Allows you to manage Identity Provider “Token exchange” Scope Based Permissions.
This is part of a preview keycloak feature. You need to enable this feature to be able to use this resource. More information about enabling the preview feature can be found here: https://www.keycloak.org/securing-apps/token-exchange
When enabling Identity Provider Permissions, Keycloak does several things automatically:
- Enable Authorization on build-in realm-management client
- Create a “token-exchange” scope
- Create a resource representing the identity provider
- Create a scope based permission for the “token-exchange” scope and identity provider resource
The only thing that is missing is a policy set on the permission.
As the policy lives within the context of the realm-management client, you cannot create a policy resource and link to from with your .tf file. This would also cause an implicit cycle dependency.
Thus, the only way to manage this in terraform is to create and manage the policy internally from within this terraform resource itself.
At the moment only a client policy type is supported. The client policy will automatically be created for the clients parameter.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const tokenExchangeRealm = new keycloak.Realm("token_exchange_realm", {
realm: "token-exchange_destination_realm",
enabled: true,
});
const tokenExchangeMyOidcIdp = new keycloak.oidc.IdentityProvider("token_exchange_my_oidc_idp", {
realm: tokenExchangeRealm.id,
alias: "myIdp",
authorizationUrl: "http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth",
tokenUrl: "http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token",
clientId: "clientId",
clientSecret: "secret",
defaultScopes: "openid",
});
const token_exchangeWebappClient = new keycloak.openid.Client("token-exchange_webapp_client", {
realmId: tokenExchangeRealm.id,
name: "webapp_client",
clientId: "webapp_client",
clientSecret: "secret",
description: "a webapp client on the destination realm",
accessType: "CONFIDENTIAL",
standardFlowEnabled: true,
validRedirectUris: ["http://localhost:8080/*"],
});
//relevant part
const oidcIdpPermission = new keycloak.IdentityProviderTokenExchangeScopePermission("oidc_idp_permission", {
realmId: tokenExchangeRealm.id,
providerAlias: tokenExchangeMyOidcIdp.alias,
policyType: "client",
clients: [token_exchangeWebappClient.id],
});
import pulumi
import pulumi_keycloak as keycloak
token_exchange_realm = keycloak.Realm("token_exchange_realm",
realm="token-exchange_destination_realm",
enabled=True)
token_exchange_my_oidc_idp = keycloak.oidc.IdentityProvider("token_exchange_my_oidc_idp",
realm=token_exchange_realm.id,
alias="myIdp",
authorization_url="http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth",
token_url="http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token",
client_id="clientId",
client_secret="secret",
default_scopes="openid")
token_exchange_webapp_client = keycloak.openid.Client("token-exchange_webapp_client",
realm_id=token_exchange_realm.id,
name="webapp_client",
client_id="webapp_client",
client_secret="secret",
description="a webapp client on the destination realm",
access_type="CONFIDENTIAL",
standard_flow_enabled=True,
valid_redirect_uris=["http://localhost:8080/*"])
#relevant part
oidc_idp_permission = keycloak.IdentityProviderTokenExchangeScopePermission("oidc_idp_permission",
realm_id=token_exchange_realm.id,
provider_alias=token_exchange_my_oidc_idp.alias,
policy_type="client",
clients=[token_exchange_webapp_client.id])
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/oidc"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
tokenExchangeRealm, err := keycloak.NewRealm(ctx, "token_exchange_realm", &keycloak.RealmArgs{
Realm: pulumi.String("token-exchange_destination_realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
tokenExchangeMyOidcIdp, err := oidc.NewIdentityProvider(ctx, "token_exchange_my_oidc_idp", &oidc.IdentityProviderArgs{
Realm: tokenExchangeRealm.ID(),
Alias: pulumi.String("myIdp"),
AuthorizationUrl: pulumi.String("http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth"),
TokenUrl: pulumi.String("http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token"),
ClientId: pulumi.String("clientId"),
ClientSecret: pulumi.String("secret"),
DefaultScopes: pulumi.String("openid"),
})
if err != nil {
return err
}
token_exchangeWebappClient, err := openid.NewClient(ctx, "token-exchange_webapp_client", &openid.ClientArgs{
RealmId: tokenExchangeRealm.ID(),
Name: pulumi.String("webapp_client"),
ClientId: pulumi.String("webapp_client"),
ClientSecret: pulumi.String("secret"),
Description: pulumi.String("a webapp client on the destination realm"),
AccessType: pulumi.String("CONFIDENTIAL"),
StandardFlowEnabled: pulumi.Bool(true),
ValidRedirectUris: pulumi.StringArray{
pulumi.String("http://localhost:8080/*"),
},
})
if err != nil {
return err
}
// relevant part
_, err = keycloak.NewIdentityProviderTokenExchangeScopePermission(ctx, "oidc_idp_permission", &keycloak.IdentityProviderTokenExchangeScopePermissionArgs{
RealmId: tokenExchangeRealm.ID(),
ProviderAlias: tokenExchangeMyOidcIdp.Alias,
PolicyType: pulumi.String("client"),
Clients: pulumi.StringArray{
token_exchangeWebappClient.ID(),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var tokenExchangeRealm = new Keycloak.Realm("token_exchange_realm", new()
{
RealmName = "token-exchange_destination_realm",
Enabled = true,
});
var tokenExchangeMyOidcIdp = new Keycloak.Oidc.IdentityProvider("token_exchange_my_oidc_idp", new()
{
Realm = tokenExchangeRealm.Id,
Alias = "myIdp",
AuthorizationUrl = "http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth",
TokenUrl = "http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token",
ClientId = "clientId",
ClientSecret = "secret",
DefaultScopes = "openid",
});
var token_exchangeWebappClient = new Keycloak.OpenId.Client("token-exchange_webapp_client", new()
{
RealmId = tokenExchangeRealm.Id,
Name = "webapp_client",
ClientId = "webapp_client",
ClientSecret = "secret",
Description = "a webapp client on the destination realm",
AccessType = "CONFIDENTIAL",
StandardFlowEnabled = true,
ValidRedirectUris = new[]
{
"http://localhost:8080/*",
},
});
//relevant part
var oidcIdpPermission = new Keycloak.IdentityProviderTokenExchangeScopePermission("oidc_idp_permission", new()
{
RealmId = tokenExchangeRealm.Id,
ProviderAlias = tokenExchangeMyOidcIdp.Alias,
PolicyType = "client",
Clients = new[]
{
token_exchangeWebappClient.Id,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.oidc.IdentityProvider;
import com.pulumi.keycloak.oidc.IdentityProviderArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.IdentityProviderTokenExchangeScopePermission;
import com.pulumi.keycloak.IdentityProviderTokenExchangeScopePermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var tokenExchangeRealm = new Realm("tokenExchangeRealm", RealmArgs.builder()
.realm("token-exchange_destination_realm")
.enabled(true)
.build());
var tokenExchangeMyOidcIdp = new IdentityProvider("tokenExchangeMyOidcIdp", IdentityProviderArgs.builder()
.realm(tokenExchangeRealm.id())
.alias("myIdp")
.authorizationUrl("http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth")
.tokenUrl("http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token")
.clientId("clientId")
.clientSecret("secret")
.defaultScopes("openid")
.build());
var token_exchangeWebappClient = new Client("token-exchangeWebappClient", ClientArgs.builder()
.realmId(tokenExchangeRealm.id())
.name("webapp_client")
.clientId("webapp_client")
.clientSecret("secret")
.description("a webapp client on the destination realm")
.accessType("CONFIDENTIAL")
.standardFlowEnabled(true)
.validRedirectUris("http://localhost:8080/*")
.build());
//relevant part
var oidcIdpPermission = new IdentityProviderTokenExchangeScopePermission("oidcIdpPermission", IdentityProviderTokenExchangeScopePermissionArgs.builder()
.realmId(tokenExchangeRealm.id())
.providerAlias(tokenExchangeMyOidcIdp.alias())
.policyType("client")
.clients(token_exchangeWebappClient.id())
.build());
}
}
resources:
tokenExchangeRealm:
type: keycloak:Realm
name: token_exchange_realm
properties:
realm: token-exchange_destination_realm
enabled: true
tokenExchangeMyOidcIdp:
type: keycloak:oidc:IdentityProvider
name: token_exchange_my_oidc_idp
properties:
realm: ${tokenExchangeRealm.id}
alias: myIdp
authorizationUrl: http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth
tokenUrl: http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token
clientId: clientId
clientSecret: secret
defaultScopes: openid
token-exchangeWebappClient:
type: keycloak:openid:Client
name: token-exchange_webapp_client
properties:
realmId: ${tokenExchangeRealm.id}
name: webapp_client
clientId: webapp_client
clientSecret: secret
description: a webapp client on the destination realm
accessType: CONFIDENTIAL
standardFlowEnabled: true
validRedirectUris:
- http://localhost:8080/*
# relevant part
oidcIdpPermission:
type: keycloak:IdentityProviderTokenExchangeScopePermission
name: oidc_idp_permission
properties:
realmId: ${tokenExchangeRealm.id}
providerAlias: ${tokenExchangeMyOidcIdp.alias}
policyType: client
clients:
- ${["token-exchangeWebappClient"].id}
Create IdentityProviderTokenExchangeScopePermission Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new IdentityProviderTokenExchangeScopePermission(name: string, args: IdentityProviderTokenExchangeScopePermissionArgs, opts?: CustomResourceOptions);@overload
def IdentityProviderTokenExchangeScopePermission(resource_name: str,
args: IdentityProviderTokenExchangeScopePermissionArgs,
opts: Optional[ResourceOptions] = None)
@overload
def IdentityProviderTokenExchangeScopePermission(resource_name: str,
opts: Optional[ResourceOptions] = None,
clients: Optional[Sequence[str]] = None,
provider_alias: Optional[str] = None,
realm_id: Optional[str] = None,
policy_type: Optional[str] = None)func NewIdentityProviderTokenExchangeScopePermission(ctx *Context, name string, args IdentityProviderTokenExchangeScopePermissionArgs, opts ...ResourceOption) (*IdentityProviderTokenExchangeScopePermission, error)public IdentityProviderTokenExchangeScopePermission(string name, IdentityProviderTokenExchangeScopePermissionArgs args, CustomResourceOptions? opts = null)
public IdentityProviderTokenExchangeScopePermission(String name, IdentityProviderTokenExchangeScopePermissionArgs args)
public IdentityProviderTokenExchangeScopePermission(String name, IdentityProviderTokenExchangeScopePermissionArgs args, CustomResourceOptions options)
type: keycloak:IdentityProviderTokenExchangeScopePermission
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args IdentityProviderTokenExchangeScopePermissionArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args IdentityProviderTokenExchangeScopePermissionArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args IdentityProviderTokenExchangeScopePermissionArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args IdentityProviderTokenExchangeScopePermissionArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args IdentityProviderTokenExchangeScopePermissionArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var identityProviderTokenExchangeScopePermissionResource = new Keycloak.IdentityProviderTokenExchangeScopePermission("identityProviderTokenExchangeScopePermissionResource", new()
{
Clients = new[]
{
"string",
},
ProviderAlias = "string",
RealmId = "string",
PolicyType = "string",
});
example, err := keycloak.NewIdentityProviderTokenExchangeScopePermission(ctx, "identityProviderTokenExchangeScopePermissionResource", &keycloak.IdentityProviderTokenExchangeScopePermissionArgs{
Clients: pulumi.StringArray{
pulumi.String("string"),
},
ProviderAlias: pulumi.String("string"),
RealmId: pulumi.String("string"),
PolicyType: pulumi.String("string"),
})
var identityProviderTokenExchangeScopePermissionResource = new IdentityProviderTokenExchangeScopePermission("identityProviderTokenExchangeScopePermissionResource", IdentityProviderTokenExchangeScopePermissionArgs.builder()
.clients("string")
.providerAlias("string")
.realmId("string")
.policyType("string")
.build());
identity_provider_token_exchange_scope_permission_resource = keycloak.IdentityProviderTokenExchangeScopePermission("identityProviderTokenExchangeScopePermissionResource",
clients=["string"],
provider_alias="string",
realm_id="string",
policy_type="string")
const identityProviderTokenExchangeScopePermissionResource = new keycloak.IdentityProviderTokenExchangeScopePermission("identityProviderTokenExchangeScopePermissionResource", {
clients: ["string"],
providerAlias: "string",
realmId: "string",
policyType: "string",
});
type: keycloak:IdentityProviderTokenExchangeScopePermission
properties:
clients:
- string
policyType: string
providerAlias: string
realmId: string
IdentityProviderTokenExchangeScopePermission Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The IdentityProviderTokenExchangeScopePermission resource accepts the following input properties:
- Clients List<string>
- A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission.
- Provider
Alias string - Alias of the identity provider.
- Realm
Id string - The realm that the identity provider exists in.
- Policy
Type string - Defaults to "client" This is also the only value policy type supported by this provider.
- Clients []string
- A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission.
- Provider
Alias string - Alias of the identity provider.
- Realm
Id string - The realm that the identity provider exists in.
- Policy
Type string - Defaults to "client" This is also the only value policy type supported by this provider.
- clients List<String>
- A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission.
- provider
Alias String - Alias of the identity provider.
- realm
Id String - The realm that the identity provider exists in.
- policy
Type String - Defaults to "client" This is also the only value policy type supported by this provider.
- clients string[]
- A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission.
- provider
Alias string - Alias of the identity provider.
- realm
Id string - The realm that the identity provider exists in.
- policy
Type string - Defaults to "client" This is also the only value policy type supported by this provider.
- clients Sequence[str]
- A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission.
- provider_
alias str - Alias of the identity provider.
- realm_
id str - The realm that the identity provider exists in.
- policy_
type str - Defaults to "client" This is also the only value policy type supported by this provider.
- clients List<String>
- A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission.
- provider
Alias String - Alias of the identity provider.
- realm
Id String - The realm that the identity provider exists in.
- policy
Type String - Defaults to "client" This is also the only value policy type supported by this provider.
Outputs
All input properties are implicitly available as output properties. Additionally, the IdentityProviderTokenExchangeScopePermission resource produces the following output properties:
- string
- (Computed) Resource ID representing the identity provider, this automatically created by keycloak.
- string
- (Computed) Resource server ID representing the realm management client on which this permission is managed.
- string
- (Computed) Permission ID representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy ID will be set on this permission.
- Id string
- The provider-assigned unique ID for this managed resource.
- Policy
Id string - (Computed) Policy ID that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider.
- string
- (Computed) Resource ID representing the identity provider, this automatically created by keycloak.
- string
- (Computed) Resource server ID representing the realm management client on which this permission is managed.
- string
- (Computed) Permission ID representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy ID will be set on this permission.
- Id string
- The provider-assigned unique ID for this managed resource.
- Policy
Id string - (Computed) Policy ID that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider.
- String
- (Computed) Resource ID representing the identity provider, this automatically created by keycloak.
- String
- (Computed) Resource server ID representing the realm management client on which this permission is managed.
- String
- (Computed) Permission ID representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy ID will be set on this permission.
- id String
- The provider-assigned unique ID for this managed resource.
- policy
Id String - (Computed) Policy ID that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider.
- string
- (Computed) Resource ID representing the identity provider, this automatically created by keycloak.
- string
- (Computed) Resource server ID representing the realm management client on which this permission is managed.
- string
- (Computed) Permission ID representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy ID will be set on this permission.
- id string
- The provider-assigned unique ID for this managed resource.
- policy
Id string - (Computed) Policy ID that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider.
- str
- (Computed) Resource ID representing the identity provider, this automatically created by keycloak.
- str
- (Computed) Resource server ID representing the realm management client on which this permission is managed.
- str
- (Computed) Permission ID representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy ID will be set on this permission.
- id str
- The provider-assigned unique ID for this managed resource.
- policy_
id str - (Computed) Policy ID that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider.
- String
- (Computed) Resource ID representing the identity provider, this automatically created by keycloak.
- String
- (Computed) Resource server ID representing the realm management client on which this permission is managed.
- String
- (Computed) Permission ID representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy ID will be set on this permission.
- id String
- The provider-assigned unique ID for this managed resource.
- policy
Id String - (Computed) Policy ID that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider.
Look up Existing IdentityProviderTokenExchangeScopePermission Resource
Get an existing IdentityProviderTokenExchangeScopePermission resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: IdentityProviderTokenExchangeScopePermissionState, opts?: CustomResourceOptions): IdentityProviderTokenExchangeScopePermission@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
authorization_idp_resource_id: Optional[str] = None,
authorization_resource_server_id: Optional[str] = None,
authorization_token_exchange_scope_permission_id: Optional[str] = None,
clients: Optional[Sequence[str]] = None,
policy_id: Optional[str] = None,
policy_type: Optional[str] = None,
provider_alias: Optional[str] = None,
realm_id: Optional[str] = None) -> IdentityProviderTokenExchangeScopePermissionfunc GetIdentityProviderTokenExchangeScopePermission(ctx *Context, name string, id IDInput, state *IdentityProviderTokenExchangeScopePermissionState, opts ...ResourceOption) (*IdentityProviderTokenExchangeScopePermission, error)public static IdentityProviderTokenExchangeScopePermission Get(string name, Input<string> id, IdentityProviderTokenExchangeScopePermissionState? state, CustomResourceOptions? opts = null)public static IdentityProviderTokenExchangeScopePermission get(String name, Output<String> id, IdentityProviderTokenExchangeScopePermissionState state, CustomResourceOptions options)resources: _: type: keycloak:IdentityProviderTokenExchangeScopePermission get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- string
- (Computed) Resource ID representing the identity provider, this automatically created by keycloak.
- string
- (Computed) Resource server ID representing the realm management client on which this permission is managed.
- string
- (Computed) Permission ID representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy ID will be set on this permission.
- Clients List<string>
- A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission.
- Policy
Id string - (Computed) Policy ID that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider.
- Policy
Type string - Defaults to "client" This is also the only value policy type supported by this provider.
- Provider
Alias string - Alias of the identity provider.
- Realm
Id string - The realm that the identity provider exists in.
- string
- (Computed) Resource ID representing the identity provider, this automatically created by keycloak.
- string
- (Computed) Resource server ID representing the realm management client on which this permission is managed.
- string
- (Computed) Permission ID representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy ID will be set on this permission.
- Clients []string
- A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission.
- Policy
Id string - (Computed) Policy ID that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider.
- Policy
Type string - Defaults to "client" This is also the only value policy type supported by this provider.
- Provider
Alias string - Alias of the identity provider.
- Realm
Id string - The realm that the identity provider exists in.
- String
- (Computed) Resource ID representing the identity provider, this automatically created by keycloak.
- String
- (Computed) Resource server ID representing the realm management client on which this permission is managed.
- String
- (Computed) Permission ID representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy ID will be set on this permission.
- clients List<String>
- A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission.
- policy
Id String - (Computed) Policy ID that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider.
- policy
Type String - Defaults to "client" This is also the only value policy type supported by this provider.
- provider
Alias String - Alias of the identity provider.
- realm
Id String - The realm that the identity provider exists in.
- string
- (Computed) Resource ID representing the identity provider, this automatically created by keycloak.
- string
- (Computed) Resource server ID representing the realm management client on which this permission is managed.
- string
- (Computed) Permission ID representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy ID will be set on this permission.
- clients string[]
- A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission.
- policy
Id string - (Computed) Policy ID that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider.
- policy
Type string - Defaults to "client" This is also the only value policy type supported by this provider.
- provider
Alias string - Alias of the identity provider.
- realm
Id string - The realm that the identity provider exists in.
- str
- (Computed) Resource ID representing the identity provider, this automatically created by keycloak.
- str
- (Computed) Resource server ID representing the realm management client on which this permission is managed.
- str
- (Computed) Permission ID representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy ID will be set on this permission.
- clients Sequence[str]
- A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission.
- policy_
id str - (Computed) Policy ID that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider.
- policy_
type str - Defaults to "client" This is also the only value policy type supported by this provider.
- provider_
alias str - Alias of the identity provider.
- realm_
id str - The realm that the identity provider exists in.
- String
- (Computed) Resource ID representing the identity provider, this automatically created by keycloak.
- String
- (Computed) Resource server ID representing the realm management client on which this permission is managed.
- String
- (Computed) Permission ID representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy ID will be set on this permission.
- clients List<String>
- A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission.
- policy
Id String - (Computed) Policy ID that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider.
- policy
Type String - Defaults to "client" This is also the only value policy type supported by this provider.
- provider
Alias String - Alias of the identity provider.
- realm
Id String - The realm that the identity provider exists in.
Import
This resource can be imported using the format {{realm_id}}/{{provider_alias}}, where provider_alias is the alias that
you assign to the identity provider upon creation.
Example:
$ terraform import keycloak_identity_provider_token_exchange_scope_permission.oidc_idp_permission my-realm/myIdp
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
keycloakTerraform Provider.
