pulumi-keycloak-kotlin/com.pulumi.keycloak.openid.kotlin/UserRealmRoleProtocolMapperArgs

UserRealmRoleProtocolMapperArgs

data class UserRealmRoleProtocolMapperArgs(val addToAccessToken: Output<Boolean>? = null, val addToIdToken: Output<Boolean>? = null, val addToUserinfo: Output<Boolean>? = null, val claimName: Output<String>? = null, val claimValueType: Output<String>? = null, val clientId: Output<String>? = null, val clientScopeId: Output<String>? = null, val multivalued: Output<Boolean>? = null, val name: Output<String>? = null, val realmId: Output<String>? = null, val realmRolePrefix: Output<String>? = null) : ConvertibleToJava<UserRealmRoleProtocolMapperArgs>

# keycloak.openid.UserRealmRoleProtocolMapper

Allows for creating and managing user realm role protocol mappers within Keycloak. User realm role protocol mappers allow you to define a claim containing the list of the realm roles. Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between multiple different clients.

Example Usage (Client)

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const openidClient = new keycloak.openid.Client("openid_client", {
    realmId: realm.id,
    clientId: "test-client",
    name: "test client",
    enabled: true,
    accessType: "CONFIDENTIAL",
    validRedirectUris: ["http://localhost:8080/openid-callback"],
});
const userRealmRoleMapper = new keycloak.openid.UserRealmRoleProtocolMapper("user_realm_role_mapper", {
    realmId: realm.id,
    clientId: openidClient.id,
    name: "user-realm-role-mapper",
    claimName: "foo",
});

import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
openid_client = keycloak.openid.Client("openid_client",
    realm_id=realm.id,
    client_id="test-client",
    name="test client",
    enabled=True,
    access_type="CONFIDENTIAL",
    valid_redirect_uris=["http://localhost:8080/openid-callback"])
user_realm_role_mapper = keycloak.openid.UserRealmRoleProtocolMapper("user_realm_role_mapper",
    realm_id=realm.id,
    client_id=openid_client.id,
    name="user-realm-role-mapper",
    claim_name="foo")

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });
    var openidClient = new Keycloak.OpenId.Client("openid_client", new()
    {
        RealmId = realm.Id,
        ClientId = "test-client",
        Name = "test client",
        Enabled = true,
        AccessType = "CONFIDENTIAL",
        ValidRedirectUris = new[]
        {
            "http://localhost:8080/openid-callback",
        },
    });
    var userRealmRoleMapper = new Keycloak.OpenId.UserRealmRoleProtocolMapper("user_realm_role_mapper", new()
    {
        RealmId = realm.Id,
        ClientId = openidClient.Id,
        Name = "user-realm-role-mapper",
        ClaimName = "foo",
    });
});

package main
import (
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		openidClient, err := openid.NewClient(ctx, "openid_client", &openid.ClientArgs{
			RealmId:    realm.ID(),
			ClientId:   pulumi.String("test-client"),
			Name:       pulumi.String("test client"),
			Enabled:    pulumi.Bool(true),
			AccessType: pulumi.String("CONFIDENTIAL"),
			ValidRedirectUris: pulumi.StringArray{
				pulumi.String("http://localhost:8080/openid-callback"),
			},
		})
		if err != nil {
			return err
		}
		_, err = openid.NewUserRealmRoleProtocolMapper(ctx, "user_realm_role_mapper", &openid.UserRealmRoleProtocolMapperArgs{
			RealmId:   realm.ID(),
			ClientId:  openidClient.ID(),
			Name:      pulumi.String("user-realm-role-mapper"),
			ClaimName: pulumi.String("foo"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.openid.UserRealmRoleProtocolMapper;
import com.pulumi.keycloak.openid.UserRealmRoleProtocolMapperArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());
        var openidClient = new Client("openidClient", ClientArgs.builder()
            .realmId(realm.id())
            .clientId("test-client")
            .name("test client")
            .enabled(true)
            .accessType("CONFIDENTIAL")
            .validRedirectUris("http://localhost:8080/openid-callback")
            .build());
        var userRealmRoleMapper = new UserRealmRoleProtocolMapper("userRealmRoleMapper", UserRealmRoleProtocolMapperArgs.builder()
            .realmId(realm.id())
            .clientId(openidClient.id())
            .name("user-realm-role-mapper")
            .claimName("foo")
            .build());
    }
}

resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  openidClient:
    type: keycloak:openid:Client
    name: openid_client
    properties:
      realmId: ${realm.id}
      clientId: test-client
      name: test client
      enabled: true
      accessType: CONFIDENTIAL
      validRedirectUris:
        - http://localhost:8080/openid-callback
  userRealmRoleMapper:
    type: keycloak:openid:UserRealmRoleProtocolMapper
    name: user_realm_role_mapper
    properties:
      realmId: ${realm.id}
      clientId: ${openidClient.id}
      name: user-realm-role-mapper
      claimName: foo

