Keycloak

v4.11.0 published on Thursday, Aug 4, 2022 by Pulumi

getClientAuthorizationPolicy

This data source can be used to fetch policy and permission information for an OpenID client that has authorization enabled.

Example Usage

In this example, we'll create a new OpenID client with authorization enabled. This will cause Keycloak to create a default

using Pulumi;
using Keycloak = Pulumi.Keycloak;

class MyStack : Stack
{
    public MyStack()
    {
        var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
        {
            RealmName = "my-realm",
            Enabled = true,
        });
        var clientWithAuthz = new Keycloak.OpenId.Client("clientWithAuthz", new Keycloak.OpenId.ClientArgs
        {
            ClientId = "client-with-authz",
            RealmId = realm.Id,
            AccessType = "CONFIDENTIAL",
            ServiceAccountsEnabled = true,
            Authorization = new Keycloak.OpenId.Inputs.ClientAuthorizationArgs
            {
                PolicyEnforcementMode = "ENFORCING",
            },
        });
        var defaultPermission = Keycloak.OpenId.GetClientAuthorizationPolicy.Invoke(new Keycloak.OpenId.GetClientAuthorizationPolicyInvokeArgs
        {
            RealmId = realm.Id,
            ResourceServerId = clientWithAuthz.ResourceServerId,
            Name = "Default Permission",
        });
        var resource = new Keycloak.OpenId.ClientAuthorizationResource("resource", new Keycloak.OpenId.ClientAuthorizationResourceArgs
        {
            ResourceServerId = clientWithAuthz.ResourceServerId,
            RealmId = realm.Id,
            Uris = 
            {
                "/endpoint/*",
            },
            Attributes = 
            {
                { "foo", "bar" },
            },
        });
        var permission = new Keycloak.OpenId.ClientAuthorizationPermission("permission", new Keycloak.OpenId.ClientAuthorizationPermissionArgs
        {
            ResourceServerId = clientWithAuthz.ResourceServerId,
            RealmId = realm.Id,
            Policies = 
            {
                defaultPermission.Apply(defaultPermission => defaultPermission.Id),
            },
            Resources = 
            {
                resource.Id,
            },
        });
    }

}

package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v4/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v4/go/keycloak/openid"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		clientWithAuthz, err := openid.NewClient(ctx, "clientWithAuthz", &openid.ClientArgs{
			ClientId:               pulumi.String("client-with-authz"),
			RealmId:                realm.ID(),
			AccessType:             pulumi.String("CONFIDENTIAL"),
			ServiceAccountsEnabled: pulumi.Bool(true),
			Authorization: &openid.ClientAuthorizationArgs{
				PolicyEnforcementMode: pulumi.String("ENFORCING"),
			},
		})
		if err != nil {
			return err
		}
		defaultPermission := openid.GetClientAuthorizationPolicyOutput(ctx, openid.GetClientAuthorizationPolicyOutputArgs{
			RealmId:          realm.ID(),
			ResourceServerId: clientWithAuthz.ResourceServerId,
			Name:             pulumi.String("Default Permission"),
		}, nil)
		resource, err := openid.NewClientAuthorizationResource(ctx, "resource", &openid.ClientAuthorizationResourceArgs{
			ResourceServerId: clientWithAuthz.ResourceServerId,
			RealmId:          realm.ID(),
			Uris: pulumi.StringArray{
				pulumi.String("/endpoint/*"),
			},
			Attributes: pulumi.AnyMap{
				"foo": pulumi.Any("bar"),
			},
		})
		if err != nil {
			return err
		}
		_, err = openid.NewClientAuthorizationPermission(ctx, "permission", &openid.ClientAuthorizationPermissionArgs{
			ResourceServerId: clientWithAuthz.ResourceServerId,
			RealmId:          realm.ID(),
			Policies: pulumi.StringArray{
				defaultPermission.ApplyT(func(defaultPermission openid.GetClientAuthorizationPolicyResult) (string, error) {
					return defaultPermission.Id, nil
				}).(pulumi.StringOutput),
			},
			Resources: pulumi.StringArray{
				resource.ID(),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.openid.inputs.ClientAuthorizationArgs;
import com.pulumi.keycloak.openid.OpenidFunctions;
import com.pulumi.keycloak.openid.inputs.GetClientAuthorizationPolicyArgs;
import com.pulumi.keycloak.openid.ClientAuthorizationResource;
import com.pulumi.keycloak.openid.ClientAuthorizationResourceArgs;
import com.pulumi.keycloak.openid.ClientAuthorizationPermission;
import com.pulumi.keycloak.openid.ClientAuthorizationPermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()        
            .realm("my-realm")
            .enabled(true)
            .build());

        var clientWithAuthz = new Client("clientWithAuthz", ClientArgs.builder()        
            .clientId("client-with-authz")
            .realmId(realm.id())
            .accessType("CONFIDENTIAL")
            .serviceAccountsEnabled(true)
            .authorization(ClientAuthorizationArgs.builder()
                .policyEnforcementMode("ENFORCING")
                .build())
            .build());

        final var defaultPermission = OpenidFunctions.getClientAuthorizationPolicy(GetClientAuthorizationPolicyArgs.builder()
            .realmId(realm.id())
            .resourceServerId(clientWithAuthz.resourceServerId())
            .name("Default Permission")
            .build());

        var resource = new ClientAuthorizationResource("resource", ClientAuthorizationResourceArgs.builder()        
            .resourceServerId(clientWithAuthz.resourceServerId())
            .realmId(realm.id())
            .uris("/endpoint/*")
            .attributes(Map.of("foo", "bar"))
            .build());

        var permission = new ClientAuthorizationPermission("permission", ClientAuthorizationPermissionArgs.builder()        
            .resourceServerId(clientWithAuthz.resourceServerId())
            .realmId(realm.id())
            .policies(defaultPermission.applyValue(getClientAuthorizationPolicyResult -> getClientAuthorizationPolicyResult).applyValue(defaultPermission -> defaultPermission.applyValue(getClientAuthorizationPolicyResult -> getClientAuthorizationPolicyResult.id())))
            .resources(resource.id())
            .build());

    }
}

import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
client_with_authz = keycloak.openid.Client("clientWithAuthz",
    client_id="client-with-authz",
    realm_id=realm.id,
    access_type="CONFIDENTIAL",
    service_accounts_enabled=True,
    authorization=keycloak.openid.ClientAuthorizationArgs(
        policy_enforcement_mode="ENFORCING",
    ))
default_permission = keycloak.openid.get_client_authorization_policy_output(realm_id=realm.id,
    resource_server_id=client_with_authz.resource_server_id,
    name="Default Permission")
resource = keycloak.openid.ClientAuthorizationResource("resource",
    resource_server_id=client_with_authz.resource_server_id,
    realm_id=realm.id,
    uris=["/endpoint/*"],
    attributes={
        "foo": "bar",
    })
permission = keycloak.openid.ClientAuthorizationPermission("permission",
    resource_server_id=client_with_authz.resource_server_id,
    realm_id=realm.id,
    policies=[default_permission.id],
    resources=[resource.id])

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const clientWithAuthz = new keycloak.openid.Client("clientWithAuthz", {
    clientId: "client-with-authz",
    realmId: realm.id,
    accessType: "CONFIDENTIAL",
    serviceAccountsEnabled: true,
    authorization: {
        policyEnforcementMode: "ENFORCING",
    },
});
const defaultPermission = keycloak.openid.getClientAuthorizationPolicyOutput({
    realmId: realm.id,
    resourceServerId: clientWithAuthz.resourceServerId,
    name: "Default Permission",
});
const resource = new keycloak.openid.ClientAuthorizationResource("resource", {
    resourceServerId: clientWithAuthz.resourceServerId,
    realmId: realm.id,
    uris: ["/endpoint/*"],
    attributes: {
        foo: "bar",
    },
});
const permission = new keycloak.openid.ClientAuthorizationPermission("permission", {
    resourceServerId: clientWithAuthz.resourceServerId,
    realmId: realm.id,
    policies: [defaultPermission.apply(defaultPermission => defaultPermission.id)],
    resources: [resource.id],
});

resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  clientWithAuthz:
    type: keycloak:openid:Client
    properties:
      clientId: client-with-authz
      realmId: ${realm.id}
      accessType: CONFIDENTIAL
      serviceAccountsEnabled: true
      authorization:
        policyEnforcementMode: ENFORCING
  resource:
    type: keycloak:openid:ClientAuthorizationResource
    properties:
      resourceServerId: ${clientWithAuthz.resourceServerId}
      realmId: ${realm.id}
      uris:
        - /endpoint/*
      attributes:
        foo: bar
  permission:
    type: keycloak:openid:ClientAuthorizationPermission
    properties:
      resourceServerId: ${clientWithAuthz.resourceServerId}
      realmId: ${realm.id}
      policies:
        - ${defaultPermission.id}
      resources:
        - ${resource.id}
variables:
  defaultPermission:
    Fn::Invoke:
      Function: keycloak:openid:getClientAuthorizationPolicy
      Arguments:
        realmId: ${realm.id}
        resourceServerId: ${clientWithAuthz.resourceServerId}
        name: Default Permission

Using getClientAuthorizationPolicy

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getClientAuthorizationPolicy(args: GetClientAuthorizationPolicyArgs, opts?: InvokeOptions): Promise<GetClientAuthorizationPolicyResult>
function getClientAuthorizationPolicyOutput(args: GetClientAuthorizationPolicyOutputArgs, opts?: InvokeOptions): Output<GetClientAuthorizationPolicyResult>

def get_client_authorization_policy(name: Optional[str] = None,
                                    realm_id: Optional[str] = None,
                                    resource_server_id: Optional[str] = None,
                                    opts: Optional[InvokeOptions] = None) -> GetClientAuthorizationPolicyResult
def get_client_authorization_policy_output(name: Optional[pulumi.Input[str]] = None,
                                    realm_id: Optional[pulumi.Input[str]] = None,
                                    resource_server_id: Optional[pulumi.Input[str]] = None,
                                    opts: Optional[InvokeOptions] = None) -> Output[GetClientAuthorizationPolicyResult]

func GetClientAuthorizationPolicy(ctx *Context, args *GetClientAuthorizationPolicyArgs, opts ...InvokeOption) (*GetClientAuthorizationPolicyResult, error)
func GetClientAuthorizationPolicyOutput(ctx *Context, args *GetClientAuthorizationPolicyOutputArgs, opts ...InvokeOption) GetClientAuthorizationPolicyResultOutput

> Note: This function is named GetClientAuthorizationPolicy in the Go SDK.

public static class GetClientAuthorizationPolicy 
{
    public static Task<GetClientAuthorizationPolicyResult> InvokeAsync(GetClientAuthorizationPolicyArgs args, InvokeOptions? opts = null)
    public static Output<GetClientAuthorizationPolicyResult> Invoke(GetClientAuthorizationPolicyInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetClientAuthorizationPolicyResult> getClientAuthorizationPolicy(GetClientAuthorizationPolicyArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet

fn::invoke:
  function: keycloak:openid/getClientAuthorizationPolicy:getClientAuthorizationPolicy
  arguments:
    # arguments dictionary

The following arguments are supported:

Name string: The name of the authorization policy.
RealmId string: The realm this authorization policy exists within.
ResourceServerId string: The ID of the resource server this authorization policy is attached to.

Name string: The name of the authorization policy.
RealmId string: The realm this authorization policy exists within.
ResourceServerId string: The ID of the resource server this authorization policy is attached to.

name String: The name of the authorization policy.
realmId String: The realm this authorization policy exists within.
resourceServerId String: The ID of the resource server this authorization policy is attached to.

name string: The name of the authorization policy.
realmId string: The realm this authorization policy exists within.
resourceServerId string: The ID of the resource server this authorization policy is attached to.

name str: The name of the authorization policy.
realm_id str: The realm this authorization policy exists within.
resource_server_id str: The ID of the resource server this authorization policy is attached to.

name String: The name of the authorization policy.
realmId String: The realm this authorization policy exists within.
resourceServerId String: The ID of the resource server this authorization policy is attached to.

getClientAuthorizationPolicy Result

The following output properties are available:

DecisionStrategy string: (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
Id string: The provider-assigned unique ID for this managed resource.
Logic string: (Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
Name string
Owner string: (Computed) The ID of the owning resource. Applies to resources.
Policies List<string>: (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
RealmId string
ResourceServerId string
Resources List<string>: (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
Scopes List<string>: (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
Type string: (Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js.

DecisionStrategy string: (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
Id string: The provider-assigned unique ID for this managed resource.
Logic string: (Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
Name string
Owner string: (Computed) The ID of the owning resource. Applies to resources.
Policies []string: (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
RealmId string
ResourceServerId string
Resources []string: (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
Scopes []string: (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
Type string: (Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js.

decisionStrategy String: (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
id String: The provider-assigned unique ID for this managed resource.
logic String: (Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
name String
owner String: (Computed) The ID of the owning resource. Applies to resources.
policies List<String>: (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
realmId String
resourceServerId String
resources List<String>: (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
scopes List<String>: (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
type String: (Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js.

decisionStrategy string: (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
id string: The provider-assigned unique ID for this managed resource.
logic string: (Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
name string
owner string: (Computed) The ID of the owning resource. Applies to resources.
policies string[]: (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
realmId string
resourceServerId string
resources string[]: (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
scopes string[]: (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
type string: (Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js.

decision_strategy str: (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
id str: The provider-assigned unique ID for this managed resource.
logic str: (Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
name str
owner str: (Computed) The ID of the owning resource. Applies to resources.
policies Sequence[str]: (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
realm_id str
resource_server_id str
resources Sequence[str]: (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
scopes Sequence[str]: (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
type str: (Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js.

decisionStrategy String: (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
id String: The provider-assigned unique ID for this managed resource.
logic String: (Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
name String
owner String: (Computed) The ID of the owning resource. Applies to resources.
policies List<String>: (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
realmId String
resourceServerId String
resources List<String>: (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
scopes List<String>: (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
type String: (Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js.

Package Details

Repository: https://github.com/pulumi/pulumi-keycloak
License: Apache-2.0
Notes: This Pulumi package is based on the keycloak Terraform Provider.