
Realm

Allows for creating and managing Realms within Keycloak.

A realm manages a logical collection of users, credentials, roles, and groups. Users log in to realms and can be federated from multiple sources.

Default Client Scopes

  • default_default_client_scopes - (Optional) A list of default default client scopes to be used for client definitions. Defaults to [] or keycloak’s built-in default default client-scopes.
  • default_optional_client_scopes - (Optional) A list of default optional client scopes to be used for client definitions. Defaults to [] or keycloak’s built-in default optional client-scopes.

Example Usage

using Pulumi;
using Keycloak = Pulumi.Keycloak;

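/// <summary>
/// Example stack that provisions one Keycloak realm with a hardened baseline:
/// brute-force detection, security response headers, a password policy and a
/// WebAuthn policy. The SMTP password is pulled from Pulumi stack config as a
/// secret instead of being committed to source.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Secrets belong in encrypted stack config, not in source:
        //   pulumi config set --secret smtpPassword <value>
        // RequireSecret marks the value so it is encrypted in state and
        // redacted from `pulumi preview` / `pulumi up` output.
        var config = new Config();
        var smtpPassword = config.RequireSecret("smtpPassword");

        var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
        {
            // Upper bound on how long a client has to redeem an authorization code.
            AccessCodeLifespan = "1h",
            Attributes = 
            {
                { "mycustomAttribute", "myCustomValue" },
            },
            DisplayName = "my realm",
            // Rendered as raw HTML on the login page; keep this a static, trusted
            // literal and never populate it from user-supplied input.
            DisplayNameHtml = "<b>my realm</b>",
            Enabled = true,
            Internationalization = new Keycloak.Inputs.RealmInternationalizationArgs
            {
                DefaultLocale = "en",
                SupportedLocales = 
                {
                    "en",
                    "de",
                    "es",
                },
            },
            LoginTheme = "base",
            // Keycloak password-policy expression: at least one upper-case
            // character, minimum length 8, forced rotation after 365 days and
            // the password may not equal the username.
            PasswordPolicy = "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername",
            Realm = "my-realm",
            SecurityDefenses = new Keycloak.Inputs.RealmSecurityDefensesArgs
            {
                BruteForceDetection = new Keycloak.Inputs.RealmSecurityDefensesBruteForceDetectionArgs
                {
                    FailureResetTimeSeconds = 43200,
                    MaxFailureWaitSeconds = 900,
                    MaxLoginFailures = 30,
                    MinimumQuickLoginWaitSeconds = 60,
                    // Temporary lockout only: a permanent lockout lets an attacker
                    // lock legitimate users out simply by guessing wrong.
                    PermanentLockout = false,
                    QuickLoginCheckMilliSeconds = 1000,
                    WaitIncrementSeconds = 60,
                },
                Headers = new Keycloak.Inputs.RealmSecurityDefensesHeadersArgs
                {
                    // frame-ancestors 'self' is the CSP-era equivalent of X-Frame-Options
                    // and prevents clickjacking of the login page.
                    ContentSecurityPolicy = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
                    ContentSecurityPolicyReportOnly = "",
                    // One year HSTS; add "; preload" only once every subdomain serves TLS.
                    StrictTransportSecurity = "max-age=31536000; includeSubDomains",
                    XContentTypeOptions = "nosniff",
                    XFrameOptions = "DENY",
                    XRobotsTag = "none",
                    // Legacy header kept for older browsers; current browsers rely on CSP instead.
                    XXssProtection = "1; mode=block",
                },
            },
            SmtpServer = new Keycloak.Inputs.RealmSmtpServerArgs
            {
                Auth = new Keycloak.Inputs.RealmSmtpServerAuthArgs
                {
                    Password = smtpPassword,
                    Username = "tom",
                },
                From = "example@example.com",
                Host = "smtp.example.com",
            },
            // "external" only enforces TLS for non-private addresses; "all" is the
            // stricter choice for any internet-facing deployment.
            SslRequired = "external",
            WebAuthnPolicy = new Keycloak.Inputs.RealmWebAuthnPolicyArgs
            {
                RelyingPartyEntityName = "Example",
                // Must match the registrable domain the login page is served from,
                // otherwise authenticators will refuse the ceremony.
                RelyingPartyId = "keycloak.example.com",
                SignatureAlgorithms = 
                {
                    "ES256",
                    "RS256",
                },
            },
        });
    }

}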
package main

import (
    "github.com/pulumi/pulumi-keycloak/sdk/v3/go/keycloak"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi/config"
)

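// main provisions one Keycloak realm with a hardened baseline: brute-force
// detection, security response headers, a password policy and a WebAuthn
// policy. The SMTP password is read from Pulumi stack config as a secret
// (`pulumi config set --secret smtpPassword <value>`) rather than being
// committed to source.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// RequireSecret yields an output that is encrypted in state and
		// redacted from `pulumi preview` / `pulumi up` output.
		cfg := config.New(ctx, "")
		smtpPassword := cfg.RequireSecret("smtpPassword")

		_, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			// Upper bound on how long a client has to redeem an authorization code.
			AccessCodeLifespan: pulumi.String("1h"),
			Attributes: pulumi.StringMap{
				"mycustomAttribute": pulumi.String("myCustomValue"),
			},
			DisplayName: pulumi.String("my realm"),
			// Rendered as raw HTML on the login page; keep this a static, trusted
			// literal and never populate it from user-supplied input.
			DisplayNameHtml: pulumi.String("<b>my realm</b>"),
			Enabled:         pulumi.Bool(true),
			Internationalization: &keycloak.RealmInternationalizationArgs{
				DefaultLocale: pulumi.String("en"),
				SupportedLocales: pulumi.StringArray{
					pulumi.String("en"),
					pulumi.String("de"),
					pulumi.String("es"),
				},
			},
			LoginTheme: pulumi.String("base"),
			// Keycloak password-policy expression: at least one upper-case
			// character, minimum length 8, forced rotation after 365 days and
			// the password may not equal the username.
			PasswordPolicy: pulumi.String("upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername"),
			Realm:          pulumi.String("my-realm"),
			SecurityDefenses: &keycloak.RealmSecurityDefensesArgs{
				BruteForceDetection: &keycloak.RealmSecurityDefensesBruteForceDetectionArgs{
					FailureResetTimeSeconds:      pulumi.Int(43200),
					MaxFailureWaitSeconds:        pulumi.Int(900),
					MaxLoginFailures:             pulumi.Int(30),
					MinimumQuickLoginWaitSeconds: pulumi.Int(60),
					// Temporary lockout only: a permanent lockout lets an attacker
					// lock legitimate users out simply by guessing wrong.
					PermanentLockout:            pulumi.Bool(false),
					QuickLoginCheckMilliSeconds: pulumi.Int(1000),
					WaitIncrementSeconds:        pulumi.Int(60),
				},
				Headers: &keycloak.RealmSecurityDefensesHeadersArgs{
					// frame-ancestors 'self' is the CSP-era equivalent of X-Frame-Options
					// and prevents clickjacking of the login page.
					ContentSecurityPolicy:           pulumi.String("frame-src 'self'; frame-ancestors 'self'; object-src 'none';"),
					ContentSecurityPolicyReportOnly: pulumi.String(""),
					// One year HSTS; add "; preload" only once every subdomain serves TLS.
					StrictTransportSecurity: pulumi.String("max-age=31536000; includeSubDomains"),
					XContentTypeOptions:     pulumi.String("nosniff"),
					XFrameOptions:           pulumi.String("DENY"),
					XRobotsTag:              pulumi.String("none"),
					// Legacy header kept for older browsers; current browsers rely on CSP instead.
					XXssProtection: pulumi.String("1; mode=block"),
				},
			},
			SmtpServer: &keycloak.RealmSmtpServerArgs{
				Auth: &keycloak.RealmSmtpServerAuthArgs{
					Password: smtpPassword,
					Username: pulumi.String("tom"),
				},
				From: pulumi.String("example@example.com"),
				Host: pulumi.String("smtp.example.com"),
			},
			// "external" only enforces TLS for non-private addresses; "all" is the
			// stricter choice for any internet-facing deployment.
			SslRequired: pulumi.String("external"),
			WebAuthnPolicy: &keycloak.RealmWebAuthnPolicyArgs{
				RelyingPartyEntityName: pulumi.String("Example"),
				// Must match the registrable domain the login page is served from,
				// otherwise authenticators will refuse the ceremony.
				RelyingPartyId: pulumi.String("keycloak.example.com"),
				SignatureAlgorithms: pulumi.StringArray{
					pulumi.String("ES256"),
					pulumi.String("RS256"),
				},
			},
		})
		if err != nil {
			return fmt.Errorf("creating realm: %w", err)
		}
		return nil
	})
}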
import pulumi
import pulumi_keycloak as keycloak

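# Secrets belong in encrypted stack config, not in source:
#   pulumi config set --secret smtpPassword <value>
# require_secret() returns an Output that is encrypted in state and
# redacted from `pulumi preview` / `pulumi up` output.
smtp_password = pulumi.Config().require_secret("smtpPassword")

# One Keycloak realm with a hardened baseline: brute-force detection,
# security response headers, a password policy and a WebAuthn policy.
realm = keycloak.Realm("realm",
    # Upper bound on how long a client has to redeem an authorization code.
    access_code_lifespan="1h",
    attributes={
        "mycustomAttribute": "myCustomValue",
    },
    display_name="my realm",
    # Rendered as raw HTML on the login page; keep this a static, trusted
    # literal and never populate it from user-supplied input.
    display_name_html="<b>my realm</b>",
    enabled=True,
    internationalization=keycloak.RealmInternationalizationArgs(
        default_locale="en",
        supported_locales=[
            "en",
            "de",
            "es",
        ],
    ),
    login_theme="base",
    # Keycloak password-policy expression: at least one upper-case character,
    # minimum length 8, forced rotation after 365 days and the password may
    # not equal the username.
    password_policy="upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername",
    realm="my-realm",
    security_defenses=keycloak.RealmSecurityDefensesArgs(
        brute_force_detection=keycloak.RealmSecurityDefensesBruteForceDetectionArgs(
            failure_reset_time_seconds=43200,
            max_failure_wait_seconds=900,
            max_login_failures=30,
            minimum_quick_login_wait_seconds=60,
            # Temporary lockout only: a permanent lockout lets an attacker
            # lock legitimate users out simply by guessing wrong.
            permanent_lockout=False,
            quick_login_check_milli_seconds=1000,
            wait_increment_seconds=60,
        ),
        headers=keycloak.RealmSecurityDefensesHeadersArgs(
            # frame-ancestors 'self' is the CSP-era equivalent of X-Frame-Options
            # and prevents clickjacking of the login page.
            content_security_policy="frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
            content_security_policy_report_only="",
            # One year HSTS; add "; preload" only once every subdomain serves TLS.
            strict_transport_security="max-age=31536000; includeSubDomains",
            x_content_type_options="nosniff",
            x_frame_options="DENY",
            x_robots_tag="none",
            # Legacy header kept for older browsers; current browsers rely on CSP instead.
            x_xss_protection="1; mode=block",
        ),
    ),
    smtp_server=keycloak.RealmSmtpServerArgs(
        auth=keycloak.RealmSmtpServerAuthArgs(
            password=smtp_password,
            username="tom",
        ),
        from_="example@example.com",
        host="smtp.example.com",
    ),
    # "external" only enforces TLS for non-private addresses; "all" is the
    # stricter choice for any internet-facing deployment.
    ssl_required="external",
    web_authn_policy=keycloak.RealmWebAuthnPolicyArgs(
        relying_party_entity_name="Example",
        # Must match the registrable domain the login page is served from,
        # otherwise authenticators will refuse the ceremony.
        relying_party_id="keycloak.example.com",
        signature_algorithms=[
            "ES256",
            "RS256",
        ],
    ))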
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

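// Secrets belong in encrypted stack config, not in source:
//   pulumi config set --secret smtpPassword <value>
// requireSecret() returns an Output that is encrypted in state and
// redacted from `pulumi preview` / `pulumi up` output.
const smtpPassword = new pulumi.Config().requireSecret("smtpPassword");

// One Keycloak realm with a hardened baseline: brute-force detection,
// security response headers, a password policy and a WebAuthn policy.
const realm = new keycloak.Realm("realm", {
    // Upper bound on how long a client has to redeem an authorization code.
    accessCodeLifespan: "1h",
    attributes: {
        mycustomAttribute: "myCustomValue",
    },
    displayName: "my realm",
    // Rendered as raw HTML on the login page; keep this a static, trusted
    // literal and never populate it from user-supplied input.
    displayNameHtml: "<b>my realm</b>",
    enabled: true,
    internationalization: {
        defaultLocale: "en",
        supportedLocales: [
            "en",
            "de",
            "es",
        ],
    },
    loginTheme: "base",
    // Keycloak password-policy expression: at least one upper-case character,
    // minimum length 8, forced rotation after 365 days and the password may
    // not equal the username.
    passwordPolicy: "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername",
    realm: "my-realm",
    securityDefenses: {
        bruteForceDetection: {
            failureResetTimeSeconds: 43200,
            maxFailureWaitSeconds: 900,
            maxLoginFailures: 30,
            minimumQuickLoginWaitSeconds: 60,
            // Temporary lockout only: a permanent lockout lets an attacker
            // lock legitimate users out simply by guessing wrong.
            permanentLockout: false,
            quickLoginCheckMilliSeconds: 1000,
            waitIncrementSeconds: 60,
        },
        headers: {
            // frame-ancestors 'self' is the CSP-era equivalent of X-Frame-Options
            // and prevents clickjacking of the login page.
            contentSecurityPolicy: "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
            contentSecurityPolicyReportOnly: "",
            // One year HSTS; add "; preload" only once every subdomain serves TLS.
            strictTransportSecurity: "max-age=31536000; includeSubDomains",
            xContentTypeOptions: "nosniff",
            xFrameOptions: "DENY",
            xRobotsTag: "none",
            // Legacy header kept for older browsers; current browsers rely on CSP instead.
            xXssProtection: "1; mode=block",
        },
    },
    smtpServer: {
        auth: {
            password: smtpPassword,
            username: "tom",
        },
        from: "example@example.com",
        host: "smtp.example.com",
    },
    // "external" only enforces TLS for non-private addresses; "all" is the
    // stricter choice for any internet-facing deployment.
    sslRequired: "external",
    webAuthnPolicy: {
        relyingPartyEntityName: "Example",
        // Must match the registrable domain the login page is served from,
        // otherwise authenticators will refuse the ceremony.
        relyingPartyId: "keycloak.example.com",
        signatureAlgorithms: [
            "ES256",
            "RS256",
        ],
    },
});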

Create a Realm Resource

new Realm(name: string, args: RealmArgs, opts?: CustomResourceOptions);
def Realm(resource_name: str, opts: Optional[ResourceOptions] = None, access_code_lifespan: Optional[str] = None, access_code_lifespan_login: Optional[str] = None, access_code_lifespan_user_action: Optional[str] = None, access_token_lifespan: Optional[str] = None, access_token_lifespan_for_implicit_flow: Optional[str] = None, account_theme: Optional[str] = None, action_token_generated_by_admin_lifespan: Optional[str] = None, action_token_generated_by_user_lifespan: Optional[str] = None, admin_theme: Optional[str] = None, attributes: Optional[Mapping[str, Any]] = None, browser_flow: Optional[str] = None, client_authentication_flow: Optional[str] = None, default_default_client_scopes: Optional[Sequence[str]] = None, default_optional_client_scopes: Optional[Sequence[str]] = None, default_signature_algorithm: Optional[str] = None, direct_grant_flow: Optional[str] = None, display_name: Optional[str] = None, display_name_html: Optional[str] = None, docker_authentication_flow: Optional[str] = None, duplicate_emails_allowed: Optional[bool] = None, edit_username_allowed: Optional[bool] = None, email_theme: Optional[str] = None, enabled: Optional[bool] = None, internationalization: Optional[RealmInternationalizationArgs] = None, login_theme: Optional[str] = None, login_with_email_allowed: Optional[bool] = None, offline_session_idle_timeout: Optional[str] = None, offline_session_max_lifespan: Optional[str] = None, offline_session_max_lifespan_enabled: Optional[bool] = None, password_policy: Optional[str] = None, realm: Optional[str] = None, refresh_token_max_reuse: Optional[int] = None, registration_allowed: Optional[bool] = None, registration_email_as_username: Optional[bool] = None, registration_flow: Optional[str] = None, remember_me: Optional[bool] = None, reset_credentials_flow: Optional[str] = None, reset_password_allowed: Optional[bool] = None, revoke_refresh_token: Optional[bool] = None, security_defenses: Optional[RealmSecurityDefensesArgs] = None, smtp_server: 
Optional[RealmSmtpServerArgs] = None, ssl_required: Optional[str] = None, sso_session_idle_timeout: Optional[str] = None, sso_session_idle_timeout_remember_me: Optional[str] = None, sso_session_max_lifespan: Optional[str] = None, sso_session_max_lifespan_remember_me: Optional[str] = None, user_managed_access: Optional[bool] = None, verify_email: Optional[bool] = None, web_authn_passwordless_policy: Optional[RealmWebAuthnPasswordlessPolicyArgs] = None, web_authn_policy: Optional[RealmWebAuthnPolicyArgs] = None)
func NewRealm(ctx *Context, name string, args RealmArgs, opts ...ResourceOption) (*Realm, error)
public Realm(string name, RealmArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args RealmArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
opts ResourceOptions
A bag of options that control this resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args RealmArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args RealmArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

Realm Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The Realm resource accepts the following input properties:

RealmName string

The name of the realm. This is unique across Keycloak. This will also be used as the realm’s internal ID within Keycloak.

AccessCodeLifespan string

The maximum amount of time a client has to finish the authorization code flow.

AccessCodeLifespanLogin string

The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.

AccessCodeLifespanUserAction string

The maximum amount of time a user has to complete login related actions, such as updating a password.

AccessTokenLifespan string

The amount of time an access token can be used before it expires.

AccessTokenLifespanForImplicitFlow string

The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.

AccountTheme string

Used for account management pages.

ActionTokenGeneratedByAdminLifespan string

The maximum time a user has to use an admin-generated permit before it expires.

ActionTokenGeneratedByUserLifespan string

The maximum time a user has to use a user-generated permit before it expires.

AdminTheme string

Used for the admin console.

Attributes Dictionary<string, object>

A map of custom attributes to add to the realm.

BrowserFlow string

The desired flow for browser authentication. Defaults to browser.

ClientAuthenticationFlow string

The desired flow for client authentication. Defaults to clients.

DefaultDefaultClientScopes List<string>
DefaultOptionalClientScopes List<string>
DefaultSignatureAlgorithm string

Default algorithm used to sign tokens for the realm.

DirectGrantFlow string

The desired flow for direct access authentication. Defaults to direct grant.

DisplayName string

The display name for the realm that is shown when logging in to the admin console.

DisplayNameHtml string

The display name for the realm, rendered as raw (unescaped) HTML on the screen when logging in to the admin console. Treat it as trusted markup: set it only from static configuration, never from user-supplied input.

DockerAuthenticationFlow string

The desired flow for Docker authentication. Defaults to docker auth.

DuplicateEmailsAllowed bool

When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.

EditUsernameAllowed bool

When true, the username field is editable.

EmailTheme string

Used for emails that are sent by Keycloak.

Enabled bool

When false, users and clients will not be able to access this realm. Defaults to true.

Internationalization RealmInternationalizationArgs
LoginTheme string

Used for the login, forgot password, and registration pages.

LoginWithEmailAllowed bool

When true, users may log in with their email address.

OfflineSessionIdleTimeout string

The amount of time an offline session can be idle before it expires.

OfflineSessionMaxLifespan string

The maximum amount of time before an offline session expires regardless of activity.

OfflineSessionMaxLifespanEnabled bool

Enable offline_session_max_lifespan.

PasswordPolicy string

The password policy for users within the realm.

RefreshTokenMaxReuse int

Maximum number of times a refresh token can be reused before it is revoked. Only takes effect when ‘revoke_refresh_token’ is enabled; if unspecified while ‘revoke_refresh_token’ is enabled, the default value is 0 and refresh tokens cannot be reused (single-use refresh tokens).

RegistrationAllowed bool

When true, user registration will be enabled, and a link for registration will be displayed on the login page.

RegistrationEmailAsUsername bool

When true, the user’s email will be used as their username during registration.

RegistrationFlow string

The desired flow for user registration. Defaults to registration.

RememberMe bool

When true, a “remember me” checkbox will be displayed on the login page, and the user’s session will not expire between browser restarts.

ResetCredentialsFlow string

The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.

ResetPasswordAllowed bool

When true, a “forgot password” link will be displayed on the login page.

RevokeRefreshToken bool

If enabled, a refresh token can only be used the number of times specified in ‘refresh_token_max_reuse’ before it is revoked; with the default of 0 every refresh token is single-use, which limits the damage from a leaked token. If unspecified, refresh tokens can be reused without limit.

SecurityDefenses RealmSecurityDefensesArgs
SmtpServer RealmSmtpServerArgs
SslRequired string

Can be one of the following values: ‘none’ (TLS never required), ‘external’ (TLS required only for requests from non-private addresses) or ‘all’ (TLS required for every request). ‘all’ is the stricter choice for any internet-facing deployment.

SsoSessionIdleTimeout string

The amount of time a session can be idle before it expires.

SsoSessionIdleTimeoutRememberMe string
SsoSessionMaxLifespan string

The maximum amount of time before a session expires regardless of activity.

SsoSessionMaxLifespanRememberMe string
UserManagedAccess bool

When true, users are allowed to manage their own resources. Defaults to false.

VerifyEmail bool

When true, users are required to verify their email address after registration and after email address changes.

WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyArgs

Configuration for WebAuthn Passwordless Policy authentication.

WebAuthnPolicy RealmWebAuthnPolicyArgs

Configuration for WebAuthn Policy authentication.

Realm string

The name of the realm. This is unique across Keycloak. This will also be used as the realm’s internal ID within Keycloak.

AccessCodeLifespan string

The maximum amount of time a client has to finish the authorization code flow.

AccessCodeLifespanLogin string

The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.

AccessCodeLifespanUserAction string

The maximum amount of time a user has to complete login related actions, such as updating a password.

AccessTokenLifespan string

The amount of time an access token can be used before it expires.

AccessTokenLifespanForImplicitFlow string

The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.

AccountTheme string

Used for account management pages.

ActionTokenGeneratedByAdminLifespan string

The maximum time a user has to use an admin-generated permit before it expires.

ActionTokenGeneratedByUserLifespan string

The maximum time a user has to use a user-generated permit before it expires.

AdminTheme string

Used for the admin console.

Attributes map[string]interface{}

A map of custom attributes to add to the realm.

BrowserFlow string

The desired flow for browser authentication. Defaults to browser.

ClientAuthenticationFlow string

The desired flow for client authentication. Defaults to clients.

DefaultDefaultClientScopes []string
DefaultOptionalClientScopes []string
DefaultSignatureAlgorithm string

Default algorithm used to sign tokens for the realm.

DirectGrantFlow string

The desired flow for direct access authentication. Defaults to direct grant.

DisplayName string

The display name for the realm that is shown when logging in to the admin console.

DisplayNameHtml string

The display name for the realm, rendered as raw (unescaped) HTML on the screen when logging in to the admin console. Treat it as trusted markup: set it only from static configuration, never from user-supplied input.

DockerAuthenticationFlow string

The desired flow for Docker authentication. Defaults to docker auth.

DuplicateEmailsAllowed bool

When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.

EditUsernameAllowed bool

When true, the username field is editable.

EmailTheme string

Used for emails that are sent by Keycloak.

Enabled bool

When false, users and clients will not be able to access this realm. Defaults to true.

Internationalization RealmInternationalization
LoginTheme string

Used for the login, forgot password, and registration pages.

LoginWithEmailAllowed bool

When true, users may log in with their email address.

OfflineSessionIdleTimeout string

The amount of time an offline session can be idle before it expires.

OfflineSessionMaxLifespan string

The maximum amount of time before an offline session expires regardless of activity.

OfflineSessionMaxLifespanEnabled bool

Enable offline_session_max_lifespan.

PasswordPolicy string

The password policy for users within the realm.

RefreshTokenMaxReuse int

Maximum number of times a refresh token can be reused before it is revoked. Only takes effect when ‘revoke_refresh_token’ is enabled; if unspecified while ‘revoke_refresh_token’ is enabled, the default value is 0 and refresh tokens cannot be reused (single-use refresh tokens).

RegistrationAllowed bool

When true, user registration will be enabled, and a link for registration will be displayed on the login page.

RegistrationEmailAsUsername bool

When true, the user’s email will be used as their username during registration.

RegistrationFlow string

The desired flow for user registration. Defaults to registration.

RememberMe bool

When true, a “remember me” checkbox will be displayed on the login page, and the user’s session will not expire between browser restarts.

ResetCredentialsFlow string

The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.

ResetPasswordAllowed bool

When true, a “forgot password” link will be displayed on the login page.

RevokeRefreshToken bool

If enabled, a refresh token can only be used the number of times specified in ‘refresh_token_max_reuse’ before it is revoked; with the default of 0 every refresh token is single-use, which limits the damage from a leaked token. If unspecified, refresh tokens can be reused without limit.

SecurityDefenses RealmSecurityDefenses
SmtpServer RealmSmtpServer
SslRequired string

Can be one of the following values: ‘none’ (TLS never required), ‘external’ (TLS required only for requests from non-private addresses) or ‘all’ (TLS required for every request). ‘all’ is the stricter choice for any internet-facing deployment.

SsoSessionIdleTimeout string

The amount of time a session can be idle before it expires.

SsoSessionIdleTimeoutRememberMe string
SsoSessionMaxLifespan string

The maximum amount of time before a session expires regardless of activity.

SsoSessionMaxLifespanRememberMe string
UserManagedAccess bool

When true, users are allowed to manage their own resources. Defaults to false.

VerifyEmail bool

When true, users are required to verify their email address after registration and after email address changes.

WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicy

Configuration for WebAuthn Passwordless Policy authentication.

WebAuthnPolicy RealmWebAuthnPolicy

Configuration for WebAuthn Policy authentication.

realm string

The name of the realm. This is unique across Keycloak. This will also be used as the realm’s internal ID within Keycloak.

accessCodeLifespan string

The maximum amount of time a client has to finish the authorization code flow.

accessCodeLifespanLogin string

The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.

accessCodeLifespanUserAction string

The maximum amount of time a user has to complete login related actions, such as updating a password.

accessTokenLifespan string

The amount of time an access token can be used before it expires.

accessTokenLifespanForImplicitFlow string

The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.

accountTheme string

Used for account management pages.

actionTokenGeneratedByAdminLifespan string

The maximum time a user has to use an admin-generated permit before it expires.

actionTokenGeneratedByUserLifespan string

The maximum time a user has to use a user-generated permit before it expires.

adminTheme string

Used for the admin console.

attributes {[key: string]: any}

A map of custom attributes to add to the realm.

browserFlow string

The desired flow for browser authentication. Defaults to browser.

clientAuthenticationFlow string

The desired flow for client authentication. Defaults to clients.

defaultDefaultClientScopes string[]
defaultOptionalClientScopes string[]
defaultSignatureAlgorithm string

Default algorithm used to sign tokens for the realm.

directGrantFlow string

The desired flow for direct access authentication. Defaults to direct grant.

displayName string

The display name for the realm that is shown when logging in to the admin console.

displayNameHtml string

The display name for the realm, rendered as raw (unescaped) HTML on the screen when logging in to the admin console. Treat it as trusted markup: set it only from static configuration, never from user-supplied input.

dockerAuthenticationFlow string

The desired flow for Docker authentication. Defaults to docker auth.

duplicateEmailsAllowed boolean

When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.

editUsernameAllowed boolean

When true, the username field is editable.

emailTheme string

Used for emails that are sent by Keycloak.

enabled boolean

When false, users and clients will not be able to access this realm. Defaults to true.

internationalization RealmInternationalization
loginTheme string

Used for the login, forgot password, and registration pages.

loginWithEmailAllowed boolean

When true, users may log in with their email address.

offlineSessionIdleTimeout string

The amount of time an offline session can be idle before it expires.

offlineSessionMaxLifespan string

The maximum amount of time before an offline session expires regardless of activity.

offlineSessionMaxLifespanEnabled boolean

Enable offline_session_max_lifespan.

passwordPolicy string

The password policy for users within the realm.

refreshTokenMaxReuse number

Maximum number of times a refresh token can be reused before it is revoked. Only takes effect when ‘revoke_refresh_token’ is enabled; if unspecified while ‘revoke_refresh_token’ is enabled, the default value is 0 and refresh tokens cannot be reused (single-use refresh tokens).

registrationAllowed boolean

When true, user registration will be enabled, and a link for registration will be displayed on the login page.

registrationEmailAsUsername boolean

When true, the user’s email will be used as their username during registration.

registrationFlow string

The desired flow for user registration. Defaults to registration.

rememberMe boolean

When true, a “remember me” checkbox will be displayed on the login page, and the user’s session will not expire between browser restarts.

resetCredentialsFlow string

The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.

resetPasswordAllowed boolean

When true, a “forgot password” link will be displayed on the login page.

revokeRefreshToken boolean

If enabled, a refresh token can only be used the number of times specified in ‘refresh_token_max_reuse’ before it is revoked; with the default of 0 every refresh token is single-use, which limits the damage from a leaked token. If unspecified, refresh tokens can be reused without limit.

securityDefenses RealmSecurityDefenses
smtpServer RealmSmtpServer
sslRequired string

Can be one of the following values: ‘none’ (TLS never required), ‘external’ (TLS required only for requests from non-private addresses) or ‘all’ (TLS required for every request). ‘all’ is the stricter choice for any internet-facing deployment.

ssoSessionIdleTimeout string

The amount of time a session can be idle before it expires.

ssoSessionIdleTimeoutRememberMe string
ssoSessionMaxLifespan string

The maximum amount of time before a session expires regardless of activity.

ssoSessionMaxLifespanRememberMe string
userManagedAccess boolean

When true, users are allowed to manage their own resources. Defaults to false.

verifyEmail boolean

When true, users are required to verify their email address after registration and after email address changes.

webAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicy

Configuration for WebAuthn Passwordless Policy authentication.

webAuthnPolicy RealmWebAuthnPolicy

Configuration for WebAuthn Policy authentication.

realm str

The name of the realm. This is unique across Keycloak. This will also be used as the realm’s internal ID within Keycloak.

access_code_lifespan str

The maximum amount of time a client has to finish the authorization code flow.

access_code_lifespan_login str

The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.

access_code_lifespan_user_action str

The maximum amount of time a user has to complete login related actions, such as updating a password.

access_token_lifespan str

The amount of time an access token can be used before it expires.

access_token_lifespan_for_implicit_flow str

The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.

account_theme str

Used for account management pages.

action_token_generated_by_admin_lifespan str

The maximum time a user has to use an admin-generated permit before it expires.

action_token_generated_by_user_lifespan str

The maximum time a user has to use a user-generated permit before it expires.

admin_theme str

Used for the admin console.

attributes Mapping[str, Any]

A map of custom attributes to add to the realm.

browser_flow str

The desired flow for browser authentication. Defaults to browser.

client_authentication_flow str

The desired flow for client authentication. Defaults to clients.

default_default_client_scopes Sequence[str]
default_optional_client_scopes Sequence[str]
default_signature_algorithm str

Default algorithm used to sign tokens for the realm.

direct_grant_flow str

The desired flow for direct access authentication. Defaults to direct grant.

display_name str

The display name for the realm that is shown when logging in to the admin console.

display_name_html str

The display name for the realm, rendered as raw (unescaped) HTML on the screen when logging in to the admin console. Treat it as trusted markup: set it only from static configuration, never from user-supplied input.

docker_authentication_flow str

The desired flow for Docker authentication. Defaults to docker auth.

duplicate_emails_allowed bool

When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.

edit_username_allowed bool

When true, the username field is editable.

email_theme str

Used for emails that are sent by Keycloak.

enabled bool

When false, users and clients will not be able to access this realm. Defaults to true.

internationalization RealmInternationalizationArgs
login_theme str

Used for the login, forgot password, and registration pages.

login_with_email_allowed bool

When true, users may log in with their email address.

offline_session_idle_timeout str

The amount of time an offline session can be idle before it expires.

offline_session_max_lifespan str

The maximum amount of time before an offline session expires regardless of activity.

offline_session_max_lifespan_enabled bool

Enable offline_session_max_lifespan.

password_policy str

The password policy for users within the realm.

refresh_token_max_reuse int

Maximum number of times a refresh token can be reused before it is revoked. Only takes effect when ‘revoke_refresh_token’ is enabled; if unspecified while ‘revoke_refresh_token’ is enabled, the default value is 0 and refresh tokens cannot be reused (single-use refresh tokens).

registration_allowed bool

When true, user registration will be enabled, and a link for registration will be displayed on the login page.

registration_email_as_username bool

When true, the user’s email will be used as their username during registration.

registration_flow str

The desired flow for user registration. Defaults to registration.

remember_me bool

When true, a “remember me” checkbox will be displayed on the login page, and the user’s session will not expire between browser restarts.

reset_credentials_flow str

The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.

reset_password_allowed bool

When true, a “forgot password” link will be displayed on the login page.

revoke_refresh_token bool

If enabled, a refresh token can only be used the number of times specified in ‘refresh_token_max_reuse’ before it is revoked; with the default of 0 every refresh token is single-use, which limits the damage from a leaked token. If unspecified, refresh tokens can be reused without limit.

security_defenses RealmSecurityDefensesArgs
smtp_server RealmSmtpServerArgs
ssl_required str

Can be one of the following values: ‘none’ (TLS never required), ‘external’ (TLS required only for requests from non-private addresses) or ‘all’ (TLS required for every request). ‘all’ is the stricter choice for any internet-facing deployment.

sso_session_idle_timeout str

The amount of time a session can be idle before it expires.

sso_session_idle_timeout_remember_me str
sso_session_max_lifespan str

The maximum amount of time before a session expires regardless of activity.

sso_session_max_lifespan_remember_me str
user_managed_access bool

When true, users are allowed to manage their own resources. Defaults to false.

verify_email bool

When true, users are required to verify their email address after registration and after email address changes.

web_authn_passwordless_policy RealmWebAuthnPasswordlessPolicyArgs

Configuration for WebAuthn Passwordless Policy authentication.

web_authn_policy RealmWebAuthnPolicyArgs

Configuration for WebAuthn Policy authentication.

Outputs

All input properties are implicitly available as output properties. Additionally, the Realm resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
InternalId string
Id string
The provider-assigned unique ID for this managed resource.
InternalId string
id string
The provider-assigned unique ID for this managed resource.
internalId string
id str
The provider-assigned unique ID for this managed resource.
internal_id str

Look up an Existing Realm Resource

Get an existing Realm resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: RealmState, opts?: CustomResourceOptions): Realm
@staticmethod
def get(resource_name: str, id: str, opts: Optional[ResourceOptions] = None, access_code_lifespan: Optional[str] = None, access_code_lifespan_login: Optional[str] = None, access_code_lifespan_user_action: Optional[str] = None, access_token_lifespan: Optional[str] = None, access_token_lifespan_for_implicit_flow: Optional[str] = None, account_theme: Optional[str] = None, action_token_generated_by_admin_lifespan: Optional[str] = None, action_token_generated_by_user_lifespan: Optional[str] = None, admin_theme: Optional[str] = None, attributes: Optional[Mapping[str, Any]] = None, browser_flow: Optional[str] = None, client_authentication_flow: Optional[str] = None, default_default_client_scopes: Optional[Sequence[str]] = None, default_optional_client_scopes: Optional[Sequence[str]] = None, default_signature_algorithm: Optional[str] = None, direct_grant_flow: Optional[str] = None, display_name: Optional[str] = None, display_name_html: Optional[str] = None, docker_authentication_flow: Optional[str] = None, duplicate_emails_allowed: Optional[bool] = None, edit_username_allowed: Optional[bool] = None, email_theme: Optional[str] = None, enabled: Optional[bool] = None, internal_id: Optional[str] = None, internationalization: Optional[RealmInternationalizationArgs] = None, login_theme: Optional[str] = None, login_with_email_allowed: Optional[bool] = None, offline_session_idle_timeout: Optional[str] = None, offline_session_max_lifespan: Optional[str] = None, offline_session_max_lifespan_enabled: Optional[bool] = None, password_policy: Optional[str] = None, realm: Optional[str] = None, refresh_token_max_reuse: Optional[int] = None, registration_allowed: Optional[bool] = None, registration_email_as_username: Optional[bool] = None, registration_flow: Optional[str] = None, remember_me: Optional[bool] = None, reset_credentials_flow: Optional[str] = None, reset_password_allowed: Optional[bool] = None, revoke_refresh_token: Optional[bool] = None, security_defenses: 
Optional[RealmSecurityDefensesArgs] = None, smtp_server: Optional[RealmSmtpServerArgs] = None, ssl_required: Optional[str] = None, sso_session_idle_timeout: Optional[str] = None, sso_session_idle_timeout_remember_me: Optional[str] = None, sso_session_max_lifespan: Optional[str] = None, sso_session_max_lifespan_remember_me: Optional[str] = None, user_managed_access: Optional[bool] = None, verify_email: Optional[bool] = None, web_authn_passwordless_policy: Optional[RealmWebAuthnPasswordlessPolicyArgs] = None, web_authn_policy: Optional[RealmWebAuthnPolicyArgs] = None) -> Realm
func GetRealm(ctx *Context, name string, id IDInput, state *RealmState, opts ...ResourceOption) (*Realm, error)
public static Realm Get(string name, Input<string> id, RealmState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

AccessCodeLifespan string

The maximum amount of time a client has to finish the authorization code flow.

AccessCodeLifespanLogin string

The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.

AccessCodeLifespanUserAction string

The maximum amount of time a user has to complete login related actions, such as updating a password.

AccessTokenLifespan string

The amount of time an access token can be used before it expires.

AccessTokenLifespanForImplicitFlow string

The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.

AccountTheme string

Used for account management pages.

ActionTokenGeneratedByAdminLifespan string

The maximum time a user has to use an admin-generated permit before it expires.

ActionTokenGeneratedByUserLifespan string

The maximum time a user has to use a user-generated permit before it expires.

AdminTheme string

Used for the admin console.

Attributes Dictionary<string, object>

A map of custom attributes to add to the realm.

BrowserFlow string

The desired flow for browser authentication. Defaults to browser.

ClientAuthenticationFlow string

The desired flow for client authentication. Defaults to clients.

DefaultDefaultClientScopes List<string>
DefaultOptionalClientScopes List<string>
DefaultSignatureAlgorithm string

Default algorithm used to sign tokens for the realm.

DirectGrantFlow string

The desired flow for direct access authentication. Defaults to direct grant.

DisplayName string

The display name for the realm that is shown when logging in to the admin console.

DisplayNameHtml string

The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.

DockerAuthenticationFlow string

The desired flow for Docker authentication. Defaults to docker auth.

DuplicateEmailsAllowed bool

When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.

EditUsernameAllowed bool

When true, the username field is editable.

EmailTheme string

Used for emails that are sent by Keycloak.

Enabled bool

When false, users and clients will not be able to access this realm. Defaults to true.

InternalId string
Internationalization RealmInternationalizationArgs
LoginTheme string

Used for the login, forgot password, and registration pages.

LoginWithEmailAllowed bool

When true, users may log in with their email address.

OfflineSessionIdleTimeout string

The amount of time an offline session can be idle before it expires.

OfflineSessionMaxLifespan string

The maximum amount of time before an offline session expires regardless of activity.

OfflineSessionMaxLifespanEnabled bool

Enable offline_session_max_lifespan.

PasswordPolicy string

The password policy for users within the realm.

RealmName string

The name of the realm. This is unique across Keycloak. This will also be used as the realm’s internal ID within Keycloak.

RefreshTokenMaxReuse int

Maximum number of times a refresh token can be reused before it is revoked. If unspecified and ‘revoke_refresh_token’ is enabled, the default value is 0 and refresh tokens cannot be reused.

RegistrationAllowed bool

When true, user registration will be enabled, and a link for registration will be displayed on the login page.

RegistrationEmailAsUsername bool

When true, the user’s email will be used as their username during registration.

RegistrationFlow string

The desired flow for user registration. Defaults to registration.

RememberMe bool

When true, a “remember me” checkbox will be displayed on the login page, and the user’s session will not expire between browser restarts.

ResetCredentialsFlow string

The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.

ResetPasswordAllowed bool

When true, a “forgot password” link will be displayed on the login page.

RevokeRefreshToken bool

If enabled, a refresh token can only be used the number of times specified in ‘refresh_token_max_reuse’ before it is revoked. If unspecified, refresh tokens can be reused.

SecurityDefenses RealmSecurityDefensesArgs
SmtpServer RealmSmtpServerArgs
SslRequired string

Can be one of the following values: ‘none’, ‘external’ or ‘all’.

SsoSessionIdleTimeout string

The amount of time a session can be idle before it expires.

SsoSessionIdleTimeoutRememberMe string
SsoSessionMaxLifespan string

The maximum amount of time before a session expires regardless of activity.

SsoSessionMaxLifespanRememberMe string
UserManagedAccess bool

When true, users are allowed to manage their own resources. Defaults to false.

VerifyEmail bool

When true, users are required to verify their email address after registration and after email address changes.

WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyArgs

Configuration for WebAuthn Passwordless Policy authentication.

WebAuthnPolicy RealmWebAuthnPolicyArgs

Configuration for WebAuthn Policy authentication.

AccessCodeLifespan string

The maximum amount of time a client has to finish the authorization code flow.

AccessCodeLifespanLogin string

The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.

AccessCodeLifespanUserAction string

The maximum amount of time a user has to complete login related actions, such as updating a password.

AccessTokenLifespan string

The amount of time an access token can be used before it expires.

AccessTokenLifespanForImplicitFlow string

The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.

AccountTheme string

Used for account management pages.

ActionTokenGeneratedByAdminLifespan string

The maximum time a user has to use an admin-generated permit before it expires.

ActionTokenGeneratedByUserLifespan string

The maximum time a user has to use a user-generated permit before it expires.

AdminTheme string

Used for the admin console.

Attributes map[string]interface{}

A map of custom attributes to add to the realm.

BrowserFlow string

The desired flow for browser authentication. Defaults to browser.

ClientAuthenticationFlow string

The desired flow for client authentication. Defaults to clients.

DefaultDefaultClientScopes []string
DefaultOptionalClientScopes []string
DefaultSignatureAlgorithm string

Default algorithm used to sign tokens for the realm.

DirectGrantFlow string

The desired flow for direct access authentication. Defaults to direct grant.

DisplayName string

The display name for the realm that is shown when logging in to the admin console.

DisplayNameHtml string

The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.

DockerAuthenticationFlow string

The desired flow for Docker authentication. Defaults to docker auth.

DuplicateEmailsAllowed bool

When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.

EditUsernameAllowed bool

When true, the username field is editable.

EmailTheme string

Used for emails that are sent by Keycloak.

Enabled bool

When false, users and clients will not be able to access this realm. Defaults to true.

InternalId string
Internationalization RealmInternationalization
LoginTheme string

Used for the login, forgot password, and registration pages.

LoginWithEmailAllowed bool

When true, users may log in with their email address.

OfflineSessionIdleTimeout string

The amount of time an offline session can be idle before it expires.

OfflineSessionMaxLifespan string

The maximum amount of time before an offline session expires regardless of activity.

OfflineSessionMaxLifespanEnabled bool

Enable offline_session_max_lifespan.

PasswordPolicy string

The password policy for users within the realm.

Realm string

The name of the realm. This is unique across Keycloak. This will also be used as the realm’s internal ID within Keycloak.

RefreshTokenMaxReuse int

Maximum number of times a refresh token can be reused before it is revoked. If unspecified and ‘revoke_refresh_token’ is enabled, the default value is 0 and refresh tokens cannot be reused.

RegistrationAllowed bool

When true, user registration will be enabled, and a link for registration will be displayed on the login page.

RegistrationEmailAsUsername bool

When true, the user’s email will be used as their username during registration.

RegistrationFlow string

The desired flow for user registration. Defaults to registration.

RememberMe bool

When true, a “remember me” checkbox will be displayed on the login page, and the user’s session will not expire between browser restarts.

ResetCredentialsFlow string

The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.

ResetPasswordAllowed bool

When true, a “forgot password” link will be displayed on the login page.

RevokeRefreshToken bool

If enabled, a refresh token can only be used the number of times specified in ‘refresh_token_max_reuse’ before it is revoked. If unspecified, refresh tokens can be reused.

SecurityDefenses RealmSecurityDefenses
SmtpServer RealmSmtpServer
SslRequired string

Can be one of the following values: ‘none’, ‘external’ or ‘all’.

SsoSessionIdleTimeout string

The amount of time a session can be idle before it expires.

SsoSessionIdleTimeoutRememberMe string
SsoSessionMaxLifespan string

The maximum amount of time before a session expires regardless of activity.

SsoSessionMaxLifespanRememberMe string
UserManagedAccess bool

When true, users are allowed to manage their own resources. Defaults to false.

VerifyEmail bool

When true, users are required to verify their email address after registration and after email address changes.

WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicy

Configuration for WebAuthn Passwordless Policy authentication.

WebAuthnPolicy RealmWebAuthnPolicy

Configuration for WebAuthn Policy authentication.

accessCodeLifespan string

The maximum amount of time a client has to finish the authorization code flow.

accessCodeLifespanLogin string

The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.

accessCodeLifespanUserAction string

The maximum amount of time a user has to complete login related actions, such as updating a password.

accessTokenLifespan string

The amount of time an access token can be used before it expires.

accessTokenLifespanForImplicitFlow string

The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.

accountTheme string

Used for account management pages.

actionTokenGeneratedByAdminLifespan string

The maximum time a user has to use an admin-generated permit before it expires.

actionTokenGeneratedByUserLifespan string

The maximum time a user has to use a user-generated permit before it expires.

adminTheme string

Used for the admin console.

attributes {[key: string]: any}

A map of custom attributes to add to the realm.

browserFlow string

The desired flow for browser authentication. Defaults to browser.

clientAuthenticationFlow string

The desired flow for client authentication. Defaults to clients.

defaultDefaultClientScopes string[]
defaultOptionalClientScopes string[]
defaultSignatureAlgorithm string

Default algorithm used to sign tokens for the realm.

directGrantFlow string

The desired flow for direct access authentication. Defaults to direct grant.

displayName string

The display name for the realm that is shown when logging in to the admin console.

displayNameHtml string

The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.

dockerAuthenticationFlow string

The desired flow for Docker authentication. Defaults to docker auth.

duplicateEmailsAllowed boolean

When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.

editUsernameAllowed boolean

When true, the username field is editable.

emailTheme string

Used for emails that are sent by Keycloak.

enabled boolean

When false, users and clients will not be able to access this realm. Defaults to true.

internalId string
internationalization RealmInternationalization
loginTheme string

Used for the login, forgot password, and registration pages.

loginWithEmailAllowed boolean

When true, users may log in with their email address.

offlineSessionIdleTimeout string

The amount of time an offline session can be idle before it expires.

offlineSessionMaxLifespan string

The maximum amount of time before an offline session expires regardless of activity.

offlineSessionMaxLifespanEnabled boolean

Enable offline_session_max_lifespan.

passwordPolicy string

The password policy for users within the realm.

realm string

The name of the realm. This is unique across Keycloak. This will also be used as the realm’s internal ID within Keycloak.

refreshTokenMaxReuse number

Maximum number of times a refresh token can be reused before it is revoked. If unspecified and ‘revoke_refresh_token’ is enabled, the default value is 0 and refresh tokens cannot be reused.

registrationAllowed boolean

When true, user registration will be enabled, and a link for registration will be displayed on the login page.

registrationEmailAsUsername boolean

When true, the user’s email will be used as their username during registration.

registrationFlow string

The desired flow for user registration. Defaults to registration.

rememberMe boolean

When true, a “remember me” checkbox will be displayed on the login page, and the user’s session will not expire between browser restarts.

resetCredentialsFlow string

The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.

resetPasswordAllowed boolean

When true, a “forgot password” link will be displayed on the login page.

revokeRefreshToken boolean

If enabled, a refresh token can only be used the number of times specified in ‘refresh_token_max_reuse’ before it is revoked. If unspecified, refresh tokens can be reused.

securityDefenses RealmSecurityDefenses
smtpServer RealmSmtpServer
sslRequired string

Can be one of the following values: ‘none’, ‘external’ or ‘all’.

ssoSessionIdleTimeout string

The amount of time a session can be idle before it expires.

ssoSessionIdleTimeoutRememberMe string
ssoSessionMaxLifespan string

The maximum amount of time before a session expires regardless of activity.

ssoSessionMaxLifespanRememberMe string
userManagedAccess boolean

When true, users are allowed to manage their own resources. Defaults to false.

verifyEmail boolean

When true, users are required to verify their email address after registration and after email address changes.

webAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicy

Configuration for WebAuthn Passwordless Policy authentication.

webAuthnPolicy RealmWebAuthnPolicy

Configuration for WebAuthn Policy authentication.

access_code_lifespan str

The maximum amount of time a client has to finish the authorization code flow.

access_code_lifespan_login str

The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.

access_code_lifespan_user_action str

The maximum amount of time a user has to complete login related actions, such as updating a password.

access_token_lifespan str

The amount of time an access token can be used before it expires.

access_token_lifespan_for_implicit_flow str

The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.

account_theme str

Used for account management pages.

action_token_generated_by_admin_lifespan str

The maximum time a user has to use an admin-generated permit before it expires.

action_token_generated_by_user_lifespan str

The maximum time a user has to use a user-generated permit before it expires.

admin_theme str

Used for the admin console.

attributes Mapping[str, Any]

A map of custom attributes to add to the realm.

browser_flow str

The desired flow for browser authentication. Defaults to browser.

client_authentication_flow str

The desired flow for client authentication. Defaults to clients.

default_default_client_scopes Sequence[str]
default_optional_client_scopes Sequence[str]
default_signature_algorithm str

Default algorithm used to sign tokens for the realm.

direct_grant_flow str

The desired flow for direct access authentication. Defaults to direct grant.

display_name str

The display name for the realm that is shown when logging in to the admin console.

display_name_html str

The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.

docker_authentication_flow str

The desired flow for Docker authentication. Defaults to docker auth.

duplicate_emails_allowed bool

When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.

edit_username_allowed bool

When true, the username field is editable.

email_theme str

Used for emails that are sent by Keycloak.

enabled bool

When false, users and clients will not be able to access this realm. Defaults to true.

internal_id str
internationalization RealmInternationalizationArgs
login_theme str

Used for the login, forgot password, and registration pages.

login_with_email_allowed bool

When true, users may log in with their email address.

offline_session_idle_timeout str

The amount of time an offline session can be idle before it expires.

offline_session_max_lifespan str

The maximum amount of time before an offline session expires regardless of activity.

offline_session_max_lifespan_enabled bool

Enable offline_session_max_lifespan.

password_policy str

The password policy for users within the realm.

realm str

The name of the realm. This is unique across Keycloak. This will also be used as the realm’s internal ID within Keycloak.

refresh_token_max_reuse int

Maximum number of times a refresh token can be reused before it is revoked. If unspecified and ‘revoke_refresh_token’ is enabled, the default value is 0 and refresh tokens cannot be reused.

registration_allowed bool

When true, user registration will be enabled, and a link for registration will be displayed on the login page.

registration_email_as_username bool

When true, the user’s email will be used as their username during registration.

registration_flow str

The desired flow for user registration. Defaults to registration.

remember_me bool

When true, a “remember me” checkbox will be displayed on the login page, and the user’s session will not expire between browser restarts.

reset_credentials_flow str

The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.

reset_password_allowed bool

When true, a “forgot password” link will be displayed on the login page.

revoke_refresh_token bool

If enabled, a refresh token can only be used the number of times specified in ‘refresh_token_max_reuse’ before it is revoked. If unspecified, refresh tokens can be reused.

security_defenses RealmSecurityDefensesArgs
smtp_server RealmSmtpServerArgs
ssl_required str

Can be one of the following values: ‘none’, ‘external’ or ‘all’.

sso_session_idle_timeout str

The amount of time a session can be idle before it expires.

sso_session_idle_timeout_remember_me str
sso_session_max_lifespan str

The maximum amount of time before a session expires regardless of activity.

sso_session_max_lifespan_remember_me str
user_managed_access bool

When true, users are allowed to manage their own resources. Defaults to false.

verify_email bool

When true, users are required to verify their email address after registration and after email address changes.

web_authn_passwordless_policy RealmWebAuthnPasswordlessPolicyArgs

Configuration for WebAuthn Passwordless Policy authentication.

web_authn_policy RealmWebAuthnPolicyArgs

Configuration for WebAuthn Policy authentication.

Supporting Types

RealmInternationalization

DefaultLocale string

The locale to use by default. This locale code must be present within the supported_locales list.

SupportedLocales List<string>

A list of ISO 639-1 locale codes that the realm should support.

DefaultLocale string

The locale to use by default. This locale code must be present within the supported_locales list.

SupportedLocales []string

A list of ISO 639-1 locale codes that the realm should support.

defaultLocale string

The locale to use by default. This locale code must be present within the supported_locales list.

supportedLocales string[]

A list of ISO 639-1 locale codes that the realm should support.

default_locale str

The locale to use by default. This locale code must be present within the supported_locales list.

supported_locales Sequence[str]

A list of ISO 639-1 locale codes that the realm should support.

RealmSecurityDefenses

RealmSecurityDefensesBruteForceDetection

FailureResetTimeSeconds int

When the failure count will be reset.

MaxFailureWaitSeconds int
MaxLoginFailures int

How many failures before wait is triggered.

MinimumQuickLoginWaitSeconds int

How long to wait after a quick login failure. (The max_failure_wait_seconds argument, listed above, is optional and sets the maximum time a user will be locked out.)

PermanentLockout bool

When true, this will lock the user permanently when the user exceeds the maximum login failures.

QuickLoginCheckMilliSeconds int

Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.

WaitIncrementSeconds int

This represents the amount of time a user should be locked out when the login failure threshold has been met.

FailureResetTimeSeconds int

When the failure count will be reset.

MaxFailureWaitSeconds int
MaxLoginFailures int

How many failures before wait is triggered.

MinimumQuickLoginWaitSeconds int

How long to wait after a quick login failure. (The max_failure_wait_seconds argument, listed above, is optional and sets the maximum time a user will be locked out.)

PermanentLockout bool

When true, this will lock the user permanently when the user exceeds the maximum login failures.

QuickLoginCheckMilliSeconds int

Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.

WaitIncrementSeconds int

This represents the amount of time a user should be locked out when the login failure threshold has been met.

failureResetTimeSeconds number

When the failure count will be reset.

maxFailureWaitSeconds number
maxLoginFailures number

How many failures before wait is triggered.

minimumQuickLoginWaitSeconds number

How long to wait after a quick login failure. (The max_failure_wait_seconds argument, listed above, is optional and sets the maximum time a user will be locked out.)

permanentLockout boolean

When true, this will lock the user permanently when the user exceeds the maximum login failures.

quickLoginCheckMilliSeconds number

Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.

waitIncrementSeconds number

This represents the amount of time a user should be locked out when the login failure threshold has been met.

failure_reset_time_seconds int

When the failure count will be reset.

max_failure_wait_seconds int
max_login_failures int

How many failures before wait is triggered.

minimum_quick_login_wait_seconds int

How long to wait after a quick login failure. (The max_failure_wait_seconds argument, listed above, is optional and sets the maximum time a user will be locked out.)

permanent_lockout bool

When true, this will lock the user permanently when the user exceeds the maximum login failures.

quick_login_check_milli_seconds int

Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.

wait_increment_seconds int

This represents the amount of time a user should be locked out when the login failure threshold has been met.

RealmSecurityDefensesHeaders

ContentSecurityPolicy string

Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.

ContentSecurityPolicyReportOnly string

Used for testing Content Security Policies.

StrictTransportSecurity string

The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.

XContentTypeOptions string

Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content type.

XFrameOptions string

Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC 7034.

XRobotsTag string

Prevent pages from appearing in search engines.

XXssProtection string

This header configures the Cross-site scripting (XSS) filter in your browser.

ContentSecurityPolicy string

Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.

ContentSecurityPolicyReportOnly string

Used for testing Content Security Policies.

StrictTransportSecurity string

The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.

XContentTypeOptions string

Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content type.

XFrameOptions string

Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC 7034.

XRobotsTag string

Prevent pages from appearing in search engines.

XXssProtection string

This header configures the Cross-site scripting (XSS) filter in your browser.

contentSecurityPolicy string

Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.

contentSecurityPolicyReportOnly string

Used for testing Content Security Policies.

strictTransportSecurity string

The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.

xContentTypeOptions string

Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content type.

xFrameOptions string

Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC 7034.

xRobotsTag string

Prevent pages from appearing in search engines.

xXssProtection string

This header configures the Cross-site scripting (XSS) filter in your browser.

content_security_policy str

Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.

content_security_policy_report_only str

Used for testing Content Security Policies.

strict_transport_security str

The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.

x_content_type_options str

Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content type.

x_frame_options str

Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC 7034.

x_robots_tag str

Prevent pages from appearing in search engines.

x_xss_protection str

This header configures the Cross-site scripting (XSS) filter in your browser.

RealmSmtpServer

From string

The email address for the sender.

Host string

The host of the SMTP server.

Auth RealmSmtpServerAuthArgs

Enables authentication to the SMTP server. This block supports the following arguments:

EnvelopeFrom string

The email address used for bounces.

FromDisplayName string

The display name of the sender email address.

Port string

The port of the SMTP server (defaults to 25).

ReplyTo string

The “reply to” email address.

ReplyToDisplayName string

The display name of the “reply to” email address.

Ssl bool

When true, enables SSL. Defaults to false.

Starttls bool

When true, enables StartTLS. Defaults to false.

From string

The email address for the sender.

Host string

The host of the SMTP server.

Auth RealmSmtpServerAuth

Enables authentication to the SMTP server. This block supports the following arguments:

EnvelopeFrom string

The email address used for bounces.

FromDisplayName string

The display name of the sender email address.

Port string

The port of the SMTP server (defaults to 25).

ReplyTo string

The “reply to” email address.

ReplyToDisplayName string

The display name of the “reply to” email address.

Ssl bool

When true, enables SSL. Defaults to false.

Starttls bool

When true, enables StartTLS. Defaults to false.

from string

The email address for the sender.

host string

The host of the SMTP server.

auth RealmSmtpServerAuth

Enables authentication to the SMTP server. This block supports the following arguments:

envelopeFrom string

The email address used for bounces.

fromDisplayName string

The display name of the sender email address.

port string

The port of the SMTP server (defaults to 25).

replyTo string

The “reply to” email address.

replyToDisplayName string

The display name of the “reply to” email address.

ssl boolean

When true, enables SSL. Defaults to false.

starttls boolean

When true, enables StartTLS. Defaults to false.

from_ str

The email address for the sender.

host str

The host of the SMTP server.

auth RealmSmtpServerAuthArgs

Enables authentication to the SMTP server. This block supports the following arguments:

envelope_from str

The email address used for bounces.

from_display_name str

The display name of the sender email address.

port str

The port of the SMTP server (defaults to 25).

reply_to str

The “reply to” email address.

reply_to_display_name str

The display name of the “reply to” email address.

ssl bool

When true, enables SSL. Defaults to false.

starttls bool

When true, enables StartTLS. Defaults to false.

RealmSmtpServerAuth

Password string

The SMTP server password.

Username string

The SMTP server username.

Password string

The SMTP server password.

Username string

The SMTP server username.

password string

The SMTP server password.

username string

The SMTP server username.

password str

The SMTP server password.

username str

The SMTP server username.

RealmWebAuthnPasswordlessPolicy

AcceptableAaguids List<string>

A set of AAGUIDs for which an authenticator can be registered.

AttestationConveyancePreference string

The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.

AuthenticatorAttachment string

The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.

AvoidSameAuthenticatorRegister bool

When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.

CreateTimeout int

The timeout value, in seconds, for creating a user’s public key credential. When set to 0, no timeout is applied. Defaults to 0.

RelyingPartyEntityName string

A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.

RelyingPartyId string

The WebAuthn relying party ID.

RequireResidentKey string

Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.

SignatureAlgorithms List<string>

A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1.

UserVerificationRequirement string

Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

AcceptableAaguids []string

A set of AAGUIDs for which an authenticator can be registered.

AttestationConveyancePreference string

The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.

AuthenticatorAttachment string

The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.

AvoidSameAuthenticatorRegister bool

When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.

CreateTimeout int

The timeout value, in seconds, for creating a user’s public key credential. When set to 0, no timeout is applied. Defaults to 0.

RelyingPartyEntityName string

A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.

RelyingPartyId string

The WebAuthn relying party ID.

RequireResidentKey string

Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.

SignatureAlgorithms []string

A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1.

UserVerificationRequirement string

Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

acceptableAaguids string[]

A set of AAGUIDs for which an authenticator can be registered.

attestationConveyancePreference string

The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.

authenticatorAttachment string

The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.

avoidSameAuthenticatorRegister boolean

When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.

createTimeout number

The timeout value, in seconds, for creating a user’s public key credential. When set to 0, no timeout is applied. Defaults to 0.

relyingPartyEntityName string

A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.

relyingPartyId string

The WebAuthn relying party ID.

requireResidentKey string

Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.

signatureAlgorithms string[]

A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1.

userVerificationRequirement string

Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

acceptable_aaguids Sequence[str]

A set of AAGUIDs for which an authenticator can be registered.

attestation_conveyance_preference str

The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.

authenticator_attachment str

The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.

avoid_same_authenticator_register bool

When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.

create_timeout int

The timeout value, in seconds, for creating a user’s public key credential. When set to 0, no timeout is applied. Defaults to 0.

relying_party_entity_name str

A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.

relying_party_id str

The WebAuthn relying party ID.

require_resident_key str

Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.

signature_algorithms Sequence[str]

A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1.

user_verification_requirement str

Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

RealmWebAuthnPolicy

AcceptableAaguids List<string>

A set of AAGUIDs for which an authenticator can be registered.

AttestationConveyancePreference string

The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.

AuthenticatorAttachment string

The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.

AvoidSameAuthenticatorRegister bool

When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.

CreateTimeout int

The timeout value, in seconds, for creating a user’s public key credential. When set to 0, no timeout is applied. Defaults to 0.

RelyingPartyEntityName string

A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.

RelyingPartyId string

The WebAuthn relying party ID.

RequireResidentKey string

Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.

SignatureAlgorithms List<string>

A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1.

UserVerificationRequirement string

Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

AcceptableAaguids []string

A set of AAGUIDs for which an authenticator can be registered.

AttestationConveyancePreference string

The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.

AuthenticatorAttachment string

The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.

AvoidSameAuthenticatorRegister bool

When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.

CreateTimeout int

The timeout value, in seconds, for creating a user’s public key credential. When set to 0, no timeout is applied. Defaults to 0.

RelyingPartyEntityName string

A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.

RelyingPartyId string

The WebAuthn relying party ID.

RequireResidentKey string

Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.

SignatureAlgorithms []string

A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1.

UserVerificationRequirement string

Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

acceptableAaguids string[]

A set of AAGUIDs for which an authenticator can be registered.

attestationConveyancePreference string

The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.

authenticatorAttachment string

The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.

avoidSameAuthenticatorRegister boolean

When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.

createTimeout number

The timeout value, in seconds, for creating a user’s public key credential. When set to 0, no timeout is applied. Defaults to 0.

relyingPartyEntityName string

A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.

relyingPartyId string

The WebAuthn relying party ID.

requireResidentKey string

Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.

signatureAlgorithms string[]

A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1.

userVerificationRequirement string

Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

acceptable_aaguids Sequence[str]

A set of AAGUIDs for which an authenticator can be registered.

attestation_conveyance_preference str

The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.

authenticator_attachment str

The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.

avoid_same_authenticator_register bool

When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.

create_timeout int

The timeout value, in seconds, for creating a user’s public key credential. When set to 0, no timeout is applied. Defaults to 0.

relying_party_entity_name str

A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.

relying_party_id str

The WebAuthn relying party ID.

require_resident_key str

Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.

signature_algorithms Sequence[str]

A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1.

user_verification_requirement str

Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

Import

Realms can be imported using their name. Example:

 $ pulumi import keycloak:index/realm:Realm realm my-realm

Package Details

Repository
https://github.com/pulumi/pulumi-keycloak
License
Apache-2.0
Notes
This Pulumi package is based on the keycloak Terraform Provider.