Docs Home Pulumi IaC Pulumi ESC Pulumi Insights Pulumi IDP Pulumi Cloud Packages Tutorials
  1. Packages
  2. Keycloak Provider
  3. API Docs
  4. openid
  5. Client
Keycloak v6.5.0 published on Tuesday, May 13, 2025 by Pulumi
pulumi/pulumi-keycloak

keycloak.openid.Client

Explore with Pulumi AI

keycloak logo
Keycloak v6.5.0 published on Tuesday, May 13, 2025 by Pulumi
pulumi/pulumi-keycloak

    Allows for creating and managing Keycloak clients that use the OpenID Connect protocol.

    Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users to Keycloak for authentication in order to take advantage of Keycloak’s user sessions for SSO.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const openidClient = new keycloak.openid.Client("openid_client", {
    realmId: realm.id,
    clientId: "test-client",
    name: "test client",
    enabled: true,
    accessType: "CONFIDENTIAL",
    validRedirectUris: ["http://localhost:8080/openid-callback"],
    loginTheme: "keycloak",
    extraConfig: {
        key1: "value1",
        key2: "value2",
    },
});

    import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
openid_client = keycloak.openid.Client("openid_client",
    realm_id=realm.id,
    client_id="test-client",
    name="test client",
    enabled=True,
    access_type="CONFIDENTIAL",
    valid_redirect_uris=["http://localhost:8080/openid-callback"],
    login_theme="keycloak",
    extra_config={
        "key1": "value1",
        "key2": "value2",
    })

    package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = openid.NewClient(ctx, "openid_client", &openid.ClientArgs{
			RealmId:    realm.ID(),
			ClientId:   pulumi.String("test-client"),
			Name:       pulumi.String("test client"),
			Enabled:    pulumi.Bool(true),
			AccessType: pulumi.String("CONFIDENTIAL"),
			ValidRedirectUris: pulumi.StringArray{
				pulumi.String("http://localhost:8080/openid-callback"),
			},
			LoginTheme: pulumi.String("keycloak"),
			ExtraConfig: pulumi.StringMap{
				"key1": pulumi.String("value1"),
				"key2": pulumi.String("value2"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

    using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;

return await Deployment.RunAsync(() => 
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });

    var openidClient = new Keycloak.OpenId.Client("openid_client", new()
    {
        RealmId = realm.Id,
        ClientId = "test-client",
        Name = "test client",
        Enabled = true,
        AccessType = "CONFIDENTIAL",
        ValidRedirectUris = new[]
        {
            "http://localhost:8080/openid-callback",
        },
        LoginTheme = "keycloak",
        ExtraConfig = 
        {
            { "key1", "value1" },
            { "key2", "value2" },
        },
    });

});

    package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());

        var openidClient = new Client("openidClient", ClientArgs.builder()
            .realmId(realm.id())
            .clientId("test-client")
            .name("test client")
            .enabled(true)
            .accessType("CONFIDENTIAL")
            .validRedirectUris("http://localhost:8080/openid-callback")
            .loginTheme("keycloak")
            .extraConfig(Map.ofEntries(
                Map.entry("key1", "value1"),
                Map.entry("key2", "value2")
            ))
            .build());

    }
}

    resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  openidClient:
    type: keycloak:openid:Client
    name: openid_client
    properties:
      realmId: ${realm.id}
      clientId: test-client
      name: test client
      enabled: true
      accessType: CONFIDENTIAL
      validRedirectUris:
        - http://localhost:8080/openid-callback
      loginTheme: keycloak
      extraConfig:
        key1: value1
        key2: value2

    Create Client Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Client(name: string, args: ClientArgs, opts?: CustomResourceOptions);
    @overload
def Client(resource_name: str,
           args: ClientArgs,
           opts: Optional[ResourceOptions] = None)

@overload
def Client(resource_name: str,
           opts: Optional[ResourceOptions] = None,
           realm_id: Optional[str] = None,
           access_type: Optional[str] = None,
           enabled: Optional[bool] = None,
           always_display_in_console: Optional[bool] = None,
           authentication_flow_binding_overrides: Optional[ClientAuthenticationFlowBindingOverridesArgs] = None,
           authorization: Optional[ClientAuthorizationArgs] = None,
           backchannel_logout_revoke_offline_sessions: Optional[bool] = None,
           backchannel_logout_session_required: Optional[bool] = None,
           backchannel_logout_url: Optional[str] = None,
           base_url: Optional[str] = None,
           client_authenticator_type: Optional[str] = None,
           client_id: Optional[str] = None,
           client_offline_session_idle_timeout: Optional[str] = None,
           client_offline_session_max_lifespan: Optional[str] = None,
           client_secret: Optional[str] = None,
           client_session_idle_timeout: Optional[str] = None,
           client_session_max_lifespan: Optional[str] = None,
           consent_required: Optional[bool] = None,
           consent_screen_text: Optional[str] = None,
           description: Optional[str] = None,
           direct_access_grants_enabled: Optional[bool] = None,
           display_on_consent_screen: Optional[bool] = None,
           exclude_session_state_from_auth_response: Optional[bool] = None,
           access_token_lifespan: Optional[str] = None,
           exclude_issuer_from_auth_response: Optional[bool] = None,
           extra_config: Optional[Mapping[str, str]] = None,
           frontchannel_logout_enabled: Optional[bool] = None,
           frontchannel_logout_url: Optional[str] = None,
           full_scope_allowed: Optional[bool] = None,
           implicit_flow_enabled: Optional[bool] = None,
           import_: Optional[bool] = None,
           login_theme: Optional[str] = None,
           name: Optional[str] = None,
           oauth2_device_authorization_grant_enabled: Optional[bool] = None,
           oauth2_device_code_lifespan: Optional[str] = None,
           oauth2_device_polling_interval: Optional[str] = None,
           pkce_code_challenge_method: Optional[str] = None,
           admin_url: Optional[str] = None,
           root_url: Optional[str] = None,
           service_accounts_enabled: Optional[bool] = None,
           standard_flow_enabled: Optional[bool] = None,
           use_refresh_tokens: Optional[bool] = None,
           use_refresh_tokens_client_credentials: Optional[bool] = None,
           valid_post_logout_redirect_uris: Optional[Sequence[str]] = None,
           valid_redirect_uris: Optional[Sequence[str]] = None,
           web_origins: Optional[Sequence[str]] = None)
    func NewClient(ctx *Context, name string, args ClientArgs, opts ...ResourceOption) (*Client, error)
    public Client(string name, ClientArgs args, CustomResourceOptions? opts = null)
    public Client(String name, ClientArgs args)
public Client(String name, ClientArgs args, CustomResourceOptions options)

    type: keycloak:openid:Client
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

