get
suspend fun getClientAuthorizationPolicy(argument: GetClientAuthorizationPolicyPlainArgs): GetClientAuthorizationPolicyResult
This data source can be used to fetch policy and permission information for an OpenID client that has authorization enabled.
Example Usage
In this example, we'll create a new OpenID client with authorization enabled. This will cause Keycloak to create a default permission for this client called "Default Permission". We'll use the keycloak.openid.getClientAuthorizationPolicy data source to fetch information about this permission, so we can use it to create a new resource-based authorization permission.
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const clientWithAuthz = new keycloak.openid.Client("client_with_authz", {
clientId: "client-with-authz",
name: "client-with-authz",
realmId: realm.id,
accessType: "CONFIDENTIAL",
serviceAccountsEnabled: true,
authorization: {
policyEnforcementMode: "ENFORCING",
},
});
const defaultPermission = keycloak.openid.getClientAuthorizationPolicyOutput({
realmId: realm.id,
resourceServerId: clientWithAuthz.resourceServerId,
name: "Default Permission",
});
const resource = new keycloak.openid.ClientAuthorizationResource("resource", {
resourceServerId: clientWithAuthz.resourceServerId,
name: "authorization-resource",
realmId: realm.id,
uris: ["/endpoint/*"],
attributes: {
foo: "bar",
},
});
const permission = new keycloak.openid.ClientAuthorizationPermission("permission", {
resourceServerId: clientWithAuthz.resourceServerId,
realmId: realm.id,
name: "authorization-permission",
policies: [defaultPermission.apply(defaultPermission => defaultPermission.id)],
resources: [resource.id],
});Content copied to clipboard
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
client_with_authz = keycloak.openid.Client("client_with_authz",
client_id="client-with-authz",
name="client-with-authz",
realm_id=realm.id,
access_type="CONFIDENTIAL",
service_accounts_enabled=True,
authorization={
"policy_enforcement_mode": "ENFORCING",
})
default_permission = keycloak.openid.get_client_authorization_policy_output(realm_id=realm.id,
resource_server_id=client_with_authz.resource_server_id,
name="Default Permission")
resource = keycloak.openid.ClientAuthorizationResource("resource",
resource_server_id=client_with_authz.resource_server_id,
name="authorization-resource",
realm_id=realm.id,
uris=["/endpoint/*"],
attributes={
"foo": "bar",
})
permission = keycloak.openid.ClientAuthorizationPermission("permission",
resource_server_id=client_with_authz.resource_server_id,
realm_id=realm.id,
name="authorization-permission",
policies=[default_permission.id],
resources=[resource.id])Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var clientWithAuthz = new Keycloak.OpenId.Client("client_with_authz", new()
{
ClientId = "client-with-authz",
Name = "client-with-authz",
RealmId = realm.Id,
AccessType = "CONFIDENTIAL",
ServiceAccountsEnabled = true,
Authorization = new Keycloak.OpenId.Inputs.ClientAuthorizationArgs
{
PolicyEnforcementMode = "ENFORCING",
},
});
var defaultPermission = Keycloak.OpenId.GetClientAuthorizationPolicy.Invoke(new()
{
RealmId = realm.Id,
ResourceServerId = clientWithAuthz.ResourceServerId,
Name = "Default Permission",
});
var resource = new Keycloak.OpenId.ClientAuthorizationResource("resource", new()
{
ResourceServerId = clientWithAuthz.ResourceServerId,
Name = "authorization-resource",
RealmId = realm.Id,
Uris = new[]
{
"/endpoint/*",
},
Attributes =
{
{ "foo", "bar" },
},
});
var permission = new Keycloak.OpenId.ClientAuthorizationPermission("permission", new()
{
ResourceServerId = clientWithAuthz.ResourceServerId,
RealmId = realm.Id,
Name = "authorization-permission",
Policies = new[]
{
defaultPermission.Apply(getClientAuthorizationPolicyResult => getClientAuthorizationPolicyResult.Id),
},
Resources = new[]
{
resource.Id,
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
clientWithAuthz, err := openid.NewClient(ctx, "client_with_authz", &openid.ClientArgs{
ClientId: pulumi.String("client-with-authz"),
Name: pulumi.String("client-with-authz"),
RealmId: realm.ID(),
AccessType: pulumi.String("CONFIDENTIAL"),
ServiceAccountsEnabled: pulumi.Bool(true),
Authorization: &openid.ClientAuthorizationArgs{
PolicyEnforcementMode: pulumi.String("ENFORCING"),
},
})
if err != nil {
return err
}
defaultPermission := openid.GetClientAuthorizationPolicyOutput(ctx, openid.GetClientAuthorizationPolicyOutputArgs{
RealmId: realm.ID(),
ResourceServerId: clientWithAuthz.ResourceServerId,
Name: pulumi.String("Default Permission"),
}, nil)
resource, err := openid.NewClientAuthorizationResource(ctx, "resource", &openid.ClientAuthorizationResourceArgs{
ResourceServerId: clientWithAuthz.ResourceServerId,
Name: pulumi.String("authorization-resource"),
RealmId: realm.ID(),
Uris: pulumi.StringArray{
pulumi.String("/endpoint/*"),
},
Attributes: pulumi.StringMap{
"foo": pulumi.String("bar"),
},
})
if err != nil {
return err
}
_, err = openid.NewClientAuthorizationPermission(ctx, "permission", &openid.ClientAuthorizationPermissionArgs{
ResourceServerId: clientWithAuthz.ResourceServerId,
RealmId: realm.ID(),
Name: pulumi.String("authorization-permission"),
Policies: pulumi.StringArray{
pulumi.String(defaultPermission.ApplyT(func(defaultPermission openid.GetClientAuthorizationPolicyResult) (*string, error) {
return &defaultPermission.Id, nil
}).(pulumi.StringPtrOutput)),
},
Resources: pulumi.StringArray{
resource.ID(),
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.openid.inputs.ClientAuthorizationArgs;
import com.pulumi.keycloak.openid.OpenidFunctions;
import com.pulumi.keycloak.openid.inputs.GetClientAuthorizationPolicyArgs;
import com.pulumi.keycloak.openid.ClientAuthorizationResource;
import com.pulumi.keycloak.openid.ClientAuthorizationResourceArgs;
import com.pulumi.keycloak.openid.ClientAuthorizationPermission;
import com.pulumi.keycloak.openid.ClientAuthorizationPermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var clientWithAuthz = new Client("clientWithAuthz", ClientArgs.builder()
.clientId("client-with-authz")
.name("client-with-authz")
.realmId(realm.id())
.accessType("CONFIDENTIAL")
.serviceAccountsEnabled(true)
.authorization(ClientAuthorizationArgs.builder()
.policyEnforcementMode("ENFORCING")
.build())
.build());
final var defaultPermission = OpenidFunctions.getClientAuthorizationPolicy(GetClientAuthorizationPolicyArgs.builder()
.realmId(realm.id())
.resourceServerId(clientWithAuthz.resourceServerId())
.name("Default Permission")
.build());
var resource = new ClientAuthorizationResource("resource", ClientAuthorizationResourceArgs.builder()
.resourceServerId(clientWithAuthz.resourceServerId())
.name("authorization-resource")
.realmId(realm.id())
.uris("/endpoint/*")
.attributes(Map.of("foo", "bar"))
.build());
var permission = new ClientAuthorizationPermission("permission", ClientAuthorizationPermissionArgs.builder()
.resourceServerId(clientWithAuthz.resourceServerId())
.realmId(realm.id())
.name("authorization-permission")
.policies(defaultPermission.applyValue(_defaultPermission -> _defaultPermission.id()))
.resources(resource.id())
.build());
}
}Content copied to clipboard
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
clientWithAuthz:
type: keycloak:openid:Client
name: client_with_authz
properties:
clientId: client-with-authz
name: client-with-authz
realmId: ${realm.id}
accessType: CONFIDENTIAL
serviceAccountsEnabled: true
authorization:
policyEnforcementMode: ENFORCING
resource:
type: keycloak:openid:ClientAuthorizationResource
properties:
resourceServerId: ${clientWithAuthz.resourceServerId}
name: authorization-resource
realmId: ${realm.id}
uris:
- /endpoint/*
attributes:
foo: bar
permission:
type: keycloak:openid:ClientAuthorizationPermission
properties:
resourceServerId: ${clientWithAuthz.resourceServerId}
realmId: ${realm.id}
name: authorization-permission
policies:
- ${defaultPermission.id}
resources:
- ${resource.id}
variables:
defaultPermission:
fn::invoke:
function: keycloak:openid:getClientAuthorizationPolicy
arguments:
realmId: ${realm.id}
resourceServerId: ${clientWithAuthz.resourceServerId}
name: Default PermissionContent copied to clipboard
Return
A collection of values returned by getClientAuthorizationPolicy. //////
Parameters
argument
A collection of arguments for invoking getClientAuthorizationPolicy.
suspend fun getClientAuthorizationPolicy(name: String, realmId: String, resourceServerId: String): GetClientAuthorizationPolicyResult
Return
A collection of values returned by getClientAuthorizationPolicy.
Parameters
name
The name of the authorization policy.
realm
The realm this authorization policy exists within.
resource
The ID of the resource server this authorization policy is attached to.
See also
suspend fun getClientAuthorizationPolicy(argument: suspend GetClientAuthorizationPolicyPlainArgsBuilder.() -> Unit): GetClientAuthorizationPolicyResult
Return
A collection of values returned by getClientAuthorizationPolicy.
Parameters
argument
Builder for com.pulumi.keycloak.openid.kotlin.inputs.GetClientAuthorizationPolicyPlainArgs.