? = null, val import: Output<Boolean>? = null, val loginTheme: Output<String>? = null, val name: Output<String>? = null, val oauth2DeviceAuthorizationGrantEnabled: Output<Boolean>? = null, val oauth2DeviceCodeLifespan: Output<String>? = null, val oauth2DevicePollingInterval: Output<String>? = null, val pkceCodeChallengeMethod: Output<String>? = null, val realmId: Output<String>? = null, val rootUrl: Output<String>? = null, val serviceAccountsEnabled: Output<Boolean>? 
= null, val standardFlowEnabled: Output<Boolean>? = null, val useRefreshTokens: Output<Boolean>? = null, val useRefreshTokensClientCredentials: Output<Boolean>? = null, val validPostLogoutRedirectUris: Output<List<String>>? = null, val validRedirectUris: Output<List<String>>? = null, val webOrigins: Output<List<String>>? = null) : ConvertibleToJava<ClientArgs>

# keycloak.openid.Client

Allows for creating and managing Keycloak clients that use the OpenID Connect protocol. Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users to Keycloak for authentication in order to take advantage of Keycloak's user sessions for SSO.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
// Realm that owns the client.
const realm = new keycloak.Realm("realm", {
    enabled: true,
    realm: "my-realm",
});

// Confidential OpenID Connect client registered in that realm.
const openidClient = new keycloak.openid.Client("openid_client", {
    realmId: realm.id,
    clientId: "test-client",
    name: "test client",
    // CONFIDENTIAL: server-side client that authenticates with client ID and secret.
    accessType: "CONFIDENTIAL",
    enabled: true,
    // Local-development callback; deployed clients normally list exact https URIs.
    validRedirectUris: ["http://localhost:8080/openid-callback"],
});
import pulumi
import pulumi_keycloak as keycloak
# Realm that owns the client.
realm = keycloak.Realm(
    "realm",
    enabled=True,
    realm="my-realm",
)

# Confidential OpenID Connect client registered in that realm.
openid_client = keycloak.openid.Client(
    "openid_client",
    realm_id=realm.id,
    client_id="test-client",
    name="test client",
    # CONFIDENTIAL: server-side client that authenticates with client ID and secret.
    access_type="CONFIDENTIAL",
    enabled=True,
    # Local-development callback; deployed clients normally list exact https URIs.
    valid_redirect_uris=["http://localhost:8080/openid-callback"],
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
    // Realm that owns the client.
    var keycloakRealm = new Keycloak.Realm("realm", new()
    {
        Enabled = true,
        RealmName = "my-realm",
    });

    // Confidential OpenID Connect client registered in that realm.
    var confidentialClient = new Keycloak.OpenId.Client("openid_client", new()
    {
        RealmId = keycloakRealm.Id,
        ClientId = "test-client",
        Name = "test client",
        // CONFIDENTIAL: server-side client that authenticates with client ID and secret.
        AccessType = "CONFIDENTIAL",
        Enabled = true,
        // Local-development callback; deployed clients normally list exact https URIs.
        ValidRedirectUris = new[] { "http://localhost:8080/openid-callback" },
    });
});
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a Keycloak realm and a confidential OpenID Connect client inside it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Realm that owns the client.
		keycloakRealm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Enabled: pulumi.Bool(true),
			Realm:   pulumi.String("my-realm"),
		})
		if err != nil {
			return err
		}

		clientArgs := &openid.ClientArgs{
			RealmId:  keycloakRealm.ID(),
			ClientId: pulumi.String("test-client"),
			Name:     pulumi.String("test client"),
			// CONFIDENTIAL: server-side client that authenticates with client ID and secret.
			AccessType: pulumi.String("CONFIDENTIAL"),
			Enabled:    pulumi.Bool(true),
			// Local-development callback; deployed clients normally list exact https URIs.
			ValidRedirectUris: pulumi.StringArray{
				pulumi.String("http://localhost:8080/openid-callback"),
			},
		}

		// The client's creation error is the callback's result: nil on success.
		_, err = openid.NewClient(ctx, "openid_client", clientArgs)
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/** Pulumi program that declares a Keycloak realm and a confidential OpenID Connect client in it. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the stack's resources: the realm first, then the client that references its id. */
    public static void stack(Context ctx) {
        final var realmArgs = RealmArgs.builder()
            .enabled(true)
            .realm("my-realm")
            .build();
        final var keycloakRealm = new Realm("realm", realmArgs);

        final var clientArgs = ClientArgs.builder()
            .realmId(keycloakRealm.id())
            .clientId("test-client")
            .name("test client")
            // CONFIDENTIAL: server-side client that authenticates with client ID and secret.
            .accessType("CONFIDENTIAL")
            .enabled(true)
            // Local-development callback; deployed clients normally list exact https URIs.
            .validRedirectUris("http://localhost:8080/openid-callback")
            .build();
        new Client("openidClient", clientArgs);
    }
}
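# Pulumi YAML program: a Keycloak realm and a confidential OpenID Connect client in it.
# Nesting is restored here; flattened to one level the keys (type, name, enabled, ...)
# collide and the document no longer describes two resources.
resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  openidClient:
    type: keycloak:openid:Client
    name: openid_client
    properties:
      realmId: ${realm.id}
      clientId: test-client
      name: test client
      enabled: true
      # CONFIDENTIAL: server-side client that authenticates with client ID and secret.
      accessType: CONFIDENTIAL
      # Local-development callback; deployed clients normally list exact https URIs.
      validRedirectUris:
        - http://localhost:8080/openid-callback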

Argument Reference

The following arguments are supported:

  • realm_id - (Required) The realm this client is attached to.

  • client_id - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens.

  • name - (Optional) The display name of this client in the GUI.

  • enabled - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

  • description - (Optional) The description of this client in the GUI.

  • access_type - (Required) Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.

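    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow. Note that current OAuth 2.0 security guidance (RFC 9700) discourages the Implicit grant; a public client can instead use the Authorization Code flow with PKCE (see pkce_code_challenge_method below).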

    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.

  • client_secret - (Optional) The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, Keycloak will generate a GUID for this attribute.

  • standard_flow_enabled - (Optional) When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.

  • implicit_flow_enabled - (Optional) When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.

  • direct_access_grants_enabled - (Optional) When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.

  • service_accounts_enabled - (Optional) When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.

  • valid_redirect_uris - (Optional) A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here, but every URI a wildcard matches becomes a permitted redirect target, so list exact URIs where possible. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.

  • web_origins - (Optional) A list of allowed CORS origins. `+` can be used to permit all valid redirect URIs, and `*` can be used to permit all origins. `*` removes the origin restriction entirely, so prefer explicit origins or `+`.

  • admin_url - (Optional) URL to the admin interface of the client.

  • base_url - (Optional) Default URL to use when the auth server needs to redirect or link back to the client.

  • pkce_code_challenge_method - (Optional) The challenge method to use for Proof Key for Code Exchange. Can be `plain`, `S256`, or an empty value. With `plain` the challenge is the code verifier itself, so `S256` is the stronger choice.

  • full_scope_allowed - (Optional) Allows all role mappings to be included in the access token.

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • service_account_user_id - When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.

Import

Clients can be imported using the format {{realm_id}}/{{client_keycloak_id}}, where client_keycloak_id is the unique ID that Keycloak assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. Example:

$ terraform import keycloak_openid_client.openid_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352

Constructors

constructor(accessTokenLifespan: Output<String>? = null, accessType: Output<String>? = null, adminUrl: Output<String>? = null, authenticationFlowBindingOverrides: Output<ClientAuthenticationFlowBindingOverridesArgs>? = null, authorization: Output<ClientAuthorizationArgs>? = null, backchannelLogoutRevokeOfflineSessions: Output<Boolean>? = null, backchannelLogoutSessionRequired: Output<Boolean>? = null, backchannelLogoutUrl: Output<String>? = null, baseUrl: Output<String>? = null, clientAuthenticatorType: Output<String>? = null, clientId: Output<String>? = null, clientOfflineSessionIdleTimeout: Output<String>? = null, clientOfflineSessionMaxLifespan: Output<String>? = null, clientSecret: Output<String>? = null, clientSessionIdleTimeout: Output<String>? = null, clientSessionMaxLifespan: Output<String>? = null, consentRequired: Output<Boolean>? = null, consentScreenText: Output<String>? = null, description: Output<String>? = null, directAccessGrantsEnabled: Output<Boolean>? = null, displayOnConsentScreen: Output<Boolean>? = null, enabled: Output<Boolean>? = null, excludeSessionStateFromAuthResponse: Output<Boolean>? = null, extraConfig: Output<Map<String, Any>>? = null, frontchannelLogoutEnabled: Output<Boolean>? = null, frontchannelLogoutUrl: Output<String>? = null, fullScopeAllowed: Output<Boolean>? = null, implicitFlowEnabled: Output<Boolean>? = null, import: Output<Boolean>? = null, loginTheme: Output<String>? = null, name: Output<String>? = null, oauth2DeviceAuthorizationGrantEnabled: Output<Boolean>? = null, oauth2DeviceCodeLifespan: Output<String>? = null, oauth2DevicePollingInterval: Output<String>? = null, pkceCodeChallengeMethod: Output<String>? = null, realmId: Output<String>? = null, rootUrl: Output<String>? = null, serviceAccountsEnabled: Output<Boolean>? = null, standardFlowEnabled: Output<Boolean>? = null, useRefreshTokens: Output<Boolean>? = null, useRefreshTokensClientCredentials: Output<Boolean>? 
= null, validPostLogoutRedirectUris: Output<List<String>>? = null, validRedirectUris: Output<List<String>>? = null, webOrigins: Output<List<String>>? = null)

Properties

val accessTokenLifespan: Output<String>? = null
val accessType: Output<String>? = null
val adminUrl: Output<String>? = null
val backchannelLogoutUrl: Output<String>? = null
val baseUrl: Output<String>? = null
val clientAuthenticatorType: Output<String>? = null
val clientId: Output<String>? = null
val clientSecret: Output<String>? = null
val clientSessionIdleTimeout: Output<String>? = null
val clientSessionMaxLifespan: Output<String>? = null
val consentRequired: Output<Boolean>? = null
val consentScreenText: Output<String>? = null
val description: Output<String>? = null
val directAccessGrantsEnabled: Output<Boolean>? = null
val displayOnConsentScreen: Output<Boolean>? = null
val enabled: Output<Boolean>? = null
val extraConfig: Output<Map<String, Any>>? = null
val frontchannelLogoutEnabled: Output<Boolean>? = null
val frontchannelLogoutUrl: Output<String>? = null
val fullScopeAllowed: Output<Boolean>? = null
val implicitFlowEnabled: Output<Boolean>? = null
val import: Output<Boolean>? = null
val loginTheme: Output<String>? = null
val name: Output<String>? = null
val oauth2DeviceCodeLifespan: Output<String>? = null
val oauth2DevicePollingInterval: Output<String>? = null
val pkceCodeChallengeMethod: Output<String>? = null
val realmId: Output<String>? = null
val rootUrl: Output<String>? = null
val serviceAccountsEnabled: Output<Boolean>? = null
val standardFlowEnabled: Output<Boolean>? = null
val useRefreshTokens: Output<Boolean>? = null
val validRedirectUris: Output<List<String>>? = null
val webOrigins: Output<List<String>>? = null

Functions

open override fun toJava(): ClientArgs