Keycloak v6.2.1 published on Monday, Feb 3, 2025 by Pulumi

keycloak.openid.Client



    Allows for creating and managing Keycloak clients that use the OpenID Connect protocol.

    Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users to Keycloak for authentication in order to take advantage of Keycloak’s user sessions for SSO.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as keycloak from "@pulumi/keycloak";
    
    // The realm that owns the client; everything below is scoped to it.
    const realm = new keycloak.Realm("realm", {
        realm: "my-realm",
        enabled: true,
    });

    // Arbitrary Keycloak client attributes are passed through extraConfig.
    const extraConfig = {
        key1: "value1",
        key2: "value2",
    };

    // A CONFIDENTIAL client authenticates with a client ID and a secret. No
    // clientSecret is given here, so Keycloak generates one.
    const openidClient = new keycloak.openid.Client("openid_client", {
        realmId: realm.id,
        clientId: "test-client",
        name: "test client",
        enabled: true,
        accessType: "CONFIDENTIAL",
        loginTheme: "keycloak",
        validRedirectUris: ["http://localhost:8080/openid-callback"],
        extraConfig,
    });
    
    import pulumi
    import pulumi_keycloak as keycloak
    
    # The realm that owns the client; everything below is scoped to it.
    realm = keycloak.Realm(
        "realm",
        realm="my-realm",
        enabled=True,
    )

    # Arbitrary Keycloak client attributes are passed through extra_config.
    extra_config = {"key1": "value1", "key2": "value2"}

    # A CONFIDENTIAL client authenticates with a client ID and a secret. No
    # client_secret is given here, so Keycloak generates one.
    openid_client = keycloak.openid.Client(
        "openid_client",
        realm_id=realm.id,
        client_id="test-client",
        name="test client",
        enabled=True,
        access_type="CONFIDENTIAL",
        login_theme="keycloak",
        valid_redirect_uris=["http://localhost:8080/openid-callback"],
        extra_config=extra_config,
    )
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
    	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main declares a realm and a confidential OpenID Connect client inside it.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// The realm that owns the client; its ID is fed into the client below.
    		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
    			Realm:   pulumi.String("my-realm"),
    			Enabled: pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    
    		// The only redirect target the browser may be sent back to.
    		redirectURIs := pulumi.StringArray{
    			pulumi.String("http://localhost:8080/openid-callback"),
    		}
    		// Arbitrary Keycloak client attributes are passed through ExtraConfig.
    		extra := pulumi.StringMap{
    			"key1": pulumi.String("value1"),
    			"key2": pulumi.String("value2"),
    		}
    
    		// A CONFIDENTIAL client authenticates with a client ID and a secret.
    		// No ClientSecret is set here, so Keycloak generates one.
    		if _, err := openid.NewClient(ctx, "openid_client", &openid.ClientArgs{
    			RealmId:           realm.ID(),
    			ClientId:          pulumi.String("test-client"),
    			Name:              pulumi.String("test client"),
    			Enabled:           pulumi.Bool(true),
    			AccessType:        pulumi.String("CONFIDENTIAL"),
    			LoginTheme:        pulumi.String("keycloak"),
    			ValidRedirectUris: redirectURIs,
    			ExtraConfig:       extra,
    		}); err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Keycloak = Pulumi.Keycloak;
    
    return await Deployment.RunAsync(() =>
    {
        // The realm that owns the client; everything below is scoped to it.
        var realm = new Keycloak.Realm("realm", new()
        {
            RealmName = "my-realm",
            Enabled = true,
        });

        // Arbitrary Keycloak client attributes are passed through ExtraConfig.
        var extraConfig = new Dictionary<string, string>
        {
            ["key1"] = "value1",
            ["key2"] = "value2",
        };

        // A CONFIDENTIAL client authenticates with a client ID and a secret.
        // No ClientSecret is given here, so Keycloak generates one.
        var openidClient = new Keycloak.OpenId.Client("openid_client", new()
        {
            RealmId = realm.Id,
            ClientId = "test-client",
            Name = "test client",
            Enabled = true,
            AccessType = "CONFIDENTIAL",
            LoginTheme = "keycloak",
            ValidRedirectUris = new[] { "http://localhost:8080/openid-callback" },
            ExtraConfig = extraConfig,
        });
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.keycloak.Realm;
    import com.pulumi.keycloak.RealmArgs;
    import com.pulumi.keycloak.openid.Client;
    import com.pulumi.keycloak.openid.ClientArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
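    /** Declares a realm and a confidential OpenID Connect client inside it. */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /** Builds the stack: the realm first, then the client that references its ID. */
        public static void stack(Context ctx) {
            // The realm that owns the client.
            var realm = new Realm("realm", RealmArgs.builder()
                .realm("my-realm")
                .enabled(true)
                .build());

            // Arbitrary Keycloak client attributes are passed through extraConfig.
            Map<String, String> extraConfig = Map.of(
                "key1", "value1",
                "key2", "value2");

            // A CONFIDENTIAL client authenticates with a client ID and a secret.
            // No clientSecret is given here, so Keycloak generates one. The
            // resource name matches the other language examples on this page.
            var openidClient = new Client("openid_client", ClientArgs.builder()
                .realmId(realm.id())
                .clientId("test-client")
                .name("test client")
                .enabled(true)
                .accessType("CONFIDENTIAL")
                .loginTheme("keycloak")
                .validRedirectUris("http://localhost:8080/openid-callback")
                .extraConfig(extraConfig)
                .build());
        }
    }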
    
    resources:
      # The realm that owns the client; everything below is scoped to it.
      realm:
        type: keycloak:Realm
        properties:
          enabled: true
          realm: my-realm
      # A CONFIDENTIAL client authenticates with a client ID and a secret.
      # No clientSecret is given here, so Keycloak generates one.
      openidClient:
        type: keycloak:openid:Client
        name: openid_client
        properties:
          realmId: ${realm.id}
          clientId: test-client
          name: test client
          accessType: CONFIDENTIAL
          enabled: true
          loginTheme: keycloak
          validRedirectUris:
            - http://localhost:8080/openid-callback
          # Arbitrary Keycloak client attributes are passed through extraConfig.
          extraConfig:
            key1: value1
            key2: value2
    

    Create Client Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Client(name: string, args: ClientArgs, opts?: CustomResourceOptions);
    @overload
    def Client(resource_name: str,
               args: ClientArgs,
               opts: Optional[ResourceOptions] = None)
    
    @overload
    def Client(resource_name: str,
               opts: Optional[ResourceOptions] = None,
               client_id: Optional[str] = None,
               access_type: Optional[str] = None,
               realm_id: Optional[str] = None,
               exclude_session_state_from_auth_response: Optional[bool] = None,
               authentication_flow_binding_overrides: Optional[ClientAuthenticationFlowBindingOverridesArgs] = None,
               backchannel_logout_revoke_offline_sessions: Optional[bool] = None,
               extra_config: Optional[Mapping[str, str]] = None,
               backchannel_logout_url: Optional[str] = None,
               frontchannel_logout_url: Optional[str] = None,
               client_authenticator_type: Optional[str] = None,
               frontchannel_logout_enabled: Optional[bool] = None,
               client_offline_session_idle_timeout: Optional[str] = None,
               client_offline_session_max_lifespan: Optional[str] = None,
               client_secret: Optional[str] = None,
               client_session_idle_timeout: Optional[str] = None,
               client_session_max_lifespan: Optional[str] = None,
               consent_required: Optional[bool] = None,
               consent_screen_text: Optional[str] = None,
               description: Optional[str] = None,
               direct_access_grants_enabled: Optional[bool] = None,
               display_on_consent_screen: Optional[bool] = None,
               enabled: Optional[bool] = None,
               access_token_lifespan: Optional[str] = None,
               backchannel_logout_session_required: Optional[bool] = None,
               authorization: Optional[ClientAuthorizationArgs] = None,
               base_url: Optional[str] = None,
               full_scope_allowed: Optional[bool] = None,
               implicit_flow_enabled: Optional[bool] = None,
               import_: Optional[bool] = None,
               login_theme: Optional[str] = None,
               name: Optional[str] = None,
               oauth2_device_authorization_grant_enabled: Optional[bool] = None,
               oauth2_device_code_lifespan: Optional[str] = None,
               oauth2_device_polling_interval: Optional[str] = None,
               pkce_code_challenge_method: Optional[str] = None,
               admin_url: Optional[str] = None,
               root_url: Optional[str] = None,
               service_accounts_enabled: Optional[bool] = None,
               standard_flow_enabled: Optional[bool] = None,
               use_refresh_tokens: Optional[bool] = None,
               use_refresh_tokens_client_credentials: Optional[bool] = None,
               valid_post_logout_redirect_uris: Optional[Sequence[str]] = None,
               valid_redirect_uris: Optional[Sequence[str]] = None,
               web_origins: Optional[Sequence[str]] = None)
    func NewClient(ctx *Context, name string, args ClientArgs, opts ...ResourceOption) (*Client, error)
    public Client(string name, ClientArgs args, CustomResourceOptions? opts = null)
    public Client(String name, ClientArgs args)
    public Client(String name, ClientArgs args, CustomResourceOptions options)
    
    type: keycloak:openid:Client
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args ClientArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args ClientArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args ClientArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args ClientArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args ClientArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var clientResource = new Keycloak.OpenId.Client("clientResource", new()
    {
        // Identity: realm membership and how the client is displayed.
        RealmId = "string",
        ClientId = "string",
        Name = "string",
        Description = "string",
        Enabled = false,
        // Import adopts an existing client into state instead of creating it
        // (it is then not removed on destroy).
        Import = false,
        // Client authentication. ClientSecret is sensitive: treat it like a
        // password and source it from secret config rather than a literal.
        AccessType = "string",
        ClientAuthenticatorType = "string",
        ClientSecret = "string",
        PkceCodeChallengeMethod = "string",
        // Grant types and token behaviour.
        StandardFlowEnabled = false,
        ImplicitFlowEnabled = false,
        DirectAccessGrantsEnabled = false,
        ServiceAccountsEnabled = false,
        Oauth2DeviceAuthorizationGrantEnabled = false,
        Oauth2DeviceCodeLifespan = "string",
        Oauth2DevicePollingInterval = "string",
        UseRefreshTokens = false,
        UseRefreshTokensClientCredentials = false,
        ExcludeSessionStateFromAuthResponse = false,
        FullScopeAllowed = false,
        // URLs. Redirect URIs and origins bound where tokens may be sent;
        // keep them as narrow as the application needs.
        RootUrl = "string",
        BaseUrl = "string",
        AdminUrl = "string",
        ValidRedirectUris = new[] { "string" },
        ValidPostLogoutRedirectUris = new[] { "string" },
        WebOrigins = new[] { "string" },
        // Logout propagation.
        BackchannelLogoutUrl = "string",
        BackchannelLogoutSessionRequired = false,
        BackchannelLogoutRevokeOfflineSessions = false,
        FrontchannelLogoutEnabled = false,
        FrontchannelLogoutUrl = "string",
        // Token and session lifetimes.
        AccessTokenLifespan = "string",
        ClientSessionIdleTimeout = "string",
        ClientSessionMaxLifespan = "string",
        ClientOfflineSessionIdleTimeout = "string",
        ClientOfflineSessionMaxLifespan = "string",
        // Consent screen.
        ConsentRequired = false,
        DisplayOnConsentScreen = false,
        ConsentScreenText = "string",
        // Login page theme.
        LoginTheme = "string",
        // Per-client overrides of the realm's authentication flows.
        AuthenticationFlowBindingOverrides = new Keycloak.OpenId.Inputs.ClientAuthenticationFlowBindingOverridesArgs
        {
            BrowserId = "string",
            DirectGrantId = "string",
        },
        // Fine-grained authorization; needs a CONFIDENTIAL client with
        // ServiceAccountsEnabled.
        Authorization = new Keycloak.OpenId.Inputs.ClientAuthorizationArgs
        {
            PolicyEnforcementMode = "string",
            AllowRemoteResourceManagement = false,
            DecisionStrategy = "string",
            KeepDefaults = false,
        },
        // Arbitrary Keycloak client attributes.
        ExtraConfig =
        {
            { "string", "string" },
        },
    });
    
    example, err := openid.NewClient(ctx, "clientResource", &openid.ClientArgs{
    	// Identity: realm membership and how the client is displayed.
    	RealmId:     pulumi.String("string"),
    	ClientId:    pulumi.String("string"),
    	Name:        pulumi.String("string"),
    	Description: pulumi.String("string"),
    	Enabled:     pulumi.Bool(false),
    	// Import adopts an existing client into state instead of creating it
    	// (it is then not removed on destroy).
    	Import: pulumi.Bool(false),
    	// Client authentication. ClientSecret is sensitive: treat it like a
    	// password and source it from secret config rather than a literal.
    	AccessType:              pulumi.String("string"),
    	ClientAuthenticatorType: pulumi.String("string"),
    	ClientSecret:            pulumi.String("string"),
    	PkceCodeChallengeMethod: pulumi.String("string"),
    	// Grant types and token behaviour.
    	StandardFlowEnabled:                   pulumi.Bool(false),
    	ImplicitFlowEnabled:                   pulumi.Bool(false),
    	DirectAccessGrantsEnabled:             pulumi.Bool(false),
    	ServiceAccountsEnabled:                pulumi.Bool(false),
    	Oauth2DeviceAuthorizationGrantEnabled: pulumi.Bool(false),
    	Oauth2DeviceCodeLifespan:              pulumi.String("string"),
    	Oauth2DevicePollingInterval:           pulumi.String("string"),
    	UseRefreshTokens:                      pulumi.Bool(false),
    	UseRefreshTokensClientCredentials:     pulumi.Bool(false),
    	ExcludeSessionStateFromAuthResponse:   pulumi.Bool(false),
    	FullScopeAllowed:                      pulumi.Bool(false),
    	// URLs. Redirect URIs and origins bound where tokens may be sent;
    	// keep them as narrow as the application needs.
    	RootUrl:  pulumi.String("string"),
    	BaseUrl:  pulumi.String("string"),
    	AdminUrl: pulumi.String("string"),
    	ValidRedirectUris: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	ValidPostLogoutRedirectUris: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	WebOrigins: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	// Logout propagation.
    	BackchannelLogoutUrl:                   pulumi.String("string"),
    	BackchannelLogoutSessionRequired:       pulumi.Bool(false),
    	BackchannelLogoutRevokeOfflineSessions: pulumi.Bool(false),
    	FrontchannelLogoutEnabled:              pulumi.Bool(false),
    	FrontchannelLogoutUrl:                  pulumi.String("string"),
    	// Token and session lifetimes.
    	AccessTokenLifespan:             pulumi.String("string"),
    	ClientSessionIdleTimeout:        pulumi.String("string"),
    	ClientSessionMaxLifespan:        pulumi.String("string"),
    	ClientOfflineSessionIdleTimeout: pulumi.String("string"),
    	ClientOfflineSessionMaxLifespan: pulumi.String("string"),
    	// Consent screen.
    	ConsentRequired:        pulumi.Bool(false),
    	DisplayOnConsentScreen: pulumi.Bool(false),
    	ConsentScreenText:      pulumi.String("string"),
    	// Login page theme.
    	LoginTheme: pulumi.String("string"),
    	// Per-client overrides of the realm's authentication flows.
    	AuthenticationFlowBindingOverrides: &openid.ClientAuthenticationFlowBindingOverridesArgs{
    		BrowserId:     pulumi.String("string"),
    		DirectGrantId: pulumi.String("string"),
    	},
    	// Fine-grained authorization; needs a CONFIDENTIAL client with
    	// ServiceAccountsEnabled.
    	Authorization: &openid.ClientAuthorizationArgs{
    		PolicyEnforcementMode:         pulumi.String("string"),
    		AllowRemoteResourceManagement: pulumi.Bool(false),
    		DecisionStrategy:              pulumi.String("string"),
    		KeepDefaults:                  pulumi.Bool(false),
    	},
    	// Arbitrary Keycloak client attributes.
    	ExtraConfig: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    })
    
    var clientResource = new Client("clientResource", ClientArgs.builder()
        // Identity: realm membership and how the client is displayed.
        .realmId("string")
        .clientId("string")
        .name("string")
        .description("string")
        .enabled(false)
        // import_ adopts an existing client into state instead of creating it
        // (it is then not removed on destroy).
        .import_(false)
        // Client authentication. clientSecret is sensitive: treat it like a
        // password and source it from secret config rather than a literal.
        .accessType("string")
        .clientAuthenticatorType("string")
        .clientSecret("string")
        .pkceCodeChallengeMethod("string")
        // Grant types and token behaviour.
        .standardFlowEnabled(false)
        .implicitFlowEnabled(false)
        .directAccessGrantsEnabled(false)
        .serviceAccountsEnabled(false)
        .oauth2DeviceAuthorizationGrantEnabled(false)
        .oauth2DeviceCodeLifespan("string")
        .oauth2DevicePollingInterval("string")
        .useRefreshTokens(false)
        .useRefreshTokensClientCredentials(false)
        .excludeSessionStateFromAuthResponse(false)
        .fullScopeAllowed(false)
        // URLs. Redirect URIs and origins bound where tokens may be sent;
        // keep them as narrow as the application needs.
        .rootUrl("string")
        .baseUrl("string")
        .adminUrl("string")
        .validRedirectUris("string")
        .validPostLogoutRedirectUris("string")
        .webOrigins("string")
        // Logout propagation.
        .backchannelLogoutUrl("string")
        .backchannelLogoutSessionRequired(false)
        .backchannelLogoutRevokeOfflineSessions(false)
        .frontchannelLogoutEnabled(false)
        .frontchannelLogoutUrl("string")
        // Token and session lifetimes.
        .accessTokenLifespan("string")
        .clientSessionIdleTimeout("string")
        .clientSessionMaxLifespan("string")
        .clientOfflineSessionIdleTimeout("string")
        .clientOfflineSessionMaxLifespan("string")
        // Consent screen.
        .consentRequired(false)
        .displayOnConsentScreen(false)
        .consentScreenText("string")
        // Login page theme.
        .loginTheme("string")
        // Per-client overrides of the realm's authentication flows.
        .authenticationFlowBindingOverrides(ClientAuthenticationFlowBindingOverridesArgs.builder()
            .browserId("string")
            .directGrantId("string")
            .build())
        // Fine-grained authorization; needs a CONFIDENTIAL client with
        // serviceAccountsEnabled.
        .authorization(ClientAuthorizationArgs.builder()
            .policyEnforcementMode("string")
            .allowRemoteResourceManagement(false)
            .decisionStrategy("string")
            .keepDefaults(false)
            .build())
        // Arbitrary Keycloak client attributes.
        .extraConfig(Map.of("string", "string"))
        .build());
    
    client_resource = keycloak.openid.Client("clientResource",
        # Identity: realm membership and how the client is displayed.
        realm_id="string",
        client_id="string",
        name="string",
        description="string",
        enabled=False,
        # import_ adopts an existing client into state instead of creating it
        # (it is then not removed on destroy).
        import_=False,
        # Client authentication. client_secret is sensitive: treat it like a
        # password and source it from secret config rather than a literal.
        access_type="string",
        client_authenticator_type="string",
        client_secret="string",
        pkce_code_challenge_method="string",
        # Grant types and token behaviour.
        standard_flow_enabled=False,
        implicit_flow_enabled=False,
        direct_access_grants_enabled=False,
        service_accounts_enabled=False,
        oauth2_device_authorization_grant_enabled=False,
        oauth2_device_code_lifespan="string",
        oauth2_device_polling_interval="string",
        use_refresh_tokens=False,
        use_refresh_tokens_client_credentials=False,
        exclude_session_state_from_auth_response=False,
        full_scope_allowed=False,
        # URLs. Redirect URIs and origins bound where tokens may be sent;
        # keep them as narrow as the application needs.
        root_url="string",
        base_url="string",
        admin_url="string",
        valid_redirect_uris=["string"],
        valid_post_logout_redirect_uris=["string"],
        web_origins=["string"],
        # Logout propagation.
        backchannel_logout_url="string",
        backchannel_logout_session_required=False,
        backchannel_logout_revoke_offline_sessions=False,
        frontchannel_logout_enabled=False,
        frontchannel_logout_url="string",
        # Token and session lifetimes.
        access_token_lifespan="string",
        client_session_idle_timeout="string",
        client_session_max_lifespan="string",
        client_offline_session_idle_timeout="string",
        client_offline_session_max_lifespan="string",
        # Consent screen.
        consent_required=False,
        display_on_consent_screen=False,
        consent_screen_text="string",
        # Login page theme.
        login_theme="string",
        # Per-client overrides of the realm's authentication flows.
        authentication_flow_binding_overrides={
            "browser_id": "string",
            "direct_grant_id": "string",
        },
        # Fine-grained authorization; needs a CONFIDENTIAL client with
        # service_accounts_enabled.
        authorization={
            "policy_enforcement_mode": "string",
            "allow_remote_resource_management": False,
            "decision_strategy": "string",
            "keep_defaults": False,
        },
        # Arbitrary Keycloak client attributes.
        extra_config={
            "string": "string",
        })
    
    const clientResource = new keycloak.openid.Client("clientResource", {
        // Identity: realm membership and how the client is displayed.
        realmId: "string",
        clientId: "string",
        name: "string",
        description: "string",
        enabled: false,
        // import adopts an existing client into state instead of creating it
        // (it is then not removed on destroy).
        "import": false,
        // Client authentication. clientSecret is sensitive: treat it like a
        // password and source it from secret config rather than a literal.
        accessType: "string",
        clientAuthenticatorType: "string",
        clientSecret: "string",
        pkceCodeChallengeMethod: "string",
        // Grant types and token behaviour.
        standardFlowEnabled: false,
        implicitFlowEnabled: false,
        directAccessGrantsEnabled: false,
        serviceAccountsEnabled: false,
        oauth2DeviceAuthorizationGrantEnabled: false,
        oauth2DeviceCodeLifespan: "string",
        oauth2DevicePollingInterval: "string",
        useRefreshTokens: false,
        useRefreshTokensClientCredentials: false,
        excludeSessionStateFromAuthResponse: false,
        fullScopeAllowed: false,
        // URLs. Redirect URIs and origins bound where tokens may be sent;
        // keep them as narrow as the application needs.
        rootUrl: "string",
        baseUrl: "string",
        adminUrl: "string",
        validRedirectUris: ["string"],
        validPostLogoutRedirectUris: ["string"],
        webOrigins: ["string"],
        // Logout propagation.
        backchannelLogoutUrl: "string",
        backchannelLogoutSessionRequired: false,
        backchannelLogoutRevokeOfflineSessions: false,
        frontchannelLogoutEnabled: false,
        frontchannelLogoutUrl: "string",
        // Token and session lifetimes.
        accessTokenLifespan: "string",
        clientSessionIdleTimeout: "string",
        clientSessionMaxLifespan: "string",
        clientOfflineSessionIdleTimeout: "string",
        clientOfflineSessionMaxLifespan: "string",
        // Consent screen.
        consentRequired: false,
        displayOnConsentScreen: false,
        consentScreenText: "string",
        // Login page theme.
        loginTheme: "string",
        // Per-client overrides of the realm's authentication flows.
        authenticationFlowBindingOverrides: {
            browserId: "string",
            directGrantId: "string",
        },
        // Fine-grained authorization; needs a CONFIDENTIAL client with
        // serviceAccountsEnabled.
        authorization: {
            policyEnforcementMode: "string",
            allowRemoteResourceManagement: false,
            decisionStrategy: "string",
            keepDefaults: false,
        },
        // Arbitrary Keycloak client attributes.
        extraConfig: {
            string: "string",
        },
    });
    
    type: keycloak:openid:Client
    properties:
        # Identity: realm membership and how the client is displayed.
        realmId: string
        clientId: string
        name: string
        description: string
        enabled: false
        # import adopts an existing client into state instead of creating it
        # (it is then not removed on destroy).
        import: false
        # Client authentication. clientSecret is sensitive: treat it like a
        # password and source it from secret config rather than a literal.
        accessType: string
        clientAuthenticatorType: string
        clientSecret: string
        pkceCodeChallengeMethod: string
        # Grant types and token behaviour.
        standardFlowEnabled: false
        implicitFlowEnabled: false
        directAccessGrantsEnabled: false
        serviceAccountsEnabled: false
        oauth2DeviceAuthorizationGrantEnabled: false
        oauth2DeviceCodeLifespan: string
        oauth2DevicePollingInterval: string
        useRefreshTokens: false
        useRefreshTokensClientCredentials: false
        excludeSessionStateFromAuthResponse: false
        fullScopeAllowed: false
        # URLs. Redirect URIs and origins bound where tokens may be sent;
        # keep them as narrow as the application needs.
        rootUrl: string
        baseUrl: string
        adminUrl: string
        validRedirectUris:
            - string
        validPostLogoutRedirectUris:
            - string
        webOrigins:
            - string
        # Logout propagation.
        backchannelLogoutUrl: string
        backchannelLogoutSessionRequired: false
        backchannelLogoutRevokeOfflineSessions: false
        frontchannelLogoutEnabled: false
        frontchannelLogoutUrl: string
        # Token and session lifetimes.
        accessTokenLifespan: string
        clientSessionIdleTimeout: string
        clientSessionMaxLifespan: string
        clientOfflineSessionIdleTimeout: string
        clientOfflineSessionMaxLifespan: string
        # Consent screen.
        consentRequired: false
        displayOnConsentScreen: false
        consentScreenText: string
        # Login page theme.
        loginTheme: string
        # Per-client overrides of the realm's authentication flows.
        authenticationFlowBindingOverrides:
            browserId: string
            directGrantId: string
        # Fine-grained authorization; needs a CONFIDENTIAL client with
        # serviceAccountsEnabled.
        authorization:
            policyEnforcementMode: string
            allowRemoteResourceManagement: false
            decisionStrategy: string
            keepDefaults: false
        # Arbitrary Keycloak client attributes.
        extraConfig:
            string: string
    

    Client Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The Client resource accepts the following input properties:

    AccessType string
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    ClientId string
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    RealmId string
    The realm this client is attached to.
    AccessTokenLifespan string
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    AdminUrl string
    URL to the admin interface of the client.
    AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides
    Override realm authentication flow bindings
    Authorization ClientAuthorization
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    BackchannelLogoutRevokeOfflineSessions bool
    Specifies whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    BackchannelLogoutSessionRequired bool
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    BackchannelLogoutUrl string
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case.
    BaseUrl string
    Default URL to use when the auth server needs to redirect or link back to the client.
    ClientAuthenticatorType string
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    ClientOfflineSessionIdleTimeout string
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    ClientOfflineSessionMaxLifespan string
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    ClientSecret string
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    ClientSessionIdleTimeout string
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    ClientSessionMaxLifespan string
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    ConsentRequired bool
    When true, users have to consent to client access. Defaults to false.
    ConsentScreenText string
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    Description string
    The description of this client in the GUI.
    DirectAccessGrantsEnabled bool
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    DisplayOnConsentScreen bool
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    Enabled bool
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    ExcludeSessionStateFromAuthResponse bool
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    ExtraConfig Dictionary<string, string>
    FrontchannelLogoutEnabled bool
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    FrontchannelLogoutUrl string
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    FullScopeAllowed bool
    Allows all role mappings to be included in the access token.
    ImplicitFlowEnabled bool
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    Import bool
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note that the client will not be removed during destruction if import is true.
    LoginTheme string
    The client login theme. This will override the default theme for the realm.
    Name string
    The display name of this client in the GUI.
    Oauth2DeviceAuthorizationGrantEnabled bool
    Enables support for the OAuth 2.0 Device Authorization Grant, which means that the client is an application on a device that has limited input capabilities or lacks a suitable browser.
    Oauth2DeviceCodeLifespan string
    The maximum amount of time a client has to finish the device code flow before it expires.
    Oauth2DevicePollingInterval string
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    PkceCodeChallengeMethod string
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256, or set to the empty value ``.
    RootUrl string
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    ServiceAccountsEnabled bool
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    StandardFlowEnabled bool
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    UseRefreshTokens bool
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    UseRefreshTokensClientCredentials bool
    If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    ValidPostLogoutRedirectUris List<string>
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    ValidRedirectUris List<string>
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    WebOrigins List<string>
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.
    AccessType string
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    ClientId string
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    RealmId string
    The realm this client is attached to.
    AccessTokenLifespan string
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    AdminUrl string
    URL to the admin interface of the client.
    AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs
    Override realm authentication flow bindings
    Authorization ClientAuthorizationArgs
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    BackchannelLogoutRevokeOfflineSessions bool
    Specifies whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    BackchannelLogoutSessionRequired bool
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    BackchannelLogoutUrl string
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case.
    BaseUrl string
    Default URL to use when the auth server needs to redirect or link back to the client.
    ClientAuthenticatorType string
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    ClientOfflineSessionIdleTimeout string
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    ClientOfflineSessionMaxLifespan string
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    ClientSecret string
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    ClientSessionIdleTimeout string
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    ClientSessionMaxLifespan string
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    ConsentRequired bool
    When true, users have to consent to client access. Defaults to false.
    ConsentScreenText string
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    Description string
    The description of this client in the GUI.
    DirectAccessGrantsEnabled bool
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    DisplayOnConsentScreen bool
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    Enabled bool
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    ExcludeSessionStateFromAuthResponse bool
    When true, the parameter session_state will not be included in the OpenID Connect Authentication Response.
    ExtraConfig map[string]string
    FrontchannelLogoutEnabled bool
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    FrontchannelLogoutUrl string
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    FullScopeAllowed bool
    Allows all role mappings to be included in the access token.
    ImplicitFlowEnabled bool
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    Import bool
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note that the client will not be removed during destruction if import is true.
    LoginTheme string
    The client login theme. This will override the default theme for the realm.
    Name string
    The display name of this client in the GUI.
    Oauth2DeviceAuthorizationGrantEnabled bool
    Enables support for OAuth 2.0 Device Authorization Grant, which means that the client is an application on a device that has limited input capabilities or lacks a suitable browser.
    Oauth2DeviceCodeLifespan string
    The maximum amount of time a client has to finish the device code flow before it expires.
    Oauth2DevicePollingInterval string
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    PkceCodeChallengeMethod string
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256, or set to the empty value ``.
    RootUrl string
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    ServiceAccountsEnabled bool
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    StandardFlowEnabled bool
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    UseRefreshTokens bool
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    UseRefreshTokensClientCredentials bool
    If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    ValidPostLogoutRedirectUris []string
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    ValidRedirectUris []string
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    WebOrigins []string
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.
    accessType String
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    clientId String
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    realmId String
    The realm this client is attached to.
    accessTokenLifespan String
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    adminUrl String
    URL to the admin interface of the client.
    authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides
    Override realm authentication flow bindings
    authorization ClientAuthorization
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    backchannelLogoutRevokeOfflineSessions Boolean
    Specifies whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    backchannelLogoutSessionRequired Boolean
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    backchannelLogoutUrl String
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case.
    baseUrl String
    Default URL to use when the auth server needs to redirect or link back to the client.
    clientAuthenticatorType String
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    clientOfflineSessionIdleTimeout String
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    clientOfflineSessionMaxLifespan String
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    clientSecret String
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    clientSessionIdleTimeout String
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    clientSessionMaxLifespan String
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    consentRequired Boolean
    When true, users have to consent to client access. Defaults to false.
    consentScreenText String
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    description String
    The description of this client in the GUI.
    directAccessGrantsEnabled Boolean
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    displayOnConsentScreen Boolean
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    enabled Boolean
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    excludeSessionStateFromAuthResponse Boolean
    When true, the parameter session_state will not be included in the OpenID Connect Authentication Response.
    extraConfig Map<String,String>
    frontchannelLogoutEnabled Boolean
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    frontchannelLogoutUrl String
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    fullScopeAllowed Boolean
    Allows all role mappings to be included in the access token.
    implicitFlowEnabled Boolean
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    import_ Boolean
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note that the client will not be removed during destruction if import is true.
    loginTheme String
    The client login theme. This will override the default theme for the realm.
    name String
    The display name of this client in the GUI.
    oauth2DeviceAuthorizationGrantEnabled Boolean
    Enables support for OAuth 2.0 Device Authorization Grant, which means that the client is an application on a device that has limited input capabilities or lacks a suitable browser.
    oauth2DeviceCodeLifespan String
    The maximum amount of time a client has to finish the device code flow before it expires.
    oauth2DevicePollingInterval String
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    pkceCodeChallengeMethod String
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256, or set to the empty value ``.
    rootUrl String
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    serviceAccountsEnabled Boolean
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    standardFlowEnabled Boolean
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    useRefreshTokens Boolean
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    useRefreshTokensClientCredentials Boolean
    If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    validPostLogoutRedirectUris List<String>
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    validRedirectUris List<String>
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    webOrigins List<String>
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.
    accessType string
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    clientId string
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    realmId string
    The realm this client is attached to.
    accessTokenLifespan string
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    adminUrl string
    URL to the admin interface of the client.
    authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides
    Override realm authentication flow bindings
    authorization ClientAuthorization
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    backchannelLogoutRevokeOfflineSessions boolean
    Specifies whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    backchannelLogoutSessionRequired boolean
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    backchannelLogoutUrl string
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case.
    baseUrl string
    Default URL to use when the auth server needs to redirect or link back to the client.
    clientAuthenticatorType string
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    clientOfflineSessionIdleTimeout string
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    clientOfflineSessionMaxLifespan string
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    clientSecret string
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    clientSessionIdleTimeout string
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    clientSessionMaxLifespan string
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    consentRequired boolean
    When true, users have to consent to client access. Defaults to false.
    consentScreenText string
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    description string
    The description of this client in the GUI.
    directAccessGrantsEnabled boolean
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    displayOnConsentScreen boolean
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    enabled boolean
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    excludeSessionStateFromAuthResponse boolean
    When true, the parameter session_state will not be included in the OpenID Connect Authentication Response.
    extraConfig {[key: string]: string}
    frontchannelLogoutEnabled boolean
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    frontchannelLogoutUrl string
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    fullScopeAllowed boolean
    Allows all role mappings to be included in the access token.
    implicitFlowEnabled boolean
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    import boolean
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note that the client will not be removed during destruction if import is true.
    loginTheme string
    The client login theme. This will override the default theme for the realm.
    name string
    The display name of this client in the GUI.
    oauth2DeviceAuthorizationGrantEnabled boolean
    Enables support for OAuth 2.0 Device Authorization Grant, which means that the client is an application on a device that has limited input capabilities or lacks a suitable browser.
    oauth2DeviceCodeLifespan string
    The maximum amount of time a client has to finish the device code flow before it expires.
    oauth2DevicePollingInterval string
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    pkceCodeChallengeMethod string
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256, or set to the empty value ``.
    rootUrl string
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    serviceAccountsEnabled boolean
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    standardFlowEnabled boolean
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    useRefreshTokens boolean
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    useRefreshTokensClientCredentials boolean
    If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    validPostLogoutRedirectUris string[]
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    validRedirectUris string[]
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    webOrigins string[]
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.
    access_type str
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    client_id str
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    realm_id str
    The realm this client is attached to.
    access_token_lifespan str
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    admin_url str
    URL to the admin interface of the client.
    authentication_flow_binding_overrides ClientAuthenticationFlowBindingOverridesArgs
    Override realm authentication flow bindings
    authorization ClientAuthorizationArgs
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    backchannel_logout_revoke_offline_sessions bool
    Specifies whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    backchannel_logout_session_required bool
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    backchannel_logout_url str
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case.
    base_url str
    Default URL to use when the auth server needs to redirect or link back to the client.
    client_authenticator_type str
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    client_offline_session_idle_timeout str
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    client_offline_session_max_lifespan str
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    client_secret str
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    client_session_idle_timeout str
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    client_session_max_lifespan str
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    consent_required bool
    When true, users have to consent to client access. Defaults to false.
    consent_screen_text str
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    description str
    The description of this client in the GUI.
    direct_access_grants_enabled bool
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    display_on_consent_screen bool
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    enabled bool
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    exclude_session_state_from_auth_response bool
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    extra_config Mapping[str, str]
    frontchannel_logout_enabled bool
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    frontchannel_logout_url str
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    full_scope_allowed bool
    Allows all role mappings to be included in the access token.
    implicit_flow_enabled bool
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    import_ bool
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note that the client will not be removed during destruction if import is true.
    login_theme str
    The client login theme. This will override the default theme for the realm.
    name str
    The display name of this client in the GUI.
    oauth2_device_authorization_grant_enabled bool
    Enables support for the OAuth 2.0 Device Authorization Grant, which means that the client is an application on a device that has limited input capabilities or lacks a suitable browser.
    oauth2_device_code_lifespan str
    The maximum amount of time a client has to finish the device code flow before it expires.
    oauth2_device_polling_interval str
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    pkce_code_challenge_method str
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256, or set to the empty value ``.
    root_url str
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    service_accounts_enabled bool
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    standard_flow_enabled bool
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    use_refresh_tokens bool
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    use_refresh_tokens_client_credentials bool
    If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    valid_post_logout_redirect_uris Sequence[str]
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    valid_redirect_uris Sequence[str]
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    web_origins Sequence[str]
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.
    accessType String
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    clientId String
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    realmId String
    The realm this client is attached to.
    accessTokenLifespan String
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    adminUrl String
    URL to the admin interface of the client.
    authenticationFlowBindingOverrides Property Map
    Overrides the realm's authentication flow bindings.
    authorization Property Map
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    backchannelLogoutRevokeOfflineSessions Boolean
    Specifies whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    backchannelLogoutSessionRequired Boolean
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    backchannelLogoutUrl String
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case.
    baseUrl String
    Default URL to use when the auth server needs to redirect or link back to the client.
    clientAuthenticatorType String
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    clientOfflineSessionIdleTimeout String
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    clientOfflineSessionMaxLifespan String
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    clientSecret String
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    clientSessionIdleTimeout String
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    clientSessionMaxLifespan String
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    consentRequired Boolean
    When true, users have to consent to client access. Defaults to false.
    consentScreenText String
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    description String
    The description of this client in the GUI.
    directAccessGrantsEnabled Boolean
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    displayOnConsentScreen Boolean
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    enabled Boolean
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    excludeSessionStateFromAuthResponse Boolean
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    extraConfig Map<String>
    frontchannelLogoutEnabled Boolean
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    frontchannelLogoutUrl String
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    fullScopeAllowed Boolean
    Allows all role mappings to be included in the access token.
    implicitFlowEnabled Boolean
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    import Boolean
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note that the client will not be removed during destruction if import is true.
    loginTheme String
    The client login theme. This will override the default theme for the realm.
    name String
    The display name of this client in the GUI.
    oauth2DeviceAuthorizationGrantEnabled Boolean
    Enables support for the OAuth 2.0 Device Authorization Grant, which means that the client is an application on a device that has limited input capabilities or lacks a suitable browser.
    oauth2DeviceCodeLifespan String
    The maximum amount of time a client has to finish the device code flow before it expires.
    oauth2DevicePollingInterval String
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    pkceCodeChallengeMethod String
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256, or set to the empty value ``.
    rootUrl String
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    serviceAccountsEnabled Boolean
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    standardFlowEnabled Boolean
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    useRefreshTokens Boolean
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    useRefreshTokensClientCredentials Boolean
    If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    validPostLogoutRedirectUris List<String>
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    validRedirectUris List<String>
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    webOrigins List<String>
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Client resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    ResourceServerId string
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    ServiceAccountUserId string
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    Id string
    The provider-assigned unique ID for this managed resource.
    ResourceServerId string
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    ServiceAccountUserId string
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    id String
    The provider-assigned unique ID for this managed resource.
    resourceServerId String
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    serviceAccountUserId String
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    id string
    The provider-assigned unique ID for this managed resource.
    resourceServerId string
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    serviceAccountUserId string
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    id str
    The provider-assigned unique ID for this managed resource.
    resource_server_id str
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    service_account_user_id str
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    id String
    The provider-assigned unique ID for this managed resource.
    resourceServerId String
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    serviceAccountUserId String
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.

    Look up Existing Client Resource

    Get an existing Client resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: ClientState, opts?: CustomResourceOptions): Client
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            access_token_lifespan: Optional[str] = None,
            access_type: Optional[str] = None,
            admin_url: Optional[str] = None,
            authentication_flow_binding_overrides: Optional[ClientAuthenticationFlowBindingOverridesArgs] = None,
            authorization: Optional[ClientAuthorizationArgs] = None,
            backchannel_logout_revoke_offline_sessions: Optional[bool] = None,
            backchannel_logout_session_required: Optional[bool] = None,
            backchannel_logout_url: Optional[str] = None,
            base_url: Optional[str] = None,
            client_authenticator_type: Optional[str] = None,
            client_id: Optional[str] = None,
            client_offline_session_idle_timeout: Optional[str] = None,
            client_offline_session_max_lifespan: Optional[str] = None,
            client_secret: Optional[str] = None,
            client_session_idle_timeout: Optional[str] = None,
            client_session_max_lifespan: Optional[str] = None,
            consent_required: Optional[bool] = None,
            consent_screen_text: Optional[str] = None,
            description: Optional[str] = None,
            direct_access_grants_enabled: Optional[bool] = None,
            display_on_consent_screen: Optional[bool] = None,
            enabled: Optional[bool] = None,
            exclude_session_state_from_auth_response: Optional[bool] = None,
            extra_config: Optional[Mapping[str, str]] = None,
            frontchannel_logout_enabled: Optional[bool] = None,
            frontchannel_logout_url: Optional[str] = None,
            full_scope_allowed: Optional[bool] = None,
            implicit_flow_enabled: Optional[bool] = None,
            import_: Optional[bool] = None,
            login_theme: Optional[str] = None,
            name: Optional[str] = None,
            oauth2_device_authorization_grant_enabled: Optional[bool] = None,
            oauth2_device_code_lifespan: Optional[str] = None,
            oauth2_device_polling_interval: Optional[str] = None,
            pkce_code_challenge_method: Optional[str] = None,
            realm_id: Optional[str] = None,
            resource_server_id: Optional[str] = None,
            root_url: Optional[str] = None,
            service_account_user_id: Optional[str] = None,
            service_accounts_enabled: Optional[bool] = None,
            standard_flow_enabled: Optional[bool] = None,
            use_refresh_tokens: Optional[bool] = None,
            use_refresh_tokens_client_credentials: Optional[bool] = None,
            valid_post_logout_redirect_uris: Optional[Sequence[str]] = None,
            valid_redirect_uris: Optional[Sequence[str]] = None,
            web_origins: Optional[Sequence[str]] = None) -> Client
    func GetClient(ctx *Context, name string, id IDInput, state *ClientState, opts ...ResourceOption) (*Client, error)
    public static Client Get(string name, Input<string> id, ClientState? state, CustomResourceOptions? opts = null)
    public static Client get(String name, Output<String> id, ClientState state, CustomResourceOptions options)
    resources:  _:    type: keycloak:openid:Client    get:      id: ${id}
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AccessTokenLifespan string
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    AccessType string
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    AdminUrl string
    URL to the admin interface of the client.
    AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides
    Overrides the realm's authentication flow bindings.
    Authorization ClientAuthorization
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    BackchannelLogoutRevokeOfflineSessions bool
    Specifies whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    BackchannelLogoutSessionRequired bool
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    BackchannelLogoutUrl string
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case.
    BaseUrl string
    Default URL to use when the auth server needs to redirect or link back to the client.
    ClientAuthenticatorType string
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    ClientId string
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    ClientOfflineSessionIdleTimeout string
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    ClientOfflineSessionMaxLifespan string
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    ClientSecret string
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    ClientSessionIdleTimeout string
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    ClientSessionMaxLifespan string
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    ConsentRequired bool
    When true, users have to consent to client access. Defaults to false.
    ConsentScreenText string
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    Description string
    The description of this client in the GUI.
    DirectAccessGrantsEnabled bool
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    DisplayOnConsentScreen bool
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    Enabled bool
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    ExcludeSessionStateFromAuthResponse bool
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    ExtraConfig Dictionary<string, string>
    FrontchannelLogoutEnabled bool
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    FrontchannelLogoutUrl string
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    FullScopeAllowed bool
    Allows all role mappings to be included in the access token.
    ImplicitFlowEnabled bool
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    Import bool
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note that the client will not be removed during destruction if import is true.
    LoginTheme string
    The client login theme. This will override the default theme for the realm.
    Name string
    The display name of this client in the GUI.
    Oauth2DeviceAuthorizationGrantEnabled bool
    Enables support for the OAuth 2.0 Device Authorization Grant, which means that the client is an application on a device that has limited input capabilities or lacks a suitable browser.
    Oauth2DeviceCodeLifespan string
    The maximum amount of time a client has to finish the device code flow before it expires.
    Oauth2DevicePollingInterval string
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    PkceCodeChallengeMethod string
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256, or set to the empty value ``.
    RealmId string
    The realm this client is attached to.
    ResourceServerId string
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    RootUrl string
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    ServiceAccountUserId string
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    ServiceAccountsEnabled bool
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    StandardFlowEnabled bool
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    UseRefreshTokens bool
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    UseRefreshTokensClientCredentials bool
    If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    ValidPostLogoutRedirectUris List<string>
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    ValidRedirectUris List<string>
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    WebOrigins List<string>
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.
    AccessTokenLifespan string
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    AccessType string
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    AdminUrl string
    URL to the admin interface of the client.
    AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs
    Overrides the realm's authentication flow bindings.
    Authorization ClientAuthorizationArgs
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    BackchannelLogoutRevokeOfflineSessions bool
    Specifies whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    BackchannelLogoutSessionRequired bool
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    BackchannelLogoutUrl string
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case.
    BaseUrl string
    Default URL to use when the auth server needs to redirect or link back to the client.
    ClientAuthenticatorType string
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    ClientId string
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    ClientOfflineSessionIdleTimeout string
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    ClientOfflineSessionMaxLifespan string
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    ClientSecret string
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    ClientSessionIdleTimeout string
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    ClientSessionMaxLifespan string
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    ConsentRequired bool
    When true, users have to consent to client access. Defaults to false.
    ConsentScreenText string
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    Description string
    The description of this client in the GUI.
    DirectAccessGrantsEnabled bool
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    DisplayOnConsentScreen bool
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    Enabled bool
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    ExcludeSessionStateFromAuthResponse bool
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    ExtraConfig map[string]string
    FrontchannelLogoutEnabled bool
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    FrontchannelLogoutUrl string
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    FullScopeAllowed bool
    Allows all role mappings to be included in the access token.
    ImplicitFlowEnabled bool
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    Import bool
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note that the client will not be removed during destruction if import is true.
    LoginTheme string
    The client login theme. This will override the default theme for the realm.
    Name string
    The display name of this client in the GUI.
    Oauth2DeviceAuthorizationGrantEnabled bool
    Enables support for the OAuth 2.0 Device Authorization Grant, which means that the client is an application on a device that has limited input capabilities or lacks a suitable browser.
    Oauth2DeviceCodeLifespan string
    The maximum amount of time a client has to finish the device code flow before it expires.
    Oauth2DevicePollingInterval string
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    PkceCodeChallengeMethod string
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256, or set to the empty value ``.
    RealmId string
    The realm this client is attached to.
    ResourceServerId string
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    RootUrl string
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    ServiceAccountUserId string
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    ServiceAccountsEnabled bool
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    StandardFlowEnabled bool
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    UseRefreshTokens bool
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    UseRefreshTokensClientCredentials bool
    If this is true and the client_credentials grant is used, a refresh_token will be created and added to the token response, and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    ValidPostLogoutRedirectUris []string
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    ValidRedirectUris []string
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    WebOrigins []string
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.
    accessTokenLifespan String
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    accessType String
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    adminUrl String
    URL to the admin interface of the client.
    authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides
    Override realm authentication flow bindings
    authorization ClientAuthorization
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    backchannelLogoutRevokeOfflineSessions Boolean
    Specifies whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    backchannelLogoutSessionRequired Boolean
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    backchannelLogoutUrl String
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case.
    baseUrl String
    Default URL to use when the auth server needs to redirect or link back to the client.
    clientAuthenticatorType String
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    clientId String
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    clientOfflineSessionIdleTimeout String
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    clientOfflineSessionMaxLifespan String
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    clientSecret String
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    clientSessionIdleTimeout String
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    clientSessionMaxLifespan String
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    consentRequired Boolean
    When true, users have to consent to client access. Defaults to false.
    consentScreenText String
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    description String
    The description of this client in the GUI.
    directAccessGrantsEnabled Boolean
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    displayOnConsentScreen Boolean
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    enabled Boolean
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    excludeSessionStateFromAuthResponse Boolean
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    extraConfig Map<String,String>
    frontchannelLogoutEnabled Boolean
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    frontchannelLogoutUrl String
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    fullScopeAllowed Boolean
    Allows all role mappings to be included in the access token.
    implicitFlowEnabled Boolean
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    import_ Boolean
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note that the client will not be removed during destruction if import is true.
    loginTheme String
    The client login theme. This will override the default theme for the realm.
    name String
    The display name of this client in the GUI.
    oauth2DeviceAuthorizationGrantEnabled Boolean
    Enables support for the OAuth 2.0 Device Authorization Grant, which means that the client is an application on a device that has limited input capabilities or lacks a suitable browser.
    oauth2DeviceCodeLifespan String
    The maximum amount of time a client has to finish the device code flow before it expires.
    oauth2DevicePollingInterval String
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    pkceCodeChallengeMethod String
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256, or set to the empty value ``.
    realmId String
    The realm this client is attached to.
    resourceServerId String
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    rootUrl String
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    serviceAccountUserId String
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    serviceAccountsEnabled Boolean
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    standardFlowEnabled Boolean
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    useRefreshTokens Boolean
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    useRefreshTokensClientCredentials Boolean
    If this is true and the client_credentials grant is used, a refresh_token will be created and added to the token response, and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    validPostLogoutRedirectUris List<String>
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    validRedirectUris List<String>
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    webOrigins List<String>
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.
    accessTokenLifespan string
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    accessType string
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    adminUrl string
    URL to the admin interface of the client.
    authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides
    Override realm authentication flow bindings
    authorization ClientAuthorization
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    backchannelLogoutRevokeOfflineSessions boolean
    Specifies whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    backchannelLogoutSessionRequired boolean
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    backchannelLogoutUrl string
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case.
    baseUrl string
    Default URL to use when the auth server needs to redirect or link back to the client.
    clientAuthenticatorType string
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    clientId string
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    clientOfflineSessionIdleTimeout string
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    clientOfflineSessionMaxLifespan string
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    clientSecret string
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    clientSessionIdleTimeout string
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    clientSessionMaxLifespan string
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    consentRequired boolean
    When true, users have to consent to client access. Defaults to false.
    consentScreenText string
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    description string
    The description of this client in the GUI.
    directAccessGrantsEnabled boolean
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    displayOnConsentScreen boolean
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    enabled boolean
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    excludeSessionStateFromAuthResponse boolean
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    extraConfig {[key: string]: string}
    frontchannelLogoutEnabled boolean
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    frontchannelLogoutUrl string
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    fullScopeAllowed boolean
    Allows all role mappings to be included in the access token.
    implicitFlowEnabled boolean
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    import boolean
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note that the client will not be removed during destruction if import is true.
    loginTheme string
    The client login theme. This will override the default theme for the realm.
    name string
    The display name of this client in the GUI.
    oauth2DeviceAuthorizationGrantEnabled boolean
    Enables support for the OAuth 2.0 Device Authorization Grant, which means that the client is an application on a device that has limited input capabilities or lacks a suitable browser.
    oauth2DeviceCodeLifespan string
    The maximum amount of time a client has to finish the device code flow before it expires.
    oauth2DevicePollingInterval string
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    pkceCodeChallengeMethod string
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256, or set to the empty value ``.
    realmId string
    The realm this client is attached to.
    resourceServerId string
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    rootUrl string
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    serviceAccountUserId string
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    serviceAccountsEnabled boolean
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    standardFlowEnabled boolean
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    useRefreshTokens boolean
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    useRefreshTokensClientCredentials boolean
    If this is true and the client_credentials grant is used, a refresh_token will be created and added to the token response, and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    validPostLogoutRedirectUris string[]
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    validRedirectUris string[]
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    webOrigins string[]
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.
    access_token_lifespan str
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    access_type str
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    admin_url str
    URL to the admin interface of the client.
    authentication_flow_binding_overrides ClientAuthenticationFlowBindingOverridesArgs
    Override realm authentication flow bindings
    authorization ClientAuthorizationArgs
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    backchannel_logout_revoke_offline_sessions bool
    Specifies whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    backchannel_logout_session_required bool
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    backchannel_logout_url str
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case.
    base_url str
    Default URL to use when the auth server needs to redirect or link back to the client.
    client_authenticator_type str
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    client_id str
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    client_offline_session_idle_timeout str
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    client_offline_session_max_lifespan str
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    client_secret str
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    client_session_idle_timeout str
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    client_session_max_lifespan str
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    consent_required bool
    When true, users have to consent to client access. Defaults to false.
    consent_screen_text str
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    description str
    The description of this client in the GUI.
    direct_access_grants_enabled bool
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    display_on_consent_screen bool
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    enabled bool
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    exclude_session_state_from_auth_response bool
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    extra_config Mapping[str, str]
    frontchannel_logout_enabled bool
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    frontchannel_logout_url str
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    full_scope_allowed bool
    Allows all role mappings to be included in the access token.
    implicit_flow_enabled bool
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    import_ bool
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note that the client will not be removed during destruction if import is true.
    login_theme str
    The client login theme. This will override the default theme for the realm.
    name str
    The display name of this client in the GUI.
    oauth2_device_authorization_grant_enabled bool
    Enables support for the OAuth 2.0 Device Authorization Grant, which means that the client is an application on a device that has limited input capabilities or lacks a suitable browser.
    oauth2_device_code_lifespan str
    The maximum amount of time a client has to finish the device code flow before it expires.
    oauth2_device_polling_interval str
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    pkce_code_challenge_method str
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256, or set to the empty value ``.
    realm_id str
    The realm this client is attached to.
    resource_server_id str
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    root_url str
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    service_account_user_id str
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    service_accounts_enabled bool
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    standard_flow_enabled bool
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    use_refresh_tokens bool
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    use_refresh_tokens_client_credentials bool
    If this is true and the client_credentials grant is used, a refresh_token will be created and added to the token response, and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    valid_post_logout_redirect_uris Sequence[str]
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    valid_redirect_uris Sequence[str]
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    web_origins Sequence[str]
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.
    accessTokenLifespan String
    The amount of time in seconds before an access token expires. This will override the default for the realm.
    accessType String
    Specifies the type of client, which can be one of the following:

    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
    adminUrl String
    URL to the admin interface of the client.
    authenticationFlowBindingOverrides Property Map
    Override realm authentication flow bindings
    authorization Property Map
    When this block is present, fine-grained authorization will be enabled for this client. The client's access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments:
    backchannelLogoutRevokeOfflineSessions Boolean
    Specifies whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
    backchannelLogoutSessionRequired Boolean
    When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true.
    backchannelLogoutUrl String
    The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case.
    baseUrl String
    Default URL to use when the auth server needs to redirect or link back to the client.
    clientAuthenticatorType String
    Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types:

    • client-secret (Default) Use client id and client secret to authenticate client.
    • client-jwt Use signed JWT to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    • client-x509 Use x509 certificate to authenticate client. Set Subject DN in extra_config with attributes.x509.subjectdn = <subjectDn>
    • client-secret-jwt Use signed JWT with client secret to authenticate client. Set signing algorithm in extra_config with attributes.token.endpoint.auth.signing.alg = <alg>
    clientId String
    The Client ID for this client, referenced in the URI during authentication and in issued tokens.
    clientOfflineSessionIdleTimeout String
    Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
    clientOfflineSessionMaxLifespan String
    Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
    clientSecret String
    The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
    clientSessionIdleTimeout String
    Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
    clientSessionMaxLifespan String
    Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
    consentRequired Boolean
    When true, users have to consent to client access. Defaults to false.
    consentScreenText String
    The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true.
    description String
    The description of this client in the GUI.
    directAccessGrantsEnabled Boolean
    When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
    displayOnConsentScreen Boolean
    When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true.
    enabled Boolean
    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
    excludeSessionStateFromAuthResponse Boolean
    When true, the parameter session_state will not be included in OpenID Connect Authentication Response.
    extraConfig Map<String>
    frontchannelLogoutEnabled Boolean
    When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false.
    frontchannelLogoutUrl String
    The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true.
    fullScopeAllowed Boolean
    Allows all role mappings to be included in the access token.
    implicitFlowEnabled Boolean
    When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
    import Boolean
    When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note that the client will not be removed during destruction if import is true.
    loginTheme String
    The client login theme. This will override the default theme for the realm.
    name String
    The display name of this client in the GUI.
    oauth2DeviceAuthorizationGrantEnabled Boolean
    Enables support for the OAuth 2.0 Device Authorization Grant, which means the client is an application on a device that has limited input capabilities or lacks a suitable browser.
    oauth2DeviceCodeLifespan String
    The maximum amount of time a client has to finish the device code flow before it expires.
    oauth2DevicePollingInterval String
    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
    pkceCodeChallengeMethod String
    The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256 or set to empty value ``.
    realmId String
    The realm this client is attached to.
    resourceServerId String
    (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the .id attribute).
    rootUrl String
    When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required.
    serviceAccountUserId String
    (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
    serviceAccountsEnabled Boolean
    When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
    standardFlowEnabled Boolean
    When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
    useRefreshTokens Boolean
    If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true.
    useRefreshTokensClientCredentials Boolean
    If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false.
    validPostLogoutRedirectUris List<String>
    A list of valid URIs a browser is permitted to redirect to after a successful logout.
    validRedirectUris List<String>
    A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
    webOrigins List<String>
    A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *.

    Supporting Types

    ClientAuthenticationFlowBindingOverrides, ClientAuthenticationFlowBindingOverridesArgs

    BrowserId string
    Browser flow id, (flow needs to exist)
    DirectGrantId string
    Direct grant flow id (flow needs to exist)
    BrowserId string
    Browser flow id, (flow needs to exist)
    DirectGrantId string
    Direct grant flow id (flow needs to exist)
    browserId String
    Browser flow id, (flow needs to exist)
    directGrantId String
    Direct grant flow id (flow needs to exist)
    browserId string
    Browser flow id, (flow needs to exist)
    directGrantId string
    Direct grant flow id (flow needs to exist)
    browser_id str
    Browser flow id, (flow needs to exist)
    direct_grant_id str
    Direct grant flow id (flow needs to exist)
    browserId String
    Browser flow id, (flow needs to exist)
    directGrantId String
    Direct grant flow id (flow needs to exist)

    ClientAuthorization, ClientAuthorizationArgs

    PolicyEnforcementMode string
    Dictates how policies are enforced when evaluating authorization requests. Can be one of ENFORCING, PERMISSIVE, or DISABLED.
    AllowRemoteResourceManagement bool
    When true, resources can be managed remotely by the resource server. Defaults to false.
    DecisionStrategy string
    Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
    KeepDefaults bool
    When true, defaults set by Keycloak will be respected. Defaults to false.
    PolicyEnforcementMode string
    Dictates how policies are enforced when evaluating authorization requests. Can be one of ENFORCING, PERMISSIVE, or DISABLED.
    AllowRemoteResourceManagement bool
    When true, resources can be managed remotely by the resource server. Defaults to false.
    DecisionStrategy string
    Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
    KeepDefaults bool
    When true, defaults set by Keycloak will be respected. Defaults to false.
    policyEnforcementMode String
    Dictates how policies are enforced when evaluating authorization requests. Can be one of ENFORCING, PERMISSIVE, or DISABLED.
    allowRemoteResourceManagement Boolean
    When true, resources can be managed remotely by the resource server. Defaults to false.
    decisionStrategy String
    Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
    keepDefaults Boolean
    When true, defaults set by Keycloak will be respected. Defaults to false.
    policyEnforcementMode string
    Dictates how policies are enforced when evaluating authorization requests. Can be one of ENFORCING, PERMISSIVE, or DISABLED.
    allowRemoteResourceManagement boolean
    When true, resources can be managed remotely by the resource server. Defaults to false.
    decisionStrategy string
    Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
    keepDefaults boolean
    When true, defaults set by Keycloak will be respected. Defaults to false.
    policy_enforcement_mode str
    Dictates how policies are enforced when evaluating authorization requests. Can be one of ENFORCING, PERMISSIVE, or DISABLED.
    allow_remote_resource_management bool
    When true, resources can be managed remotely by the resource server. Defaults to false.
    decision_strategy str
    Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
    keep_defaults bool
    When true, defaults set by Keycloak will be respected. Defaults to false.
    policyEnforcementMode String
    Dictates how policies are enforced when evaluating authorization requests. Can be one of ENFORCING, PERMISSIVE, or DISABLED.
    allowRemoteResourceManagement Boolean
    When true, resources can be managed remotely by the resource server. Defaults to false.
    decisionStrategy String
    Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
    keepDefaults Boolean
    When true, defaults set by Keycloak will be respected. Defaults to false.

    Import

    Clients can be imported using the format {{realm_id}}/{{client_keycloak_id}}, where client_keycloak_id is the unique ID that Keycloak

    assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID.

    Example:

    bash

    $ pulumi import keycloak:openid/client:Client openid_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Keycloak pulumi/pulumi-keycloak
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the keycloak Terraform Provider.