keycloak.openid.Client
Allows for creating and managing Keycloak clients that use the OpenID Connect protocol.
Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users to Keycloak for authentication in order to take advantage of Keycloak’s user sessions for SSO.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
// A realm is the tenant boundary in Keycloak; the client below is created inside it.
const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});

// Arguments for a server-side (CONFIDENTIAL) OpenID Connect client.
// clientSecret is not set, so Keycloak generates one; the generated value is
// sensitive and should be handled like a password wherever it is read back.
const openidClientArgs: keycloak.openid.ClientArgs = {
    realmId: realm.id,
    clientId: "test-client",
    name: "test client",
    enabled: true,
    accessType: "CONFIDENTIAL",
    // Exact redirect URIs keep the redirect allow-list tight; the provider also
    // accepts simple '*' wildcards, which are broader than needed here.
    validRedirectUris: ["http://localhost:8080/openid-callback"],
    loginTheme: "keycloak",
    // Free-form Keycloak client attributes (see ClientAuthenticatorType in the Inputs section).
    extraConfig: {
        key1: "value1",
        key2: "value2",
    },
};
const openidClient = new keycloak.openid.Client("openid_client", openidClientArgs);
import pulumi
import pulumi_keycloak as keycloak
# A realm is the tenant boundary in Keycloak; the client below is created inside it.
realm = keycloak.Realm("realm", realm="my-realm", enabled=True)

# Keyword arguments for a server-side (CONFIDENTIAL) OpenID Connect client.
# client_secret is not set, so Keycloak generates one; the generated value is
# sensitive and should be handled like a password wherever it is read back.
_client_kwargs = {
    "realm_id": realm.id,
    "client_id": "test-client",
    "name": "test client",
    "enabled": True,
    "access_type": "CONFIDENTIAL",
    # Exact redirect URIs keep the redirect allow-list tight; the provider also
    # accepts simple '*' wildcards, which are broader than needed here.
    "valid_redirect_uris": ["http://localhost:8080/openid-callback"],
    "login_theme": "keycloak",
    # Free-form Keycloak client attributes (see client_authenticator_type in the Inputs section).
    "extra_config": {"key1": "value1", "key2": "value2"},
}
openid_client = keycloak.openid.Client("openid_client", **_client_kwargs)
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a realm and a CONFIDENTIAL OpenID Connect client inside it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// A realm is the tenant boundary in Keycloak; the client below is created inside it.
		realmArgs := &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		}
		realm, err := keycloak.NewRealm(ctx, "realm", realmArgs)
		if err != nil {
			return err
		}

		// Server-side (CONFIDENTIAL) OpenID Connect client. ClientSecret is not set,
		// so Keycloak generates one; treat the generated value like a password.
		clientArgs := &openid.ClientArgs{
			RealmId:    realm.ID(),
			ClientId:   pulumi.String("test-client"),
			Name:       pulumi.String("test client"),
			Enabled:    pulumi.Bool(true),
			AccessType: pulumi.String("CONFIDENTIAL"),
			// Exact redirect URIs keep the redirect allow-list tight; the provider also
			// accepts simple '*' wildcards, which are broader than needed here.
			ValidRedirectUris: pulumi.StringArray{
				pulumi.String("http://localhost:8080/openid-callback"),
			},
			LoginTheme: pulumi.String("keycloak"),
			// Free-form Keycloak client attributes (see ClientAuthenticatorType in the Inputs section).
			ExtraConfig: pulumi.StringMap{
				"key1": pulumi.String("value1"),
				"key2": pulumi.String("value2"),
			},
		}
		if _, err := openid.NewClient(ctx, "openid_client", clientArgs); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
    // A realm is the tenant boundary in Keycloak; the client below is created inside it.
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });

    // Exact redirect URIs keep the redirect allow-list tight; the provider also
    // accepts simple '*' wildcards, which are broader than needed here.
    var redirectUris = new[] { "http://localhost:8080/openid-callback" };

    // Free-form Keycloak client attributes (see ClientAuthenticatorType in the Inputs section).
    var extraConfig = new InputMap<string>
    {
        { "key1", "value1" },
        { "key2", "value2" },
    };

    // Server-side (CONFIDENTIAL) OpenID Connect client. ClientSecret is not set,
    // so Keycloak generates one; treat the generated value like a password.
    var openidClient = new Keycloak.OpenId.Client("openid_client", new()
    {
        RealmId = realm.Id,
        ClientId = "test-client",
        Name = "test client",
        Enabled = true,
        AccessType = "CONFIDENTIAL",
        ValidRedirectUris = redirectUris,
        LoginTheme = "keycloak",
        ExtraConfig = extraConfig,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares a realm and a CONFIDENTIAL OpenID Connect client inside it. */
    public static void stack(Context ctx) {
        // A realm is the tenant boundary in Keycloak; the client below is created inside it.
        RealmArgs realmArgs = RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build();
        var realm = new Realm("realm", realmArgs);

        // Free-form Keycloak client attributes; Map.of yields an immutable map like Map.ofEntries.
        Map<String, String> extraConfig = Map.of("key1", "value1", "key2", "value2");

        // clientSecret is not set, so Keycloak generates one; treat the generated
        // value like a password wherever it is read back.
        ClientArgs clientArgs = ClientArgs.builder()
            .realmId(realm.id())
            .clientId("test-client")
            .name("test client")
            .enabled(true)
            .accessType("CONFIDENTIAL")
            // Exact redirect URIs keep the redirect allow-list tight; the provider also
            // accepts simple '*' wildcards, which are broader than needed here.
            .validRedirectUris("http://localhost:8080/openid-callback")
            .loginTheme("keycloak")
            .extraConfig(extraConfig)
            .build();
        var openidClient = new Client("openidClient", clientArgs);
    }
}
resources:
  # A realm is the tenant boundary in Keycloak; the client below is created inside it.
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  # Server-side (CONFIDENTIAL) OpenID Connect client. clientSecret is not set,
  # so Keycloak generates one; treat the generated value like a password.
  openidClient:
    type: keycloak:openid:Client
    name: openid_client
    properties:
      realmId: ${realm.id}
      clientId: test-client
      name: test client
      enabled: true
      accessType: CONFIDENTIAL
      # Exact redirect URIs keep the redirect allow-list tight; simple '*'
      # wildcards are accepted but broader than needed here.
      validRedirectUris:
        - http://localhost:8080/openid-callback
      loginTheme: keycloak
      # Free-form Keycloak client attributes (see clientAuthenticatorType in the Inputs section).
      extraConfig:
        key1: value1
        key2: value2
Create Client Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Client(name: string, args: ClientArgs, opts?: CustomResourceOptions);
@overload
def Client(resource_name: str,
args: ClientArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Client(resource_name: str,
opts: Optional[ResourceOptions] = None,
client_id: Optional[str] = None,
access_type: Optional[str] = None,
realm_id: Optional[str] = None,
exclude_session_state_from_auth_response: Optional[bool] = None,
authentication_flow_binding_overrides: Optional[ClientAuthenticationFlowBindingOverridesArgs] = None,
backchannel_logout_revoke_offline_sessions: Optional[bool] = None,
extra_config: Optional[Mapping[str, str]] = None,
backchannel_logout_url: Optional[str] = None,
frontchannel_logout_url: Optional[str] = None,
client_authenticator_type: Optional[str] = None,
frontchannel_logout_enabled: Optional[bool] = None,
client_offline_session_idle_timeout: Optional[str] = None,
client_offline_session_max_lifespan: Optional[str] = None,
client_secret: Optional[str] = None,
client_session_idle_timeout: Optional[str] = None,
client_session_max_lifespan: Optional[str] = None,
consent_required: Optional[bool] = None,
consent_screen_text: Optional[str] = None,
description: Optional[str] = None,
direct_access_grants_enabled: Optional[bool] = None,
display_on_consent_screen: Optional[bool] = None,
enabled: Optional[bool] = None,
access_token_lifespan: Optional[str] = None,
backchannel_logout_session_required: Optional[bool] = None,
authorization: Optional[ClientAuthorizationArgs] = None,
base_url: Optional[str] = None,
full_scope_allowed: Optional[bool] = None,
implicit_flow_enabled: Optional[bool] = None,
import_: Optional[bool] = None,
login_theme: Optional[str] = None,
name: Optional[str] = None,
oauth2_device_authorization_grant_enabled: Optional[bool] = None,
oauth2_device_code_lifespan: Optional[str] = None,
oauth2_device_polling_interval: Optional[str] = None,
pkce_code_challenge_method: Optional[str] = None,
admin_url: Optional[str] = None,
root_url: Optional[str] = None,
service_accounts_enabled: Optional[bool] = None,
standard_flow_enabled: Optional[bool] = None,
use_refresh_tokens: Optional[bool] = None,
use_refresh_tokens_client_credentials: Optional[bool] = None,
valid_post_logout_redirect_uris: Optional[Sequence[str]] = None,
valid_redirect_uris: Optional[Sequence[str]] = None,
web_origins: Optional[Sequence[str]] = None)
func NewClient(ctx *Context, name string, args ClientArgs, opts ...ResourceOption) (*Client, error)
public Client(string name, ClientArgs args, CustomResourceOptions? opts = null)
public Client(String name, ClientArgs args)
public Client(String name, ClientArgs args, CustomResourceOptions options)
type: keycloak:openid:Client
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ClientArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ClientArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ClientArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ClientArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ClientArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference form of the constructor: every input is set to a placeholder value.
// See the Inputs section for each property; only the security-relevant ones are annotated here.
var clientResource = new Keycloak.OpenId.Client("clientResource", new()
{
    ClientId = "string",
    // CONFIDENTIAL (server-side, uses a secret), PUBLIC (browser-only, no secret)
    // or BEARER-ONLY (never initiates a login).
    AccessType = "string",
    RealmId = "string",
    // true drops the session_state parameter from the authentication response.
    ExcludeSessionStateFromAuthResponse = false,
    AuthenticationFlowBindingOverrides = new Keycloak.OpenId.Inputs.ClientAuthenticationFlowBindingOverridesArgs
    {
        BrowserId = "string",
        DirectGrantId = "string",
    },
    BackchannelLogoutRevokeOfflineSessions = false,
    // Free-form Keycloak attributes, e.g. the signing algorithm for client-jwt authentication.
    ExtraConfig =
    {
        { "string", "string" },
    },
    BackchannelLogoutUrl = "string",
    FrontchannelLogoutUrl = "string",
    // client-secret (default), client-jwt, client-x509 or client-secret-jwt.
    ClientAuthenticatorType = "string",
    FrontchannelLogoutEnabled = false,
    ClientOfflineSessionIdleTimeout = "string",
    ClientOfflineSessionMaxLifespan = "string",
    // Sensitive: treat like a password. Leave unset to let Keycloak generate it, and
    // when set, source it from a secret config value rather than a literal in source.
    ClientSecret = "string",
    ClientSessionIdleTimeout = "string",
    ClientSessionMaxLifespan = "string",
    ConsentRequired = false,
    ConsentScreenText = "string",
    Description = "string",
    // Enables the OAuth2 Resource Owner Password grant (defaults to false).
    DirectAccessGrantsEnabled = false,
    DisplayOnConsentScreen = false,
    Enabled = false,
    AccessTokenLifespan = "string",
    BackchannelLogoutSessionRequired = false,
    // Fine-grained authorization; requires AccessType CONFIDENTIAL and ServiceAccountsEnabled true.
    Authorization = new Keycloak.OpenId.Inputs.ClientAuthorizationArgs
    {
        PolicyEnforcementMode = "string",
        AllowRemoteResourceManagement = false,
        DecisionStrategy = "string",
        KeepDefaults = false,
    },
    BaseUrl = "string",
    // true puts every role mapping into the access token; false keeps tokens narrower.
    FullScopeAllowed = false,
    ImplicitFlowEnabled = false,
    // true adopts an existing client into state; it is then not removed on destroy.
    Import = false,
    LoginTheme = "string",
    Name = "string",
    Oauth2DeviceAuthorizationGrantEnabled = false,
    Oauth2DeviceCodeLifespan = "string",
    Oauth2DevicePollingInterval = "string",
    // plain, S256 or empty.
    PkceCodeChallengeMethod = "string",
    AdminUrl = "string",
    RootUrl = "string",
    ServiceAccountsEnabled = false,
    StandardFlowEnabled = false,
    UseRefreshTokens = false,
    // Defaults to false, per RFC 6749 section 4.4.3 (no refresh token for client_credentials).
    UseRefreshTokensClientCredentials = false,
    ValidPostLogoutRedirectUris = new[]
    {
        "string",
    },
    // Required when the standard or implicit flow is enabled. '*' wildcards are
    // accepted; exact URIs keep the redirect allow-list tight.
    ValidRedirectUris = new[]
    {
        "string",
    },
    // CORS origins: '+' mirrors the redirect URIs, '*' permits every origin.
    WebOrigins = new[]
    {
        "string",
    },
});
// Reference form of the constructor: every input is set to a placeholder value.
// See the Inputs section for each property; only the security-relevant ones are annotated here.
example, err := openid.NewClient(ctx, "clientResource", &openid.ClientArgs{
	ClientId: pulumi.String("string"),
	// CONFIDENTIAL (server-side, uses a secret), PUBLIC (browser-only, no secret)
	// or BEARER-ONLY (never initiates a login).
	AccessType: pulumi.String("string"),
	RealmId:    pulumi.String("string"),
	// true drops the session_state parameter from the authentication response.
	ExcludeSessionStateFromAuthResponse: pulumi.Bool(false),
	AuthenticationFlowBindingOverrides: &openid.ClientAuthenticationFlowBindingOverridesArgs{
		BrowserId:     pulumi.String("string"),
		DirectGrantId: pulumi.String("string"),
	},
	BackchannelLogoutRevokeOfflineSessions: pulumi.Bool(false),
	// Free-form Keycloak attributes, e.g. the signing algorithm for client-jwt authentication.
	ExtraConfig: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	BackchannelLogoutUrl:  pulumi.String("string"),
	FrontchannelLogoutUrl: pulumi.String("string"),
	// client-secret (default), client-jwt, client-x509 or client-secret-jwt.
	ClientAuthenticatorType:         pulumi.String("string"),
	FrontchannelLogoutEnabled:       pulumi.Bool(false),
	ClientOfflineSessionIdleTimeout: pulumi.String("string"),
	ClientOfflineSessionMaxLifespan: pulumi.String("string"),
	// Sensitive: treat like a password. Leave unset to let Keycloak generate it, and
	// when set, source it from a secret config value rather than a literal in source.
	ClientSecret:             pulumi.String("string"),
	ClientSessionIdleTimeout: pulumi.String("string"),
	ClientSessionMaxLifespan: pulumi.String("string"),
	ConsentRequired:          pulumi.Bool(false),
	ConsentScreenText:        pulumi.String("string"),
	Description:              pulumi.String("string"),
	// Enables the OAuth2 Resource Owner Password grant (defaults to false).
	DirectAccessGrantsEnabled:        pulumi.Bool(false),
	DisplayOnConsentScreen:           pulumi.Bool(false),
	Enabled:                          pulumi.Bool(false),
	AccessTokenLifespan:              pulumi.String("string"),
	BackchannelLogoutSessionRequired: pulumi.Bool(false),
	// Fine-grained authorization; requires AccessType CONFIDENTIAL and ServiceAccountsEnabled true.
	Authorization: &openid.ClientAuthorizationArgs{
		PolicyEnforcementMode:         pulumi.String("string"),
		AllowRemoteResourceManagement: pulumi.Bool(false),
		DecisionStrategy:              pulumi.String("string"),
		KeepDefaults:                  pulumi.Bool(false),
	},
	BaseUrl: pulumi.String("string"),
	// true puts every role mapping into the access token; false keeps tokens narrower.
	FullScopeAllowed:    pulumi.Bool(false),
	ImplicitFlowEnabled: pulumi.Bool(false),
	// true adopts an existing client into state; it is then not removed on destroy.
	Import:                                pulumi.Bool(false),
	LoginTheme:                            pulumi.String("string"),
	Name:                                  pulumi.String("string"),
	Oauth2DeviceAuthorizationGrantEnabled: pulumi.Bool(false),
	Oauth2DeviceCodeLifespan:              pulumi.String("string"),
	Oauth2DevicePollingInterval:           pulumi.String("string"),
	// plain, S256 or empty.
	PkceCodeChallengeMethod: pulumi.String("string"),
	AdminUrl:                pulumi.String("string"),
	RootUrl:                 pulumi.String("string"),
	ServiceAccountsEnabled:  pulumi.Bool(false),
	StandardFlowEnabled:     pulumi.Bool(false),
	UseRefreshTokens:        pulumi.Bool(false),
	// Defaults to false, per RFC 6749 section 4.4.3 (no refresh token for client_credentials).
	UseRefreshTokensClientCredentials: pulumi.Bool(false),
	ValidPostLogoutRedirectUris: pulumi.StringArray{
		pulumi.String("string"),
	},
	// Required when the standard or implicit flow is enabled. '*' wildcards are
	// accepted; exact URIs keep the redirect allow-list tight.
	ValidRedirectUris: pulumi.StringArray{
		pulumi.String("string"),
	},
	// CORS origins: '+' mirrors the redirect URIs, '*' permits every origin.
	WebOrigins: pulumi.StringArray{
		pulumi.String("string"),
	},
})
// Reference form of the constructor: every input is set to a placeholder value.
// See the Inputs section for each property; only the security-relevant ones are annotated here.
var clientResource = new Client("clientResource", ClientArgs.builder()
    .clientId("string")
    // CONFIDENTIAL (server-side, uses a secret), PUBLIC (browser-only, no secret)
    // or BEARER-ONLY (never initiates a login).
    .accessType("string")
    .realmId("string")
    // true drops the session_state parameter from the authentication response.
    .excludeSessionStateFromAuthResponse(false)
    .authenticationFlowBindingOverrides(ClientAuthenticationFlowBindingOverridesArgs.builder()
        .browserId("string")
        .directGrantId("string")
        .build())
    .backchannelLogoutRevokeOfflineSessions(false)
    // Free-form Keycloak attributes, e.g. the signing algorithm for client-jwt authentication.
    .extraConfig(Map.of("string", "string"))
    .backchannelLogoutUrl("string")
    .frontchannelLogoutUrl("string")
    // client-secret (default), client-jwt, client-x509 or client-secret-jwt.
    .clientAuthenticatorType("string")
    .frontchannelLogoutEnabled(false)
    .clientOfflineSessionIdleTimeout("string")
    .clientOfflineSessionMaxLifespan("string")
    // Sensitive: treat like a password. Leave unset to let Keycloak generate it, and
    // when set, source it from a secret config value rather than a literal in source.
    .clientSecret("string")
    .clientSessionIdleTimeout("string")
    .clientSessionMaxLifespan("string")
    .consentRequired(false)
    .consentScreenText("string")
    .description("string")
    // Enables the OAuth2 Resource Owner Password grant (defaults to false).
    .directAccessGrantsEnabled(false)
    .displayOnConsentScreen(false)
    .enabled(false)
    .accessTokenLifespan("string")
    .backchannelLogoutSessionRequired(false)
    // Fine-grained authorization; requires accessType CONFIDENTIAL and serviceAccountsEnabled true.
    .authorization(ClientAuthorizationArgs.builder()
        .policyEnforcementMode("string")
        .allowRemoteResourceManagement(false)
        .decisionStrategy("string")
        .keepDefaults(false)
        .build())
    .baseUrl("string")
    // true puts every role mapping into the access token; false keeps tokens narrower.
    .fullScopeAllowed(false)
    .implicitFlowEnabled(false)
    // true adopts an existing client into state; it is then not removed on destroy.
    .import_(false)
    .loginTheme("string")
    .name("string")
    .oauth2DeviceAuthorizationGrantEnabled(false)
    .oauth2DeviceCodeLifespan("string")
    .oauth2DevicePollingInterval("string")
    // plain, S256 or empty.
    .pkceCodeChallengeMethod("string")
    .adminUrl("string")
    .rootUrl("string")
    .serviceAccountsEnabled(false)
    .standardFlowEnabled(false)
    .useRefreshTokens(false)
    // Defaults to false, per RFC 6749 section 4.4.3 (no refresh token for client_credentials).
    .useRefreshTokensClientCredentials(false)
    .validPostLogoutRedirectUris("string")
    // Required when the standard or implicit flow is enabled. '*' wildcards are
    // accepted; exact URIs keep the redirect allow-list tight.
    .validRedirectUris("string")
    // CORS origins: '+' mirrors the redirect URIs, '*' permits every origin.
    .webOrigins("string")
    .build());
# Reference form of the constructor: every input is set to a placeholder value.
# See the Inputs section for each property; only the security-relevant ones are annotated here.
client_resource = keycloak.openid.Client("clientResource",
    client_id="string",
    # CONFIDENTIAL (server-side, uses a secret), PUBLIC (browser-only, no secret)
    # or BEARER-ONLY (never initiates a login).
    access_type="string",
    realm_id="string",
    # True drops the session_state parameter from the authentication response.
    exclude_session_state_from_auth_response=False,
    authentication_flow_binding_overrides={
        "browser_id": "string",
        "direct_grant_id": "string",
    },
    backchannel_logout_revoke_offline_sessions=False,
    # Free-form Keycloak attributes, e.g. the signing algorithm for client-jwt authentication.
    extra_config={
        "string": "string",
    },
    backchannel_logout_url="string",
    frontchannel_logout_url="string",
    # client-secret (default), client-jwt, client-x509 or client-secret-jwt.
    client_authenticator_type="string",
    frontchannel_logout_enabled=False,
    client_offline_session_idle_timeout="string",
    client_offline_session_max_lifespan="string",
    # Sensitive: treat like a password. Leave unset to let Keycloak generate it, and
    # when set, source it from a secret config value rather than a literal in source.
    client_secret="string",
    client_session_idle_timeout="string",
    client_session_max_lifespan="string",
    consent_required=False,
    consent_screen_text="string",
    description="string",
    # Enables the OAuth2 Resource Owner Password grant (defaults to False).
    direct_access_grants_enabled=False,
    display_on_consent_screen=False,
    enabled=False,
    access_token_lifespan="string",
    backchannel_logout_session_required=False,
    # Fine-grained authorization; requires access_type CONFIDENTIAL and service_accounts_enabled True.
    authorization={
        "policy_enforcement_mode": "string",
        "allow_remote_resource_management": False,
        "decision_strategy": "string",
        "keep_defaults": False,
    },
    base_url="string",
    # True puts every role mapping into the access token; False keeps tokens narrower.
    full_scope_allowed=False,
    implicit_flow_enabled=False,
    # True adopts an existing client into state; it is then not removed on destroy.
    import_=False,
    login_theme="string",
    name="string",
    oauth2_device_authorization_grant_enabled=False,
    oauth2_device_code_lifespan="string",
    oauth2_device_polling_interval="string",
    # plain, S256 or empty.
    pkce_code_challenge_method="string",
    admin_url="string",
    root_url="string",
    service_accounts_enabled=False,
    standard_flow_enabled=False,
    use_refresh_tokens=False,
    # Defaults to False, per RFC 6749 section 4.4.3 (no refresh token for client_credentials).
    use_refresh_tokens_client_credentials=False,
    valid_post_logout_redirect_uris=["string"],
    # Required when the standard or implicit flow is enabled. '*' wildcards are
    # accepted; exact URIs keep the redirect allow-list tight.
    valid_redirect_uris=["string"],
    # CORS origins: '+' mirrors the redirect URIs, '*' permits every origin.
    web_origins=["string"])
// Reference form of the constructor: every input is set to a placeholder value.
// See the Inputs section for each property; only the security-relevant ones are annotated here.
const clientResource = new keycloak.openid.Client("clientResource", {
    clientId: "string",
    // CONFIDENTIAL (server-side, uses a secret), PUBLIC (browser-only, no secret)
    // or BEARER-ONLY (never initiates a login).
    accessType: "string",
    realmId: "string",
    // true drops the session_state parameter from the authentication response.
    excludeSessionStateFromAuthResponse: false,
    authenticationFlowBindingOverrides: {
        browserId: "string",
        directGrantId: "string",
    },
    backchannelLogoutRevokeOfflineSessions: false,
    // Free-form Keycloak attributes, e.g. the signing algorithm for client-jwt authentication.
    extraConfig: {
        string: "string",
    },
    backchannelLogoutUrl: "string",
    frontchannelLogoutUrl: "string",
    // client-secret (default), client-jwt, client-x509 or client-secret-jwt.
    clientAuthenticatorType: "string",
    frontchannelLogoutEnabled: false,
    clientOfflineSessionIdleTimeout: "string",
    clientOfflineSessionMaxLifespan: "string",
    // Sensitive: treat like a password. Leave unset to let Keycloak generate it, and
    // when set, source it from a secret config value rather than a literal in source.
    clientSecret: "string",
    clientSessionIdleTimeout: "string",
    clientSessionMaxLifespan: "string",
    consentRequired: false,
    consentScreenText: "string",
    description: "string",
    // Enables the OAuth2 Resource Owner Password grant (defaults to false).
    directAccessGrantsEnabled: false,
    displayOnConsentScreen: false,
    enabled: false,
    accessTokenLifespan: "string",
    backchannelLogoutSessionRequired: false,
    // Fine-grained authorization; requires accessType CONFIDENTIAL and serviceAccountsEnabled true.
    authorization: {
        policyEnforcementMode: "string",
        allowRemoteResourceManagement: false,
        decisionStrategy: "string",
        keepDefaults: false,
    },
    baseUrl: "string",
    // true puts every role mapping into the access token; false keeps tokens narrower.
    fullScopeAllowed: false,
    implicitFlowEnabled: false,
    // true adopts an existing client into state; it is then not removed on destroy.
    "import": false,
    loginTheme: "string",
    name: "string",
    oauth2DeviceAuthorizationGrantEnabled: false,
    oauth2DeviceCodeLifespan: "string",
    oauth2DevicePollingInterval: "string",
    // plain, S256 or empty.
    pkceCodeChallengeMethod: "string",
    adminUrl: "string",
    rootUrl: "string",
    serviceAccountsEnabled: false,
    standardFlowEnabled: false,
    useRefreshTokens: false,
    // Defaults to false, per RFC 6749 section 4.4.3 (no refresh token for client_credentials).
    useRefreshTokensClientCredentials: false,
    validPostLogoutRedirectUris: ["string"],
    // Required when the standard or implicit flow is enabled. '*' wildcards are
    // accepted; exact URIs keep the redirect allow-list tight.
    validRedirectUris: ["string"],
    // CORS origins: '+' mirrors the redirect URIs, '*' permits every origin.
    webOrigins: ["string"],
});
# Reference form of the resource: every input is set to a placeholder value.
# See the Inputs section for each property; only the security-relevant ones are annotated here.
type: keycloak:openid:Client
properties:
  accessTokenLifespan: string
  # CONFIDENTIAL (server-side, uses a secret), PUBLIC (browser-only, no secret)
  # or BEARER-ONLY (never initiates a login).
  accessType: string
  adminUrl: string
  authenticationFlowBindingOverrides:
    browserId: string
    directGrantId: string
  # Fine-grained authorization; requires accessType CONFIDENTIAL and serviceAccountsEnabled true.
  authorization:
    allowRemoteResourceManagement: false
    decisionStrategy: string
    keepDefaults: false
    policyEnforcementMode: string
  backchannelLogoutRevokeOfflineSessions: false
  backchannelLogoutSessionRequired: false
  backchannelLogoutUrl: string
  baseUrl: string
  # client-secret (default), client-jwt, client-x509 or client-secret-jwt.
  clientAuthenticatorType: string
  clientId: string
  clientOfflineSessionIdleTimeout: string
  clientOfflineSessionMaxLifespan: string
  # Sensitive: treat like a password. Leave unset to let Keycloak generate it, and
  # when set, source it from a secret config value rather than a literal in source.
  clientSecret: string
  clientSessionIdleTimeout: string
  clientSessionMaxLifespan: string
  consentRequired: false
  consentScreenText: string
  description: string
  # Enables the OAuth2 Resource Owner Password grant (defaults to false).
  directAccessGrantsEnabled: false
  displayOnConsentScreen: false
  enabled: false
  # true drops the session_state parameter from the authentication response.
  excludeSessionStateFromAuthResponse: false
  # Free-form Keycloak attributes, e.g. the signing algorithm for client-jwt authentication.
  extraConfig:
    string: string
  frontchannelLogoutEnabled: false
  frontchannelLogoutUrl: string
  # true puts every role mapping into the access token; false keeps tokens narrower.
  fullScopeAllowed: false
  implicitFlowEnabled: false
  # true adopts an existing client into state; it is then not removed on destroy.
  import: false
  loginTheme: string
  name: string
  oauth2DeviceAuthorizationGrantEnabled: false
  oauth2DeviceCodeLifespan: string
  oauth2DevicePollingInterval: string
  # plain, S256 or empty.
  pkceCodeChallengeMethod: string
  realmId: string
  rootUrl: string
  serviceAccountsEnabled: false
  standardFlowEnabled: false
  useRefreshTokens: false
  # Defaults to false, per RFC 6749 section 4.4.3 (no refresh token for client_credentials).
  useRefreshTokensClientCredentials: false
  validPostLogoutRedirectUris:
    - string
  # Required when the standard or implicit flow is enabled. '*' wildcards are
  # accepted; exact URIs keep the redirect allow-list tight.
  validRedirectUris:
    - string
  # CORS origins: '+' mirrors the redirect URIs, '*' permits every origin.
  webOrigins:
    - string
Client Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Client resource accepts the following input properties:
- AccessType string - Specifies the type of client, which can be one of the following:
  - CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
  - PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
  - BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
- ClientId string - The Client ID for this client, referenced in the URI during authentication and in issued tokens.
- RealmId string - The realm this client is attached to.
- AccessTokenLifespan string - The amount of time in seconds before an access token expires. This will override the default for the realm.
- AdminUrl string - URL to the admin interface of the client.
- AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides - Override realm authentication flow bindings.
- Authorization ClientAuthorization - When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments:
- BackchannelLogoutRevokeOfflineSessions bool - Specifies whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
- BackchannelLogoutSessionRequired bool - When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`.
- BackchannelLogoutUrl string - The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case.
- BaseUrl string - Default URL to use when the auth server needs to redirect or link back to the client.
- ClientAuthenticatorType string - Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types:
  - `client-secret` (Default) - Use client id and client secret to authenticate the client.
  - `client-jwt` - Use a signed JWT to authenticate the client. Set the signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`.
  - `client-x509` - Use an X.509 certificate to authenticate the client. Set the Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>`.
  - `client-secret-jwt` - Use a signed JWT with the client secret to authenticate the client. Set the signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`.
- ClientOfflineSessionIdleTimeout string - Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Idle value.
- ClientOfflineSessionMaxLifespan string - Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
- ClientSecret string - The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
- ClientSessionIdleTimeout string - Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Idle value.
- ClientSessionMaxLifespan string - Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
- ConsentRequired bool - When `true`, users have to consent to client access. Defaults to `false`.
- ConsentScreenText string - The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`.
- Description string - The description of this client in the GUI.
- DirectAccessGrantsEnabled bool - When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`.
- DisplayOnConsentScreen bool - When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`.
- Enabled bool - When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.
- ExcludeSessionStateFromAuthResponse bool - When `true`, the parameter `session_state` will not be included in the OpenID Connect Authentication Response.
- ExtraConfig Dictionary<string, string>
- FrontchannelLogoutEnabled bool - When `true`, frontchannel logout will be enabled for this client. Specify the URL with `frontchannel_logout_url`. Defaults to `false`.
- FrontchannelLogoutUrl string - The frontchannel logout URL. This is applicable only when `frontchannel_logout_enabled` is `true`.
- FullScopeAllowed bool - Allows including all role mappings in the access token.
- ImplicitFlowEnabled bool - When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`.
- Import bool - When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note that the client will not be removed during destruction if `import` is `true`.
- LoginTheme string - The client login theme. This will override the default theme for the realm.
- Name string - The display name of this client in the GUI.
- Oauth2DeviceAuthorizationGrantEnabled bool - Enables support for the OAuth 2.0 Device Authorization Grant, which means the client is an application on a device that has limited input capabilities or lacks a suitable browser.
- Oauth2DeviceCodeLifespan string - The maximum amount of time a client has to finish the device code flow before it expires.
- Oauth2DevicePollingInterval string - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- PkceCodeChallengeMethod string - The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256`, or set to an empty value ``.
- RootUrl string - When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required.
- ServiceAccountsEnabled bool - When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`.
- StandardFlowEnabled bool - When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`.
- UseRefreshTokens bool - If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`.
- UseRefreshTokensClientCredentials bool - If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`.
- ValidPostLogoutRedirectUris List<string> - A list of valid URIs a browser is permitted to redirect to after a successful logout.
- ValidRedirectUris List<string> - A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled` is set to `true`.
- WebOrigins List<string> - A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`.
- AccessType string - Specifies the type of client, which can be one of the following:
  - CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
  - PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
  - BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
- ClientId string - The Client ID for this client, referenced in the URI during authentication and in issued tokens.
- RealmId string - The realm this client is attached to.
- AccessTokenLifespan string - The amount of time in seconds before an access token expires. This will override the default for the realm.
- AdminUrl string - URL to the admin interface of the client.
- AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs - Override realm authentication flow bindings.
- Authorization ClientAuthorizationArgs - When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments:
- BackchannelLogoutRevokeOfflineSessions bool - Specifies whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
- BackchannelLogoutSessionRequired bool - When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`.
- BackchannelLogoutUrl string - The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case.
- BaseUrl string - Default URL to use when the auth server needs to redirect or link back to the client.
- ClientAuthenticatorType string - Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types:
  - `client-secret` (Default) - Use client id and client secret to authenticate the client.
  - `client-jwt` - Use a signed JWT to authenticate the client. Set the signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`.
  - `client-x509` - Use an X.509 certificate to authenticate the client. Set the Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>`.
  - `client-secret-jwt` - Use a signed JWT with the client secret to authenticate the client. Set the signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`.
- ClientOfflineSessionIdleTimeout string - Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Idle value.
- ClientOfflineSessionMaxLifespan string - Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
- ClientSecret string - The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
- ClientSessionIdleTimeout string - Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Idle value.
- ClientSessionMaxLifespan string - Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
- ConsentRequired bool - When `true`, users have to consent to client access. Defaults to `false`.
- ConsentScreenText string - The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`.
- Description string - The description of this client in the GUI.
- Direct
Access boolGrants Enabled - When
true
, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults tofalse
. - Display
On boolConsent Screen - When
true
, the consent screen will display information about the client itself. Defaults tofalse
. This is applicable only whenconsent_required
istrue
. - Enabled bool
- When
false
, this client will not be able to initiate a login or obtain access tokens. Defaults totrue
. - Exclude
Session boolState From Auth Response - When
true
, the parametersession_state
will not be included in OpenID Connect Authentication Response. - Extra
Config map[string]string - Frontchannel
Logout boolEnabled - When
true
, frontchannel logout will be enabled for this client. Specify the url withfrontchannel_logout_url
. Defaults tofalse
. - Frontchannel
Logout stringUrl - The frontchannel logout url. This is applicable only when
frontchannel_logout_enabled
istrue
. - Full
Scope bool Allowed - When true, all of the user's role mappings are included in the access token rather than only those permitted by the client's scope configuration. For least privilege, prefer false so tokens carry only the roles the client actually needs.
- Implicit
Flow bool Enabled - When true, the OAuth2 Implicit Grant will be enabled for this client. The implicit grant returns tokens in the URL fragment, where they are exposed to browser history, referrers and injected scripts, and current OAuth 2.0 security guidance recommends against it; prefer standard_flow_enabled with PKCE. Defaults to false. - Import bool
- When
true
, the client with the specifiedclient_id
is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such asaccount
andadmin-cli
. Note, that the client will not be removed during destruction ifimport
istrue
. - Login
Theme string - The client login theme. This will override the default theme for the realm.
- Name string
- The display name of this client in the GUI.
- bool
- Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
- Oauth2Device
Code stringLifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- Oauth2Device
Polling stringInterval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- Pkce
Code string Challenge Method - The challenge method to use for Proof Key for Code Exchange (PKCE). Can be either plain or S256, or set to the empty value `` to leave PKCE unenforced. S256 is the recommended method; plain transmits the code verifier unhashed and should only be used when the client cannot compute SHA-256. Setting a method here makes Keycloak enforce PKCE on this client's authorization code requests, which protects public clients against authorization code interception. - Root
Url string - When specified, this URL is prepended to any relative URLs found within
valid_redirect_uris
,web_origins
, andadmin_url
. NOTE: Due to limitations in the Keycloak API, when theroot_url
attribute is used, thevalid_redirect_uris
,web_origins
, andadmin_url
attributes will be required. - Service
Accounts boolEnabled - When
true
, the OAuth2 Client Credentials grant will be enabled for this client. Defaults tofalse
. - Standard
Flow boolEnabled - When
true
, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults tofalse
. - Use
Refresh boolTokens - If this is
true
, a refresh_token will be created and added to the token response. If this isfalse
then no refresh_token will be generated. Defaults totrue
. - Use
Refresh boolTokens Client Credentials - If this is
true
, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this isfalse
then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults tofalse
. - Valid
Post []stringLogout Redirect Uris - A list of valid URIs a browser is permitted to redirect to after a successful logout.
