Identity
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const tokenExchangeRealm = new keycloak.Realm("token_exchange_realm", {
realm: "token-exchange_destination_realm",
enabled: true,
});
const tokenExchangeMyOidcIdp = new keycloak.oidc.IdentityProvider("token_exchange_my_oidc_idp", {
realm: tokenExchangeRealm.id,
alias: "myIdp",
authorizationUrl: "http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth",
tokenUrl: "http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token",
clientId: "clientId",
clientSecret: "secret",
defaultScopes: "openid",
});
const token_exchangeWebappClient = new keycloak.openid.Client("token-exchange_webapp_client", {
realmId: tokenExchangeRealm.id,
name: "webapp_client",
clientId: "webapp_client",
clientSecret: "secret",
description: "a webapp client on the destination realm",
accessType: "CONFIDENTIAL",
standardFlowEnabled: true,
validRedirectUris: ["http://localhost:8080/*"],
});
//relevant part
const oidcIdpPermission = new keycloak.IdentityProviderTokenExchangeScopePermission("oidc_idp_permission", {
realmId: tokenExchangeRealm.id,
providerAlias: tokenExchangeMyOidcIdp.alias,
policyType: "client",
clients: [token_exchangeWebappClient.id],
});Content copied to clipboard
import pulumi
import pulumi_keycloak as keycloak
token_exchange_realm = keycloak.Realm("token_exchange_realm",
realm="token-exchange_destination_realm",
enabled=True)
token_exchange_my_oidc_idp = keycloak.oidc.IdentityProvider("token_exchange_my_oidc_idp",
realm=token_exchange_realm.id,
alias="myIdp",
authorization_url="http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth",
token_url="http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token",
client_id="clientId",
client_secret="secret",
default_scopes="openid")
token_exchange_webapp_client = keycloak.openid.Client("token-exchange_webapp_client",
realm_id=token_exchange_realm.id,
name="webapp_client",
client_id="webapp_client",
client_secret="secret",
description="a webapp client on the destination realm",
access_type="CONFIDENTIAL",
standard_flow_enabled=True,
valid_redirect_uris=["http://localhost:8080/*"])
#relevant part
oidc_idp_permission = keycloak.IdentityProviderTokenExchangeScopePermission("oidc_idp_permission",
realm_id=token_exchange_realm.id,
provider_alias=token_exchange_my_oidc_idp.alias,
policy_type="client",
clients=[token_exchange_webapp_client.id])Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var tokenExchangeRealm = new Keycloak.Realm("token_exchange_realm", new()
{
RealmName = "token-exchange_destination_realm",
Enabled = true,
});
var tokenExchangeMyOidcIdp = new Keycloak.Oidc.IdentityProvider("token_exchange_my_oidc_idp", new()
{
Realm = tokenExchangeRealm.Id,
Alias = "myIdp",
AuthorizationUrl = "http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth",
TokenUrl = "http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token",
ClientId = "clientId",
ClientSecret = "secret",
DefaultScopes = "openid",
});
var token_exchangeWebappClient = new Keycloak.OpenId.Client("token-exchange_webapp_client", new()
{
RealmId = tokenExchangeRealm.Id,
Name = "webapp_client",
ClientId = "webapp_client",
ClientSecret = "secret",
Description = "a webapp client on the destination realm",
AccessType = "CONFIDENTIAL",
StandardFlowEnabled = true,
ValidRedirectUris = new[]
{
"http://localhost:8080/*",
},
});
//relevant part
var oidcIdpPermission = new Keycloak.IdentityProviderTokenExchangeScopePermission("oidc_idp_permission", new()
{
RealmId = tokenExchangeRealm.Id,
ProviderAlias = tokenExchangeMyOidcIdp.Alias,
PolicyType = "client",
Clients = new[]
{
token_exchangeWebappClient.Id,
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/oidc"
"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
tokenExchangeRealm, err := keycloak.NewRealm(ctx, "token_exchange_realm", &keycloak.RealmArgs{
Realm: pulumi.String("token-exchange_destination_realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
tokenExchangeMyOidcIdp, err := oidc.NewIdentityProvider(ctx, "token_exchange_my_oidc_idp", &oidc.IdentityProviderArgs{
Realm: tokenExchangeRealm.ID(),
Alias: pulumi.String("myIdp"),
AuthorizationUrl: pulumi.String("http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth"),
TokenUrl: pulumi.String("http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token"),
ClientId: pulumi.String("clientId"),
ClientSecret: pulumi.String("secret"),
DefaultScopes: pulumi.String("openid"),
})
if err != nil {
return err
}
_, err = openid.NewClient(ctx, "token-exchange_webapp_client", &openid.ClientArgs{