    Parameters

    name string
    The unique name of the resource.
    args ClientArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args ClientArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args ClientArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args ClientArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args ClientArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var clientResource = new Keycloak.OpenId.Client("clientResource", new()
{
    RealmId = "string",
    AccessType = "string",
    Enabled = false,
    AlwaysDisplayInConsole = false,
    AuthenticationFlowBindingOverrides = new Keycloak.OpenId.Inputs.ClientAuthenticationFlowBindingOverridesArgs
    {
        BrowserId = "string",
        DirectGrantId = "string",
    },
    Authorization = new Keycloak.OpenId.Inputs.ClientAuthorizationArgs
    {
        PolicyEnforcementMode = "string",
        AllowRemoteResourceManagement = false,
        DecisionStrategy = "string",
        KeepDefaults = false,
    },
    BackchannelLogoutRevokeOfflineSessions = false,
    BackchannelLogoutSessionRequired = false,
    BackchannelLogoutUrl = "string",
    BaseUrl = "string",
    ClientAuthenticatorType = "string",
    ClientId = "string",
    ClientOfflineSessionIdleTimeout = "string",
    ClientOfflineSessionMaxLifespan = "string",
    ClientSecret = "string",
    ClientSessionIdleTimeout = "string",
    ClientSessionMaxLifespan = "string",
    ConsentRequired = false,
    ConsentScreenText = "string",
    Description = "string",
    DirectAccessGrantsEnabled = false,
    DisplayOnConsentScreen = false,
    ExcludeSessionStateFromAuthResponse = false,
    AccessTokenLifespan = "string",
    ExcludeIssuerFromAuthResponse = false,
    ExtraConfig = 
    {
        { "string", "string" },
    },
    FrontchannelLogoutEnabled = false,
    FrontchannelLogoutUrl = "string",
    FullScopeAllowed = false,
    ImplicitFlowEnabled = false,
    Import = false,
    LoginTheme = "string",
    Name = "string",
    Oauth2DeviceAuthorizationGrantEnabled = false,
    Oauth2DeviceCodeLifespan = "string",
    Oauth2DevicePollingInterval = "string",
    PkceCodeChallengeMethod = "string",
    AdminUrl = "string",
    RootUrl = "string",
    ServiceAccountsEnabled = false,
    StandardFlowEnabled = false,
    UseRefreshTokens = false,
    UseRefreshTokensClientCredentials = false,
    ValidPostLogoutRedirectUris = new[]
    {
        "string",
    },
    ValidRedirectUris = new[]
    {
        "string",
    },
    WebOrigins = new[]
    {
        "string",
    },
});

    example, err := openid.NewClient(ctx, "clientResource", &openid.ClientArgs{
	RealmId:                pulumi.String("string"),
	AccessType:             pulumi.String("string"),
	Enabled:                pulumi.Bool(false),
	AlwaysDisplayInConsole: pulumi.Bool(false),
	AuthenticationFlowBindingOverrides: &openid.ClientAuthenticationFlowBindingOverridesArgs{
		BrowserId:     pulumi.String("string"),
		DirectGrantId: pulumi.String("string"),
	},
	Authorization: &openid.ClientAuthorizationArgs{
		PolicyEnforcementMode:         pulumi.String("string"),
		AllowRemoteResourceManagement: pulumi.Bool(false),
		DecisionStrategy:              pulumi.String("string"),
		KeepDefaults:                  pulumi.Bool(false),
	},
	BackchannelLogoutRevokeOfflineSessions: pulumi.Bool(false),
	BackchannelLogoutSessionRequired:       pulumi.Bool(false),
	BackchannelLogoutUrl:                   pulumi.String("string"),
	BaseUrl:                                pulumi.String("string"),
	ClientAuthenticatorType:                pulumi.String("string"),
	ClientId:                               pulumi.String("string"),
	ClientOfflineSessionIdleTimeout:        pulumi.String("string"),
	ClientOfflineSessionMaxLifespan:        pulumi.String("string"),
	ClientSecret:                           pulumi.String("string"),
	ClientSessionIdleTimeout:               pulumi.String("string"),
	ClientSessionMaxLifespan:               pulumi.String("string"),
	ConsentRequired:                        pulumi.Bool(false),
	ConsentScreenText:                      pulumi.String("string"),
	Description:                            pulumi.String("string"),
	DirectAccessGrantsEnabled:              pulumi.Bool(false),
	DisplayOnConsentScreen:                 pulumi.Bool(false),
	ExcludeSessionStateFromAuthResponse:    pulumi.Bool(false),
	AccessTokenLifespan:                    pulumi.String("string"),
	ExcludeIssuerFromAuthResponse:          pulumi.Bool(false),
	ExtraConfig: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	FrontchannelLogoutEnabled:             pulumi.Bool(false),
	FrontchannelLogoutUrl:                 pulumi.String("string"),
	FullScopeAllowed:                      pulumi.Bool(false),
	ImplicitFlowEnabled:                   pulumi.Bool(false),
	Import:                                pulumi.Bool(false),
	LoginTheme:                            pulumi.String("string"),
	Name:                                  pulumi.String("string"),
	Oauth2DeviceAuthorizationGrantEnabled: pulumi.Bool(false),
	Oauth2DeviceCodeLifespan:              pulumi.String("string"),
	Oauth2DevicePollingInterval:           pulumi.String("string"),
	PkceCodeChallengeMethod:               pulumi.String("string"),
	AdminUrl:                              pulumi.String("string"),
	RootUrl:                               pulumi.String("string"),
	ServiceAccountsEnabled:                pulumi.Bool(false),
	StandardFlowEnabled:                   pulumi.Bool(false),
	UseRefreshTokens:                      pulumi.Bool(false),
	UseRefreshTokensClientCredentials:     pulumi.Bool(false),
	ValidPostLogoutRedirectUris: pulumi.StringArray{
		pulumi.String("string"),
	},
	ValidRedirectUris: pulumi.StringArray{
		pulumi.String("string"),
	},
	WebOrigins: pulumi.StringArray{
		pulumi.String("string"),
	},
})

    var clientResource = new com.pulumi.keycloak.openid.Client("clientResource", com.pulumi.keycloak.openid.ClientArgs.builder()
    .realmId("string")
    .accessType("string")
    .enabled(false)
    .alwaysDisplayInConsole(false)
    .authenticationFlowBindingOverrides(ClientAuthenticationFlowBindingOverridesArgs.builder()
        .browserId("string")
        .directGrantId("string")
        .build())
    .authorization(ClientAuthorizationArgs.builder()
        .policyEnforcementMode("string")
        .allowRemoteResourceManagement(false)
        .decisionStrategy("string")
        .keepDefaults(false)
        .build())
    .backchannelLogoutRevokeOfflineSessions(false)
    .backchannelLogoutSessionRequired(false)
    .backchannelLogoutUrl("string")
    .baseUrl("string")
    .clientAuthenticatorType("string")
    .clientId("string")
    .clientOfflineSessionIdleTimeout("string")
    .clientOfflineSessionMaxLifespan("string")
    .clientSecret("string")
    .clientSessionIdleTimeout("string")
    .clientSessionMaxLifespan("string")
    .consentRequired(false)
    .consentScreenText("string")
    .description("string")
    .directAccessGrantsEnabled(false)
    .displayOnConsentScreen(false)
    .excludeSessionStateFromAuthResponse(false)
    .accessTokenLifespan("string")
    .excludeIssuerFromAuthResponse(false)
    .extraConfig(Map.of("string", "string"))
    .frontchannelLogoutEnabled(false)
    .frontchannelLogoutUrl("string")
    .fullScopeAllowed(false)
    .implicitFlowEnabled(false)
    .import_(false)
    .loginTheme("string")
    .name("string")
    .oauth2DeviceAuthorizationGrantEnabled(false)
    .oauth2DeviceCodeLifespan("string")
    .oauth2DevicePollingInterval("string")
    .pkceCodeChallengeMethod("string")
    .adminUrl("string")
    .rootUrl("string")
    .serviceAccountsEnabled(false)
    .standardFlowEnabled(false)
    .useRefreshTokens(false)
    .useRefreshTokensClientCredentials(false)
    .validPostLogoutRedirectUris("string")
    .validRedirectUris("string")
    .webOrigins("string")
    .build());

