Keycloak
getClientAuthorizationPolicy
This data source can be used to fetch policy and permission information for an OpenID client that has authorization (Keycloak authorization services) enabled. The lookup is by `name` within the given realm and resource server; the returned `id` is the value other resources expect, for example in a `ClientAuthorizationPermission`'s `policies` list (see the example below).
Example Usage
using Pulumi;
using Keycloak = Pulumi.Keycloak;
/// <summary>
/// Example stack for the GetClientAuthorizationPolicy data source: turns on
/// Keycloak authorization services for a confidential client, looks up the
/// auto-created "Default Permission" by name, and reuses its ID as a policy
/// on a new resource-based permission covering /endpoint/*.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
        {
            RealmName = "my-realm",
            Enabled = true,
        });

        // The client is confidential and has a service account before
        // authorization is enabled on it; the example sets both together
        // (presumably a provider prerequisite — confirm in the provider docs).
        // NOTE(review): ENFORCING is the strict enforcement mode; keep it
        // unless there is a documented reason to relax enforcement.
        var authzClient = new Keycloak.OpenId.Client("clientWithAuthz", new Keycloak.OpenId.ClientArgs
        {
            ClientId = "client-with-authz",
            RealmId = realm.Id,
            AccessType = "CONFIDENTIAL",
            ServiceAccountsEnabled = true,
            Authorization = new Keycloak.OpenId.Inputs.ClientAuthorizationArgs
            {
                PolicyEnforcementMode = "ENFORCING",
            },
        });
        var resourceServerId = authzClient.ResourceServerId;

        // Policies are looked up by name within the resource server; the
        // result's Id is what other resources expect in their Policies list.
        var lookup = Keycloak.OpenId.GetClientAuthorizationPolicy.Invoke(new Keycloak.OpenId.GetClientAuthorizationPolicyInvokeArgs
        {
            RealmId = realm.Id,
            ResourceServerId = resourceServerId,
            Name = "Default Permission",
        });
        var defaultPermissionId = lookup.Apply(p => p.Id);

        // "/endpoint/*" is a URI pattern: everything under /endpoint becomes
        // one protected resource.
        var endpointResource = new Keycloak.OpenId.ClientAuthorizationResource("resource", new Keycloak.OpenId.ClientAuthorizationResourceArgs
        {
            ResourceServerId = resourceServerId,
            RealmId = realm.Id,
            Uris =
            {
                "/endpoint/*",
            },
            Attributes =
            {
                { "foo", "bar" },
            },
        });

        // NOTE(review): "Default Permission" is the permission Keycloak creates
        // automatically when authorization is enabled, and that default is
        // permissive; reusing it as the only policy here presumably grants
        // /endpoint/* to everyone the default admits. Confirm that is intended,
        // or reference a purpose-built role/group/user policy instead.
        var endpointPermission = new Keycloak.OpenId.ClientAuthorizationPermission("permission", new Keycloak.OpenId.ClientAuthorizationPermissionArgs
        {
            ResourceServerId = resourceServerId,
            RealmId = realm.Id,
            Policies =
            {
                defaultPermissionId,
            },
            Resources =
            {
                endpointResource.Id,
            },
        });
    }
}
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v4/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v4/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares the example stack: a realm, a confidential client with
// authorization services enabled, a lookup of the auto-created "Default
// Permission", and a new resource-based permission for /endpoint/* that
// reuses the looked-up permission as its policy.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}

		// Confidential client with a service account, then authorization
		// services in ENFORCING mode. NOTE(review): ENFORCING is the strict
		// mode; keep it unless there is a documented reason to relax it.
		authzClient, err := openid.NewClient(ctx, "clientWithAuthz", &openid.ClientArgs{
			ClientId:               pulumi.String("client-with-authz"),
			RealmId:                realm.ID(),
			AccessType:             pulumi.String("CONFIDENTIAL"),
			ServiceAccountsEnabled: pulumi.Bool(true),
			Authorization: &openid.ClientAuthorizationArgs{
				PolicyEnforcementMode: pulumi.String("ENFORCING"),
			},
		})
		if err != nil {
			return err
		}
		resourceServerID := authzClient.ResourceServerId

		// Lookup by name within the resource server; Id() on the result
		// output is the StringOutput that policy lists expect.
		lookup := openid.GetClientAuthorizationPolicyOutput(ctx, openid.GetClientAuthorizationPolicyOutputArgs{
			RealmId:          realm.ID(),
			ResourceServerId: resourceServerID,
			Name:             pulumi.String("Default Permission"),
		}, nil)
		defaultPermissionID := lookup.Id()

		// "/endpoint/*" is a URI pattern: everything under /endpoint is one
		// protected resource.
		endpointResource, err := openid.NewClientAuthorizationResource(ctx, "resource", &openid.ClientAuthorizationResourceArgs{
			ResourceServerId: resourceServerID,
			RealmId:          realm.ID(),
			Uris:             pulumi.StringArray{pulumi.String("/endpoint/*")},
			Attributes:       pulumi.AnyMap{"foo": pulumi.Any("bar")},
		})
		if err != nil {
			return err
		}

		// NOTE(review): "Default Permission" is the permission Keycloak creates
		// automatically when authorization is enabled, and that default is
		// permissive; reusing it as the only policy presumably grants
		// /endpoint/* to everyone the default admits. Confirm that is intended,
		// or reference a purpose-built role/group/user policy instead.
		if _, err := openid.NewClientAuthorizationPermission(ctx, "permission", &openid.ClientAuthorizationPermissionArgs{
			ResourceServerId: resourceServerID,
			RealmId:          realm.ID(),
			Policies:         pulumi.StringArray{defaultPermissionID},
			Resources:        pulumi.StringArray{endpointResource.ID()},
		}); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.openid.inputs.ClientAuthorizationArgs;
import com.pulumi.keycloak.openid.OpenidFunctions;
import com.pulumi.keycloak.openid.inputs.GetClientAuthorizationPolicyArgs;
import com.pulumi.keycloak.openid.ClientAuthorizationResource;
import com.pulumi.keycloak.openid.ClientAuthorizationResourceArgs;
import com.pulumi.keycloak.openid.ClientAuthorizationPermission;
import com.pulumi.keycloak.openid.ClientAuthorizationPermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
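/**
 * Example program for the getClientAuthorizationPolicy data source: enables
 * authorization services on a confidential client, looks up the auto-created
 * "Default Permission" by name and reuses its ID as a policy on a new
 * resource-based permission covering /endpoint/*.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the realm, the client, the policy lookup, the protected
     * resource and the permission that ties them together.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());

        // Confidential client with a service account, then authorization
        // services in ENFORCING mode. NOTE(review): ENFORCING is the strict
        // mode; keep it unless there is a documented reason to relax it.
        var clientWithAuthz = new Client("clientWithAuthz", ClientArgs.builder()
            .clientId("client-with-authz")
            .realmId(realm.id())
            .accessType("CONFIDENTIAL")
            .serviceAccountsEnabled(true)
            .authorization(ClientAuthorizationArgs.builder()
                .policyEnforcementMode("ENFORCING")
                .build())
            .build());

        // Lookup by name within the resource server; the result's id() is the
        // value policy lists expect.
        final var defaultPermission = OpenidFunctions.getClientAuthorizationPolicy(GetClientAuthorizationPolicyArgs.builder()
            .realmId(realm.id())
            .resourceServerId(clientWithAuthz.resourceServerId())
            .name("Default Permission")
            .build());

        // "/endpoint/*" is a URI pattern: everything under /endpoint is one
        // protected resource.
        var resource = new ClientAuthorizationResource("resource", ClientAuthorizationResourceArgs.builder()
            .resourceServerId(clientWithAuthz.resourceServerId())
            .realmId(realm.id())
            .uris("/endpoint/*")
            .attributes(Map.of("foo", "bar"))
            .build());

        // The generated example chained a second applyValue() onto the
        // unwrapped GetClientAuthorizationPolicyResult, which is a plain
        // value and not an Output; a single applyValue selecting the id is
        // all that is needed, mirroring how resource.id() is passed below.
        //
        // NOTE(review): "Default Permission" is the permission Keycloak creates
        // automatically when authorization is enabled, and that default is
        // permissive; reusing it as the only policy presumably grants
        // /endpoint/* to everyone the default admits. Confirm that is intended,
        // or reference a purpose-built role/group/user policy instead.
        var permission = new ClientAuthorizationPermission("permission", ClientAuthorizationPermissionArgs.builder()
            .resourceServerId(clientWithAuthz.resourceServerId())
            .realmId(realm.id())
            .policies(defaultPermission.applyValue(result -> result.id()))
            .resources(resource.id())
            .build());
    }
}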
import pulumi
import pulumi_keycloak as keycloak
# Example program for the get_client_authorization_policy data source: enables
# authorization services on a confidential client, looks up the auto-created
# "Default Permission" by name and reuses its ID as a policy on a new
# resource-based permission covering /endpoint/*.
realm = keycloak.Realm("realm", realm="my-realm", enabled=True)

# Confidential client with a service account, then authorization services in
# ENFORCING mode. NOTE(review): ENFORCING is the strict mode; keep it unless
# there is a documented reason to relax it.
authz_settings = keycloak.openid.ClientAuthorizationArgs(
    policy_enforcement_mode="ENFORCING",
)
authz_client = keycloak.openid.Client(
    "clientWithAuthz",
    client_id="client-with-authz",
    realm_id=realm.id,
    access_type="CONFIDENTIAL",
    service_accounts_enabled=True,
    authorization=authz_settings,
)
resource_server_id = authz_client.resource_server_id

# Lookup by name within the resource server; `.id` on the Output is lifted and
# is the value policy lists expect.
lookup = keycloak.openid.get_client_authorization_policy_output(
    realm_id=realm.id,
    resource_server_id=resource_server_id,
    name="Default Permission",
)
default_permission_id = lookup.id

# "/endpoint/*" is a URI pattern: everything under /endpoint is one protected
# resource.
endpoint_resource = keycloak.openid.ClientAuthorizationResource(
    "resource",
    resource_server_id=resource_server_id,
    realm_id=realm.id,
    uris=["/endpoint/*"],
    attributes={"foo": "bar"},
)

# NOTE(review): "Default Permission" is the permission Keycloak creates
# automatically when authorization is enabled, and that default is permissive;
# reusing it as the only policy presumably grants /endpoint/* to everyone the
# default admits. Confirm that is intended, or reference a purpose-built
# role/group/user policy instead.
endpoint_permission = keycloak.openid.ClientAuthorizationPermission(
    "permission",
    resource_server_id=resource_server_id,
    realm_id=realm.id,
    policies=[default_permission_id],
    resources=[endpoint_resource.id],
)
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
// Example program for the getClientAuthorizationPolicy data source: enables
// authorization services on a confidential client, looks up the auto-created
// "Default Permission" by name and reuses its ID as a policy on a new
// resource-based permission covering /endpoint/*.
const realm = new keycloak.Realm("realm", { realm: "my-realm", enabled: true });

// Confidential client with a service account, then authorization services in
// ENFORCING mode. NOTE(review): ENFORCING is the strict mode; keep it unless
// there is a documented reason to relax it.
const authzClient = new keycloak.openid.Client("clientWithAuthz", {
    clientId: "client-with-authz",
    realmId: realm.id,
    accessType: "CONFIDENTIAL",
    serviceAccountsEnabled: true,
    authorization: { policyEnforcementMode: "ENFORCING" },
});
const resourceServerId = authzClient.resourceServerId;

// Lookup by name within the resource server; `.id` on the Output is lifted and
// is the value policy lists expect.
const lookup = keycloak.openid.getClientAuthorizationPolicyOutput({
    realmId: realm.id,
    resourceServerId,
    name: "Default Permission",
});
const defaultPermissionId: pulumi.Output<string> = lookup.id;

// "/endpoint/*" is a URI pattern: everything under /endpoint is one protected
// resource.
const endpointResource = new keycloak.openid.ClientAuthorizationResource("resource", {
    resourceServerId,
    realmId: realm.id,
    uris: ["/endpoint/*"],
    attributes: { foo: "bar" },
});

// NOTE(review): "Default Permission" is the permission Keycloak creates
// automatically when authorization is enabled, and that default is permissive;
// reusing it as the only policy presumably grants /endpoint/* to everyone the
// default admits. Confirm that is intended, or reference a purpose-built
// role/group/user policy instead.
const endpointPermission = new keycloak.openid.ClientAuthorizationPermission("permission", {
    resourceServerId,
    realmId: realm.id,
    policies: [defaultPermissionId],
    resources: [endpointResource.id],
});
# Example program for the getClientAuthorizationPolicy data source: enables
# authorization services on a confidential client, looks up the auto-created
# "Default Permission" by name and reuses its ID as a policy on a new
# resource-based permission covering /endpoint/*.
resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  # Confidential client with a service account, then authorization services in
  # ENFORCING mode. NOTE(review): ENFORCING is the strict mode; keep it unless
  # there is a documented reason to relax it.
  clientWithAuthz:
    type: keycloak:openid:Client
    properties:
      clientId: client-with-authz
      realmId: ${realm.id}
      accessType: CONFIDENTIAL
      serviceAccountsEnabled: true
      authorization:
        policyEnforcementMode: ENFORCING
  # "/endpoint/*" is a URI pattern: everything under /endpoint is one
  # protected resource.
  resource:
    type: keycloak:openid:ClientAuthorizationResource
    properties:
      resourceServerId: ${clientWithAuthz.resourceServerId}
      realmId: ${realm.id}
      uris:
        - /endpoint/*
      attributes:
        foo: bar
  # NOTE(review): "Default Permission" is the permission Keycloak creates
  # automatically when authorization is enabled, and that default is
  # permissive; reusing it as the only policy presumably grants /endpoint/* to
  # everyone the default admits. Confirm that is intended, or reference a
  # purpose-built role/group/user policy instead.
  permission:
    type: keycloak:openid:ClientAuthorizationPermission
    properties:
      resourceServerId: ${clientWithAuthz.resourceServerId}
      realmId: ${realm.id}
      policies:
        - ${defaultPermission.id}
      resources:
        - ${resource.id}
variables:
  # Lookup by name within the resource server; the result's id is the value
  # the policies list above expects.
  defaultPermission:
    Fn::Invoke:
      Function: keycloak:openid:getClientAuthorizationPolicy
      Arguments:
        realmId: ${realm.id}
        resourceServerId: ${clientWithAuthz.resourceServerId}
        name: Default Permission
Using getClientAuthorizationPolicy
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getClientAuthorizationPolicy(args: GetClientAuthorizationPolicyArgs, opts?: InvokeOptions): Promise<GetClientAuthorizationPolicyResult>
function getClientAuthorizationPolicyOutput(args: GetClientAuthorizationPolicyOutputArgs, opts?: InvokeOptions): Output<GetClientAuthorizationPolicyResult>
def get_client_authorization_policy(name: Optional[str] = None,
realm_id: Optional[str] = None,
resource_server_id: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetClientAuthorizationPolicyResult
def get_client_authorization_policy_output(name: Optional[pulumi.Input[str]] = None,
realm_id: Optional[pulumi.Input[str]] = None,
resource_server_id: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetClientAuthorizationPolicyResult]
func GetClientAuthorizationPolicy(ctx *Context, args *GetClientAuthorizationPolicyArgs, opts ...InvokeOption) (*GetClientAuthorizationPolicyResult, error)
func GetClientAuthorizationPolicyOutput(ctx *Context, args *GetClientAuthorizationPolicyOutputArgs, opts ...InvokeOption) GetClientAuthorizationPolicyResultOutput
> Note: This function is named GetClientAuthorizationPolicy
in the Go SDK.
public static class GetClientAuthorizationPolicy
{
public static Task<GetClientAuthorizationPolicyResult> InvokeAsync(GetClientAuthorizationPolicyArgs args, InvokeOptions? opts = null)
public static Output<GetClientAuthorizationPolicyResult> Invoke(GetClientAuthorizationPolicyInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetClientAuthorizationPolicyResult> getClientAuthorizationPolicy(GetClientAuthorizationPolicyArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet (the Java example above, which calls applyValue on the result, assumes an Output-returning form — check which signature your SDK version provides)
Fn::Invoke:
Function: keycloak:openid/getClientAuthorizationPolicy:getClientAuthorizationPolicy
Arguments:
# Arguments dictionary
The following arguments are supported:
- Name string
The name of the authorization policy.
- RealmId string
The realm this authorization policy exists within.
- ResourceServerId string
The ID of the resource server this authorization policy is attached to.
- Name string
The name of the authorization policy.
- RealmId string
The realm this authorization policy exists within.
- ResourceServerId string
The ID of the resource server this authorization policy is attached to.
- name String
The name of the authorization policy.
- realmId String
The realm this authorization policy exists within.
- resourceServerId String
The ID of the resource server this authorization policy is attached to.
- name string
The name of the authorization policy.
- realmId string
The realm this authorization policy exists within.
- resourceServerId string
The ID of the resource server this authorization policy is attached to.
- name str
The name of the authorization policy.
- realm_id str
The realm this authorization policy exists within.
- resource_server_id str
The ID of the resource server this authorization policy is attached to.
- name String
The name of the authorization policy.
- realmId String
The realm this authorization policy exists within.
- resourceServerId String
The ID of the resource server this authorization policy is attached to.
getClientAuthorizationPolicy Result
The following output properties are available:
- DecisionStrategy string
(Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
- Id string
The ID of the matched policy or permission. This is the value other resources expect in their policy lists (see the example above).
- Logic string
(Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
- Name string
The name of the authorization policy, as passed in.
- Owner string
(Computed) The ID of the owning resource. Applies to resources.
- Policies List<string>
(Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
- RealmId string
The realm this authorization policy exists within.
- ResourceServerId string
The ID of the resource server this authorization policy is attached to.
- Resources List<string>
(Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
- Scopes List<string>
(Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
- Type string
(Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js (a JavaScript policy).
- DecisionStrategy string
(Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
- Id string
The ID of the matched policy or permission. This is the value other resources expect in their policy lists (see the example above).
- Logic string
(Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
- Name string
The name of the authorization policy, as passed in.
- Owner string
(Computed) The ID of the owning resource. Applies to resources.
- Policies []string
(Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
- RealmId string
The realm this authorization policy exists within.
- ResourceServerId string
The ID of the resource server this authorization policy is attached to.
- Resources []string
(Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
- Scopes []string
(Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
- Type string
(Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js (a JavaScript policy).
- decisionStrategy String
(Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
- id String
The ID of the matched policy or permission. This is the value other resources expect in their policy lists (see the example above).
- logic String
(Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
- name String
The name of the authorization policy, as passed in.
- owner String
(Computed) The ID of the owning resource. Applies to resources.
- policies List<String>
(Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
- realmId String
The realm this authorization policy exists within.
- resourceServerId String
The ID of the resource server this authorization policy is attached to.
- resources List<String>
(Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
- scopes List<String>
(Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
- type String
(Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js (a JavaScript policy).
- decisionStrategy string
(Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
- id string
The ID of the matched policy or permission. This is the value other resources expect in their policy lists (see the example above).
- logic string
(Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
- name string
The name of the authorization policy, as passed in.
- owner string
(Computed) The ID of the owning resource. Applies to resources.
- policies string[]
(Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
- realmId string
The realm this authorization policy exists within.
- resourceServerId string
The ID of the resource server this authorization policy is attached to.
- resources string[]
(Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
- scopes string[]
(Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
- type string
(Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js (a JavaScript policy).
- decision_strategy str
(Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
- id str
The ID of the matched policy or permission. This is the value other resources expect in their policy lists (see the example above).
- logic str
(Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
- name str
The name of the authorization policy, as passed in.
- owner str
(Computed) The ID of the owning resource. Applies to resources.
- policies Sequence[str]
(Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
- realm_id str
The realm this authorization policy exists within.
- resource_server_id str
The ID of the resource server this authorization policy is attached to.
- resources Sequence[str]
(Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
- scopes Sequence[str]
(Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
- type str
(Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js (a JavaScript policy).
- decisionStrategy String
(Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
- id String
The ID of the matched policy or permission. This is the value other resources expect in their policy lists (see the example above).
- logic String
(Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
- name String
The name of the authorization policy, as passed in.
- owner String
(Computed) The ID of the owning resource. Applies to resources.
- policies List<String>
(Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
- realmId String
The realm this authorization policy exists within.
- resourceServerId String
The ID of the resource server this authorization policy is attached to.
- resources List<String>
(Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
- scopes List<String>
(Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
- type String
(Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js (a JavaScript policy).
Package Details
- Repository
- https://github.com/pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
keycloak
Terraform Provider.