Example Usage (Client Scope)

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const clientScope = new keycloak.openid.ClientScope("client_scope", {
    realmId: realm.id,
    name: "test-client-scope",
});
const userRealmRoleMapper = new keycloak.openid.UserRealmRoleProtocolMapper("user_realm_role_mapper", {
    realmId: realm.id,
    clientScopeId: clientScope.id,
    name: "user-realm-role-mapper",
    claimName: "foo",
});

import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
client_scope = keycloak.openid.ClientScope("client_scope",
    realm_id=realm.id,
    name="test-client-scope")
user_realm_role_mapper = keycloak.openid.UserRealmRoleProtocolMapper("user_realm_role_mapper",
    realm_id=realm.id,
    client_scope_id=client_scope.id,
    name="user-realm-role-mapper",
    claim_name="foo")

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });
    var clientScope = new Keycloak.OpenId.ClientScope("client_scope", new()
    {
        RealmId = realm.Id,
        Name = "test-client-scope",
    });
    var userRealmRoleMapper = new Keycloak.OpenId.UserRealmRoleProtocolMapper("user_realm_role_mapper", new()
    {
        RealmId = realm.Id,
        ClientScopeId = clientScope.Id,
        Name = "user-realm-role-mapper",
        ClaimName = "foo",
    });
});

package main
import (
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		clientScope, err := openid.NewClientScope(ctx, "client_scope", &openid.ClientScopeArgs{
			RealmId: realm.ID(),
			Name:    pulumi.String("test-client-scope"),
		})
		if err != nil {
			return err
		}
		_, err = openid.NewUserRealmRoleProtocolMapper(ctx, "user_realm_role_mapper", &openid.UserRealmRoleProtocolMapperArgs{
			RealmId:       realm.ID(),
			ClientScopeId: clientScope.ID(),
			Name:          pulumi.String("user-realm-role-mapper"),
			ClaimName:     pulumi.String("foo"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.ClientScope;
import com.pulumi.keycloak.openid.ClientScopeArgs;
import com.pulumi.keycloak.openid.UserRealmRoleProtocolMapper;
import com.pulumi.keycloak.openid.UserRealmRoleProtocolMapperArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());
        var clientScope = new ClientScope("clientScope", ClientScopeArgs.builder()
            .realmId(realm.id())
            .name("test-client-scope")
            .build());
        var userRealmRoleMapper = new UserRealmRoleProtocolMapper("userRealmRoleMapper", UserRealmRoleProtocolMapperArgs.builder()
            .realmId(realm.id())
            .clientScopeId(clientScope.id())
            .name("user-realm-role-mapper")
            .claimName("foo")
            .build());
    }
}

resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  clientScope:
    type: keycloak:openid:ClientScope
    name: client_scope
    properties:
      realmId: ${realm.id}
      name: test-client-scope
  userRealmRoleMapper:
    type: keycloak:openid:UserRealmRoleProtocolMapper
    name: user_realm_role_mapper
    properties:
      realmId: ${realm.id}
      clientScopeId: ${clientScope.id}
      name: user-realm-role-mapper
      claimName: foo

Argument Reference

The following arguments are supported:

realm_id - (Required) The realm this protocol mapper exists within.
client_id - (Required if client_scope_id is not specified) The client this protocol mapper is attached to.
client_scope_id - (Required if client_id is not specified) The client scope this protocol mapper is attached to.
name - (Required) The display name of this protocol mapper in the GUI.
claim_name - (Required) The name of the claim to insert into a token.
claim_value_type - (Optional) The claim type used when serializing JSON tokens. Can be one of String, long, int, or boolean. Defaults to String.
multivalued - (Optional) Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to true.
realm_role_prefix - (Optional) A prefix for each Realm Role.
add_to_id_token - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to true.
add_to_access_token - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to true.
add_to_userinfo - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to true.

Import

Protocol mappers can be imported using one of the following formats:

Client: {{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}
Client Scope: {{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}} Example:

$ terraform import keycloak_openid_user_realm_role_protocol_mapper.user_realm_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4
$ terraform import keycloak_openid_user_realm_role_protocol_mapper.user_realm_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4

Constructors

UserRealmRoleProtocolMapperArgs

constructor(addToAccessToken: Output<Boolean>? = null, addToIdToken: Output<Boolean>? = null, addToUserinfo: Output<Boolean>? = null, claimName: Output<String>? = null, claimValueType: Output<String>? = null, clientId: Output<String>? = null, clientScopeId: Output<String>? = null, multivalued: Output<Boolean>? = null, name: Output<String>? = null, realmId: Output<String>? = null, realmRolePrefix: Output<String>? = null)