Client Policy
This resource can be used to create a client policy.
Example Usage
In this example, we'll create a new OpenID client, then enable permissions for the client. A client whose permissions are not enabled cannot be assigned to a client policy. We'll use the keycloak.openid.ClientPolicy
resource to create a new client policy, which could be applied to many clients, for a realm and a resource_server_id.
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
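// Realm that owns the client, its permissions and the policy below.
const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});

// Confidential client with a service account: it can obtain tokens with its
// own credentials, so its secret is sensitive. NOTE(review): any secret the
// resource exports ends up in Pulumi state — treat the state as secret.
const openidClient = new keycloak.openid.Client("openid_client", {
    clientId: "openid_client",
    name: "openid_client",
    realmId: realm.id,
    accessType: "CONFIDENTIAL",
    serviceAccountsEnabled: true,
});

// Enable permissions on the client; a client policy can only reference
// clients that have permissions enabled.
const myPermission = new keycloak.openid.ClientPermissions("my_permission", {
    realmId: realm.id,
    clientId: openidClient.id,
});

// Built-in realm-management client, the resource server the policy attaches
// to. The Output form of the invoke is used with `realm.id` instead of the
// literal realm name so the lookup depends on the realm and runs after it
// exists; a plain `getClient` with a literal ran before the realm was created
// on a fresh stack and failed.
const realmManagement = keycloak.openid.getClientOutput({
    realmId: realm.id,
    clientId: "realm-management",
});

// The policy applies to `openidClient` only. On its own it grants nothing; it
// takes effect once a permission on the resource server references it
// (presumably a token-exchange permission — confirm against the permission
// that consumes this policy).
const tokenExchange = new keycloak.openid.ClientPolicy("token_exchange", {
    resourceServerId: realmManagement.id,
    realmId: realm.id,
    name: "my-policy",
    logic: "POSITIVE",
    decisionStrategy: "UNANIMOUS",
    clients: [openidClient.id],
});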
import pulumi
import pulumi_keycloak as keycloak
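# Realm that owns the client, its permissions and the policy below.
realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)

# Confidential client with a service account: it can obtain tokens with its
# own credentials, so its secret is sensitive. NOTE(review): any secret the
# resource exports ends up in Pulumi state; treat the state as secret.
openid_client = keycloak.openid.Client("openid_client",
    client_id="openid_client",
    name="openid_client",
    realm_id=realm.id,
    access_type="CONFIDENTIAL",
    service_accounts_enabled=True)

# Enable permissions on the client; a client policy can only reference
# clients that have permissions enabled.
my_permission = keycloak.openid.ClientPermissions("my_permission",
    realm_id=realm.id,
    client_id=openid_client.id)

# Built-in realm-management client, the resource server the policy attaches
# to. The Output form of the invoke is used with realm.id instead of the
# literal realm name so the lookup depends on the realm and runs after it
# exists; a plain get_client with a literal ran before the realm was created
# on a fresh stack and failed.
realm_management = keycloak.openid.get_client_output(realm_id=realm.id,
    client_id="realm-management")

# The policy applies to openid_client only. On its own it grants nothing; it
# takes effect once a permission on the resource server references it
# (presumably a token-exchange permission -- confirm against the permission
# that consumes this policy).
token_exchange = keycloak.openid.ClientPolicy("token_exchange",
    resource_server_id=realm_management.id,
    realm_id=realm.id,
    name="my-policy",
    logic="POSITIVE",
    decision_strategy="UNANIMOUS",
    clients=[openid_client.id])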
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
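return await Deployment.RunAsync(() =>
{
    // Realm that owns the client, its permissions and the policy below.
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });

    // Confidential client with a service account: it can obtain tokens with its
    // own credentials, so its secret is sensitive. NOTE(review): any secret the
    // resource exports ends up in Pulumi state; treat the state as secret.
    var openidClient = new Keycloak.OpenId.Client("openid_client", new()
    {
        ClientId = "openid_client",
        Name = "openid_client",
        RealmId = realm.Id,
        AccessType = "CONFIDENTIAL",
        ServiceAccountsEnabled = true,
    });

    // Enable permissions on the client; a client policy can only reference
    // clients that have permissions enabled.
    var myPermission = new Keycloak.OpenId.ClientPermissions("my_permission", new()
    {
        RealmId = realm.Id,
        ClientId = openidClient.Id,
    });

    // Built-in realm-management client, the resource server the policy attaches
    // to. Passing realm.Id instead of the literal realm name makes the invoke
    // depend on the realm, so it runs after the realm exists instead of failing
    // on a fresh stack where the realm is not created yet.
    var realmManagement = Keycloak.OpenId.GetClient.Invoke(new()
    {
        RealmId = realm.Id,
        ClientId = "realm-management",
    });

    // The policy applies to openidClient only. On its own it grants nothing; it
    // takes effect once a permission on the resource server references it
    // (presumably a token-exchange permission - confirm against the permission
    // that consumes this policy).
    var tokenExchange = new Keycloak.OpenId.ClientPolicy("token_exchange", new()
    {
        ResourceServerId = realmManagement.Apply(getClientResult => getClientResult.Id),
        RealmId = realm.Id,
        Name = "my-policy",
        Logic = "POSITIVE",
        DecisionStrategy = "UNANIMOUS",
        Clients = new[]
        {
            openidClient.Id,
        },
    });
});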
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
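func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Realm that owns the client, its permissions and the policy below.
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}

		// Confidential client with a service account: it can obtain tokens
		// with its own credentials, so its secret is sensitive. NOTE(review):
		// any secret the resource exports ends up in Pulumi state.
		openidClient, err := openid.NewClient(ctx, "openid_client", &openid.ClientArgs{
			ClientId:               pulumi.String("openid_client"),
			Name:                   pulumi.String("openid_client"),
			RealmId:                realm.ID(),
			AccessType:             pulumi.String("CONFIDENTIAL"),
			ServiceAccountsEnabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}

		// Enable permissions on the client; a client policy can only
		// reference clients that have permissions enabled.
		_, err = openid.NewClientPermissions(ctx, "my_permission", &openid.ClientPermissionsArgs{
			RealmId:  realm.ID(),
			ClientId: openidClient.ID(),
		})
		if err != nil {
			return err
		}

		// Built-in realm-management client, the resource server the policy
		// attaches to. The Output form of the lookup is used with realm.ID()
		// instead of the literal realm name so it depends on the realm and
		// runs after it exists; LookupClient with a literal ran before the
		// realm was created on a fresh stack and failed.
		realmManagement := openid.LookupClientOutput(ctx, openid.LookupClientOutputArgs{
			RealmId:  realm.ID(),
			ClientId: pulumi.String("realm-management"),
		})

		// The policy applies to openidClient only. On its own it grants
		// nothing; it takes effect once a permission on the resource server
		// references it (presumably a token-exchange permission - confirm
		// against the permission that consumes this policy).
		_, err = openid.NewClientPolicy(ctx, "token_exchange", &openid.ClientPolicyArgs{
			ResourceServerId: realmManagement.Id(),
			RealmId:          realm.ID(),
			Name:             pulumi.String("my-policy"),
			Logic:            pulumi.String("POSITIVE"),
			DecisionStrategy: pulumi.String("UNANIMOUS"),
			Clients: pulumi.StringArray{
				openidClient.ID(),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}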
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.openid.ClientPermissions;
import com.pulumi.keycloak.openid.ClientPermissionsArgs;
import com.pulumi.keycloak.openid.OpenidFunctions;
import com.pulumi.keycloak.openid.inputs.GetClientArgs;
import com.pulumi.keycloak.openid.ClientPolicy;
import com.pulumi.keycloak.openid.ClientPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
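public class App {
    /** Entry point: hands the program definition to the Pulumi engine. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a realm, a confidential client with permissions enabled, and a client policy on the
     * realm's built-in realm-management resource server that applies to that client.
     *
     * @param ctx the program context supplied by {@link Pulumi#run}; not used directly here
     */
    public static void stack(Context ctx) {
        // Realm that owns the client, its permissions and the policy below.
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());

        // Confidential client with a service account: it can obtain tokens with its own
        // credentials, so its secret is sensitive. NOTE(review): any secret the resource exports
        // ends up in Pulumi state; treat the state as secret.
        var openidClient = new Client("openidClient", ClientArgs.builder()
            .clientId("openid_client")
            .name("openid_client")
            .realmId(realm.id())
            .accessType("CONFIDENTIAL")
            .serviceAccountsEnabled(true)
            .build());

        // Enable permissions on the client; a client policy can only reference clients that have
        // permissions enabled. Registered for its side effect only, so the result is not kept.
        new ClientPermissions("myPermission", ClientPermissionsArgs.builder()
            .realmId(realm.id())
            .clientId(openidClient.id())
            .build());

        // Built-in realm-management client, the resource server the policy attaches to. Passing
        // realm.id() instead of the literal realm name makes the lookup depend on the realm, so it
        // runs after the realm exists; with the literal it ran before creation on a fresh stack
        // and failed.
        final var realmManagement = OpenidFunctions.getClient(GetClientArgs.builder()
            .realmId(realm.id())
            .clientId("realm-management")
            .build());

        // The policy applies to openidClient only. On its own it grants nothing; it takes effect
        // once a permission on the resource server references it (presumably a token-exchange
        // permission - confirm against the permission that consumes this policy).
        new ClientPolicy("tokenExchange", ClientPolicyArgs.builder()
            .resourceServerId(realmManagement.applyValue(getClientResult -> getClientResult.id()))
            .realmId(realm.id())
            .name("my-policy")
            .logic("POSITIVE")
            .decisionStrategy("UNANIMOUS")
            .clients(openidClient.id())
            .build());
    }
}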
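resources:
  # Realm that owns the client, its permissions and the policy below.
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  # Confidential client with a service account: it can obtain tokens with its
  # own credentials, so its secret is sensitive. NOTE(review): any secret the
  # resource exports ends up in Pulumi state; treat the state as secret.
  openidClient:
    type: keycloak:openid:Client
    name: openid_client
    properties:
      clientId: openid_client
      name: openid_client
      realmId: ${realm.id}
      accessType: CONFIDENTIAL
      serviceAccountsEnabled: true
  # Enable permissions on the client; a client policy can only reference
  # clients that have permissions enabled.
  myPermission:
    type: keycloak:openid:ClientPermissions
    name: my_permission
    properties:
      realmId: ${realm.id}
      clientId: ${openidClient.id}
  # The policy applies to openidClient only. On its own it grants nothing; it
  # takes effect once a permission on the resource server references it
  # (presumably a token-exchange permission - confirm against the permission
  # that consumes this policy).
  tokenExchange:
    type: keycloak:openid:ClientPolicy
    name: token_exchange
    properties:
      resourceServerId: ${realmManagement.id}
      realmId: ${realm.id}
      name: my-policy
      logic: POSITIVE
      decisionStrategy: UNANIMOUS
      clients:
        - ${openidClient.id}
variables:
  # Built-in realm-management client, the resource server the policy attaches
  # to. Referencing ${realm.id} instead of the literal realm name makes the
  # invoke depend on the realm, so it runs after the realm exists instead of
  # failing on a fresh stack where the realm is not created yet.
  realmManagement:
    fn::invoke:
      Function: keycloak:openid:getClient
      Arguments:
        realmId: ${realm.id}
        clientId: realm-management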
Properties
(Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions.
The description of this client policy.
The ID of the resource server this client policy is attached to.