    client_resource = keycloak.openid.Client("clientResource",
    realm_id="string",
    access_type="string",
    enabled=False,
    always_display_in_console=False,
    authentication_flow_binding_overrides={
        "browser_id": "string",
        "direct_grant_id": "string",
    },
    authorization={
        "policy_enforcement_mode": "string",
        "allow_remote_resource_management": False,
        "decision_strategy": "string",
        "keep_defaults": False,
    },
    backchannel_logout_revoke_offline_sessions=False,
    backchannel_logout_session_required=False,
    backchannel_logout_url="string",
    base_url="string",
    client_authenticator_type="string",
    client_id="string",
    client_offline_session_idle_timeout="string",
    client_offline_session_max_lifespan="string",
    client_secret="string",
    client_session_idle_timeout="string",
    client_session_max_lifespan="string",
    consent_required=False,
    consent_screen_text="string",
    description="string",
    direct_access_grants_enabled=False,
    display_on_consent_screen=False,
    exclude_session_state_from_auth_response=False,
    access_token_lifespan="string",
    exclude_issuer_from_auth_response=False,
    extra_config={
        "string": "string",
    },
    frontchannel_logout_enabled=False,
    frontchannel_logout_url="string",
    full_scope_allowed=False,
    implicit_flow_enabled=False,
    import_=False,
    login_theme="string",
    name="string",
    oauth2_device_authorization_grant_enabled=False,
    oauth2_device_code_lifespan="string",
    oauth2_device_polling_interval="string",
    pkce_code_challenge_method="string",
    admin_url="string",
    root_url="string",
    service_accounts_enabled=False,
    standard_flow_enabled=False,
    use_refresh_tokens=False,
    use_refresh_tokens_client_credentials=False,
    valid_post_logout_redirect_uris=["string"],
    valid_redirect_uris=["string"],
    web_origins=["string"])

    const clientResource = new keycloak.openid.Client("clientResource", {
    realmId: "string",
    accessType: "string",
    enabled: false,
    alwaysDisplayInConsole: false,
    authenticationFlowBindingOverrides: {
        browserId: "string",
        directGrantId: "string",
    },
    authorization: {
        policyEnforcementMode: "string",
        allowRemoteResourceManagement: false,
        decisionStrategy: "string",
        keepDefaults: false,
    },
    backchannelLogoutRevokeOfflineSessions: false,
    backchannelLogoutSessionRequired: false,
    backchannelLogoutUrl: "string",
    baseUrl: "string",
    clientAuthenticatorType: "string",
    clientId: "string",
    clientOfflineSessionIdleTimeout: "string",
    clientOfflineSessionMaxLifespan: "string",
    clientSecret: "string",
    clientSessionIdleTimeout: "string",
    clientSessionMaxLifespan: "string",
    consentRequired: false,
    consentScreenText: "string",
    description: "string",
    directAccessGrantsEnabled: false,
    displayOnConsentScreen: false,
    excludeSessionStateFromAuthResponse: false,
    accessTokenLifespan: "string",
    excludeIssuerFromAuthResponse: false,
    extraConfig: {
        string: "string",
    },
    frontchannelLogoutEnabled: false,
    frontchannelLogoutUrl: "string",
    fullScopeAllowed: false,
    implicitFlowEnabled: false,
    "import": false,
    loginTheme: "string",
    name: "string",
    oauth2DeviceAuthorizationGrantEnabled: false,
    oauth2DeviceCodeLifespan: "string",
    oauth2DevicePollingInterval: "string",
    pkceCodeChallengeMethod: "string",
    adminUrl: "string",
    rootUrl: "string",
    serviceAccountsEnabled: false,
    standardFlowEnabled: false,
    useRefreshTokens: false,
    useRefreshTokensClientCredentials: false,
    validPostLogoutRedirectUris: ["string"],
    validRedirectUris: ["string"],
    webOrigins: ["string"],
});

    type: keycloak:openid:Client
properties:
    accessTokenLifespan: string
    accessType: string
    adminUrl: string
    alwaysDisplayInConsole: false
    authenticationFlowBindingOverrides:
        browserId: string
        directGrantId: string
    authorization:
        allowRemoteResourceManagement: false
        decisionStrategy: string
        keepDefaults: false
        policyEnforcementMode: string
    backchannelLogoutRevokeOfflineSessions: false
    backchannelLogoutSessionRequired: false
    backchannelLogoutUrl: string
    baseUrl: string
    clientAuthenticatorType: string
    clientId: string
    clientOfflineSessionIdleTimeout: string
    clientOfflineSessionMaxLifespan: string
    clientSecret: string
    clientSessionIdleTimeout: string
    clientSessionMaxLifespan: string
    consentRequired: false
    consentScreenText: string
    description: string
    directAccessGrantsEnabled: false
    displayOnConsentScreen: false
    enabled: false
    excludeIssuerFromAuthResponse: false
    excludeSessionStateFromAuthResponse: false
    extraConfig:
        string: string
    frontchannelLogoutEnabled: false
    frontchannelLogoutUrl: string
    fullScopeAllowed: false
    implicitFlowEnabled: false
    import: false
    loginTheme: string
    name: string
    oauth2DeviceAuthorizationGrantEnabled: false
    oauth2DeviceCodeLifespan: string
    oauth2DevicePollingInterval: string
    pkceCodeChallengeMethod: string
    realmId: string
    rootUrl: string
    serviceAccountsEnabled: false
    standardFlowEnabled: false
    useRefreshTokens: false
    useRefreshTokensClientCredentials: false
    validPostLogoutRedirectUris:
        - string
    validRedirectUris:
        - string
    webOrigins:
        - string

    Client Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The Client resource accepts the following input properties:

    AccessType string
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    RealmId string
    The realm this client is attached to.
    AccessTokenLifespan string
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    AdminUrl string
    URL to the admin interface of the client.
    AlwaysDisplayInConsole bool
    Always list this client in the Account UI, even if the user does not have an active session.
    AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides
    Override realm authentication flow bindings
    Authorization ClientAuthorization
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    BackchannelLogoutRevokeOfflineSessions bool
    Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    BackchannelLogoutSessionRequired bool
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    BackchannelLogoutUrl string
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
    BaseUrl string
    Default URL to use when the auth server needs to redirect or link back to the client.
    ClientAuthenticatorType string
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    ClientId string
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    ClientOfflineSessionIdleTimeout string
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    ClientOfflineSessionMaxLifespan string
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    ClientSecret string
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    ClientSessionIdleTimeout string
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    ClientSessionMaxLifespan string
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    ConsentRequired bool
    When true, users have to consent to client access. Defaults to false.
    ConsentScreenText string
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    Description string
    The description of this client in the GUI.
    DirectAccessGrantsEnabled bool
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    DisplayOnConsentScreen bool
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    Enabled bool
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    ExcludeIssuerFromAuthResponse bool
    When true, the parameter iss will not be included in OpenID Connect Authentication Response.
    ExcludeSessionStateFromAuthResponse bool
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    ExtraConfig Dictionary<string, string>
    FrontchannelLogoutEnabled bool
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    FrontchannelLogoutUrl string
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    FullScopeAllowed bool
    Allow to include all roles mappings in the access token.
    ImplicitFlowEnabled bool
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    Import bool
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.
    LoginTheme string
    The client login theme. This will override the default theme for the realm.
    Name string
    The display name of this client in the GUI.
    Oauth2DeviceAuthorizationGrantEnabled bool
    Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
    Oauth2DeviceCodeLifespan string
    The maximum amount of time a client has to finish the device code flow before it expires.
    Oauth2DevicePollingInterval string
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    PkceCodeChallengeMethod string
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.
    RootUrl string
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    ServiceAccountsEnabled bool
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    StandardFlowEnabled bool
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    UseRefreshTokens bool
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    UseRefreshTokensClientCredentials bool
    If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    ValidPostLogoutRedirectUris List<string>
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    ValidRedirectUris List<string>
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    WebOrigins List<string>
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.
    AccessType string
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    RealmId string
    The realm this client is attached to.
    AccessTokenLifespan string
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    AdminUrl string
    URL to the admin interface of the client.
    AlwaysDisplayInConsole bool
    Always list this client in the Account UI, even if the user does not have an active session.
    AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs
    Override realm authentication flow bindings
    Authorization ClientAuthorizationArgs
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    BackchannelLogoutRevokeOfflineSessions bool
    Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    BackchannelLogoutSessionRequired bool
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    BackchannelLogoutUrl string
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
    BaseUrl string
    Default URL to use when the auth server needs to redirect or link back to the client.
    ClientAuthenticatorType string
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    ClientId string
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    ClientOfflineSessionIdleTimeout string
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    ClientOfflineSessionMaxLifespan string
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    ClientSecret string
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    ClientSessionIdleTimeout string
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    ClientSessionMaxLifespan string
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    ConsentRequired bool
    When true, users have to consent to client access. Defaults to false.
    ConsentScreenText string
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    Description string
    The description of this client in the GUI.
    DirectAccessGrantsEnabled bool
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    DisplayOnConsentScreen bool
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    Enabled bool
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    ExcludeIssuerFromAuthResponse bool
    When true, the parameter iss will not be included in OpenID Connect Authentication Response.
    ExcludeSessionStateFromAuthResponse bool
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    ExtraConfig map[string]string
    FrontchannelLogoutEnabled bool
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    FrontchannelLogoutUrl string
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    FullScopeAllowed bool
    Allow to include all roles mappings in the access token.
    ImplicitFlowEnabled bool
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    Import bool
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.
    LoginTheme string
    The client login theme. This will override the default theme for the realm.
    Name string
    The display name of this client in the GUI.
    Oauth2DeviceAuthorizationGrantEnabled bool
    Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
    Oauth2DeviceCodeLifespan string
    The maximum amount of time a client has to finish the device code flow before it expires.
    Oauth2DevicePollingInterval string
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    PkceCodeChallengeMethod string
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.
    RootUrl string
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    ServiceAccountsEnabled bool
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    StandardFlowEnabled bool
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    UseRefreshTokens bool
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    UseRefreshTokensClientCredentials bool
    If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    ValidPostLogoutRedirectUris []string
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    ValidRedirectUris []string
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    WebOrigins []string
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.
    accessType String
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    realmId String
    The realm this client is attached to.
    accessTokenLifespan String
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    adminUrl String
    URL to the admin interface of the client.
    alwaysDisplayInConsole Boolean
    Always list this client in the Account UI, even if the user does not have an active session.
    authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides
    Override realm authentication flow bindings
    authorization ClientAuthorization
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    backchannelLogoutRevokeOfflineSessions Boolean
    Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    backchannelLogoutSessionRequired Boolean
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    backchannelLogoutUrl String
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
    baseUrl String
    Default URL to use when the auth server needs to redirect or link back to the client.
    clientAuthenticatorType String
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    clientId String
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    clientOfflineSessionIdleTimeout String
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    clientOfflineSessionMaxLifespan String
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    clientSecret String
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    clientSessionIdleTimeout String
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    clientSessionMaxLifespan String
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    consentRequired Boolean
    When true, users have to consent to client access. Defaults to false.
    consentScreenText String
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    description String
    The description of this client in the GUI.
    directAccessGrantsEnabled Boolean
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    displayOnConsentScreen Boolean
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    enabled Boolean
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    excludeIssuerFromAuthResponse Boolean
    When true, the parameter iss will not be included in OpenID Connect Authentication Response.
    excludeSessionStateFromAuthResponse Boolean
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    extraConfig Map<String,String>
    frontchannelLogoutEnabled Boolean
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    frontchannelLogoutUrl String
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    fullScopeAllowed Boolean
    Allow to include all roles mappings in the access token.
    implicitFlowEnabled Boolean
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    import_ Boolean
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.
    loginTheme String
    The client login theme. This will override the default theme for the realm.
    name String
    The display name of this client in the GUI.
    oauth2DeviceAuthorizationGrantEnabled Boolean
    Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
    oauth2DeviceCodeLifespan String
    The maximum amount of time a client has to finish the device code flow before it expires.
    oauth2DevicePollingInterval String
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    pkceCodeChallengeMethod String
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.
    rootUrl String
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    serviceAccountsEnabled Boolean
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    standardFlowEnabled Boolean
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    useRefreshTokens Boolean
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    useRefreshTokensClientCredentials Boolean
    If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    validPostLogoutRedirectUris List<String>
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    validRedirectUris List<String>
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    webOrigins List<String>
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.
    accessType string
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    realmId string
    The realm this client is attached to.
    accessTokenLifespan string
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    adminUrl string
    URL to the admin interface of the client.
    alwaysDisplayInConsole boolean
    Always list this client in the Account UI, even if the user does not have an active session.
    authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides
    Override realm authentication flow bindings
    authorization ClientAuthorization
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    backchannelLogoutRevokeOfflineSessions boolean
    Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    backchannelLogoutSessionRequired boolean
