User
Allows for creating and managing user client role protocol mappers within Keycloak. User client role protocol mappers allow you to define a claim containing the list of a client roles. Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between multiple different clients.
Example Usage
Client)
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const openidClient = new keycloak.openid.Client("openid_client", {
realmId: realm.id,
clientId: "client",
name: "client",
enabled: true,
accessType: "CONFIDENTIAL",
validRedirectUris: ["http://localhost:8080/openid-callback"],
});
const userClientRoleMapper = new keycloak.openid.UserClientRoleProtocolMapper("user_client_role_mapper", {
realmId: realm.id,
clientId: openidClient.id,
name: "user-client-role-mapper",
claimName: "foo",
});Content copied to clipboard
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
openid_client = keycloak.openid.Client("openid_client",
realm_id=realm.id,
client_id="client",
name="client",
enabled=True,
access_type="CONFIDENTIAL",
valid_redirect_uris=["http://localhost:8080/openid-callback"])
user_client_role_mapper = keycloak.openid.UserClientRoleProtocolMapper("user_client_role_mapper",
realm_id=realm.id,
client_id=openid_client.id,
name="user-client-role-mapper",
claim_name="foo")Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var openidClient = new Keycloak.OpenId.Client("openid_client", new()
{
RealmId = realm.Id,
ClientId = "client",
Name = "client",
Enabled = true,
AccessType = "CONFIDENTIAL",
ValidRedirectUris = new[]
{
"http://localhost:8080/openid-callback",
},
});
var userClientRoleMapper = new Keycloak.OpenId.UserClientRoleProtocolMapper("user_client_role_mapper", new()
{
RealmId = realm.Id,
ClientId = openidClient.Id,
Name = "user-client-role-mapper",
ClaimName = "foo",
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
openidClient, err := openid.NewClient(ctx, "openid_client", &openid.ClientArgs{
RealmId: realm.ID(),
ClientId: pulumi.String("client"),
Name: pulumi.String("client"),
Enabled: pulumi.Bool(true),
AccessType: pulumi.String("CONFIDENTIAL"),
ValidRedirectUris: pulumi.StringArray{
pulumi.String("http://localhost:8080/openid-callback"),
},
})
if err != nil {
return err
}
_, err = openid.NewUserClientRoleProtocolMapper(ctx, "user_client_role_mapper", &openid.UserClientRoleProtocolMapperArgs{
RealmId: realm.ID(),
ClientId: openidClient.ID(),
Name: pulumi.String("user-client-role-mapper"),
ClaimName: pulumi.String("foo"),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.openid.UserClientRoleProtocolMapper;
import com.pulumi.keycloak.openid.UserClientRoleProtocolMapperArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var openidClient = new Client("openidClient", ClientArgs.builder()
.realmId(realm.id())
.clientId("client")
.name("client")
.enabled(true)
.accessType("CONFIDENTIAL")
.validRedirectUris("http://localhost:8080/openid-callback")
.build());
var userClientRoleMapper = new UserClientRoleProtocolMapper("userClientRoleMapper", UserClientRoleProtocolMapperArgs.builder()
.realmId(realm.id())
.clientId(openidClient.id())
.name("user-client-role-mapper")
.claimName("foo")
.build());
}
}Content copied to clipboard
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
openidClient:
type: keycloak:openid:Client
name: openid_client
properties:
realmId: ${realm.id}
clientId: client
name: client
enabled: true
accessType: CONFIDENTIAL
validRedirectUris:
- http://localhost:8080/openid-callback
userClientRoleMapper:
type: keycloak:openid:UserClientRoleProtocolMapper
name: user_client_role_mapper
properties:
realmId: ${realm.id}
clientId: ${openidClient.id}
name: user-client-role-mapper
claimName: fooContent copied to clipboard
Client Scope)
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const clientScope = new keycloak.openid.ClientScope("client_scope", {
realmId: realm.id,
name: "client-scope",
});
const userClientRoleMapper = new keycloak.openid.UserClientRoleProtocolMapper("user_client_role_mapper", {
realmId: realm.id,
clientScopeId: clientScope.id,
name: "user-client-role-mapper",
claimName: "foo",
});Content copied to clipboard