- Valid
Redirect []string Uris - A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here, but keep patterns as narrow as possible: a bare * or a wildcard in the host part lets an attacker have authorization codes or tokens delivered to a URI they control (open redirect / token leakage). Prefer exact HTTPS, path-level URIs and only trailing wildcards (e.g. https://app.example.com/callback/*). This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true
. - Web
Origins []string - A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *. Permitting all origins means any web page can make browser-side requests to Keycloak's endpoints for this client, so it should be avoided outside local development.
- access
Type String - Specifies the type of client, which can be one of the following:
CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client type should be used for applications using the Authorization Code or Client Credentials grant flows.
PUBLIC - Used for browser-only or native applications that cannot keep a client secret, and instead rely only on the registered redirect URIs (and PKCE, when configured) for security. This client type has historically been used with the Implicit grant flow; current OAuth 2.0 security guidance prefers the Authorization Code grant with PKCE for public clients (see pkce_code_challenge_method), and valid_redirect_uris should be kept as narrow as possible.
BEARER-ONLY - Used for services that never initiate a login. This client will only accept bearer token requests.
- client
Id String - The Client ID for this client, referenced in the URI during authentication and in issued tokens.
- realm
Id String - The realm this client is attached to.
- access
Token StringLifespan - The amount of time in seconds before an access token expires. This will override the default for the realm.
- admin
Url String - URL to the admin interface of the client.
- authentication
Flow ClientBinding Overrides Authentication Flow Binding Overrides - Override realm authentication flow bindings
- Client
Authorization - When this block is present, fine-grained authorization will be enabled for this client. The client's
access_type
must beCONFIDENTIAL
, andservice_accounts_enabled
must betrue
. This block has the following arguments: - backchannel
Logout BooleanRevoke Offline Sessions - Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
- backchannel
Logout BooleanSession Required - When
true
, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults totrue
. - backchannel
Logout String Url - The URL that will cause the client to log itself out when a logout request is sent to this realm (Keycloak delivers a Logout Token to it as a back-channel request). If omitted, no logout request will be sent to the client in this case. Use an HTTPS endpoint so the logout token is not exposed in transit.
- base
Url String - Default URL to use when the auth server needs to redirect or link back to the client.
- client
Authenticator String Type - Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:
client-secret (Default) - Use the client id and client secret to authenticate the client.
client-jwt - Use a JWT signed with the client's own key pair to authenticate the client; no shared secret is transmitted. Set the signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>.
client-x509 - Use an X.509 client certificate to authenticate the client. Set the expected Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>.
client-secret-jwt - Use a JWT signed with the client secret (HMAC) to authenticate the client; the secret itself is never sent over the wire. Set the signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>.
- client
Offline String Session Idle Timeout - Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the realm-level Offline Session Idle value.
- client
Offline String Session Max Lifespan - Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the realm-level Offline Session Max value.
- client
Secret String - The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password: supply it from a secret store or Pulumi secret config rather than hard-coding it in source, and rotate it if it is ever exposed. If omitted, this will be generated by Keycloak. - client
Session String Idle Timeout - Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
- client
Session String Max Lifespan - Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
- consent
Required Boolean - When
true
, users have to consent to client access. Defaults tofalse
. - consent
Screen StringText - The text to display on the consent screen about permissions specific to this client. This is applicable only when
display_on_consent_screen
istrue
. - description String
- The description of this client in the GUI.
- direct
Access Boolean Grants Enabled - When true, the OAuth2 Resource Owner Password Credentials grant will be enabled for this client, allowing it to exchange a user's username and password directly for tokens. Because this hands user credentials to the client and bypasses the browser-based login flow, it is discouraged for new clients; leave it false unless a legacy integration requires it. Defaults to false. - display
On BooleanConsent Screen - When
true
, the consent screen will display information about the client itself. Defaults tofalse
. This is applicable only whenconsent_required
istrue
. - enabled Boolean
- When
false
, this client will not be able to initiate a login or obtain access tokens. Defaults totrue
. - exclude
Session BooleanState From Auth Response - When
true
, the parametersession_state
will not be included in OpenID Connect Authentication Response. - extra
Config Map<String,String> - frontchannel
Logout BooleanEnabled - When
true
, frontchannel logout will be enabled for this client. Specify the url withfrontchannel_logout_url
. Defaults tofalse
. - frontchannel
Logout StringUrl - The frontchannel logout url. This is applicable only when
frontchannel_logout_enabled
istrue
. - full
Scope Boolean Allowed - When true, all of the user's role mappings are included in the access token rather than only those permitted by the client's scope configuration. For least privilege, prefer false so tokens carry only the roles the client actually needs.
- implicit
Flow Boolean Enabled - When true, the OAuth2 Implicit Grant will be enabled for this client. The implicit grant returns tokens in the URL fragment, where they are exposed to browser history, referrers and injected scripts, and current OAuth 2.0 security guidance recommends against it; prefer standard_flow_enabled with PKCE. Defaults to false. - import_ Boolean
- When
true
, the client with the specifiedclient_id
is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such asaccount
andadmin-cli
. Note, that the client will not be removed during destruction ifimport
istrue
. - login
Theme String - The client login theme. This will override the default theme for the realm.
- name String
- The display name of this client in the GUI.
- Boolean
- Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
- oauth2Device
Code StringLifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- oauth2Device
Polling StringInterval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- pkce
Code String Challenge Method - The challenge method to use for Proof Key for Code Exchange (PKCE). Can be either plain or S256, or set to the empty value `` to leave PKCE unenforced. S256 is the recommended method; plain transmits the code verifier unhashed and should only be used when the client cannot compute SHA-256. Setting a method here makes Keycloak enforce PKCE on this client's authorization code requests, which protects public clients against authorization code interception. - root
Url String - When specified, this URL is prepended to any relative URLs found within
valid_redirect_uris
,web_origins
, andadmin_url
. NOTE: Due to limitations in the Keycloak API, when theroot_url
attribute is used, thevalid_redirect_uris
,web_origins
, andadmin_url
attributes will be required. - service
Accounts BooleanEnabled - When
true
, the OAuth2 Client Credentials grant will be enabled for this client. Defaults tofalse
. - standard
Flow BooleanEnabled - When
true
, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults tofalse
. - use
Refresh BooleanTokens - If this is
true
, a refresh_token will be created and added to the token response. If this isfalse
then no refresh_token will be generated. Defaults totrue
. - use
Refresh BooleanTokens Client Credentials - If this is
true
, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this isfalse
then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults tofalse
. - valid
Post List<String>Logout Redirect Uris - A list of valid URIs a browser is permitted to redirect to after a successful logout.
- valid
Redirect List<String> Uris - A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here, but keep patterns as narrow as possible: a bare * or a wildcard in the host part lets an attacker have authorization codes or tokens delivered to a URI they control (open redirect / token leakage). Prefer exact HTTPS, path-level URIs and only trailing wildcards (e.g. https://app.example.com/callback/*). This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true
. - web
Origins List<String> - A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *. Permitting all origins means any web page can make browser-side requests to Keycloak's endpoints for this client, so it should be avoided outside local development.
- access
Type string - Specifies the type of client, which can be one of the following:
CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client type should be used for applications using the Authorization Code or Client Credentials grant flows.
PUBLIC - Used for browser-only or native applications that cannot keep a client secret, and instead rely only on the registered redirect URIs (and PKCE, when configured) for security. This client type has historically been used with the Implicit grant flow; current OAuth 2.0 security guidance prefers the Authorization Code grant with PKCE for public clients (see pkce_code_challenge_method), and valid_redirect_uris should be kept as narrow as possible.
BEARER-ONLY - Used for services that never initiate a login. This client will only accept bearer token requests.
- client
Id string - The Client ID for this client, referenced in the URI during authentication and in issued tokens.
- realm
Id string - The realm this client is attached to.
- access
Token stringLifespan - The amount of time in seconds before an access token expires. This will override the default for the realm.
- admin
Url string - URL to the admin interface of the client.
- authentication
Flow ClientBinding Overrides Authentication Flow Binding Overrides - Override realm authentication flow bindings
- Client
Authorization - When this block is present, fine-grained authorization will be enabled for this client. The client's
access_type
must beCONFIDENTIAL
, andservice_accounts_enabled
must betrue
. This block has the following arguments: - backchannel
Logout booleanRevoke Offline Sessions - Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
- backchannel
Logout booleanSession Required - When
true
, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults totrue
. - backchannel
Logout string Url - The URL that will cause the client to log itself out when a logout request is sent to this realm (Keycloak delivers a Logout Token to it as a back-channel request). If omitted, no logout request will be sent to the client in this case. Use an HTTPS endpoint so the logout token is not exposed in transit.
- base
Url string - Default URL to use when the auth server needs to redirect or link back to the client.
- client
Authenticator string Type - Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:
client-secret (Default) - Use the client id and client secret to authenticate the client.
client-jwt - Use a JWT signed with the client's own key pair to authenticate the client; no shared secret is transmitted. Set the signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>.
client-x509 - Use an X.509 client certificate to authenticate the client. Set the expected Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>.
client-secret-jwt - Use a JWT signed with the client secret (HMAC) to authenticate the client; the secret itself is never sent over the wire. Set the signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>.
- client
Offline string Session Idle Timeout - Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the realm-level Offline Session Idle value.
- client
Offline string Session Max Lifespan - Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the realm-level Offline Session Max value.
- client
Secret string - The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password: supply it from a secret store or Pulumi secret config rather than hard-coding it in source, and rotate it if it is ever exposed. If omitted, this will be generated by Keycloak. - client
Session string Idle Timeout - Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
- client
Session string Max Lifespan - Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
- consent
Required boolean - When
true
, users have to consent to client access. Defaults tofalse
. - consent
Screen stringText - The text to display on the consent screen about permissions specific to this client. This is applicable only when
display_on_consent_screen
istrue
. - description string
- The description of this client in the GUI.
- direct
Access boolean Grants Enabled - When true, the OAuth2 Resource Owner Password Credentials grant will be enabled for this client, allowing it to exchange a user's username and password directly for tokens. Because this hands user credentials to the client and bypasses the browser-based login flow, it is discouraged for new clients; leave it false unless a legacy integration requires it. Defaults to false. - display
On booleanConsent Screen - When
true
, the consent screen will display information about the client itself. Defaults tofalse
. This is applicable only whenconsent_required
istrue
. - enabled boolean
- When
false
, this client will not be able to initiate a login or obtain access tokens. Defaults totrue
. - exclude
Session booleanState From Auth Response - When
true
, the parametersession_state
will not be included in OpenID Connect Authentication Response. - extra
Config {[key: string]: string} - frontchannel
Logout booleanEnabled - When
true
, frontchannel logout will be enabled for this client. Specify the url withfrontchannel_logout_url
. Defaults tofalse
. - frontchannel
Logout stringUrl - The frontchannel logout url. This is applicable only when
frontchannel_logout_enabled
istrue
. - full
Scope boolean Allowed - When true, all of the user's role mappings are included in the access token rather than only those permitted by the client's scope configuration. For least privilege, prefer false so tokens carry only the roles the client actually needs.
- implicit
Flow boolean Enabled - When true, the OAuth2 Implicit Grant will be enabled for this client. The implicit grant returns tokens in the URL fragment, where they are exposed to browser history, referrers and injected scripts, and current OAuth 2.0 security guidance recommends against it; prefer standard_flow_enabled with PKCE. Defaults to false. - import boolean
- When
true
, the client with the specifiedclient_id
is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such asaccount
andadmin-cli
. Note, that the client will not be removed during destruction ifimport
istrue
. - login
Theme string - The client login theme. This will override the default theme for the realm.
- name string
- The display name of this client in the GUI.
- boolean
- Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
- oauth2Device
Code stringLifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- oauth2Device
Polling stringInterval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- pkce
Code string Challenge Method - The challenge method to use for Proof Key for Code Exchange (PKCE). Can be either plain or S256, or set to the empty value `` to leave PKCE unenforced. S256 is the recommended method; plain transmits the code verifier unhashed and should only be used when the client cannot compute SHA-256. Setting a method here makes Keycloak enforce PKCE on this client's authorization code requests, which protects public clients against authorization code interception. - root
Url string - When specified, this URL is prepended to any relative URLs found within
valid_redirect_uris
,web_origins
, andadmin_url
. NOTE: Due to limitations in the Keycloak API, when theroot_url
attribute is used, thevalid_redirect_uris
,web_origins
, andadmin_url
attributes will be required. - service
Accounts booleanEnabled - When
true
, the OAuth2 Client Credentials grant will be enabled for this client. Defaults tofalse
. - standard
Flow booleanEnabled - When
true
, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults tofalse
. - use
Refresh booleanTokens - If this is
true
, a refresh_token will be created and added to the token response. If this isfalse
then no refresh_token will be generated. Defaults totrue
. - use
Refresh booleanTokens Client Credentials - If this is
true
, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this isfalse
then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults tofalse
. - valid
Post string[]Logout Redirect Uris - A list of valid URIs a browser is permitted to redirect to after a successful logout.
- valid
Redirect string[] Uris - A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here, but keep patterns as narrow as possible: a bare * or a wildcard in the host part lets an attacker have authorization codes or tokens delivered to a URI they control (open redirect / token leakage). Prefer exact HTTPS, path-level URIs and only trailing wildcards (e.g. https://app.example.com/callback/*). This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true
. - web
Origins string[] - A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *. Permitting all origins means any web page can make browser-side requests to Keycloak's endpoints for this client, so it should be avoided outside local development.
- access_
type str - Specifies the type of client, which can be one of the following:
CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client type should be used for applications using the Authorization Code or Client Credentials grant flows.
PUBLIC - Used for browser-only or native applications that cannot keep a client secret, and instead rely only on the registered redirect URIs (and PKCE, when configured) for security. This client type has historically been used with the Implicit grant flow; current OAuth 2.0 security guidance prefers the Authorization Code grant with PKCE for public clients (see pkce_code_challenge_method), and valid_redirect_uris should be kept as narrow as possible.
BEARER-ONLY - Used for services that never initiate a login. This client will only accept bearer token requests.
- client_
id str - The Client ID for this client, referenced in the URI during authentication and in issued tokens.
- realm_
id str - The realm this client is attached to.
- access_
token_ strlifespan - The amount of time in seconds before an access token expires. This will override the default for the realm.
- admin_
url str - URL to the admin interface of the client.
- authentication_
flow_ Clientbinding_ overrides Authentication Flow Binding Overrides Args - Override realm authentication flow bindings
- Client
Authorization Args - When this block is present, fine-grained authorization will be enabled for this client. The client's
access_type
must beCONFIDENTIAL
, andservice_accounts_enabled
must betrue
. This block has the following arguments: - backchannel_
logout_ boolrevoke_ offline_ sessions - Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
- backchannel_
logout_ boolsession_ required - When
true
, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults totrue
. - backchannel_
logout_ str url - The URL that will cause the client to log itself out when a logout request is sent to this realm (Keycloak delivers a Logout Token to it as a back-channel request). If omitted, no logout request will be sent to the client in this case. Use an HTTPS endpoint so the logout token is not exposed in transit.
- base_
url str - Default URL to use when the auth server needs to redirect or link back to the client.
- client_
authenticator_ str type - Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:
client-secret (Default) - Use the client id and client secret to authenticate the client.
client-jwt - Use a JWT signed with the client's own key pair to authenticate the client; no shared secret is transmitted. Set the signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>.
client-x509 - Use an X.509 client certificate to authenticate the client. Set the expected Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>.
client-secret-jwt - Use a JWT signed with the client secret (HMAC) to authenticate the client; the secret itself is never sent over the wire. Set the signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>.
- client_
offline_ str session_ idle_ timeout - Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the realm-level Offline Session Idle value.
- client_
offline_ str session_ max_ lifespan - Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the realm-level Offline Session Max value.
- client_
secret str - The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password: supply it from a secret store or Pulumi secret config rather than hard-coding it in source, and rotate it if it is ever exposed. If omitted, this will be generated by Keycloak. - client_
session_ str idle_ timeout - Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
- client_
session_ str max_ lifespan - Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
- consent_
required bool - When
true
, users have to consent to client access. Defaults tofalse
. - consent_
screen_ strtext - The text to display on the consent screen about permissions specific to this client. This is applicable only when
display_on_consent_screen
istrue
. - description str
- The description of this client in the GUI.
- direct_
access_ bool grants_ enabled - When true, the OAuth2 Resource Owner Password Credentials grant will be enabled for this client, allowing it to exchange a user's username and password directly for tokens. Because this hands user credentials to the client and bypasses the browser-based login flow, it is discouraged for new clients; leave it false unless a legacy integration requires it. Defaults to false. - display_
on_ boolconsent_ screen - When
true
, the consent screen will display information about the client itself. Defaults tofalse
. This is applicable only whenconsent_required
istrue
. - enabled bool
- When
false
, this client will not be able to initiate a login or obtain access tokens. Defaults totrue
. - exclude_
session_ boolstate_ from_ auth_ response - When
true
, the parametersession_state
will not be included in OpenID Connect Authentication Response. - extra_
config Mapping[str, str] - frontchannel_
logout_ boolenabled - When
true
, frontchannel logout will be enabled for this client. Specify the url withfrontchannel_logout_url
. Defaults tofalse
. - frontchannel_
logout_ strurl - The frontchannel logout url. This is applicable only when
frontchannel_logout_enabled
istrue
. - full_
scope_ bool allowed - When true, all of the user's role mappings are included in the access token rather than only those permitted by the client's scope configuration. For least privilege, prefer false so tokens carry only the roles the client actually needs.
- implicit_
flow_ bool enabled - When true, the OAuth2 Implicit Grant will be enabled for this client. The implicit grant returns tokens in the URL fragment, where they are exposed to browser history, referrers and injected scripts, and current OAuth 2.0 security guidance recommends against it; prefer standard_flow_enabled with PKCE. Defaults to false. - import_ bool
- When
true
, the client with the specifiedclient_id
is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such asaccount
andadmin-cli
. Note, that the client will not be removed during destruction ifimport
istrue
. - login_
theme str - The client login theme. This will override the default theme for the realm.
- name str
- The display name of this client in the GUI.
- bool
- Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
- oauth2_
device_ strcode_ lifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- oauth2_
device_ strpolling_ interval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- pkce_
code_ str challenge_ method - The challenge method to use for Proof Key for Code Exchange (PKCE). Can be either plain or S256, or set to the empty value `` to leave PKCE unenforced. S256 is the recommended method; plain transmits the code verifier unhashed and should only be used when the client cannot compute SHA-256. Setting a method here makes Keycloak enforce PKCE on this client's authorization code requests, which protects public clients against authorization code interception. - root_
url str - When specified, this URL is prepended to any relative URLs found within
valid_redirect_uris
,web_origins
, andadmin_url
. NOTE: Due to limitations in the Keycloak API, when theroot_url
attribute is used, thevalid_redirect_uris
,web_origins
, andadmin_url
attributes will be required. - service_
accounts_ boolenabled - When
true
, the OAuth2 Client Credentials grant will be enabled for this client. Defaults tofalse
. - standard_
flow_ boolenabled - When
true
, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults tofalse
. - use_
refresh_ booltokens - If this is
true
, a refresh_token will be created and added to the token response. If this isfalse
then no refresh_token will be generated. Defaults totrue
. - use_
refresh_ booltokens_ client_ credentials - If this is
true
, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this isfalse
then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults tofalse
. - valid_
post_ Sequence[str]logout_ redirect_ uris - A list of valid URIs a browser is permitted to redirect to after a successful logout.
- valid_
redirect_ Sequence[str] uris - A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here, but keep patterns as narrow as possible: a bare * or a wildcard in the host part lets an attacker have authorization codes or tokens delivered to a URI they control (open redirect / token leakage). Prefer exact HTTPS, path-level URIs and only trailing wildcards (e.g. https://app.example.com/callback/*). This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true
. - web_
origins Sequence[str] - A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *. Permitting all origins means any web page can make browser-side requests to Keycloak's endpoints for this client, so it should be avoided outside local development.
- access
Type String - Specifies the type of client, which can be one of the following:
CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client type should be used for applications using the Authorization Code or Client Credentials grant flows.
PUBLIC - Used for browser-only or native applications that cannot keep a client secret, and instead rely only on the registered redirect URIs (and PKCE, when configured) for security. This client type has historically been used with the Implicit grant flow; current OAuth 2.0 security guidance prefers the Authorization Code grant with PKCE for public clients (see pkce_code_challenge_method), and valid_redirect_uris should be kept as narrow as possible.
BEARER-ONLY - Used for services that never initiate a login. This client will only accept bearer token requests.
- client
Id String - The Client ID for this client, referenced in the URI during authentication and in issued tokens.
- realm
Id String - The realm this client is attached to.
- access
Token StringLifespan - The amount of time in seconds before an access token expires. This will override the default for the realm.
- admin
Url String - URL to the admin interface of the client.
- authentication
Flow Property MapBinding Overrides - Override realm authentication flow bindings
- Property Map
- When this block is present, fine-grained authorization will be enabled for this client. The client's
access_type
must beCONFIDENTIAL
, andservice_accounts_enabled
must betrue
. This block has the following arguments: - backchannel
Logout BooleanRevoke Offline Sessions - Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
- backchannel
Logout BooleanSession Required - When
true
, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults totrue
. - backchannel
Logout String Url - The URL that will cause the client to log itself out when a logout request is sent to this realm (Keycloak delivers a Logout Token to it as a back-channel request). If omitted, no logout request will be sent to the client in this case. Use an HTTPS endpoint so the logout token is not exposed in transit.
- base
Url String - Default URL to use when the auth server needs to redirect or link back to the client.
- client
Authenticator String Type - Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:
client-secret (Default) - Use the client id and client secret to authenticate the client.
client-jwt - Use a JWT signed with the client's own key pair to authenticate the client; no shared secret is transmitted. Set the signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>.
client-x509 - Use an X.509 client certificate to authenticate the client. Set the expected Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>.
client-secret-jwt - Use a JWT signed with the client secret (HMAC) to authenticate the client; the secret itself is never sent over the wire. Set the signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>.
- client
Offline String Session Idle Timeout - Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the realm-level Offline Session Idle value.
- client
Offline String Session Max Lifespan - Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the realm-level Offline Session Max value.
- client
Secret String - The secret for clients with an
access_type
ofCONFIDENTIAL
orBEARER-ONLY
. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. - client
Session StringIdle Timeout - Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
- client
Session StringMax Lifespan - Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
- consent
Required Boolean - When
true
, users have to consent to client access. Defaults tofalse
. - consent
Screen StringText - The text to display on the consent screen about permissions specific to this client. This is applicable only when
display_on_consent_screen
istrue
. - description String
- The description of this client in the GUI.
- direct
Access BooleanGrants Enabled - When
true
, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults tofalse
. - display
On BooleanConsent Screen - When
true
, the consent screen will display information about the client itself. Defaults tofalse
. This is applicable only whenconsent_required
istrue
. - enabled Boolean
- When
false
, this client will not be able to initiate a login or obtain access tokens. Defaults totrue
. - exclude
Session BooleanState From Auth Response - When
true
, the parametersession_state
will not be included in the OpenID Connect Authentication Response. - extra
Config Map<String> - frontchannel
Logout BooleanEnabled - When
true
, frontchannel logout will be enabled for this client. Specify the url withfrontchannel_logout_url
. Defaults tofalse
. - frontchannel
Logout StringUrl - The frontchannel logout url. This is applicable only when
frontchannel_logout_enabled
istrue
. - full
Scope BooleanAllowed - Allows all role mappings to be included in the access token.
- implicit
Flow BooleanEnabled - When
true
, the OAuth2 Implicit Grant will be enabled for this client. Defaults tofalse
. - import Boolean
- When
true
, the client with the specifiedclient_id
is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note that the client will not be removed during destruction if `import` is `true`.
- login
Theme String - The client login theme. This will override the default theme for the realm.
- name String
- The display name of this client in the GUI.
- oauth2DeviceAuthorizationGrantEnabled Boolean
- Enables support for the OAuth 2.0 Device Authorization Grant, which means the client is an application on a device that has limited input capabilities or lacks a suitable browser.
- oauth2Device
Code StringLifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- oauth2Device
Polling StringInterval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- pkce
Code StringChallenge Method - The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256`, or set to an empty value (``). - root
Url String - When specified, this URL is prepended to any relative URLs found within
valid_redirect_uris
,web_origins
, andadmin_url
. NOTE: Due to limitations in the Keycloak API, when theroot_url
attribute is used, thevalid_redirect_uris
,web_origins
, andadmin_url
attributes will be required. - service
Accounts BooleanEnabled - When
true
, the OAuth2 Client Credentials grant will be enabled for this client. Defaults tofalse
. - standard
Flow BooleanEnabled - When
true
, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults tofalse
. - use
Refresh BooleanTokens - If this is
true
, a refresh_token will be created and added to the token response. If this isfalse
then no refresh_token will be generated. Defaults totrue
. - use
Refresh BooleanTokens Client Credentials - If this is
true
, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this isfalse
then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults tofalse
. - valid
Post List<String>Logout Redirect Uris - A list of valid URIs a browser is permitted to redirect to after a successful logout.
- valid
Redirect List<String>Uris - A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple
wildcards in the form of an asterisk can be used here. This attribute must be set if either
standard_flow_enabled
orimplicit_flow_enabled
is set totrue
. - web
Origins List<String> - A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`.
Outputs
All input properties are implicitly available as output properties. Additionally, the Client resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Resource
Server stringId - (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the
.id
attribute). - Service
Account stringUser Id - (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
- Id string
- The provider-assigned unique ID for this managed resource.
- Resource
Server stringId - (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the
.id
attribute). - Service
Account stringUser Id - (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
- id String
- The provider-assigned unique ID for this managed resource.
- resource
Server StringId - (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the
.id
attribute). - service
Account StringUser Id - (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
- id string
- The provider-assigned unique ID for this managed resource.
- resource
Server stringId - (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the
.id
attribute). - service
Account stringUser Id - (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
- id str
- The provider-assigned unique ID for this managed resource.
- resource_
server_ strid - (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the
.id
attribute). - service_
account_ struser_ id - (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
- id String
- The provider-assigned unique ID for this managed resource.
- resource
Server StringId - (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the
.id
attribute). - service
Account StringUser Id - (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
Look up Existing Client Resource
Get an existing Client resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ClientState, opts?: CustomResourceOptions): Client
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
access_token_lifespan: Optional[str] = None,
access_type: Optional[str] = None,
admin_url: Optional[str] = None,
authentication_flow_binding_overrides: Optional[ClientAuthenticationFlowBindingOverridesArgs] = None,
authorization: Optional[ClientAuthorizationArgs] = None,
backchannel_logout_revoke_offline_sessions: Optional[bool] = None,
backchannel_logout_session_required: Optional[bool] = None,
backchannel_logout_url: Optional[str] = None,
base_url: Optional[str] = None,
client_authenticator_type: Optional[str] = None,
client_id: Optional[str] = None,
client_offline_session_idle_timeout: Optional[str] = None,
client_offline_session_max_lifespan: Optional[str] = None,
client_secret: Optional[str] = None,
client_session_idle_timeout: Optional[str] = None,
client_session_max_lifespan: Optional[str] = None,
consent_required: Optional[bool] = None,
consent_screen_text: Optional[str] = None,
description: Optional[str] = None,
direct_access_grants_enabled: Optional[bool] = None,
display_on_consent_screen: Optional[bool] = None,
enabled: Optional[bool] = None,
exclude_session_state_from_auth_response: Optional[bool] = None,
extra_config: Optional[Mapping[str, str]] = None,
frontchannel_logout_enabled: Optional[bool] = None,
frontchannel_logout_url: Optional[str] = None,
full_scope_allowed: Optional[bool] = None,
implicit_flow_enabled: Optional[bool] = None,
import_: Optional[bool] = None,
login_theme: Optional[str] = None,
name: Optional[str] = None,
oauth2_device_authorization_grant_enabled: Optional[bool] = None,
oauth2_device_code_lifespan: Optional[str] = None,
oauth2_device_polling_interval: Optional[str] = None,
pkce_code_challenge_method: Optional[str] = None,
realm_id: Optional[str] = None,
resource_server_id: Optional[str] = None,
root_url: Optional[str] = None,
service_account_user_id: Optional[str] = None,
service_accounts_enabled: Optional[bool] = None,
standard_flow_enabled: Optional[bool] = None,
use_refresh_tokens: Optional[bool] = None,
use_refresh_tokens_client_credentials: Optional[bool] = None,
valid_post_logout_redirect_uris: Optional[Sequence[str]] = None,
valid_redirect_uris: Optional[Sequence[str]] = None,
web_origins: Optional[Sequence[str]] = None) -> Client
func GetClient(ctx *Context, name string, id IDInput, state *ClientState, opts ...ResourceOption) (*Client, error)
public static Client Get(string name, Input<string> id, ClientState? state, CustomResourceOptions? opts = null)
public static Client get(String name, Output<String> id, ClientState state, CustomResourceOptions options)
resources: _: type: keycloak:openid:Client get: id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Access
Token stringLifespan - The amount of time in seconds before an access token expires. This will override the default for the realm.
- Access
Type string - Specifies the type of client, which can be one of the following:
CONFIDENTIAL
- Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.PUBLIC
- Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.BEARER-ONLY
- Used for services that never initiate a login. This client will only allow bearer token requests.
- Admin
Url string - URL to the admin interface of the client.
- Authentication
Flow ClientBinding Overrides Authentication Flow Binding Overrides - Override realm authentication flow bindings
- Client
Authorization - When this block is present, fine-grained authorization will be enabled for this client. The client's
access_type
must beCONFIDENTIAL
, andservice_accounts_enabled
must betrue
. This block has the following arguments: - Backchannel
Logout boolRevoke Offline Sessions - Specifies whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
- Backchannel
Logout boolSession Required - When
true
, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults totrue
. - Backchannel
Logout stringUrl - The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case.
- Base
Url string - Default URL to use when the auth server needs to redirect or link back to the client.
- Client
Authenticator stringType - Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types:
- `client-secret` (Default) Use client id and client secret to authenticate client.
- `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`.
- `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>`.
- `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`.
- Client
Id string - The Client ID for this client, referenced in the URI during authentication and in issued tokens.
- Client
Offline stringSession Idle Timeout - Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
- Client
Offline stringSession Max Lifespan - Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
- Client
Secret string - The secret for clients with an
access_type
ofCONFIDENTIAL
orBEARER-ONLY
. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. - Client
Session stringIdle Timeout - Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
- Client
Session stringMax Lifespan - Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
- Consent
Required bool - When
true
, users have to consent to client access. Defaults tofalse
. - Consent
Screen stringText - The text to display on the consent screen about permissions specific to this client. This is applicable only when
display_on_consent_screen
istrue
. - Description string
- The description of this client in the GUI.
- Direct
Access boolGrants Enabled - When
true
, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults tofalse
. - Display
On boolConsent Screen - When
true
, the consent screen will display information about the client itself. Defaults tofalse
. This is applicable only whenconsent_required
istrue
. - Enabled bool
- When
false
, this client will not be able to initiate a login or obtain access tokens. Defaults totrue
. - Exclude
Session boolState From Auth Response - When
true
, the parametersession_state
will not be included in the OpenID Connect Authentication Response. - Extra
Config Dictionary<string, string> - Frontchannel
Logout boolEnabled - When
true
, frontchannel logout will be enabled for this client. Specify the url withfrontchannel_logout_url
. Defaults tofalse
. - Frontchannel
Logout stringUrl - The frontchannel logout url. This is applicable only when
frontchannel_logout_enabled
istrue
. - Full
Scope boolAllowed - Allows all role mappings to be included in the access token.
- Implicit
Flow boolEnabled - When
true
, the OAuth2 Implicit Grant will be enabled for this client. Defaults tofalse
. - Import bool
- When
true
, the client with the specifiedclient_id
is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note that the client will not be removed during destruction if `import` is `true`.
- Login
Theme string - The client login theme. This will override the default theme for the realm.
- Name string
- The display name of this client in the GUI.
- Oauth2DeviceAuthorizationGrantEnabled bool
- Enables support for the OAuth 2.0 Device Authorization Grant, which means the client is an application on a device that has limited input capabilities or lacks a suitable browser.
- Oauth2Device
Code stringLifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- Oauth2Device
Polling stringInterval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- Pkce
Code stringChallenge Method - The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256`, or set to an empty value (``). - Realm
Id string - The realm this client is attached to.
- Resource
Server stringId - (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the
.id
attribute). - Root
Url string - When specified, this URL is prepended to any relative URLs found within
valid_redirect_uris
,web_origins
, andadmin_url
. NOTE: Due to limitations in the Keycloak API, when theroot_url
attribute is used, thevalid_redirect_uris
,web_origins
, andadmin_url
attributes will be required. - Service
Account stringUser Id - (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
- Service
Accounts boolEnabled - When
true
, the OAuth2 Client Credentials grant will be enabled for this client. Defaults tofalse
. - Standard
Flow boolEnabled - When
true
, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults tofalse
. - Use
Refresh boolTokens - If this is
true
, a refresh_token will be created and added to the token response. If this isfalse
then no refresh_token will be generated. Defaults totrue
. - Use
Refresh boolTokens Client Credentials - If this is
true
, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this isfalse
then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults tofalse
. - Valid
Post List<string>Logout Redirect Uris - A list of valid URIs a browser is permitted to redirect to after a successful logout.
- Valid
Redirect List<string>Uris - A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple
wildcards in the form of an asterisk can be used here. This attribute must be set if either
standard_flow_enabled
orimplicit_flow_enabled
is set totrue
. - Web
Origins List<string> - A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`.
- Access
Token stringLifespan - The amount of time in seconds before an access token expires. This will override the default for the realm.
- Access
Type string - Specifies the type of client, which can be one of the following:
CONFIDENTIAL
- Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.PUBLIC
- Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.BEARER-ONLY
- Used for services that never initiate a login. This client will only allow bearer token requests.
- Admin
Url string - URL to the admin interface of the client.
- Authentication
Flow ClientBinding Overrides Authentication Flow Binding Overrides Args - Override realm authentication flow bindings
- Client
Authorization Args - When this block is present, fine-grained authorization will be enabled for this client. The client's
access_type
must beCONFIDENTIAL
, andservice_accounts_enabled
must betrue
. This block has the following arguments: - Backchannel
Logout boolRevoke Offline Sessions - Specifies whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
- Backchannel
Logout boolSession Required - When
true
, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults totrue
. - Backchannel
Logout stringUrl - The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case.
- Base
Url string - Default URL to use when the auth server needs to redirect or link back to the client.
- Client
Authenticator stringType - Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types:
- `client-secret` (Default) Use client id and client secret to authenticate client.
- `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`.
- `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>`.
- `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`.
- Client
Id string - The Client ID for this client, referenced in the URI during authentication and in issued tokens.
- Client
Offline stringSession Idle Timeout - Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
- Client
Offline stringSession Max Lifespan - Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
- Client
Secret string - The secret for clients with an
access_type
ofCONFIDENTIAL
orBEARER-ONLY
. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. - Client
Session stringIdle Timeout - Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
- Client
Session stringMax Lifespan - Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
- Consent
Required bool - When
true
, users have to consent to client access. Defaults tofalse
. - Consent
Screen stringText - The text to display on the consent screen about permissions specific to this client. This is applicable only when
display_on_consent_screen
istrue
. - Description string
- The description of this client in the GUI.
- Direct
Access boolGrants Enabled - When
true
, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults tofalse
. - Display
On boolConsent Screen - When
true
, the consent screen will display information about the client itself. Defaults tofalse
. This is applicable only whenconsent_required
istrue
. - Enabled bool
- When
false
, this client will not be able to initiate a login or obtain access tokens. Defaults totrue
. - Exclude
Session boolState From Auth Response - When
true
, the parametersession_state
will not be included in the OpenID Connect Authentication Response. - Extra
Config map[string]string - Frontchannel
Logout boolEnabled - When
true
, frontchannel logout will be enabled for this client. Specify the url withfrontchannel_logout_url
. Defaults tofalse
. - Frontchannel
Logout stringUrl - The frontchannel logout url. This is applicable only when
frontchannel_logout_enabled
istrue
. - Full
Scope boolAllowed - Allows all role mappings to be included in the access token.
- Implicit
Flow boolEnabled - When
true
, the OAuth2 Implicit Grant will be enabled for this client. Defaults tofalse
. - Import bool
- When
true
, the client with the specifiedclient_id
is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note that the client will not be removed during destruction if `import` is `true`.
- Login
Theme string - The client login theme. This will override the default theme for the realm.
- Name string
- The display name of this client in the GUI.
- Oauth2DeviceAuthorizationGrantEnabled bool
- Enables support for the OAuth 2.0 Device Authorization Grant, which means the client is an application on a device that has limited input capabilities or lacks a suitable browser.
- Oauth2Device
Code stringLifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- Oauth2Device
Polling stringInterval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- Pkce
Code stringChallenge Method - The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256`, or set to an empty value (``). - Realm
Id string - The realm this client is attached to.
- Resource
Server stringId - (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the
.id
attribute). - Root
Url string - When specified, this URL is prepended to any relative URLs found within
valid_redirect_uris
,web_origins
, andadmin_url
. NOTE: Due to limitations in the Keycloak API, when theroot_url
attribute is used, thevalid_redirect_uris
,web_origins
, andadmin_url
attributes will be required. - Service
Account stringUser Id - (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
- Service
Accounts boolEnabled - When
true
, the OAuth2 Client Credentials grant will be enabled for this client. Defaults tofalse
. - Standard
Flow boolEnabled - When
true
, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults tofalse
. - Use
Refresh boolTokens - If this is
true
, a refresh_token will be created and added to the token response. If this isfalse
then no refresh_token will be generated. Defaults totrue
. - Use
Refresh boolTokens Client Credentials - If this is
true
, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this isfalse
then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults tofalse
. - Valid
Post []stringLogout Redirect Uris - A list of valid URIs a browser is permitted to redirect to after a successful logout.
- Valid
Redirect []stringUris - A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple
wildcards in the form of an asterisk can be used here. This attribute must be set if either
standard_flow_enabled
orimplicit_flow_enabled
is set totrue
. - Web
Origins []string - A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`.
- access
Token StringLifespan - The amount of time in seconds before an access token expires. This will override the default for the realm.
- access
Type String - Specifies the type of client, which can be one of the following:
CONFIDENTIAL
- Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.PUBLIC
- Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.BEARER-ONLY
- Used for services that never initiate a login. This client will only allow bearer token requests.
- admin
Url String - URL to the admin interface of the client.
- authentication
Flow ClientBinding Overrides Authentication Flow Binding Overrides - Override realm authentication flow bindings
- Client
Authorization - When this block is present, fine-grained authorization will be enabled for this client. The client's
access_type
must beCONFIDENTIAL
, andservice_accounts_enabled
must betrue
. This block has the following arguments: - backchannel
Logout BooleanRevoke Offline Sessions - Specifies whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
- backchannel
Logout BooleanSession Required - When
true
, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults totrue
. - backchannel
Logout StringUrl - The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case.
- base
Url String - Default URL to use when the auth server needs to redirect or link back to the client.
- client
Authenticator StringType - Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types:
- `client-secret` (Default) Use client id and client secret to authenticate client.
- `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`.
- `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>`.
- `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`.
- client
Id String - The Client ID for this client, referenced in the URI during authentication and in issued tokens.
- client
Offline StringSession Idle Timeout - Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
- client
Offline StringSession Max Lifespan - Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
- client
Secret String - The secret for clients with an
access_type
ofCONFIDENTIAL
orBEARER-ONLY
. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. - client
Session StringIdle Timeout - Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
- client
Session StringMax Lifespan - Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
- consent
Required Boolean - When
true
, users have to consent to client access. Defaults tofalse
. - consent
Screen StringText - The text to display on the consent screen about permissions specific to this client. This is applicable only when
display_on_consent_screen
istrue
. - description String
- The description of this client in the GUI.
- direct
Access BooleanGrants Enabled - When
true
, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults tofalse
. - display
On BooleanConsent Screen - When
true
, the consent screen will display information about the client itself. Defaults tofalse
. This is applicable only whenconsent_required
istrue
. - enabled Boolean
- When
false
, this client will not be able to initiate a login or obtain access tokens. Defaults totrue
. - exclude
Session BooleanState From Auth Response - When
true
, the parametersession_state
will not be included in OpenID Connect Authentication Response. - extra
Config Map<String,String> - frontchannel
Logout BooleanEnabled - When
true
, frontchannel logout will be enabled for this client. Specify the url withfrontchannel_logout_url
. Defaults tofalse
. - frontchannel
Logout StringUrl - The frontchannel logout url. This is applicable only when
frontchannel_logout_enabled
istrue
. - full
Scope BooleanAllowed - Allows all role mappings to be included in the access token.
- implicit
Flow BooleanEnabled - When
true
, the OAuth2 Implicit Grant will be enabled for this client. Defaults tofalse
. - import_ Boolean
- When
true
, the client with the specifiedclient_id
is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such asaccount
andadmin-cli
. Note that the client will not be removed during destruction if import
istrue
. - login
Theme String - The client login theme. This will override the default theme for the realm.
- name String
- The display name of this client in the GUI.
- Boolean
- Enables support for the OAuth 2.0 Device Authorization Grant, which means that the client is an application on a device that has limited input capabilities or lacks a suitable browser.
- oauth2Device
Code StringLifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- oauth2Device
Polling StringInterval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- pkce
Code StringChallenge Method - The challenge method to use for Proof Key for Code Exchange. Can be either
plain
orS256
or set to empty value ``. - realm
Id String - The realm this client is attached to.
- resource
Server StringId - (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the
.id
attribute). - root
Url String - When specified, this URL is prepended to any relative URLs found within
valid_redirect_uris
,web_origins
, andadmin_url
. NOTE: Due to limitations in the Keycloak API, when theroot_url
attribute is used, thevalid_redirect_uris
,web_origins
, andadmin_url
attributes will be required. - service
Account StringUser Id - (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
- service
Accounts BooleanEnabled - When
true
, the OAuth2 Client Credentials grant will be enabled for this client. Defaults tofalse
. - standard
Flow BooleanEnabled - When
true
, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults tofalse
. - use
Refresh BooleanTokens - If this is
true
, a refresh_token will be created and added to the token response. If this isfalse
then no refresh_token will be generated. Defaults totrue
. - use
Refresh BooleanTokens Client Credentials - If this is
true
, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this isfalse
then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults tofalse
. - valid
Post List<String>Logout Redirect Uris - A list of valid URIs a browser is permitted to redirect to after a successful logout.
- valid
Redirect List<String>Uris - A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple
wildcards in the form of an asterisk can be used here. Because a wildcard widens the set of redirect targets the authorization server will accept, keep any wildcard pattern as narrow as possible. This attribute must be set if either
standard_flow_enabled
orimplicit_flow_enabled
is set totrue
. - web
Origins List<String> - A list of allowed CORS origins. To permit all valid redirect URIs, add
+
. Note that this will not include the*
wildcard. To permit all origins, explicitly add*
.
- access
Token stringLifespan - The amount of time in seconds before an access token expires. This will override the default for the realm.
- access
Type string - Specifies the type of client, which can be one of the following:
CONFIDENTIAL
- Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.PUBLIC
- Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow. For such clients, the Authorization Code grant combined with PKCE (see pkce_code_challenge_method) is the generally preferred alternative to the Implicit grant.BEARER-ONLY
- Used for services that never initiate a login. This client will only allow bearer token requests.
- admin
Url string - URL to the admin interface of the client.
- authentication
Flow ClientBinding Overrides Authentication Flow Binding Overrides - Override realm authentication flow bindings
- Client
Authorization - When this block is present, fine-grained authorization will be enabled for this client. The client's
access_type
must beCONFIDENTIAL
, andservice_accounts_enabled
must betrue
. This block has the following arguments: - backchannel
Logout booleanRevoke Offline Sessions - Specifies whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
- backchannel
Logout booleanSession Required - When
true
, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults totrue
. - backchannel
Logout stringUrl - The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case.
- base
Url string - Default URL to use when the auth server needs to redirect or link back to the client.
- client
Authenticator stringType - Defaults to
client-secret
. The authenticator type for clients with anaccess_type
ofCONFIDENTIAL
orBEARER-ONLY
. A default Keycloak installation will have the following available types:client-secret
(Default) Use client id and client secret to authenticate client.client-jwt
Use signed JWT to authenticate client. Set signing algorithm inextra_config
withattributes.token.endpoint.auth.signing.alg = <alg>
client-x509
Use x509 certificate to authenticate client. Set Subject DN inextra_config
withattributes.x509.subjectdn = <subjectDn>
client-secret-jwt
Use signed JWT with client secret to authenticate client. Set signing algorithm inextra_config
withattributes.token.endpoint.auth.signing.alg = <alg>
- client
Id string - The Client ID for this client, referenced in the URI during authentication and in issued tokens.
- client
Offline stringSession Idle Timeout - Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
- client
Offline stringSession Max Lifespan - Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
- client
Secret string - The secret for clients with an
access_type
ofCONFIDENTIAL
orBEARER-ONLY
. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. - client
Session stringIdle Timeout - Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
- client
Session stringMax Lifespan - Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
- consent
Required boolean - When
true
, users have to consent to client access. Defaults tofalse
. - consent
Screen stringText - The text to display on the consent screen about permissions specific to this client. This is applicable only when
display_on_consent_screen
istrue
. - description string
- The description of this client in the GUI.
- direct
Access booleanGrants Enabled - When
true
, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults tofalse
. - display
On booleanConsent Screen - When
true
, the consent screen will display information about the client itself. Defaults tofalse
. This is applicable only whenconsent_required
istrue
. - enabled boolean
- When
false
, this client will not be able to initiate a login or obtain access tokens. Defaults totrue
. - exclude
Session booleanState From Auth Response - When
true
, the parametersession_state
will not be included in OpenID Connect Authentication Response. - extra
Config {[key: string]: string} - frontchannel
Logout booleanEnabled - When
true
, frontchannel logout will be enabled for this client. Specify the url withfrontchannel_logout_url
. Defaults tofalse
. - frontchannel
Logout stringUrl - The frontchannel logout url. This is applicable only when
frontchannel_logout_enabled
istrue
. - full
Scope booleanAllowed - Allows all role mappings to be included in the access token.
- implicit
Flow booleanEnabled - When
true
, the OAuth2 Implicit Grant will be enabled for this client. Defaults tofalse
. - import boolean
- When
true
, the client with the specifiedclient_id
is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such asaccount
andadmin-cli
. Note that the client will not be removed during destruction if import
istrue
. - login
Theme string - The client login theme. This will override the default theme for the realm.
- name string
- The display name of this client in the GUI.
- boolean
- Enables support for the OAuth 2.0 Device Authorization Grant, which means that the client is an application on a device that has limited input capabilities or lacks a suitable browser.
- oauth2Device
Code stringLifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- oauth2Device
Polling stringInterval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- pkce
Code stringChallenge Method - The challenge method to use for Proof Key for Code Exchange. Can be either
plain
orS256
or set to empty value ``. - realm
Id string - The realm this client is attached to.
- resource
Server stringId - (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the
.id
attribute). - root
Url string - When specified, this URL is prepended to any relative URLs found within
valid_redirect_uris
,web_origins
, andadmin_url
. NOTE: Due to limitations in the Keycloak API, when theroot_url
attribute is used, thevalid_redirect_uris
,web_origins
, andadmin_url
attributes will be required. - service
Account stringUser Id - (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
- service
Accounts booleanEnabled - When
true
, the OAuth2 Client Credentials grant will be enabled for this client. Defaults tofalse
. - standard
Flow booleanEnabled - When
true
, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults tofalse
. - use
Refresh booleanTokens - If this is
true
, a refresh_token will be created and added to the token response. If this isfalse
then no refresh_token will be generated. Defaults totrue
. - use
Refresh booleanTokens Client Credentials - If this is
true
, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this isfalse
then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults tofalse
. - valid
Post string[]Logout Redirect Uris - A list of valid URIs a browser is permitted to redirect to after a successful logout.
- valid
Redirect string[]Uris - A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple
wildcards in the form of an asterisk can be used here. Because a wildcard widens the set of redirect targets the authorization server will accept, keep any wildcard pattern as narrow as possible. This attribute must be set if either
standard_flow_enabled
orimplicit_flow_enabled
is set totrue
. - web
Origins string[] - A list of allowed CORS origins. To permit all valid redirect URIs, add
+
. Note that this will not include the*
wildcard. To permit all origins, explicitly add*
.
- access_
token_ strlifespan - The amount of time in seconds before an access token expires. This will override the default for the realm.
- access_
type str - Specifies the type of client, which can be one of the following:
CONFIDENTIAL
- Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.PUBLIC
- Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow. For such clients, the Authorization Code grant combined with PKCE (see pkce_code_challenge_method) is the generally preferred alternative to the Implicit grant.BEARER-ONLY
- Used for services that never initiate a login. This client will only allow bearer token requests.
- admin_
url str - URL to the admin interface of the client.
- authentication_
flow_ Clientbinding_ overrides Authentication Flow Binding Overrides Args - Override realm authentication flow bindings
- Client
Authorization Args - When this block is present, fine-grained authorization will be enabled for this client. The client's
access_type
must beCONFIDENTIAL
, andservice_accounts_enabled
must betrue
. This block has the following arguments: - backchannel_
logout_ boolrevoke_ offline_ sessions - Specifies whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
- backchannel_
logout_ boolsession_ required - When
true
, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults totrue
. - backchannel_
logout_ strurl - The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case.
- base_
url str - Default URL to use when the auth server needs to redirect or link back to the client.
- client_
authenticator_ strtype - Defaults to
client-secret
. The authenticator type for clients with anaccess_type
ofCONFIDENTIAL
orBEARER-ONLY
. A default Keycloak installation will have the following available types:client-secret
(Default) Use client id and client secret to authenticate client.client-jwt
Use signed JWT to authenticate client. Set signing algorithm inextra_config
withattributes.token.endpoint.auth.signing.alg = <alg>
client-x509
Use x509 certificate to authenticate client. Set Subject DN inextra_config
withattributes.x509.subjectdn = <subjectDn>
client-secret-jwt
Use signed JWT with client secret to authenticate client. Set signing algorithm inextra_config
withattributes.token.endpoint.auth.signing.alg = <alg>
- client_
id str - The Client ID for this client, referenced in the URI during authentication and in issued tokens.
- client_
offline_ strsession_ idle_ timeout - Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
- client_
offline_ strsession_ max_ lifespan - Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
- client_
secret str - The secret for clients with an
access_type
ofCONFIDENTIAL
orBEARER-ONLY
. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. - client_
session_ stridle_ timeout - Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
- client_
session_ strmax_ lifespan - Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
- consent_
required bool - When
true
, users have to consent to client access. Defaults tofalse
. - consent_
screen_ strtext - The text to display on the consent screen about permissions specific to this client. This is applicable only when
display_on_consent_screen
istrue
. - description str
- The description of this client in the GUI.
- direct_
access_ boolgrants_ enabled - When
true
, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults tofalse
. - display_
on_ boolconsent_ screen - When
true
, the consent screen will display information about the client itself. Defaults tofalse
. This is applicable only whenconsent_required
istrue
. - enabled bool
- When
false
, this client will not be able to initiate a login or obtain access tokens. Defaults totrue
. - exclude_
session_ boolstate_ from_ auth_ response - When
true
, the parametersession_state
will not be included in OpenID Connect Authentication Response. - extra_
config Mapping[str, str] - frontchannel_
logout_ boolenabled - When
true
, frontchannel logout will be enabled for this client. Specify the url withfrontchannel_logout_url
. Defaults tofalse
. - frontchannel_
logout_ strurl - The frontchannel logout url. This is applicable only when
frontchannel_logout_enabled
istrue
. - full_
scope_ boolallowed - Allows all role mappings to be included in the access token.
- implicit_
flow_ boolenabled - When
true
, the OAuth2 Implicit Grant will be enabled for this client. Defaults tofalse
. - import_ bool
- When
true
, the client with the specifiedclient_id
is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such asaccount
andadmin-cli
. Note that the client will not be removed during destruction if import
istrue
. - login_
theme str - The client login theme. This will override the default theme for the realm.
- name str
- The display name of this client in the GUI.
- bool
- Enables support for the OAuth 2.0 Device Authorization Grant, which means that the client is an application on a device that has limited input capabilities or lacks a suitable browser.
- oauth2_
device_ strcode_ lifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- oauth2_
device_ strpolling_ interval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- pkce_
code_ strchallenge_ method - The challenge method to use for Proof Key for Code Exchange. Can be either
plain
orS256
or set to empty value ``. - realm_
id str - The realm this client is attached to.
- resource_
server_ strid - (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the
.id
attribute). - root_
url str - When specified, this URL is prepended to any relative URLs found within
valid_redirect_uris
,web_origins
, andadmin_url
. NOTE: Due to limitations in the Keycloak API, when theroot_url
attribute is used, thevalid_redirect_uris
,web_origins
, andadmin_url
attributes will be required. - service_
account_ struser_ id - (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
- service_
accounts_ boolenabled - When
true
, the OAuth2 Client Credentials grant will be enabled for this client. Defaults tofalse
. - standard_
flow_ boolenabled - When
true
, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults tofalse
. - use_
refresh_ booltokens - If this is
true
, a refresh_token will be created and added to the token response. If this isfalse
then no refresh_token will be generated. Defaults totrue
. - use_
refresh_ booltokens_ client_ credentials - If this is
true
, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this isfalse
then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults tofalse
. - valid_
post_ Sequence[str]logout_ redirect_ uris - A list of valid URIs a browser is permitted to redirect to after a successful logout.
- valid_
redirect_ Sequence[str]uris - A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple
wildcards in the form of an asterisk can be used here. Because a wildcard widens the set of redirect targets the authorization server will accept, keep any wildcard pattern as narrow as possible. This attribute must be set if either
standard_flow_enabled
orimplicit_flow_enabled
is set totrue
. - web_
origins Sequence[str] - A list of allowed CORS origins. To permit all valid redirect URIs, add
+
. Note that this will not include the*
wildcard. To permit all origins, explicitly add*
.
- access
Token StringLifespan - The amount of time in seconds before an access token expires. This will override the default for the realm.
- access
Type String - Specifies the type of client, which can be one of the following:
CONFIDENTIAL
- Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.PUBLIC
- Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow. For such clients, the Authorization Code grant combined with PKCE (see pkce_code_challenge_method) is the generally preferred alternative to the Implicit grant.BEARER-ONLY
- Used for services that never initiate a login. This client will only allow bearer token requests.
- admin
Url String - URL to the admin interface of the client.
- authentication
Flow Property MapBinding Overrides - Override realm authentication flow bindings
- Property Map
- When this block is present, fine-grained authorization will be enabled for this client. The client's
access_type
must beCONFIDENTIAL
, andservice_accounts_enabled
must betrue
. This block has the following arguments: - backchannel
Logout BooleanRevoke Offline Sessions - Specifies whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
- backchannel
Logout BooleanSession Required - When
true
, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults totrue
. - backchannel
Logout StringUrl - The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case.
- base
Url String - Default URL to use when the auth server needs to redirect or link back to the client.
- client
Authenticator StringType - Defaults to
client-secret
. The authenticator type for clients with anaccess_type
ofCONFIDENTIAL
orBEARER-ONLY
. A default Keycloak installation will have the following available types:client-secret
(Default) Use client id and client secret to authenticate client.client-jwt
Use signed JWT to authenticate client. Set signing algorithm inextra_config
withattributes.token.endpoint.auth.signing.alg = <alg>
client-x509
Use x509 certificate to authenticate client. Set Subject DN inextra_config
withattributes.x509.subjectdn = <subjectDn>
client-secret-jwt
Use signed JWT with client secret to authenticate client. Set signing algorithm inextra_config
withattributes.token.endpoint.auth.signing.alg = <alg>
- client
Id String - The Client ID for this client, referenced in the URI during authentication and in issued tokens.
- client
Offline StringSession Idle Timeout - Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
- client
Offline StringSession Max Lifespan - Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
- client
Secret String - The secret for clients with an
access_type
ofCONFIDENTIAL
orBEARER-ONLY
. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. - client
Session StringIdle Timeout - Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
- client
Session StringMax Lifespan - Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
- consent
Required Boolean - When
true
, users have to consent to client access. Defaults tofalse
. - consent
Screen StringText - The text to display on the consent screen about permissions specific to this client. This is applicable only when
display_on_consent_screen
istrue
. - description String
- The description of this client in the GUI.
- direct
Access BooleanGrants Enabled - When
true
, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults tofalse
. - display
On BooleanConsent Screen - When
true
, the consent screen will display information about the client itself. Defaults tofalse
. This is applicable only whenconsent_required
istrue
. - enabled Boolean
- When
false
, this client will not be able to initiate a login or obtain access tokens. Defaults totrue
. - exclude
Session BooleanState From Auth Response - When
true
, the parametersession_state
will not be included in OpenID Connect Authentication Response. - extra
Config Map<String> - frontchannel
Logout BooleanEnabled - When
true
, frontchannel logout will be enabled for this client. Specify the url withfrontchannel_logout_url
. Defaults tofalse
. - frontchannel
Logout StringUrl - The frontchannel logout url. This is applicable only when
frontchannel_logout_enabled
istrue
. - full
Scope BooleanAllowed - Allows all role mappings to be included in the access token.
- implicit
Flow BooleanEnabled - When
true
, the OAuth2 Implicit Grant will be enabled for this client. Defaults tofalse
. - import Boolean
- When
true
, the client with the specifiedclient_id
is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such asaccount
andadmin-cli
. Note that the client will not be removed during destruction if import
istrue
. - login
Theme String - The client login theme. This will override the default theme for the realm.
- name String
- The display name of this client in the GUI.
- Boolean
- Enables support for the OAuth 2.0 Device Authorization Grant, which means that the client is an application on a device that has limited input capabilities or lacks a suitable browser.
- oauth2Device
Code StringLifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- oauth2Device
Polling StringInterval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- pkce
Code StringChallenge Method - The challenge method to use for Proof Key for Code Exchange. Can be either
plain
orS256
or set to empty value ``. - realm
Id String - The realm this client is attached to.
- resource
Server StringId - (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the
.id
attribute). - root
Url String - When specified, this URL is prepended to any relative URLs found within
valid_redirect_uris
,web_origins
, andadmin_url
. NOTE: Due to limitations in the Keycloak API, when theroot_url
attribute is used, thevalid_redirect_uris
,web_origins
, andadmin_url
attributes will be required. - service
Account StringUser Id - (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
- service
Accounts BooleanEnabled - When
true
, the OAuth2 Client Credentials grant will be enabled for this client. Defaults tofalse
. - standard
Flow BooleanEnabled - When
true
, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults tofalse
. - use
Refresh BooleanTokens - If this is
true
, a refresh_token will be created and added to the token response. If this isfalse
then no refresh_token will be generated. Defaults totrue
. - use
Refresh BooleanTokens Client Credentials - If this is
true
, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this isfalse
then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults tofalse
. - valid
Post List<String>Logout Redirect Uris - A list of valid URIs a browser is permitted to redirect to after a successful logout.
- valid
Redirect List<String>Uris - A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple
wildcards in the form of an asterisk can be used here. Because a wildcard widens the set of redirect targets the authorization server will accept, keep any wildcard pattern as narrow as possible. This attribute must be set if either
standard_flow_enabled
orimplicit_flow_enabled
is set totrue
. - web
Origins List<String> - A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`.
Supporting Types
ClientAuthenticationFlowBindingOverrides, ClientAuthenticationFlowBindingOverridesArgs
- BrowserId string - Browser flow id (flow needs to exist)
- DirectGrantId string - Direct grant flow id (flow needs to exist)
- BrowserId string - Browser flow id (flow needs to exist)
- DirectGrantId string - Direct grant flow id (flow needs to exist)
- browserId String - Browser flow id (flow needs to exist)
- directGrantId String - Direct grant flow id (flow needs to exist)
- browserId string - Browser flow id (flow needs to exist)
- directGrantId string - Direct grant flow id (flow needs to exist)
- browser_id str - Browser flow id (flow needs to exist)
- direct_grant_id str - Direct grant flow id (flow needs to exist)
- browserId String - Browser flow id (flow needs to exist)
- directGrantId String - Direct grant flow id (flow needs to exist)
ClientAuthorization, ClientAuthorizationArgs
- PolicyEnforcementMode string - Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`.
- AllowRemoteResourceManagement bool - When `true`, resources can be managed remotely by the resource server. Defaults to `false`.
- DecisionStrategy string - Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Can be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions.
- KeepDefaults bool - When `true`, defaults set by Keycloak will be respected. Defaults to `false`.
- PolicyEnforcementMode string - Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`.
- AllowRemoteResourceManagement bool - When `true`, resources can be managed remotely by the resource server. Defaults to `false`.
- DecisionStrategy string - Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Can be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions.
- KeepDefaults bool - When `true`, defaults set by Keycloak will be respected. Defaults to `false`.
- policyEnforcementMode String - Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`.
- allowRemoteResourceManagement Boolean - When `true`, resources can be managed remotely by the resource server. Defaults to `false`.
- decisionStrategy String - Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Can be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions.
- keepDefaults Boolean - When `true`, defaults set by Keycloak will be respected. Defaults to `false`.
- policyEnforcementMode string - Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`.
- allowRemoteResourceManagement boolean - When `true`, resources can be managed remotely by the resource server. Defaults to `false`.
- decisionStrategy string - Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Can be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions.
- keepDefaults boolean - When `true`, defaults set by Keycloak will be respected. Defaults to `false`.
- policy_enforcement_mode str - Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`.
- allow_remote_resource_management bool - When `true`, resources can be managed remotely by the resource server. Defaults to `false`.
- decision_strategy str - Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Can be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions.
- keep_defaults bool - When `true`, defaults set by Keycloak will be respected. Defaults to `false`.
- policyEnforcementMode String - Dictates how policies are enforced when evaluating authorization requests. Can be one of `ENFORCING`, `PERMISSIVE`, or `DISABLED`.
- allowRemoteResourceManagement Boolean - When `true`, resources can be managed remotely by the resource server. Defaults to `false`.
- decisionStrategy String - Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Can be one of `AFFIRMATIVE`, `CONSENSUS`, or `UNANIMOUS`. Applies to permissions.
- keepDefaults Boolean - When `true`, defaults set by Keycloak will be respected. Defaults to `false`.
Import
Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID.
Example:
bash
$ pulumi import keycloak:openid/client:Client openid_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the `keycloak` Terraform Provider.