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    backchannelLogoutUrl string
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
    baseUrl string
    Default URL to use when the auth server needs to redirect or link back to the client.
    clientAuthenticatorType string
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    clientId string
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    clientOfflineSessionIdleTimeout string
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    clientOfflineSessionMaxLifespan string
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    clientSecret string
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    clientSessionIdleTimeout string
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    clientSessionMaxLifespan string
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    consentRequired boolean
    When true, users have to consent to client access. Defaults to false.
    consentScreenText string
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    description string
    The description of this client in the GUI.
    directAccessGrantsEnabled boolean
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    displayOnConsentScreen boolean
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    enabled boolean
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    excludeIssuerFromAuthResponse boolean
    When true, the parameter iss will not be included in OpenID Connect Authentication Response.
    excludeSessionStateFromAuthResponse boolean
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    extraConfig {[key: string]: string}
    frontchannelLogoutEnabled boolean
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    frontchannelLogoutUrl string
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    fullScopeAllowed boolean
    Allow to include all roles mappings in the access token.
    implicitFlowEnabled boolean
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    import boolean
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.
    loginTheme string
    The client login theme. This will override the default theme for the realm.
    name string
    The display name of this client in the GUI.
    oauth2DeviceAuthorizationGrantEnabled boolean
    Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
    oauth2DeviceCodeLifespan string
    The maximum amount of time a client has to finish the device code flow before it expires.
    oauth2DevicePollingInterval string
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    pkceCodeChallengeMethod string
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.
    rootUrl string
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    serviceAccountsEnabled boolean
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    standardFlowEnabled boolean
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    useRefreshTokens boolean
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    useRefreshTokensClientCredentials boolean
    If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    validPostLogoutRedirectUris string[]
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    validRedirectUris string[]
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    webOrigins string[]
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.
    access_type str
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    realm_id str
    The realm this client is attached to.
    access_token_lifespan str
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    admin_url str
    URL to the admin interface of the client.
    always_display_in_console bool
    Always list this client in the Account UI, even if the user does not have an active session.
    authentication_flow_binding_overrides ClientAuthenticationFlowBindingOverridesArgs
    Override realm authentication flow bindings
    authorization ClientAuthorizationArgs
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    backchannel_logout_revoke_offline_sessions bool
    Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    backchannel_logout_session_required bool
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    backchannel_logout_url str
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
    base_url str
    Default URL to use when the auth server needs to redirect or link back to the client.
    client_authenticator_type str
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    client_id str
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    client_offline_session_idle_timeout str
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    client_offline_session_max_lifespan str
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    client_secret str
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    client_session_idle_timeout str
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    client_session_max_lifespan str
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    consent_required bool
    When true, users have to consent to client access. Defaults to false.
    consent_screen_text str
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    description str
    The description of this client in the GUI.
    direct_access_grants_enabled bool
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    display_on_consent_screen bool
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    enabled bool
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    exclude_issuer_from_auth_response bool
    When true, the parameter iss will not be included in OpenID Connect Authentication Response.
    exclude_session_state_from_auth_response bool
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    extra_config Mapping[str, str]
    frontchannel_logout_enabled bool
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    frontchannel_logout_url str
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    full_scope_allowed bool
    Allow to include all roles mappings in the access token.
    implicit_flow_enabled bool
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    import_ bool
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.
    login_theme str
    The client login theme. This will override the default theme for the realm.
    name str
    The display name of this client in the GUI.
    oauth2_device_authorization_grant_enabled bool
    Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
    oauth2_device_code_lifespan str
    The maximum amount of time a client has to finish the device code flow before it expires.
    oauth2_device_polling_interval str
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    pkce_code_challenge_method str
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.
    root_url str
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    service_accounts_enabled bool
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    standard_flow_enabled bool
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    use_refresh_tokens bool
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    use_refresh_tokens_client_credentials bool
    If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    valid_post_logout_redirect_uris Sequence[str]
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    valid_redirect_uris Sequence[str]
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    web_origins Sequence[str]
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.
    accessType String
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    realmId String
    The realm this client is attached to.
    accessTokenLifespan String
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    adminUrl String
    URL to the admin interface of the client.
    alwaysDisplayInConsole Boolean
    Always list this client in the Account UI, even if the user does not have an active session.
    authenticationFlowBindingOverrides Property Map
    Override realm authentication flow bindings
    authorization Property Map
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    backchannelLogoutRevokeOfflineSessions Boolean
    Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    backchannelLogoutSessionRequired Boolean
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    backchannelLogoutUrl String
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
    baseUrl String
    Default URL to use when the auth server needs to redirect or link back to the client.
    clientAuthenticatorType String
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    clientId String
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    clientOfflineSessionIdleTimeout String
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    clientOfflineSessionMaxLifespan String
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    clientSecret String
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    clientSessionIdleTimeout String
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    clientSessionMaxLifespan String
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    consentRequired Boolean
    When true, users have to consent to client access. Defaults to false.
    consentScreenText String
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    description String
    The description of this client in the GUI.
    directAccessGrantsEnabled Boolean
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    displayOnConsentScreen Boolean
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    enabled Boolean
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    excludeIssuerFromAuthResponse Boolean
    When true, the parameter iss will not be included in OpenID Connect Authentication Response.
    excludeSessionStateFromAuthResponse Boolean
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    extraConfig Map<String>
    frontchannelLogoutEnabled Boolean
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    frontchannelLogoutUrl String
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    fullScopeAllowed Boolean
    Allow to include all roles mappings in the access token.
    implicitFlowEnabled Boolean
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    import Boolean
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.
    loginTheme String
    The client login theme. This will override the default theme for the realm.
    name String
    The display name of this client in the GUI.
    oauth2DeviceAuthorizationGrantEnabled Boolean
    Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
    oauth2DeviceCodeLifespan String
    The maximum amount of time a client has to finish the device code flow before it expires.
    oauth2DevicePollingInterval String
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    pkceCodeChallengeMethod String
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.
    rootUrl String
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    serviceAccountsEnabled Boolean
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    standardFlowEnabled Boolean
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    useRefreshTokens Boolean
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    useRefreshTokensClientCredentials Boolean
    If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    validPostLogoutRedirectUris List<String>
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    validRedirectUris List<String>
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    webOrigins List<String>
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Client resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    ResourceServerId string
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    ServiceAccountUserId string
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    Id string
    The provider-assigned unique ID for this managed resource.
    ResourceServerId string
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    ServiceAccountUserId string
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    id String
    The provider-assigned unique ID for this managed resource.
    resourceServerId String
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    serviceAccountUserId String
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    id string
    The provider-assigned unique ID for this managed resource.
    resourceServerId string
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    serviceAccountUserId string
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    id str
    The provider-assigned unique ID for this managed resource.
    resource_server_id str
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    service_account_user_id str
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    id String
    The provider-assigned unique ID for this managed resource.
    resourceServerId String
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    serviceAccountUserId String
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.

    Look up Existing Client Resource

    Get an existing Client resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: ClientState, opts?: CustomResourceOptions): Client
    @staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        access_token_lifespan: Optional[str] = None,
        access_type: Optional[str] = None,
        admin_url: Optional[str] = None,
        always_display_in_console: Optional[bool] = None,
        authentication_flow_binding_overrides: Optional[ClientAuthenticationFlowBindingOverridesArgs] = None,
        authorization: Optional[ClientAuthorizationArgs] = None,
        backchannel_logout_revoke_offline_sessions: Optional[bool] = None,
        backchannel_logout_session_required: Optional[bool] = None,
        backchannel_logout_url: Optional[str] = None,
        base_url: Optional[str] = None,
        client_authenticator_type: Optional[str] = None,
        client_id: Optional[str] = None,
        client_offline_session_idle_timeout: Optional[str] = None,
        client_offline_session_max_lifespan: Optional[str] = None,
        client_secret: Optional[str] = None,
        client_session_idle_timeout: Optional[str] = None,
        client_session_max_lifespan: Optional[str] = None,
        consent_required: Optional[bool] = None,
        consent_screen_text: Optional[str] = None,
        description: Optional[str] = None,
        direct_access_grants_enabled: Optional[bool] = None,
        display_on_consent_screen: Optional[bool] = None,
        enabled: Optional[bool] = None,
        exclude_issuer_from_auth_response: Optional[bool] = None,
        exclude_session_state_from_auth_response: Optional[bool] = None,
        extra_config: Optional[Mapping[str, str]] = None,
        frontchannel_logout_enabled: Optional[bool] = None,
        frontchannel_logout_url: Optional[str] = None,
        full_scope_allowed: Optional[bool] = None,
        implicit_flow_enabled: Optional[bool] = None,
        import_: Optional[bool] = None,
        login_theme: Optional[str] = None,
        name: Optional[str] = None,
        oauth2_device_authorization_grant_enabled: Optional[bool] = None,
        oauth2_device_code_lifespan: Optional[str] = None,
        oauth2_device_polling_interval: Optional[str] = None,
        pkce_code_challenge_method: Optional[str] = None,
        realm_id: Optional[str] = None,
        resource_server_id: Optional[str] = None,
        root_url: Optional[str] = None,
        service_account_user_id: Optional[str] = None,
        service_accounts_enabled: Optional[bool] = None,
        standard_flow_enabled: Optional[bool] = None,
        use_refresh_tokens: Optional[bool] = None,
        use_refresh_tokens_client_credentials: Optional[bool] = None,
        valid_post_logout_redirect_uris: Optional[Sequence[str]] = None,
        valid_redirect_uris: Optional[Sequence[str]] = None,
        web_origins: Optional[Sequence[str]] = None) -> Client
    func GetClient(ctx *Context, name string, id IDInput, state *ClientState, opts ...ResourceOption) (*Client, error)
    public static Client Get(string name, Input<string> id, ClientState? state, CustomResourceOptions? opts = null)
    public static Client get(String name, Output<String> id, ClientState state, CustomResourceOptions options)
    resources:  _:    type: keycloak:openid:Client    get:      id: ${id}
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AccessTokenLifespan string
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    AccessType string
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    AdminUrl string
    URL to the admin interface of the client.
    AlwaysDisplayInConsole bool
    Always list this client in the Account UI, even if the user does not have an active session.
    AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides
    Override realm authentication flow bindings
    Authorization ClientAuthorization
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    BackchannelLogoutRevokeOfflineSessions bool
    Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    BackchannelLogoutSessionRequired bool
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    BackchannelLogoutUrl string
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
    BaseUrl string
    Default URL to use when the auth server needs to redirect or link back to the client.
    ClientAuthenticatorType string
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    ClientId string
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    ClientOfflineSessionIdleTimeout string
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    ClientOfflineSessionMaxLifespan string
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    ClientSecret string
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    ClientSessionIdleTimeout string
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    ClientSessionMaxLifespan string
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    ConsentRequired bool
    When true, users have to consent to client access. Defaults to false.
    ConsentScreenText string
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    Description string
    The description of this client in the GUI.
    DirectAccessGrantsEnabled bool
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    DisplayOnConsentScreen bool
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    Enabled bool
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    ExcludeIssuerFromAuthResponse bool
    When true, the parameter iss will not be included in OpenID Connect Authentication Response.
    ExcludeSessionStateFromAuthResponse bool
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    ExtraConfig Dictionary<string, string>
    FrontchannelLogoutEnabled bool
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    FrontchannelLogoutUrl string
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    FullScopeAllowed bool
    Allow to include all roles mappings in the access token.
    ImplicitFlowEnabled bool
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    Import bool
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.
    LoginTheme string
    The client login theme. This will override the default theme for the realm.
    Name string
    The display name of this client in the GUI.
    Oauth2DeviceAuthorizationGrantEnabled bool
    Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
    Oauth2DeviceCodeLifespan string
    The maximum amount of time a client has to finish the device code flow before it expires.
    Oauth2DevicePollingInterval string
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    PkceCodeChallengeMethod string
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.
    RealmId string
    The realm this client is attached to.
    ResourceServerId string
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    RootUrl string
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    ServiceAccountUserId string
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    ServiceAccountsEnabled bool
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    StandardFlowEnabled bool
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    UseRefreshTokens bool
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    UseRefreshTokensClientCredentials bool
    If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    ValidPostLogoutRedirectUris List<string>
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    ValidRedirectUris List<string>
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    WebOrigins List<string>
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.
    AccessTokenLifespan string
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    AccessType string
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    AdminUrl string
    URL to the admin interface of the client.
    AlwaysDisplayInConsole bool
    Always list this client in the Account UI, even if the user does not have an active session.
    AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs
    Override realm authentication flow bindings
    Authorization ClientAuthorizationArgs
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    BackchannelLogoutRevokeOfflineSessions bool
    Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    BackchannelLogoutSessionRequired bool
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    BackchannelLogoutUrl string
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
    BaseUrl string
    Default URL to use when the auth server needs to redirect or link back to the client.
    ClientAuthenticatorType string
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    ClientId string
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    ClientOfflineSessionIdleTimeout string
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    ClientOfflineSessionMaxLifespan string
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    ClientSecret string
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    ClientSessionIdleTimeout string
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    ClientSessionMaxLifespan string
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    ConsentRequired bool
    When true, users have to consent to client access. Defaults to false.
    ConsentScreenText string
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    Description string
    The description of this client in the GUI.
    DirectAccessGrantsEnabled bool
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    DisplayOnConsentScreen bool
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    Enabled bool
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    ExcludeIssuerFromAuthResponse bool
    When true, the parameter iss will not be included in OpenID Connect Authentication Response.
    ExcludeSessionStateFromAuthResponse bool
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    ExtraConfig map[string]string
    FrontchannelLogoutEnabled bool
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    FrontchannelLogoutUrl string
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    FullScopeAllowed bool
    Allow to include all roles mappings in the access token.
    ImplicitFlowEnabled bool
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    Import bool
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.
    LoginTheme string
    The client login theme. This will override the default theme for the realm.
    Name string
    The display name of this client in the GUI.
    Oauth2DeviceAuthorizationGrantEnabled bool
    Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
    Oauth2DeviceCodeLifespan string
    The maximum amount of time a client has to finish the device code flow before it expires.
    Oauth2DevicePollingInterval string
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    PkceCodeChallengeMethod string
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.
    RealmId string
    The realm this client is attached to.
    ResourceServerId string
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    RootUrl string
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    ServiceAccountUserId string
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    ServiceAccountsEnabled bool
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    StandardFlowEnabled bool
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    UseRefreshTokens bool
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    UseRefreshTokensClientCredentials bool
    If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    ValidPostLogoutRedirectUris []string
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    ValidRedirectUris []string
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    WebOrigins []string
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.
    accessTokenLifespan String
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    accessType String
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    adminUrl String
    URL to the admin interface of the client.
    alwaysDisplayInConsole Boolean
    Always list this client in the Account UI, even if the user does not have an active session.
    authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides
    Override realm authentication flow bindings
    authorization ClientAuthorization
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    backchannelLogoutRevokeOfflineSessions Boolean
    Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    backchannelLogoutSessionRequired Boolean
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    backchannelLogoutUrl String
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
    baseUrl String
    Default URL to use when the auth server needs to redirect or link back to the client.
    clientAuthenticatorType String
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    clientId String
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    clientOfflineSessionIdleTimeout String
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    clientOfflineSessionMaxLifespan String
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    clientSecret String
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    clientSessionIdleTimeout String
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    clientSessionMaxLifespan String
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    consentRequired Boolean
    When true, users have to consent to client access. Defaults to false.
    consentScreenText String
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    description String
    The description of this client in the GUI.
    directAccessGrantsEnabled Boolean
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    displayOnConsentScreen Boolean
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    enabled Boolean
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    excludeIssuerFromAuthResponse Boolean
    When true, the parameter iss will not be included in OpenID Connect Authentication Response.
    excludeSessionStateFromAuthResponse Boolean
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    extraConfig Map<String,String>
    frontchannelLogoutEnabled Boolean
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    frontchannelLogoutUrl String
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    fullScopeAllowed Boolean
    Allow to include all roles mappings in the access token.
    implicitFlowEnabled Boolean
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    import_ Boolean
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.
    loginTheme String
    The client login theme. This will override the default theme for the realm.
    name String
    The display name of this client in the GUI.
    oauth2DeviceAuthorizationGrantEnabled Boolean
    Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
    oauth2DeviceCodeLifespan String
    The maximum amount of time a client has to finish the device code flow before it expires.
    oauth2DevicePollingInterval String
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    pkceCodeChallengeMethod String
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.
    realmId String
    The realm this client is attached to.
    resourceServerId String
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    rootUrl String
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    serviceAccountUserId String
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    serviceAccountsEnabled Boolean
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    standardFlowEnabled Boolean
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    useRefreshTokens Boolean
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    useRefreshTokensClientCredentials Boolean
    If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    validPostLogoutRedirectUris List<String>
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    validRedirectUris List<String>
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    webOrigins List<String>
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.
    accessTokenLifespan string
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    accessType string
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    adminUrl string
    URL to the admin interface of the client.
    alwaysDisplayInConsole boolean
    Always list this client in the Account UI, even if the user does not have an active session.
    authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides
    Override realm authentication flow bindings
    authorization ClientAuthorization
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    backchannelLogoutRevokeOfflineSessions boolean
    Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    backchannelLogoutSessionRequired boolean
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    backchannelLogoutUrl string
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
    baseUrl string
    Default URL to use when the auth server needs to redirect or link back to the client.
    clientAuthenticatorType string
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    clientId string
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    clientOfflineSessionIdleTimeout string
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    clientOfflineSessionMaxLifespan string
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    clientSecret string
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    clientSessionIdleTimeout string
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    clientSessionMaxLifespan string
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    consentRequired boolean
    When true, users have to consent to client access. Defaults to false.
    consentScreenText string
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    description string
    The description of this client in the GUI.
    directAccessGrantsEnabled boolean
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    displayOnConsentScreen boolean
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    enabled boolean
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    excludeIssuerFromAuthResponse boolean
    When true, the parameter iss will not be included in OpenID Connect Authentication Response.
    excludeSessionStateFromAuthResponse boolean
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    extraConfig {[key: string]: string}
    frontchannelLogoutEnabled boolean
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    frontchannelLogoutUrl string
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    fullScopeAllowed boolean
    Allow to include all roles mappings in the access token.
    implicitFlowEnabled boolean
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    import boolean
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.
    loginTheme string
    The client login theme. This will override the default theme for the realm.
    name string
    The display name of this client in the GUI.
    oauth2DeviceAuthorizationGrantEnabled boolean
    Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
    oauth2DeviceCodeLifespan string
    The maximum amount of time a client has to finish the device code flow before it expires.
    oauth2DevicePollingInterval string
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    pkceCodeChallengeMethod string
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.
    realmId string
    The realm this client is attached to.
    resourceServerId string
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    rootUrl string
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    serviceAccountUserId string
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    serviceAccountsEnabled boolean
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    standardFlowEnabled boolean
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    useRefreshTokens boolean
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    useRefreshTokensClientCredentials boolean
    If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    validPostLogoutRedirectUris string[]
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    validRedirectUris string[]
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    webOrigins string[]
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.
    access_token_lifespan str
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    access_type str
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    admin_url str
    URL to the admin interface of the client.
    always_display_in_console bool
    Always list this client in the Account UI, even if the user does not have an active session.
    authentication_flow_binding_overrides ClientAuthenticationFlowBindingOverridesArgs
    Override realm authentication flow bindings
    authorization ClientAuthorizationArgs
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    backchannel_logout_revoke_offline_sessions bool
    Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    backchannel_logout_session_required bool
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    backchannel_logout_url str
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
    base_url str
    Default URL to use when the auth server needs to redirect or link back to the client.
    client_authenticator_type str
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    client_id str
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    client_offline_session_idle_timeout str
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    client_offline_session_max_lifespan str
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    client_secret str
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    client_session_idle_timeout str
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    client_session_max_lifespan str
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    consent_required bool
    When true, users have to consent to client access. Defaults to false.
    consent_screen_text str
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    description str
    The description of this client in the GUI.
    direct_access_grants_enabled bool
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    display_on_consent_screen bool
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    enabled bool
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    exclude_issuer_from_auth_response bool
    When true, the parameter iss will not be included in OpenID Connect Authentication Response.
    exclude_session_state_from_auth_response bool
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    extra_config Mapping[str, str]
    frontchannel_logout_enabled bool
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    frontchannel_logout_url str
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    full_scope_allowed bool
    Allow to include all roles mappings in the access token.
    implicit_flow_enabled bool
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    import_ bool
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.
    login_theme str
    The client login theme. This will override the default theme for the realm.
    name str
    The display name of this client in the GUI.
    oauth2_device_authorization_grant_enabled bool
    Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
    oauth2_device_code_lifespan str
    The maximum amount of time a client has to finish the device code flow before it expires.
    oauth2_device_polling_interval str
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    pkce_code_challenge_method str
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.
    realm_id str
    The realm this client is attached to.
    resource_server_id str
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    root_url str
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    service_account_user_id str
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    service_accounts_enabled bool
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    standard_flow_enabled bool
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    use_refresh_tokens bool
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    use_refresh_tokens_client_credentials bool
    If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    valid_post_logout_redirect_uris Sequence[str]
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    valid_redirect_uris Sequence[str]
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    web_origins Sequence[str]
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.
    accessTokenLifespan String
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    accessType String
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    adminUrl String
    URL to the admin interface of the client.
    alwaysDisplayInConsole Boolean
    Always list this client in the Account UI, even if the user does not have an active session.
    authenticationFlowBindingOverrides Property Map
    Override realm authentication flow bindings
    authorization Property Map
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    backchannelLogoutRevokeOfflineSessions Boolean
    Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    backchannelLogoutSessionRequired Boolean
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    backchannelLogoutUrl String
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
    baseUrl String
    Default URL to use when the auth server needs to redirect or link back to the client.
    clientAuthenticatorType String
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    clientId String
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    clientOfflineSessionIdleTimeout String
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    clientOfflineSessionMaxLifespan String
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    clientSecret String
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    clientSessionIdleTimeout String
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    clientSessionMaxLifespan String
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    consentRequired Boolean
    When true, users have to consent to client access. Defaults to false.
    consentScreenText String
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    description String
    The description of this client in the GUI.
    directAccessGrantsEnabled Boolean
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    displayOnConsentScreen Boolean
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    enabled Boolean
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    excludeIssuerFromAuthResponse Boolean
    When true, the parameter iss will not be included in OpenID Connect Authentication Response.
    excludeSessionStateFromAuthResponse Boolean
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    extraConfig Map<String>
    frontchannelLogoutEnabled Boolean
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    frontchannelLogoutUrl String
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    fullScopeAllowed Boolean
    Allow to include all roles mappings in the access token.
    implicitFlowEnabled Boolean
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    import Boolean
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true.
    loginTheme String
    The client login theme. This will override the default theme for the realm.
    name String
    The display name of this client in the GUI.
    oauth2DeviceAuthorizationGrantEnabled Boolean
    Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
    oauth2DeviceCodeLifespan String
    The maximum amount of time a client has to finish the device code flow before it expires.
    oauth2DevicePollingInterval String
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    pkceCodeChallengeMethod String
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.
    realmId String
    The realm this client is attached to.
    resourceServerId String
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    rootUrl String
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    serviceAccountUserId String
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    serviceAccountsEnabled Boolean
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    standardFlowEnabled Boolean
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    useRefreshTokens Boolean
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    useRefreshTokensClientCredentials Boolean
    If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    validPostLogoutRedirectUris List<String>
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    validRedirectUris List<String>
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    webOrigins List<String>
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.