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
client_scope = keycloak.openid.ClientScope("client_scope",
realm_id=realm.id,
name="client-scope")
user_client_role_mapper = keycloak.openid.UserClientRoleProtocolMapper("user_client_role_mapper",
realm_id=realm.id,
client_scope_id=client_scope.id,
name="user-client-role-mapper",
claim_name="foo")Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var clientScope = new Keycloak.OpenId.ClientScope("client_scope", new()
{
RealmId = realm.Id,
Name = "client-scope",
});
var userClientRoleMapper = new Keycloak.OpenId.UserClientRoleProtocolMapper("user_client_role_mapper", new()
{
RealmId = realm.Id,
ClientScopeId = clientScope.Id,
Name = "user-client-role-mapper",
ClaimName = "foo",
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
clientScope, err := openid.NewClientScope(ctx, "client_scope", &openid.ClientScopeArgs{
RealmId: realm.ID(),
Name: pulumi.String("client-scope"),
})
if err != nil {
return err
}
_, err = openid.NewUserClientRoleProtocolMapper(ctx, "user_client_role_mapper", &openid.UserClientRoleProtocolMapperArgs{
RealmId: realm.ID(),
ClientScopeId: clientScope.ID(),
Name: pulumi.String("user-client-role-mapper"),
ClaimName: pulumi.String("foo"),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.ClientScope;
import com.pulumi.keycloak.openid.ClientScopeArgs;
import com.pulumi.keycloak.openid.UserClientRoleProtocolMapper;
import com.pulumi.keycloak.openid.UserClientRoleProtocolMapperArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var clientScope = new ClientScope("clientScope", ClientScopeArgs.builder()
.realmId(realm.id())
.name("client-scope")
.build());
var userClientRoleMapper = new UserClientRoleProtocolMapper("userClientRoleMapper", UserClientRoleProtocolMapperArgs.builder()
.realmId(realm.id())
.clientScopeId(clientScope.id())
.name("user-client-role-mapper")
.claimName("foo")
.build());
}
}Content copied to clipboard
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
clientScope:
type: keycloak:openid:ClientScope
name: client_scope
properties:
realmId: ${realm.id}
name: client-scope
userClientRoleMapper:
type: keycloak:openid:UserClientRoleProtocolMapper
name: user_client_role_mapper
properties:
realmId: ${realm.id}
clientScopeId: ${clientScope.id}
name: user-client-role-mapper
claimName: fooContent copied to clipboard
Import
Protocol mappers can be imported using one of the following formats:
Client:
{{realm_id}}/client/{{client_keycloak_id}}/{{protocol_mapper_id}}Client Scope:
{{realm_id}}/client-scope/{{client_scope_keycloak_id}}/{{protocol_mapper_id}}Example: bash
$ pulumi import keycloak:openid/userClientRoleProtocolMapper:UserClientRoleProtocolMapper user_client_role_mapper my-realm/client/a7202154-8793-4656-b655-1dd18c181e14/71602afa-f7d1-4788-8c49-ef8fd00af0f4Content copied to clipboard
$ pulumi import keycloak:openid/userClientRoleProtocolMapper:UserClientRoleProtocolMapper user_client_role_mapper my-realm/client-scope/b799ea7e-73ee-4a73-990a-1eafebe8e20a/71602afa-f7d1-4788-8c49-ef8fd00af0f4Content copied to clipboard
Properties
Link copied to clipboard
Indicates if the property should be added as a claim to the access token. Defaults to true.
Link copied to clipboard
Indicates if the property should be added as a claim to the id token. Defaults to true.
Link copied to clipboard
Indicates if the property should be added as a claim to the UserInfo response body. Defaults to true.
Link copied to clipboard
The claim type used when serializing JSON tokens. Can be one of String, JSON, long, int, or boolean. Defaults to String.
Link copied to clipboard
The Client ID for role mappings. Just client roles of this client will be added to the token. If this is unset, client roles of all clients will be added to the token.
Link copied to clipboard
A prefix for each Client Role.
Link copied to clipboard
The client scope this protocol mapper should be attached to. Conflicts with client_id. One of client_id or client_scope_id must be specified.
Link copied to clipboard
Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim. Defaults to false.
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard