keycloak logo
Keycloak v5.1.0, Mar 14 23

keycloak.openid.Client

Explore with Pulumi AI

Allows for creating and managing Keycloak clients that use the OpenID Connect protocol.

Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users to Keycloak for authentication in order to take advantage of Keycloak’s user sessions for SSO.

Example Usage

using System.Collections.Generic;
using Pulumi;
using Keycloak = Pulumi.Keycloak;

return await Deployment.RunAsync(() => 
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });

    var openidClient = new Keycloak.OpenId.Client("openidClient", new()
    {
        RealmId = realm.Id,
        ClientId = "test-client",
        Enabled = true,
        AccessType = "CONFIDENTIAL",
        ValidRedirectUris = new[]
        {
            "http://localhost:8080/openid-callback",
        },
        LoginTheme = "keycloak",
        ExtraConfig = 
        {
            { "key1", "value1" },
            { "key2", "value2" },
        },
    });

});
package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = openid.NewClient(ctx, "openidClient", &openid.ClientArgs{
			RealmId:    realm.ID(),
			ClientId:   pulumi.String("test-client"),
			Enabled:    pulumi.Bool(true),
			AccessType: pulumi.String("CONFIDENTIAL"),
			ValidRedirectUris: pulumi.StringArray{
				pulumi.String("http://localhost:8080/openid-callback"),
			},
			LoginTheme: pulumi.String("keycloak"),
			ExtraConfig: pulumi.AnyMap{
				"key1": pulumi.Any("value1"),
				"key2": pulumi.Any("value2"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()        
            .realm("my-realm")
            .enabled(true)
            .build());

        var openidClient = new Client("openidClient", ClientArgs.builder()        
            .realmId(realm.id())
            .clientId("test-client")
            .enabled(true)
            .accessType("CONFIDENTIAL")
            .validRedirectUris("http://localhost:8080/openid-callback")
            .loginTheme("keycloak")
            .extraConfig(Map.ofEntries(
                Map.entry("key1", "value1"),
                Map.entry("key2", "value2")
            ))
            .build());

    }
}
import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
openid_client = keycloak.openid.Client("openidClient",
    realm_id=realm.id,
    client_id="test-client",
    enabled=True,
    access_type="CONFIDENTIAL",
    valid_redirect_uris=["http://localhost:8080/openid-callback"],
    login_theme="keycloak",
    extra_config={
        "key1": "value1",
        "key2": "value2",
    })
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const openidClient = new keycloak.openid.Client("openidClient", {
    realmId: realm.id,
    clientId: "test-client",
    enabled: true,
    accessType: "CONFIDENTIAL",
    validRedirectUris: ["http://localhost:8080/openid-callback"],
    loginTheme: "keycloak",
    extraConfig: {
        key1: "value1",
        key2: "value2",
    },
});
resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  openidClient:
    type: keycloak:openid:Client
    properties:
      realmId: ${realm.id}
      clientId: test-client
      enabled: true
      accessType: CONFIDENTIAL
      validRedirectUris:
        - http://localhost:8080/openid-callback
      loginTheme: keycloak
      extraConfig:
        key1: value1
        key2: value2

Create Client Resource

new Client(name: string, args: ClientArgs, opts?: CustomResourceOptions);
@overload
def Client(resource_name: str,
           opts: Optional[ResourceOptions] = None,
           access_token_lifespan: Optional[str] = None,
           access_type: Optional[str] = None,
           admin_url: Optional[str] = None,
           authentication_flow_binding_overrides: Optional[ClientAuthenticationFlowBindingOverridesArgs] = None,
           authorization: Optional[ClientAuthorizationArgs] = None,
           backchannel_logout_revoke_offline_sessions: Optional[bool] = None,
           backchannel_logout_session_required: Optional[bool] = None,
           backchannel_logout_url: Optional[str] = None,
           base_url: Optional[str] = None,
           client_authenticator_type: Optional[str] = None,
           client_id: Optional[str] = None,
           client_offline_session_idle_timeout: Optional[str] = None,
           client_offline_session_max_lifespan: Optional[str] = None,
           client_secret: Optional[str] = None,
           client_session_idle_timeout: Optional[str] = None,
           client_session_max_lifespan: Optional[str] = None,
           consent_required: Optional[bool] = None,
           consent_screen_text: Optional[str] = None,
           description: Optional[str] = None,
           direct_access_grants_enabled: Optional[bool] = None,
           display_on_consent_screen: Optional[bool] = None,
           enabled: Optional[bool] = None,
           exclude_session_state_from_auth_response: Optional[bool] = None,
           extra_config: Optional[Mapping[str, Any]] = None,
           frontchannel_logout_enabled: Optional[bool] = None,
           frontchannel_logout_url: Optional[str] = None,
           full_scope_allowed: Optional[bool] = None,
           implicit_flow_enabled: Optional[bool] = None,
           import_: Optional[bool] = None,
           login_theme: Optional[str] = None,
           name: Optional[str] = None,
           oauth2_device_authorization_grant_enabled: Optional[bool] = None,
           oauth2_device_code_lifespan: Optional[str] = None,
           oauth2_device_polling_interval: Optional[str] = None,
           pkce_code_challenge_method: Optional[str] = None,
           realm_id: Optional[str] = None,
           root_url: Optional[str] = None,
           service_accounts_enabled: Optional[bool] = None,
           standard_flow_enabled: Optional[bool] = None,
           use_refresh_tokens: Optional[bool] = None,
           use_refresh_tokens_client_credentials: Optional[bool] = None,
           valid_post_logout_redirect_uris: Optional[Sequence[str]] = None,
           valid_redirect_uris: Optional[Sequence[str]] = None,
           web_origins: Optional[Sequence[str]] = None)
@overload
def Client(resource_name: str,
           args: ClientArgs,
           opts: Optional[ResourceOptions] = None)
func NewClient(ctx *Context, name string, args ClientArgs, opts ...ResourceOption) (*Client, error)
public Client(string name, ClientArgs args, CustomResourceOptions? opts = null)
public Client(String name, ClientArgs args)
public Client(String name, ClientArgs args, CustomResourceOptions options)
type: keycloak:openid:Client
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args ClientArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args ClientArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args ClientArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args ClientArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args ClientArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Client Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The Client resource accepts the following input properties:

AccessType string

Specifies the type of client, which can be one of the following:

ClientId string

The Client ID for this client, referenced in the URI during authentication and in issued tokens.

RealmId string

The realm this client is attached to.

AccessTokenLifespan string

The amount of time in seconds before an access token expires. This will override the default for the realm.

AdminUrl string

URL to the admin interface of the client.

AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs

Override realm authentication flow bindings

Authorization ClientAuthorizationArgs

When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:

BackchannelLogoutRevokeOfflineSessions bool

Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.

BackchannelLogoutSessionRequired bool

When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.

BackchannelLogoutUrl string

The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.

BaseUrl string

Default URL to use when the auth server needs to redirect or link back to the client.

ClientAuthenticatorType string

Defaults to client-secret The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. Can be one of the following:

  • client-secret (Default) Use client id and client secret to authenticate client.
  • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
  • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
  • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
ClientOfflineSessionIdleTimeout string

Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.

ClientOfflineSessionMaxLifespan string

Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.

ClientSecret string

The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.

ClientSessionIdleTimeout string

Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.

ClientSessionMaxLifespan string

Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.

ConsentRequired bool

When true, users have to consent to client access. Defaults to false.

ConsentScreenText string

The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.

Description string

The description of this client in the GUI.

DirectAccessGrantsEnabled bool

When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.

DisplayOnConsentScreen bool

When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.

Enabled bool

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

ExcludeSessionStateFromAuthResponse bool

When true, the parameter session_state will not be included in OpenID Connect Authentication Response.

ExtraConfig Dictionary<string, object>
FrontchannelLogoutEnabled bool

When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.

FrontchannelLogoutUrl string

The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.

FullScopeAllowed bool

Allow to include all roles mappings in the access token.

ImplicitFlowEnabled bool

When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.

Import bool

When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.

LoginTheme string

The client login theme. This will override the default theme for the realm.

Name string

The display name of this client in the GUI.

Oauth2DeviceAuthorizationGrantEnabled bool

Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.

Oauth2DeviceCodeLifespan string

The maximum amount of time a client has to finish the device code flow before it expires.

Oauth2DevicePollingInterval string

The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

PkceCodeChallengeMethod string

The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.

RootUrl string

When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.

ServiceAccountsEnabled bool

When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.

StandardFlowEnabled bool

When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.

UseRefreshTokens bool

If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.

UseRefreshTokensClientCredentials bool

If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.

ValidPostLogoutRedirectUris List<string>

A list of valid URIs a browser is permitted to redirect to after a successful logout.

ValidRedirectUris List<string>

A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.

WebOrigins List<string>

A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *."

AccessType string

Specifies the type of client, which can be one of the following:

ClientId string

The Client ID for this client, referenced in the URI during authentication and in issued tokens.

RealmId string

The realm this client is attached to.

AccessTokenLifespan string

The amount of time in seconds before an access token expires. This will override the default for the realm.

AdminUrl string

URL to the admin interface of the client.

AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs

Override realm authentication flow bindings

Authorization ClientAuthorizationArgs

When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:

BackchannelLogoutRevokeOfflineSessions bool

Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.

BackchannelLogoutSessionRequired bool

When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.

BackchannelLogoutUrl string

The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.

BaseUrl string

Default URL to use when the auth server needs to redirect or link back to the client.

ClientAuthenticatorType string

Defaults to client-secret The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. Can be one of the following:

  • client-secret (Default) Use client id and client secret to authenticate client.
  • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
  • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
  • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
ClientOfflineSessionIdleTimeout string

Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.

ClientOfflineSessionMaxLifespan string

Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.

ClientSecret string

The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.

ClientSessionIdleTimeout string

Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.

ClientSessionMaxLifespan string

Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.

ConsentRequired bool

When true, users have to consent to client access. Defaults to false.

ConsentScreenText string

The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.

Description string

The description of this client in the GUI.

DirectAccessGrantsEnabled bool

When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.

DisplayOnConsentScreen bool

When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.

Enabled bool

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

ExcludeSessionStateFromAuthResponse bool

When true, the parameter session_state will not be included in OpenID Connect Authentication Response.

ExtraConfig map[string]interface{}
FrontchannelLogoutEnabled bool

When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.

FrontchannelLogoutUrl string

The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.

FullScopeAllowed bool

Allow to include all roles mappings in the access token.

ImplicitFlowEnabled bool

When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.

Import bool

When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.

LoginTheme string

The client login theme. This will override the default theme for the realm.

Name string

The display name of this client in the GUI.

Oauth2DeviceAuthorizationGrantEnabled bool

Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.

Oauth2DeviceCodeLifespan string

The maximum amount of time a client has to finish the device code flow before it expires.

Oauth2DevicePollingInterval string

The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

PkceCodeChallengeMethod string

The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.

RootUrl string

When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.

ServiceAccountsEnabled bool

When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.

StandardFlowEnabled bool

When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.

UseRefreshTokens bool

If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.

UseRefreshTokensClientCredentials bool

If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.

ValidPostLogoutRedirectUris []string

A list of valid URIs a browser is permitted to redirect to after a successful logout.

ValidRedirectUris []string

A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.

WebOrigins []string

A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *."

accessType String

Specifies the type of client, which can be one of the following:

clientId String

The Client ID for this client, referenced in the URI during authentication and in issued tokens.

realmId String

The realm this client is attached to.

accessTokenLifespan String

The amount of time in seconds before an access token expires. This will override the default for the realm.

adminUrl String

URL to the admin interface of the client.

authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs

Override realm authentication flow bindings

authorization ClientAuthorizationArgs

When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:

backchannelLogoutRevokeOfflineSessions Boolean

Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.

backchannelLogoutSessionRequired Boolean

When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.

backchannelLogoutUrl String

The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.

baseUrl String

Default URL to use when the auth server needs to redirect or link back to the client.

clientAuthenticatorType String

Defaults to client-secret The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. Can be one of the following:

  • client-secret (Default) Use client id and client secret to authenticate client.
  • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
  • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
  • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
clientOfflineSessionIdleTimeout String

Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.

clientOfflineSessionMaxLifespan String

Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.

clientSecret String

The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.

clientSessionIdleTimeout String

Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.

clientSessionMaxLifespan String

Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.

consentRequired Boolean

When true, users have to consent to client access. Defaults to false.

consentScreenText String

The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.

description String

The description of this client in the GUI.

directAccessGrantsEnabled Boolean

When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.

displayOnConsentScreen Boolean

When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.

enabled Boolean

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

excludeSessionStateFromAuthResponse Boolean

When true, the parameter session_state will not be included in OpenID Connect Authentication Response.

extraConfig Map<String,Object>
frontchannelLogoutEnabled Boolean

When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.

frontchannelLogoutUrl String

The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.

fullScopeAllowed Boolean

Allow to include all roles mappings in the access token.

implicitFlowEnabled Boolean

When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.

import_ Boolean

When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.

loginTheme String

The client login theme. This will override the default theme for the realm.

name String

The display name of this client in the GUI.

oauth2DeviceAuthorizationGrantEnabled Boolean

Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.

oauth2DeviceCodeLifespan String

The maximum amount of time a client has to finish the device code flow before it expires.

oauth2DevicePollingInterval String

The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

pkceCodeChallengeMethod String

The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.

rootUrl String

When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.

serviceAccountsEnabled Boolean

When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.

standardFlowEnabled Boolean

When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.

useRefreshTokens Boolean

If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.

useRefreshTokensClientCredentials Boolean

If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.

validPostLogoutRedirectUris List<String>

A list of valid URIs a browser is permitted to redirect to after a successful logout.

validRedirectUris List<String>

A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.

webOrigins List<String>

A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *."

accessType string

Specifies the type of client, which can be one of the following:

clientId string

The Client ID for this client, referenced in the URI during authentication and in issued tokens.

realmId string

The realm this client is attached to.

accessTokenLifespan string

The amount of time in seconds before an access token expires. This will override the default for the realm.

adminUrl string

URL to the admin interface of the client.

authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs

Override realm authentication flow bindings

authorization ClientAuthorizationArgs

When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:

backchannelLogoutRevokeOfflineSessions boolean

Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.

backchannelLogoutSessionRequired boolean

When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.

backchannelLogoutUrl string

The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.

baseUrl string

Default URL to use when the auth server needs to redirect or link back to the client.

clientAuthenticatorType string

Defaults to client-secret The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. Can be one of the following:

  • client-secret (Default) Use client id and client secret to authenticate client.
  • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
  • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
  • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
clientOfflineSessionIdleTimeout string

Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.

clientOfflineSessionMaxLifespan string

Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.

clientSecret string

The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.

clientSessionIdleTimeout string

Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.

clientSessionMaxLifespan string

Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.

consentRequired boolean

When true, users have to consent to client access. Defaults to false.

consentScreenText string

The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.

description string

The description of this client in the GUI.

directAccessGrantsEnabled boolean

When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.

displayOnConsentScreen boolean

When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.

enabled boolean

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

excludeSessionStateFromAuthResponse boolean

When true, the parameter session_state will not be included in OpenID Connect Authentication Response.

extraConfig {[key: string]: any}
frontchannelLogoutEnabled boolean

When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.

frontchannelLogoutUrl string

The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.

fullScopeAllowed boolean

Allow to include all roles mappings in the access token.

implicitFlowEnabled boolean

When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.

import boolean

When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.

loginTheme string

The client login theme. This will override the default theme for the realm.

name string

The display name of this client in the GUI.

oauth2DeviceAuthorizationGrantEnabled boolean

Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.

oauth2DeviceCodeLifespan string

The maximum amount of time a client has to finish the device code flow before it expires.

oauth2DevicePollingInterval string

The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

pkceCodeChallengeMethod string

The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.

rootUrl string

When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.

serviceAccountsEnabled boolean

When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.

standardFlowEnabled boolean

When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.

useRefreshTokens boolean

If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.

useRefreshTokensClientCredentials boolean

If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.

validPostLogoutRedirectUris string[]

A list of valid URIs a browser is permitted to redirect to after a successful logout.

validRedirectUris string[]

A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.

webOrigins string[]

A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *."

access_type str

Specifies the type of client, which can be one of the following:

client_id str

The Client ID for this client, referenced in the URI during authentication and in issued tokens.

realm_id str

The realm this client is attached to.

access_token_lifespan str

The amount of time in seconds before an access token expires. This will override the default for the realm.

admin_url str

URL to the admin interface of the client.

authentication_flow_binding_overrides ClientAuthenticationFlowBindingOverridesArgs

Override realm authentication flow bindings

authorization ClientAuthorizationArgs

When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:

backchannel_logout_revoke_offline_sessions bool

Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.

backchannel_logout_session_required bool

When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.

backchannel_logout_url str

The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.

base_url str

Default URL to use when the auth server needs to redirect or link back to the client.

client_authenticator_type str

Defaults to client-secret The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. Can be one of the following:

  • client-secret (Default) Use client id and client secret to authenticate client.
  • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
  • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
  • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
client_offline_session_idle_timeout str

Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.

client_offline_session_max_lifespan str

Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.

client_secret str

The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.

client_session_idle_timeout str

Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.

client_session_max_lifespan str

Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.

consent_required bool

When true, users have to consent to client access. Defaults to false.

consent_screen_text str

The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.

description str

The description of this client in the GUI.

direct_access_grants_enabled bool

When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.

display_on_consent_screen bool

When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.

enabled bool

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

exclude_session_state_from_auth_response bool

When true, the parameter session_state will not be included in OpenID Connect Authentication Response.

extra_config Mapping[str, Any]
frontchannel_logout_enabled bool

When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.

frontchannel_logout_url str

The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.

full_scope_allowed bool

Allow to include all roles mappings in the access token.

implicit_flow_enabled bool

When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.

import_ bool

When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.

login_theme str

The client login theme. This will override the default theme for the realm.

name str

The display name of this client in the GUI.

oauth2_device_authorization_grant_enabled bool

Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.

oauth2_device_code_lifespan str

The maximum amount of time a client has to finish the device code flow before it expires.

oauth2_device_polling_interval str

The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

pkce_code_challenge_method str

The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.

root_url str

When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.

service_accounts_enabled bool

When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.

standard_flow_enabled bool

When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.

use_refresh_tokens bool

If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.

use_refresh_tokens_client_credentials bool

If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.

valid_post_logout_redirect_uris Sequence[str]

A list of valid URIs a browser is permitted to redirect to after a successful logout.

valid_redirect_uris Sequence[str]

A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.

web_origins Sequence[str]

A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *."

accessType String

Specifies the type of client, which can be one of the following:

clientId String

The Client ID for this client, referenced in the URI during authentication and in issued tokens.

realmId String

The realm this client is attached to.

accessTokenLifespan String

The amount of time in seconds before an access token expires. This will override the default for the realm.

adminUrl String

URL to the admin interface of the client.

authenticationFlowBindingOverrides Property Map

Override realm authentication flow bindings

authorization Property Map

When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:

backchannelLogoutRevokeOfflineSessions Boolean

Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.

backchannelLogoutSessionRequired Boolean

When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.

backchannelLogoutUrl String

The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.

baseUrl String

Default URL to use when the auth server needs to redirect or link back to the client.

clientAuthenticatorType String

Defaults to client-secret The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. Can be one of the following:

  • client-secret (Default) Use client id and client secret to authenticate client.
  • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
  • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
  • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
clientOfflineSessionIdleTimeout String

Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.

clientOfflineSessionMaxLifespan String

Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.

clientSecret String

The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.

clientSessionIdleTimeout String

Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.

clientSessionMaxLifespan String

Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.

consentRequired Boolean

When true, users have to consent to client access. Defaults to false.

consentScreenText String

The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.

description String

The description of this client in the GUI.

directAccessGrantsEnabled Boolean

When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.

displayOnConsentScreen Boolean

When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.

enabled Boolean

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

excludeSessionStateFromAuthResponse Boolean

When true, the parameter session_state will not be included in OpenID Connect Authentication Response.

extraConfig Map<Any>
frontchannelLogoutEnabled Boolean

When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.

frontchannelLogoutUrl String

The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.

fullScopeAllowed Boolean

Allow to include all roles mappings in the access token.

implicitFlowEnabled Boolean

When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.

import Boolean

When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.

loginTheme String

The client login theme. This will override the default theme for the realm.

name String

The display name of this client in the GUI.

oauth2DeviceAuthorizationGrantEnabled Boolean

Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.

oauth2DeviceCodeLifespan String

The maximum amount of time a client has to finish the device code flow before it expires.

oauth2DevicePollingInterval String

The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

pkceCodeChallengeMethod String

The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.

rootUrl String

When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.

serviceAccountsEnabled Boolean

When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.

standardFlowEnabled Boolean

When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.

useRefreshTokens Boolean

If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.

useRefreshTokensClientCredentials Boolean

If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.

validPostLogoutRedirectUris List<String>

A list of valid URIs a browser is permitted to redirect to after a successful logout.

validRedirectUris List<String>

A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.

webOrigins List<String>

A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *."

Outputs

All input properties are implicitly available as output properties. Additionally, the Client resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

ResourceServerId string

(Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).

ServiceAccountUserId string

(Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.

Id string

The provider-assigned unique ID for this managed resource.

ResourceServerId string

(Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).

ServiceAccountUserId string

(Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.

id String

The provider-assigned unique ID for this managed resource.

resourceServerId String

(Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).

serviceAccountUserId String

(Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.

id string

The provider-assigned unique ID for this managed resource.

resourceServerId string

(Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).

serviceAccountUserId string

(Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.

id str

The provider-assigned unique ID for this managed resource.

resource_server_id str

(Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).

service_account_user_id str

(Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.

id String

The provider-assigned unique ID for this managed resource.

resourceServerId String

(Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).

serviceAccountUserId String

(Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.

Look up Existing Client Resource

Get an existing Client resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ClientState, opts?: CustomResourceOptions): Client
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        access_token_lifespan: Optional[str] = None,
        access_type: Optional[str] = None,
        admin_url: Optional[str] = None,
        authentication_flow_binding_overrides: Optional[ClientAuthenticationFlowBindingOverridesArgs] = None,
        authorization: Optional[ClientAuthorizationArgs] = None,
        backchannel_logout_revoke_offline_sessions: Optional[bool] = None,
        backchannel_logout_session_required: Optional[bool] = None,
        backchannel_logout_url: Optional[str] = None,
        base_url: Optional[str] = None,
        client_authenticator_type: Optional[str] = None,
        client_id: Optional[str] = None,
        client_offline_session_idle_timeout: Optional[str] = None,
        client_offline_session_max_lifespan: Optional[str] = None,
        client_secret: Optional[str] = None,
        client_session_idle_timeout: Optional[str] = None,
        client_session_max_lifespan: Optional[str] = None,
        consent_required: Optional[bool] = None,
        consent_screen_text: Optional[str] = None,
        description: Optional[str] = None,
        direct_access_grants_enabled: Optional[bool] = None,
        display_on_consent_screen: Optional[bool] = None,
        enabled: Optional[bool] = None,
        exclude_session_state_from_auth_response: Optional[bool] = None,
        extra_config: Optional[Mapping[str, Any]] = None,
        frontchannel_logout_enabled: Optional[bool] = None,
        frontchannel_logout_url: Optional[str] = None,
        full_scope_allowed: Optional[bool] = None,
        implicit_flow_enabled: Optional[bool] = None,
        import_: Optional[bool] = None,
        login_theme: Optional[str] = None,
        name: Optional[str] = None,
        oauth2_device_authorization_grant_enabled: Optional[bool] = None,
        oauth2_device_code_lifespan: Optional[str] = None,
        oauth2_device_polling_interval: Optional[str] = None,
        pkce_code_challenge_method: Optional[str] = None,
        realm_id: Optional[str] = None,
        resource_server_id: Optional[str] = None,
        root_url: Optional[str] = None,
        service_account_user_id: Optional[str] = None,
        service_accounts_enabled: Optional[bool] = None,
        standard_flow_enabled: Optional[bool] = None,
        use_refresh_tokens: Optional[bool] = None,
        use_refresh_tokens_client_credentials: Optional[bool] = None,
        valid_post_logout_redirect_uris: Optional[Sequence[str]] = None,
        valid_redirect_uris: Optional[Sequence[str]] = None,
        web_origins: Optional[Sequence[str]] = None) -> Client
func GetClient(ctx *Context, name string, id IDInput, state *ClientState, opts ...ResourceOption) (*Client, error)
public static Client Get(string name, Input<string> id, ClientState? state, CustomResourceOptions? opts = null)
public static Client get(String name, Output<String> id, ClientState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AccessTokenLifespan string

The amount of time in seconds before an access token expires. This will override the default for the realm.

AccessType string

Specifies the type of client, which can be one of the following:

AdminUrl string

URL to the admin interface of the client.

AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs

Override realm authentication flow bindings

Authorization ClientAuthorizationArgs

When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:

BackchannelLogoutRevokeOfflineSessions bool

Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.

BackchannelLogoutSessionRequired bool

When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.

BackchannelLogoutUrl string

The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.

BaseUrl string

Default URL to use when the auth server needs to redirect or link back to the client.

ClientAuthenticatorType string

Defaults to client-secret The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. Can be one of the following:

  • client-secret (Default) Use client id and client secret to authenticate client.
  • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
  • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
  • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
ClientId string

The Client ID for this client, referenced in the URI during authentication and in issued tokens.

ClientOfflineSessionIdleTimeout string

Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.

ClientOfflineSessionMaxLifespan string

Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.

ClientSecret string

The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.

ClientSessionIdleTimeout string

Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.

ClientSessionMaxLifespan string

Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.

ConsentRequired bool

When true, users have to consent to client access. Defaults to false.

ConsentScreenText string

The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.

Description string

The description of this client in the GUI.

DirectAccessGrantsEnabled bool

When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.

DisplayOnConsentScreen bool

When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.

Enabled bool

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

ExcludeSessionStateFromAuthResponse bool

When true, the parameter session_state will not be included in OpenID Connect Authentication Response.

ExtraConfig Dictionary<string, object>
FrontchannelLogoutEnabled bool

When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.

FrontchannelLogoutUrl string

The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.

FullScopeAllowed bool

Allow to include all roles mappings in the access token.

ImplicitFlowEnabled bool

When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.

Import bool

When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.

LoginTheme string

The client login theme. This will override the default theme for the realm.

Name string

The display name of this client in the GUI.

Oauth2DeviceAuthorizationGrantEnabled bool

Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.

Oauth2DeviceCodeLifespan string

The maximum amount of time a client has to finish the device code flow before it expires.

Oauth2DevicePollingInterval string

The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

PkceCodeChallengeMethod string

The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.

RealmId string

The realm this client is attached to.

ResourceServerId string

(Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).

RootUrl string

When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.

ServiceAccountUserId string

(Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.

ServiceAccountsEnabled bool

When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.

StandardFlowEnabled bool

When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.

UseRefreshTokens bool

If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.

UseRefreshTokensClientCredentials bool

If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.

ValidPostLogoutRedirectUris List<string>

A list of valid URIs a browser is permitted to redirect to after a successful logout.

ValidRedirectUris List<string>

A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.

WebOrigins List<string>

A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *."

AccessTokenLifespan string

The amount of time in seconds before an access token expires. This will override the default for the realm.

AccessType string

Specifies the type of client, which can be one of the following:

AdminUrl string

URL to the admin interface of the client.

AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs

Override realm authentication flow bindings

Authorization ClientAuthorizationArgs

When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:

BackchannelLogoutRevokeOfflineSessions bool

Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.

BackchannelLogoutSessionRequired bool

When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.

BackchannelLogoutUrl string

The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.

BaseUrl string

Default URL to use when the auth server needs to redirect or link back to the client.

ClientAuthenticatorType string

Defaults to client-secret The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. Can be one of the following:

  • client-secret (Default) Use client id and client secret to authenticate client.
  • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
  • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
  • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
ClientId string

The Client ID for this client, referenced in the URI during authentication and in issued tokens.

ClientOfflineSessionIdleTimeout string

Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.

ClientOfflineSessionMaxLifespan string

Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.

ClientSecret string

The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.

ClientSessionIdleTimeout string

Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.

ClientSessionMaxLifespan string

Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.

ConsentRequired bool

When true, users have to consent to client access. Defaults to false.

ConsentScreenText string

The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.

Description string

The description of this client in the GUI.

DirectAccessGrantsEnabled bool

When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.

DisplayOnConsentScreen bool

When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.

Enabled bool

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

ExcludeSessionStateFromAuthResponse bool

When true, the parameter session_state will not be included in OpenID Connect Authentication Response.

ExtraConfig map[string]interface{}
FrontchannelLogoutEnabled bool

When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.

FrontchannelLogoutUrl string

The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.

FullScopeAllowed bool

Allow to include all roles mappings in the access token.

ImplicitFlowEnabled bool

When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.

Import bool

When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.

LoginTheme string

The client login theme. This will override the default theme for the realm.

Name string

The display name of this client in the GUI.

Oauth2DeviceAuthorizationGrantEnabled bool

Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.

Oauth2DeviceCodeLifespan string

The maximum amount of time a client has to finish the device code flow before it expires.

Oauth2DevicePollingInterval string

The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

PkceCodeChallengeMethod string

The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.

RealmId string

The realm this client is attached to.

ResourceServerId string

(Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).

RootUrl string

When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.

ServiceAccountUserId string

(Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.

ServiceAccountsEnabled bool

When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.

StandardFlowEnabled bool

When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.

UseRefreshTokens bool

If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.

UseRefreshTokensClientCredentials bool

If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.

ValidPostLogoutRedirectUris []string

A list of valid URIs a browser is permitted to redirect to after a successful logout.

ValidRedirectUris []string

A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.

WebOrigins []string

A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *."

accessTokenLifespan String

The amount of time in seconds before an access token expires. This will override the default for the realm.

accessType String

Specifies the type of client, which can be one of the following:

adminUrl String

URL to the admin interface of the client.

authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs

Override realm authentication flow bindings

authorization ClientAuthorizationArgs

When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:

backchannelLogoutRevokeOfflineSessions Boolean

Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.

backchannelLogoutSessionRequired Boolean

When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.

backchannelLogoutUrl String

The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.

baseUrl String

Default URL to use when the auth server needs to redirect or link back to the client.

clientAuthenticatorType String

Defaults to client-secret The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. Can be one of the following:

  • client-secret (Default) Use client id and client secret to authenticate client.
  • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
  • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
  • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
clientId String

The Client ID for this client, referenced in the URI during authentication and in issued tokens.

clientOfflineSessionIdleTimeout String

Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.

clientOfflineSessionMaxLifespan String

Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.

clientSecret String

The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.

clientSessionIdleTimeout String

Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.

clientSessionMaxLifespan String

Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.

consentRequired Boolean

When true, users have to consent to client access. Defaults to false.

consentScreenText String

The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.

description String

The description of this client in the GUI.

directAccessGrantsEnabled Boolean

When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.

displayOnConsentScreen Boolean

When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.

enabled Boolean

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

excludeSessionStateFromAuthResponse Boolean

When true, the parameter session_state will not be included in OpenID Connect Authentication Response.

extraConfig Map<String,Object>
frontchannelLogoutEnabled Boolean

When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.

frontchannelLogoutUrl String

The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.

fullScopeAllowed Boolean

Allow to include all roles mappings in the access token.

implicitFlowEnabled Boolean

When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.

import_ Boolean

When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.

loginTheme String

The client login theme. This will override the default theme for the realm.

name String

The display name of this client in the GUI.

oauth2DeviceAuthorizationGrantEnabled Boolean

Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.

oauth2DeviceCodeLifespan String

The maximum amount of time a client has to finish the device code flow before it expires.

oauth2DevicePollingInterval String

The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

pkceCodeChallengeMethod String

The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.

realmId String

The realm this client is attached to.

resourceServerId String

(Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).

rootUrl String

When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.

serviceAccountUserId String

(Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.

serviceAccountsEnabled Boolean

When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.

standardFlowEnabled Boolean

When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.

useRefreshTokens Boolean

If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.

useRefreshTokensClientCredentials Boolean

If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.

validPostLogoutRedirectUris List<String>

A list of valid URIs a browser is permitted to redirect to after a successful logout.

validRedirectUris List<String>

A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.

webOrigins List<String>

A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *."

accessTokenLifespan string

The amount of time in seconds before an access token expires. This will override the default for the realm.

accessType string

Specifies the type of client, which can be one of the following:

adminUrl string

URL to the admin interface of the client.

authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs

Override realm authentication flow bindings

authorization ClientAuthorizationArgs

When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:

backchannelLogoutRevokeOfflineSessions boolean

Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.

backchannelLogoutSessionRequired boolean

When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.

backchannelLogoutUrl string

The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.

baseUrl string

Default URL to use when the auth server needs to redirect or link back to the client.

clientAuthenticatorType string

Defaults to client-secret The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. Can be one of the following:

  • client-secret (Default) Use client id and client secret to authenticate client.
  • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
  • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
  • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
clientId string

The Client ID for this client, referenced in the URI during authentication and in issued tokens.

clientOfflineSessionIdleTimeout string

Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.

clientOfflineSessionMaxLifespan string

Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.

clientSecret string

The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.

clientSessionIdleTimeout string

Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.

clientSessionMaxLifespan string

Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.

consentRequired boolean

When true, users have to consent to client access. Defaults to false.

consentScreenText string

The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.

description string

The description of this client in the GUI.

directAccessGrantsEnabled boolean

When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.

displayOnConsentScreen boolean

When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.

enabled boolean

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

excludeSessionStateFromAuthResponse boolean

When true, the parameter session_state will not be included in OpenID Connect Authentication Response.

extraConfig {[key: string]: any}
frontchannelLogoutEnabled boolean

When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.

frontchannelLogoutUrl string

The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.

fullScopeAllowed boolean

Allow to include all roles mappings in the access token.

implicitFlowEnabled boolean

When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.

import boolean

When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.

loginTheme string

The client login theme. This will override the default theme for the realm.

name string

The display name of this client in the GUI.

oauth2DeviceAuthorizationGrantEnabled boolean

Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.

oauth2DeviceCodeLifespan string

The maximum amount of time a client has to finish the device code flow before it expires.

oauth2DevicePollingInterval string

The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

pkceCodeChallengeMethod string

The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.

realmId string

The realm this client is attached to.

resourceServerId string

(Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).

rootUrl string

When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.

serviceAccountUserId string

(Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.

serviceAccountsEnabled boolean

When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.

standardFlowEnabled boolean

When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.

useRefreshTokens boolean

If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.

useRefreshTokensClientCredentials boolean

If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.

validPostLogoutRedirectUris string[]

A list of valid URIs a browser is permitted to redirect to after a successful logout.

validRedirectUris string[]

A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.

webOrigins string[]

A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *."

access_token_lifespan str

The amount of time in seconds before an access token expires. This will override the default for the realm.

access_type str

Specifies the type of client, which can be one of the following:

admin_url str

URL to the admin interface of the client.

authentication_flow_binding_overrides ClientAuthenticationFlowBindingOverridesArgs

Override realm authentication flow bindings

authorization ClientAuthorizationArgs

When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:

backchannel_logout_revoke_offline_sessions bool

Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.

backchannel_logout_session_required bool

When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.

backchannel_logout_url str

The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.

base_url str

Default URL to use when the auth server needs to redirect or link back to the client.

client_authenticator_type str

Defaults to client-secret The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. Can be one of the following:

  • client-secret (Default) Use client id and client secret to authenticate client.
  • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
  • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
  • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
client_id str

The Client ID for this client, referenced in the URI during authentication and in issued tokens.

client_offline_session_idle_timeout str

Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.

client_offline_session_max_lifespan str

Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.

client_secret str

The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.

client_session_idle_timeout str

Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.

client_session_max_lifespan str

Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.

consent_required bool

When true, users have to consent to client access. Defaults to false.

consent_screen_text str

The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.

description str

The description of this client in the GUI.

direct_access_grants_enabled bool

When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.

display_on_consent_screen bool

When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.

enabled bool

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

exclude_session_state_from_auth_response bool

When true, the parameter session_state will not be included in OpenID Connect Authentication Response.

extra_config Mapping[str, Any]
frontchannel_logout_enabled bool

When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.

frontchannel_logout_url str

The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.

full_scope_allowed bool

Allow to include all roles mappings in the access token.

implicit_flow_enabled bool

When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.

import_ bool

When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.

login_theme str

The client login theme. This will override the default theme for the realm.

name str

The display name of this client in the GUI.

oauth2_device_authorization_grant_enabled bool

Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.

oauth2_device_code_lifespan str

The maximum amount of time a client has to finish the device code flow before it expires.

oauth2_device_polling_interval str

The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

pkce_code_challenge_method str

The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.

realm_id str

The realm this client is attached to.

resource_server_id str

(Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).

root_url str

When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.

service_account_user_id str

(Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.

service_accounts_enabled bool

When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.

standard_flow_enabled bool

When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.

use_refresh_tokens bool

If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.

use_refresh_tokens_client_credentials bool

If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.

valid_post_logout_redirect_uris Sequence[str]

A list of valid URIs a browser is permitted to redirect to after a successful logout.

valid_redirect_uris Sequence[str]

A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.

web_origins Sequence[str]

A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *."

accessTokenLifespan String

The amount of time in seconds before an access token expires. This will override the default for the realm.

accessType String

Specifies the type of client, which can be one of the following:

adminUrl String

URL to the admin interface of the client.

authenticationFlowBindingOverrides Property Map

Override realm authentication flow bindings

authorization Property Map

When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:

backchannelLogoutRevokeOfflineSessions Boolean

Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.

backchannelLogoutSessionRequired Boolean

When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.

backchannelLogoutUrl String

The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.

baseUrl String

Default URL to use when the auth server needs to redirect or link back to the client.

clientAuthenticatorType String

Defaults to client-secret The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. Can be one of the following:

  • client-secret (Default) Use client id and client secret to authenticate client.
  • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
  • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
  • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
clientId String

The Client ID for this client, referenced in the URI during authentication and in issued tokens.

clientOfflineSessionIdleTimeout String

Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.

clientOfflineSessionMaxLifespan String

Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.

clientSecret String

The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.

clientSessionIdleTimeout String

Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.

clientSessionMaxLifespan String

Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.

consentRequired Boolean

When true, users have to consent to client access. Defaults to false.

consentScreenText String

The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.

description String

The description of this client in the GUI.

directAccessGrantsEnabled Boolean

When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.

displayOnConsentScreen Boolean

When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.

enabled Boolean

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

excludeSessionStateFromAuthResponse Boolean

When true, the parameter session_state will not be included in OpenID Connect Authentication Response.

extraConfig Map<Any>
frontchannelLogoutEnabled Boolean

When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.

frontchannelLogoutUrl String

The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.

fullScopeAllowed Boolean

Allow to include all roles mappings in the access token.

implicitFlowEnabled Boolean

When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.

import Boolean

When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.

loginTheme String

The client login theme. This will override the default theme for the realm.

name String

The display name of this client in the GUI.

oauth2DeviceAuthorizationGrantEnabled Boolean

Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.

oauth2DeviceCodeLifespan String

The maximum amount of time a client has to finish the device code flow before it expires.

oauth2DevicePollingInterval String

The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

pkceCodeChallengeMethod String

The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.

realmId String

The realm this client is attached to.

resourceServerId String

(Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).

rootUrl String

When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.

serviceAccountUserId String

(Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.

serviceAccountsEnabled Boolean

When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.

standardFlowEnabled Boolean

When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.

useRefreshTokens Boolean

If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.

useRefreshTokensClientCredentials Boolean

If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.

validPostLogoutRedirectUris List<String>

A list of valid URIs a browser is permitted to redirect to after a successful logout.

validRedirectUris List<String>

A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.

webOrigins List<String>

A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *."

Supporting Types

ClientAuthenticationFlowBindingOverrides

BrowserId string

Browser flow id, (flow needs to exist)

DirectGrantId string

Direct grant flow id (flow needs to exist)

BrowserId string

Browser flow id, (flow needs to exist)

DirectGrantId string

Direct grant flow id (flow needs to exist)

browserId String

Browser flow id, (flow needs to exist)

directGrantId String

Direct grant flow id (flow needs to exist)

browserId string

Browser flow id, (flow needs to exist)

directGrantId string

Direct grant flow id (flow needs to exist)

browser_id str

Browser flow id, (flow needs to exist)

direct_grant_id str

Direct grant flow id (flow needs to exist)

browserId String

Browser flow id, (flow needs to exist)

directGrantId String

Direct grant flow id (flow needs to exist)

ClientAuthorization

PolicyEnforcementMode string

Dictates how policies are enforced when evaluating authorization requests. Can be one of ENFORCING, PERMISSIVE, or DISABLED.

AllowRemoteResourceManagement bool

When true, resources can be managed remotely by the resource server. Defaults to false.

DecisionStrategy string

Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.

KeepDefaults bool

When true, defaults set by Keycloak will be respected. Defaults to false.

PolicyEnforcementMode string

Dictates how policies are enforced when evaluating authorization requests. Can be one of ENFORCING, PERMISSIVE, or DISABLED.

AllowRemoteResourceManagement bool

When true, resources can be managed remotely by the resource server. Defaults to false.

DecisionStrategy string

Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.

KeepDefaults bool

When true, defaults set by Keycloak will be respected. Defaults to false.

policyEnforcementMode String

Dictates how policies are enforced when evaluating authorization requests. Can be one of ENFORCING, PERMISSIVE, or DISABLED.

allowRemoteResourceManagement Boolean

When true, resources can be managed remotely by the resource server. Defaults to false.

decisionStrategy String

Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.

keepDefaults Boolean

When true, defaults set by Keycloak will be respected. Defaults to false.

policyEnforcementMode string

Dictates how policies are enforced when evaluating authorization requests. Can be one of ENFORCING, PERMISSIVE, or DISABLED.

allowRemoteResourceManagement boolean

When true, resources can be managed remotely by the resource server. Defaults to false.

decisionStrategy string

Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.

keepDefaults boolean

When true, defaults set by Keycloak will be respected. Defaults to false.

policy_enforcement_mode str

Dictates how policies are enforced when evaluating authorization requests. Can be one of ENFORCING, PERMISSIVE, or DISABLED.

allow_remote_resource_management bool

When true, resources can be managed remotely by the resource server. Defaults to false.

decision_strategy str

Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.

keep_defaults bool

When true, defaults set by Keycloak will be respected. Defaults to false.

policyEnforcementMode String

Dictates how policies are enforced when evaluating authorization requests. Can be one of ENFORCING, PERMISSIVE, or DISABLED.

allowRemoteResourceManagement Boolean

When true, resources can be managed remotely by the resource server. Defaults to false.

decisionStrategy String

Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.

keepDefaults Boolean

When true, defaults set by Keycloak will be respected. Defaults to false.

Import

Clients can be imported using the format {{realm_id}}/{{client_keycloak_id}}, where client_keycloak_id is the unique ID that Keycloak assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. Examplebash

 $ pulumi import keycloak:openid/client:Client openid_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352

Package Details

Repository
Keycloak pulumi/pulumi-keycloak
License
Apache-2.0
Notes

This Pulumi package is based on the keycloak Terraform Provider.