    Supporting Types

    ClientAuthenticationFlowBindingOverrides, ClientAuthenticationFlowBindingOverridesArgs

    BrowserId string
    Browser flow id, (flow needs to exist)
    DirectGrantId string
    Direct grant flow id (flow needs to exist)
    BrowserId string
    Browser flow id, (flow needs to exist)
    DirectGrantId string
    Direct grant flow id (flow needs to exist)
    browserId String
    Browser flow id, (flow needs to exist)
    directGrantId String
    Direct grant flow id (flow needs to exist)
    browserId string
    Browser flow id, (flow needs to exist)
    directGrantId string
    Direct grant flow id (flow needs to exist)
    browser_id str
    Browser flow id, (flow needs to exist)
    direct_grant_id str
    Direct grant flow id (flow needs to exist)
    browserId String
    Browser flow id, (flow needs to exist)
    directGrantId String
    Direct grant flow id (flow needs to exist)

    ClientAuthorization, ClientAuthorizationArgs

    PolicyEnforcementMode string
    Dictates how policies are enforced when evaluating authorization requests. Can be one of ENFORCING, PERMISSIVE, or DISABLED.
    AllowRemoteResourceManagement bool
    When true, resources can be managed remotely by the resource server. Defaults to false.
    DecisionStrategy string
    Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
    KeepDefaults bool
    When true, defaults set by Keycloak will be respected. Defaults to false.
    PolicyEnforcementMode string
    Dictates how policies are enforced when evaluating authorization requests. Can be one of ENFORCING, PERMISSIVE, or DISABLED.
    AllowRemoteResourceManagement bool
    When true, resources can be managed remotely by the resource server. Defaults to false.
    DecisionStrategy string
    Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
    KeepDefaults bool
    When true, defaults set by Keycloak will be respected. Defaults to false.
    policyEnforcementMode String
    Dictates how policies are enforced when evaluating authorization requests. Can be one of ENFORCING, PERMISSIVE, or DISABLED.
    allowRemoteResourceManagement Boolean
    When true, resources can be managed remotely by the resource server. Defaults to false.
    decisionStrategy String
    Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
    keepDefaults Boolean
    When true, defaults set by Keycloak will be respected. Defaults to false.
    policyEnforcementMode string
    Dictates how policies are enforced when evaluating authorization requests. Can be one of ENFORCING, PERMISSIVE, or DISABLED.
    allowRemoteResourceManagement boolean
    When true, resources can be managed remotely by the resource server. Defaults to false.
    decisionStrategy string
    Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
    keepDefaults boolean
    When true, defaults set by Keycloak will be respected. Defaults to false.
    policy_enforcement_mode str
    Dictates how policies are enforced when evaluating authorization requests. Can be one of ENFORCING, PERMISSIVE, or DISABLED.
    allow_remote_resource_management bool
    When true, resources can be managed remotely by the resource server. Defaults to false.
    decision_strategy str
    Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
    keep_defaults bool
    When true, defaults set by Keycloak will be respected. Defaults to false.
    policyEnforcementMode String
    Dictates how policies are enforced when evaluating authorization requests. Can be one of ENFORCING, PERMISSIVE, or DISABLED.
    allowRemoteResourceManagement Boolean
    When true, resources can be managed remotely by the resource server. Defaults to false.
    decisionStrategy String
    Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
    keepDefaults Boolean
    When true, defaults set by Keycloak will be respected. Defaults to false.

    Import

    Clients can be imported using the format {{realm_id}}/{{client_keycloak_id}}, where client_keycloak_id is the unique ID that Keycloak

    assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID.

    Example:

    bash

    $ pulumi import keycloak:openid/client:Client openid_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Keycloak pulumi/pulumi-keycloak
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the keycloak Terraform Provider.
    keycloak logo
    Keycloak v6.5.0 published on Tuesday, May 13, 2025 by Pulumi
    pulumi/pulumi-keycloak