pulumi-keycloak-kotlin/com.pulumi.keycloak.kotlin/IdentityProviderTokenExchangeScopePermissionArgs

IdentityProviderTokenExchangeScopePermissionArgs

data class IdentityProviderTokenExchangeScopePermissionArgs(val clients: Output<List<String>>? = null, val policyType: Output<String>? = null, val providerAlias: Output<String>? = null, val realmId: Output<String>? = null) : ConvertibleToJava<IdentityProviderTokenExchangeScopePermissionArgs>

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const tokenExchangeRealm = new keycloak.Realm("token_exchange_realm", {
    realm: "token-exchange_destination_realm",
    enabled: true,
});
const tokenExchangeMyOidcIdp = new keycloak.oidc.IdentityProvider("token_exchange_my_oidc_idp", {
    realm: tokenExchangeRealm.id,
    alias: "myIdp",
    authorizationUrl: "http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth",
    tokenUrl: "http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token",
    clientId: "clientId",
    clientSecret: "secret",
    defaultScopes: "openid",
});
const token_exchangeWebappClient = new keycloak.openid.Client("token-exchange_webapp_client", {
    realmId: tokenExchangeRealm.id,
    name: "webapp_client",
    clientId: "webapp_client",
    clientSecret: "secret",
    description: "a webapp client on the destination realm",
    accessType: "CONFIDENTIAL",
    standardFlowEnabled: true,
    validRedirectUris: ["http://localhost:8080/*"],
});
//relevant part
const oidcIdpPermission = new keycloak.IdentityProviderTokenExchangeScopePermission("oidc_idp_permission", {
    realmId: tokenExchangeRealm.id,
    providerAlias: tokenExchangeMyOidcIdp.alias,
    policyType: "client",
    clients: [token_exchangeWebappClient&#46;id],
});

import pulumi
import pulumi_keycloak as keycloak
token_exchange_realm = keycloak.Realm("token_exchange_realm",
    realm="token-exchange_destination_realm",
    enabled=True)
token_exchange_my_oidc_idp = keycloak.oidc.IdentityProvider("token_exchange_my_oidc_idp",
    realm=token_exchange_realm.id,
    alias="myIdp",
    authorization_url="http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth",
    token_url="http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token",
    client_id="clientId",
    client_secret="secret",
    default_scopes="openid")
token_exchange_webapp_client = keycloak.openid.Client("token-exchange_webapp_client",
    realm_id=token_exchange_realm.id,
    name="webapp_client",
    client_id="webapp_client",
    client_secret="secret",
    description="a webapp client on the destination realm",
    access_type="CONFIDENTIAL",
    standard_flow_enabled=True,
    valid_redirect_uris=["http://localhost:8080/*"])
#relevant part
oidc_idp_permission = keycloak.IdentityProviderTokenExchangeScopePermission("oidc_idp_permission",
    realm_id=token_exchange_realm.id,
    provider_alias=token_exchange_my_oidc_idp.alias,
    policy_type="client",
    clients=[token_exchange_webapp_client&#46;id])

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
    var tokenExchangeRealm = new Keycloak.Realm("token_exchange_realm", new()
    {
        RealmName = "token-exchange_destination_realm",
        Enabled = true,
    });
    var tokenExchangeMyOidcIdp = new Keycloak.Oidc.IdentityProvider("token_exchange_my_oidc_idp", new()
    {
        Realm = tokenExchangeRealm.Id,
        Alias = "myIdp",
        AuthorizationUrl = "http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth",
        TokenUrl = "http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token",
        ClientId = "clientId",
        ClientSecret = "secret",
        DefaultScopes = "openid",
    });
    var token_exchangeWebappClient = new Keycloak.OpenId.Client("token-exchange_webapp_client", new()
    {
        RealmId = tokenExchangeRealm.Id,
        Name = "webapp_client",
        ClientId = "webapp_client",
        ClientSecret = "secret",
        Description = "a webapp client on the destination realm",
        AccessType = "CONFIDENTIAL",
        StandardFlowEnabled = true,
        ValidRedirectUris = new[]
        {
            "http://localhost:8080/*",
        },
    });
    //relevant part
    var oidcIdpPermission = new Keycloak.IdentityProviderTokenExchangeScopePermission("oidc_idp_permission", new()
    {
        RealmId = tokenExchangeRealm.Id,
        ProviderAlias = tokenExchangeMyOidcIdp.Alias,
        PolicyType = "client",
        Clients = new[]
        {
            token_exchangeWebappClient.Id,
        },
    });
});

package main
import (
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/oidc"
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		tokenExchangeRealm, err := keycloak.NewRealm(ctx, "token_exchange_realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("token-exchange_destination_realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		tokenExchangeMyOidcIdp, err := oidc.NewIdentityProvider(ctx, "token_exchange_my_oidc_idp", &oidc.IdentityProviderArgs{
			Realm:            tokenExchangeRealm.ID(),
			Alias:            pulumi.String("myIdp"),
			AuthorizationUrl: pulumi.String("http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth"),
			TokenUrl:         pulumi.String("http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token"),
			ClientId:         pulumi.String("clientId"),
			ClientSecret:     pulumi.String("secret"),
			DefaultScopes:    pulumi.String("openid"),
		})
		if err != nil {
			return err
		}
		_, err = openid.NewClient(ctx, "token-exchange_webapp_client", &openid.ClientArgs{
			RealmId:             tokenExchangeRealm.ID(),
			Name:                pulumi.String("webapp_client"),
			ClientId:            pulumi.String("webapp_client"),
			ClientSecret:        pulumi.String("secret"),
			Description:         pulumi.String("a webapp client on the destination realm"),
			AccessType:          pulumi.String("CONFIDENTIAL"),
			StandardFlowEnabled: pulumi.Bool(true),
			ValidRedirectUris: pulumi.StringArray{
				pulumi.String("http://localhost:8080/*"),
			},
		})
		if err != nil {
			return err
		}
		// relevant part
		_, err = keycloak.NewIdentityProviderTokenExchangeScopePermission(ctx, "oidc_idp_permission", &keycloak.IdentityProviderTokenExchangeScopePermissionArgs{
			RealmId:       tokenExchangeRealm.ID(),
			ProviderAlias: tokenExchangeMyOidcIdp.Alias,
			PolicyType:    pulumi.String("client"),
			Clients: pulumi.StringArray{
				token_exchangeWebappClient.ID(),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.oidc.IdentityProvider;
import com.pulumi.keycloak.oidc.IdentityProviderArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.IdentityProviderTokenExchangeScopePermission;
import com.pulumi.keycloak.IdentityProviderTokenExchangeScopePermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var tokenExchangeRealm = new Realm("tokenExchangeRealm", RealmArgs.builder()
            .realm("token-exchange_destination_realm")
            .enabled(true)
            .build());
        var tokenExchangeMyOidcIdp = new IdentityProvider("tokenExchangeMyOidcIdp", IdentityProviderArgs.builder()
            .realm(tokenExchangeRealm.id())
            .alias("myIdp")
            .authorizationUrl("http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth")
            .tokenUrl("http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token")
            .clientId("clientId")
            .clientSecret("secret")
            .defaultScopes("openid")
            .build());
        var token_exchangeWebappClient = new Client("token-exchangeWebappClient", ClientArgs.builder()
            .realmId(tokenExchangeRealm.id())
            .name("webapp_client")
            .clientId("webapp_client")
            .clientSecret("secret")
            .description("a webapp client on the destination realm")
            .accessType("CONFIDENTIAL")
            .standardFlowEnabled(true)
            .validRedirectUris("http://localhost:8080/*")
            .build());
        //relevant part
        var oidcIdpPermission = new IdentityProviderTokenExchangeScopePermission("oidcIdpPermission", IdentityProviderTokenExchangeScopePermissionArgs.builder()
            .realmId(tokenExchangeRealm.id())
            .providerAlias(tokenExchangeMyOidcIdp.alias())
            .policyType("client")
            .clients(token_exchangeWebappClient.id())
            .build());
    }
}

resources:
  tokenExchangeRealm:
    type: keycloak:Realm
    name: token_exchange_realm
    properties:
      realm: token-exchange_destination_realm
      enabled: true
  tokenExchangeMyOidcIdp:
    type: keycloak:oidc:IdentityProvider
    name: token_exchange_my_oidc_idp
    properties:
      realm: ${tokenExchangeRealm.id}
      alias: myIdp
      authorizationUrl: http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth
      tokenUrl: http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token
      clientId: clientId
      clientSecret: secret
      defaultScopes: openid
  token-exchangeWebappClient:
    type: keycloak:openid:Client
    name: token-exchange_webapp_client
    properties:
      realmId: ${tokenExchangeRealm.id}
      name: webapp_client
      clientId: webapp_client
      clientSecret: secret
      description: a webapp client on the destination realm
      accessType: CONFIDENTIAL
      standardFlowEnabled: true
      validRedirectUris:
        - http://localhost:8080/*
  # relevant part
  oidcIdpPermission:
    type: keycloak:IdentityProviderTokenExchangeScopePermission
    name: oidc_idp_permission
    properties:
      realmId: ${tokenExchangeRealm.id}
      providerAlias: ${tokenExchangeMyOidcIdp.alias}
      policyType: client
      clients:
        - ${["token-exchangeWebappClient"].id}

Import

This resource can be imported using the format {{realm_id}}/{{provider_alias}}, where provider_alias is the alias that you assign to the identity provider upon creation. Example: bash

$ pulumi import keycloak:index/identityProviderTokenExchangeScopePermission:IdentityProviderTokenExchangeScopePermission oidc_idp_permission my-realm/myIdp

Constructors

IdentityProviderTokenExchangeScopePermissionArgs

constructor(clients: Output<List<String>>? = null, policyType: Output<String>? = null, providerAlias: Output<String>? = null, realmId: Output<String>? = null)

Properties

clients

val clients: Output<List<String>>? = null

A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission.

policyType

val policyType: Output<String>? = null

Defaults to "client" This is also the only value policy type supported by this provider.

providerAlias

val providerAlias: Output<String>? = null

Alias of the identity provider.

realmId

val realmId: Output<String>? = null

The realm that the identity provider exists in. //////

Functions

toJava

open override fun toJava(): IdentityProviderTokenExchangeScopePermissionArgs