Client
Allows for creating and managing Keycloak clients that use the OpenID Connect protocol. Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users to Keycloak for authentication in order to take advantage of Keycloak's user sessions for SSO.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const openidClient = new keycloak.openid.Client("openid_client", {
realmId: realm.id,
clientId: "test-client",
name: "test client",
enabled: true,
accessType: "CONFIDENTIAL",
validRedirectUris: ["http://localhost:8080/openid-callback"],
loginTheme: "keycloak",
extraConfig: {
key1: "value1",
key2: "value2",
},
});import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
openid_client = keycloak.openid.Client("openid_client",
realm_id=realm.id,
client_id="test-client",
name="test client",
enabled=True,
access_type="CONFIDENTIAL",
valid_redirect_uris=["http://localhost:8080/openid-callback"],
login_theme="keycloak",
extra_config={
"key1": "value1",
"key2": "value2",
})using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var openidClient = new Keycloak.OpenId.Client("openid_client", new()
{
RealmId = realm.Id,
ClientId = "test-client",
Name = "test client",
Enabled = true,
AccessType = "CONFIDENTIAL",
ValidRedirectUris = new[]
{
"http://localhost:8080/openid-callback",
},
LoginTheme = "keycloak",
ExtraConfig =
{
{ "key1", "value1" },
{ "key2", "value2" },
},
});
});package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = openid.NewClient(ctx, "openid_client", &openid.ClientArgs{
RealmId: realm.ID(),
ClientId: pulumi.String("test-client"),
Name: pulumi.String("test client"),
Enabled: pulumi.Bool(true),
AccessType: pulumi.String("CONFIDENTIAL"),
ValidRedirectUris: pulumi.StringArray{
pulumi.String("http://localhost:8080/openid-callback"),
},
LoginTheme: pulumi.String("keycloak"),
ExtraConfig: pulumi.StringMap{
"key1": pulumi.String("value1"),
"key2": pulumi.String("value2"),
},
})
if err != nil {
return err
}
return nil
})
}package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var openidClient = new Client("openidClient", ClientArgs.builder()
.realmId(realm.id())
.clientId("test-client")
.name("test client")
.enabled(true)
.accessType("CONFIDENTIAL")
.validRedirectUris("http://localhost:8080/openid-callback")
.loginTheme("keycloak")
.extraConfig(Map.ofEntries(
Map.entry("key1", "value1"),
Map.entry("key2", "value2")
))
.build());
}
}resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
openidClient:
type: keycloak:openid:Client
name: openid_client
properties:
realmId: ${realm.id}
clientId: test-client
name: test client
enabled: true
accessType: CONFIDENTIAL
validRedirectUris:
- http://localhost:8080/openid-callback
loginTheme: keycloak
extraConfig:
key1: value1
key2: value2Import
Clients can be imported using the format {{realm_id}}/{{client_keycloak_id}}, where client_keycloak_id is the unique ID that Keycloak assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. Example: bash
$ pulumi import keycloak:openid/client:Client openid_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352Properties
The amount of time in seconds before an access token expires. This will override the default for the realm.
Specifies the type of client, which can be one of the following:
Always list this client in the Account UI, even if the user does not have an active session.
Override realm authentication flow bindings
When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:
Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
When true, users have to consent to client access. Defaults to false.
The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
The description of this client in the GUI.
When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
When true, the parameter iss will not be included in OpenID Connect Authentication Response.
When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
Allow to include all roles mappings in the access token.
When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.
The client login theme. This will override the default theme for the realm.
Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
The maximum amount of time a client has to finish the device code flow before it expires.
The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.
(Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
(Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
A list of valid URIs a browser is permitted to redirect to after a successful logout.
A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.