Client Policy Args
/**
 * Arguments for creating a Keycloak client policy: a policy attached to one resource
 * server of a realm that is satisfied by the clients listed in [clients].
 *
 * @property clients ids of the clients this policy applies to (presumably; the property
 *   description is not on this page, confirm against the provider docs)
 * @property decisionStrategy (Computed) how the policies attached to a permission are
 *   evaluated and combined into a final decision: AFFIRMATIVE, CONSENSUS, or UNANIMOUS.
 *   Applies to permissions.
 * @property description the description of this client policy
 * @property logic policy logic; the example uses "POSITIVE", other accepted values are
 *   not listed on this page
 * @property name name of the policy as shown in Keycloak (inferred from the example)
 * @property realmId the realm the policy belongs to (inferred from the example)
 * @property resourceServerId the ID of the resource server this client policy is attached to
 */
data class ClientPolicyArgs(val clients: Output<List<String>>? = null, val decisionStrategy: Output<String>? = null, val description: Output<String>? = null, val logic: Output<String>? = null, val name: Output<String>? = null, val realmId: Output<String>? = null, val resourceServerId: Output<String>? = null) : ConvertibleToJava<ClientPolicyArgs>
This resource can be used to create client policy.
Example Usage
In this example, we'll create a new OpenID client, then enable permissions for the client. A client that does not have permissions enabled cannot be assigned to a client policy. We'll use the keycloak.openid.ClientPolicy
resource to create a new client policy, which could be applied to many clients, for a realm and a resource_server_id.
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
// Realm that owns every resource below.
const myRealm = new keycloak.Realm("realm", { realm: "my-realm", enabled: true });

// Confidential client with a service account; permissions are enabled on it next so
// that it can be referenced from a client policy.
const client = new keycloak.openid.Client("openid_client", {
    clientId: "openid_client",
    name: "openid_client",
    realmId: myRealm.id,
    accessType: "CONFIDENTIAL",
    serviceAccountsEnabled: true,
});
const permissions = new keycloak.openid.ClientPermissions("my_permission", {
    realmId: myRealm.id,
    clientId: client.id,
});

// The built-in realm-management client is the resource server the policy is attached to.
const realmMgmt = keycloak.openid.getClient({ realmId: "my-realm", clientId: "realm-management" });
const resourceServerId = pulumi.output(realmMgmt).id;

const policy = new keycloak.openid.ClientPolicy("token_exchange", {
    resourceServerId,
    realmId: myRealm.id,
    name: "my-policy",
    logic: "POSITIVE",
    decisionStrategy: "UNANIMOUS",
    // Only this client satisfies the policy; keep the list as narrow as the use case needs.
    clients: [client.id],
});
import pulumi
import pulumi_keycloak as keycloak
# Realm that owns every resource below.
my_realm = keycloak.Realm("realm", realm="my-realm", enabled=True)

# Confidential client with a service account; permissions are enabled on it next
# so that it can be referenced from a client policy.
client = keycloak.openid.Client(
    "openid_client",
    client_id="openid_client",
    name="openid_client",
    realm_id=my_realm.id,
    access_type="CONFIDENTIAL",
    service_accounts_enabled=True,
)
permissions = keycloak.openid.ClientPermissions(
    "my_permission",
    realm_id=my_realm.id,
    client_id=client.id,
)

# The built-in realm-management client is the resource server the policy is attached to.
realm_mgmt = keycloak.openid.get_client(realm_id="my-realm", client_id="realm-management")

policy = keycloak.openid.ClientPolicy(
    "token_exchange",
    resource_server_id=realm_mgmt.id,
    realm_id=my_realm.id,
    name="my-policy",
    logic="POSITIVE",
    decision_strategy="UNANIMOUS",
    # Only this client satisfies the policy; keep the list as narrow as the use case needs.
    clients=[client.id],
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
    // Realm that owns every resource below.
    var myRealm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });

    // Confidential client with a service account; permissions are enabled on it next
    // so that it can be referenced from a client policy.
    var client = new Keycloak.OpenId.Client("openid_client", new()
    {
        ClientId = "openid_client",
        Name = "openid_client",
        RealmId = myRealm.Id,
        AccessType = "CONFIDENTIAL",
        ServiceAccountsEnabled = true,
    });
    var permissions = new Keycloak.OpenId.ClientPermissions("my_permission", new()
    {
        RealmId = myRealm.Id,
        ClientId = client.Id,
    });

    // The built-in realm-management client is the resource server the policy is attached to.
    var realmMgmt = Keycloak.OpenId.GetClient.Invoke(new()
    {
        RealmId = "my-realm",
        ClientId = "realm-management",
    });
    var resourceServerId = realmMgmt.Apply(result => result.Id);

    var policy = new Keycloak.OpenId.ClientPolicy("token_exchange", new()
    {
        ResourceServerId = resourceServerId,
        RealmId = myRealm.Id,
        Name = "my-policy",
        Logic = "POSITIVE",
        DecisionStrategy = "UNANIMOUS",
        // Only this client satisfies the policy; keep the list as narrow as the use case needs.
        Clients = new[] { client.Id },
    });
});
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Realm that owns every resource below.
		myRealm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}

		// Confidential client with a service account; permissions are enabled on it
		// next so that it can be referenced from a client policy.
		client, err := openid.NewClient(ctx, "openid_client", &openid.ClientArgs{
			ClientId:               pulumi.String("openid_client"),
			Name:                   pulumi.String("openid_client"),
			RealmId:                myRealm.ID(),
			AccessType:             pulumi.String("CONFIDENTIAL"),
			ServiceAccountsEnabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		if _, err := openid.NewClientPermissions(ctx, "my_permission", &openid.ClientPermissionsArgs{
			RealmId:  myRealm.ID(),
			ClientId: client.ID(),
		}); err != nil {
			return err
		}

		// The built-in realm-management client is the resource server the policy is attached to.
		realmMgmt, err := openid.LookupClient(ctx, &openid.LookupClientArgs{
			RealmId:  "my-realm",
			ClientId: "realm-management",
		}, nil)
		if err != nil {
			return err
		}

		// Only the listed client satisfies the policy; keep the list as narrow as the use case needs.
		_, err = openid.NewClientPolicy(ctx, "token_exchange", &openid.ClientPolicyArgs{
			ResourceServerId: pulumi.String(realmMgmt.Id),
			RealmId:          myRealm.ID(),
			Name:             pulumi.String("my-policy"),
			Logic:            pulumi.String("POSITIVE"),
			DecisionStrategy: pulumi.String("UNANIMOUS"),
			Clients:          pulumi.StringArray{client.ID()},
		})
		// A nil err here is exactly the success return of the original flow.
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.openid.ClientPermissions;
import com.pulumi.keycloak.openid.ClientPermissionsArgs;
import com.pulumi.keycloak.openid.OpenidFunctions;
import com.pulumi.keycloak.openid.inputs.GetClientArgs;
import com.pulumi.keycloak.openid.ClientPolicy;
import com.pulumi.keycloak.openid.ClientPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
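public class App {
    /** Program entry point: hands the stack definition to the Pulumi engine. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the example resources: a realm, a confidential OpenID client with a
     * service account and permissions enabled, and a client policy attached to the
     * realm-management resource server that lists only that client.
     *
     * @param ctx Pulumi deployment context; unused here but required by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        // Realm that owns every resource below.
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());

        // Confidential client with a service account; permissions are enabled on it
        // next so that it can be referenced from a client policy.
        var openidClient = new Client("openidClient", ClientArgs.builder()
            .clientId("openid_client")
            .name("openid_client")
            .realmId(realm.id())
            .accessType("CONFIDENTIAL")
            .serviceAccountsEnabled(true)
            .build());
        // Registering the resource is the side effect; the handle itself is not needed.
        new ClientPermissions("myPermission", ClientPermissionsArgs.builder()
            .realmId(realm.id())
            .clientId(openidClient.id())
            .build());

        // The built-in realm-management client is the resource server the policy is attached to.
        // getClient returns an Output of the result, so the id has to be unwrapped with
        // applyValue; calling id() directly on the Output does not compile.
        final var realmManagement = OpenidFunctions.getClient(GetClientArgs.builder()
            .realmId("my-realm")
            .clientId("realm-management")
            .build());
        Output<String> resourceServerId = realmManagement.applyValue(getClientResult -> getClientResult.id());

        new ClientPolicy("tokenExchange", ClientPolicyArgs.builder()
            .resourceServerId(resourceServerId)
            .realmId(realm.id())
            .name("my-policy")
            .logic("POSITIVE")
            .decisionStrategy("UNANIMOUS")
            // clients takes a list of ids, not a single Output<String>; wrap the one id.
            // Only this client satisfies the policy; keep the list as narrow as the use case needs.
            .clients(openidClient.id().applyValue(clientId -> List.of(clientId)))
            .build());
    }
}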
resources:
  # Realm that owns every resource below.
  realm:
    type: keycloak:Realm
    properties:
      enabled: true
      realm: "my-realm"
  # Confidential client with a service account; permissions are enabled on it
  # (myPermission) so that it can be referenced from a client policy.
  openidClient:
    type: keycloak:openid:Client
    name: openid_client
    properties:
      realmId: ${realm.id}
      clientId: openid_client
      name: openid_client
      accessType: CONFIDENTIAL
      serviceAccountsEnabled: true
  myPermission:
    type: keycloak:openid:ClientPermissions
    name: my_permission
    properties:
      clientId: ${openidClient.id}
      realmId: ${realm.id}
  # Only the listed client satisfies the policy; keep the list as narrow as the use case needs.
  tokenExchange:
    type: keycloak:openid:ClientPolicy
    name: token_exchange
    properties:
      realmId: ${realm.id}
      resourceServerId: ${realmManagement.id}
      name: "my-policy"
      logic: POSITIVE
      decisionStrategy: UNANIMOUS
      clients:
        - ${openidClient.id}
variables:
  # The built-in realm-management client is the resource server the policy is attached to.
  realmManagement:
    fn::invoke:
      function: keycloak:openid:getClient
      arguments:
        realmId: "my-realm"
        clientId: "realm-management"
Properties
decisionStrategy: (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Can be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
description: The description of this client policy.
resourceServerId: The ID of the resource server this client policy is attached to.