RealmId: tokenExchangeRealm.ID(),
Name: pulumi.String("webapp_client"),
ClientId: pulumi.String("webapp_client"),
ClientSecret: pulumi.String("secret"),
Description: pulumi.String("a webapp client on the destination realm"),
AccessType: pulumi.String("CONFIDENTIAL"),
StandardFlowEnabled: pulumi.Bool(true),
ValidRedirectUris: pulumi.StringArray{
pulumi.String("http://localhost:8080/*"),
},
})
if err != nil {
return err
}
// relevant part
_, err = keycloak.NewIdentityProviderTokenExchangeScopePermission(ctx, "oidc_idp_permission", &keycloak.IdentityProviderTokenExchangeScopePermissionArgs{
RealmId: tokenExchangeRealm.ID(),
ProviderAlias: tokenExchangeMyOidcIdp.Alias,
PolicyType: pulumi.String("client"),
Clients: pulumi.StringArray{
token_exchangeWebappClient.ID(),
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.oidc.IdentityProvider;
import com.pulumi.keycloak.oidc.IdentityProviderArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.IdentityProviderTokenExchangeScopePermission;
import com.pulumi.keycloak.IdentityProviderTokenExchangeScopePermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var tokenExchangeRealm = new Realm("tokenExchangeRealm", RealmArgs.builder()
.realm("token-exchange_destination_realm")
.enabled(true)
.build());
var tokenExchangeMyOidcIdp = new IdentityProvider("tokenExchangeMyOidcIdp", IdentityProviderArgs.builder()
.realm(tokenExchangeRealm.id())
.alias("myIdp")
.authorizationUrl("http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth")
.tokenUrl("http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token")
.clientId("clientId")
.clientSecret("secret")
.defaultScopes("openid")
.build());
var token_exchangeWebappClient = new Client("token-exchangeWebappClient", ClientArgs.builder()
.realmId(tokenExchangeRealm.id())
.name("webapp_client")
.clientId("webapp_client")
.clientSecret("secret")
.description("a webapp client on the destination realm")
.accessType("CONFIDENTIAL")
.standardFlowEnabled(true)
.validRedirectUris("http://localhost:8080/*")
.build());
//relevant part
var oidcIdpPermission = new IdentityProviderTokenExchangeScopePermission("oidcIdpPermission", IdentityProviderTokenExchangeScopePermissionArgs.builder()
.realmId(tokenExchangeRealm.id())
.providerAlias(tokenExchangeMyOidcIdp.alias())
.policyType("client")
.clients(token_exchangeWebappClient.id())
.build());
}
}Content copied to clipboard
resources:
tokenExchangeRealm:
type: keycloak:Realm
name: token_exchange_realm
properties:
realm: token-exchange_destination_realm
enabled: true
tokenExchangeMyOidcIdp:
type: keycloak:oidc:IdentityProvider
name: token_exchange_my_oidc_idp
properties:
realm: ${tokenExchangeRealm.id}
alias: myIdp
authorizationUrl: http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth
tokenUrl: http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token
clientId: clientId
clientSecret: secret
defaultScopes: openid
token-exchangeWebappClient:
type: keycloak:openid:Client
name: token-exchange_webapp_client
properties:
realmId: ${tokenExchangeRealm.id}
name: webapp_client
clientId: webapp_client
clientSecret: secret
description: a webapp client on the destination realm
accessType: CONFIDENTIAL
standardFlowEnabled: true
validRedirectUris:
- http://localhost:8080/*
# relevant part
oidcIdpPermission:
type: keycloak:IdentityProviderTokenExchangeScopePermission
name: oidc_idp_permission
properties:
realmId: ${tokenExchangeRealm.id}
providerAlias: ${tokenExchangeMyOidcIdp.alias}
policyType: client
clients:
- ${["token-exchangeWebappClient"].id}Content copied to clipboard
Import
This resource can be imported using the format {{realm_id}}/{{provider_alias}}, where provider_alias is the alias that you assign to the identity provider upon creation. Example: bash
$ pulumi import keycloak:index/identityProviderTokenExchangeScopePermission:IdentityProviderTokenExchangeScopePermission oidc_idp_permission my-realm/myIdpContent copied to clipboard
//////
Properties
Link copied to clipboard
(Computed) Resource ID representing the identity provider, this automatically created by keycloak.
Link copied to clipboard
(Computed) Resource server ID representing the realm management client on which this permission is managed.
Link copied to clipboard
(Computed) Permission ID representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy ID will be set on this permission.
Link copied to clipboard
Defaults to "client" This is also the only value policy type supported by this provider.
Link copied to clipboard
Alias of the identity provider.
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard