Docs Home
Keycloak v6.5.0 published on Tuesday, May 13, 2025 by Pulumi
keycloak.openid.getClientAuthorizationPolicy
Explore with Pulumi AI
This data source can be used to fetch policy and permission information for an OpenID client that has authorization enabled.
Example Usage
In this example, we’ll create a new OpenID client with authorization enabled. This will cause Keycloak to create a default
permission for this client called “Default Permission”. We’ll use the keycloak.openid.getClientAuthorizationPolicy data
source to fetch information about this permission, so we can use it to create a new resource-based authorization permission.
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const clientWithAuthz = new keycloak.openid.Client("client_with_authz", {
clientId: "client-with-authz",
name: "client-with-authz",
realmId: realm.id,
accessType: "CONFIDENTIAL",
serviceAccountsEnabled: true,
authorization: {
policyEnforcementMode: "ENFORCING",
},
});
const defaultPermission = keycloak.openid.getClientAuthorizationPolicyOutput({
realmId: realm.id,
resourceServerId: clientWithAuthz.resourceServerId,
name: "Default Permission",
});
const resource = new keycloak.openid.ClientAuthorizationResource("resource", {
resourceServerId: clientWithAuthz.resourceServerId,
name: "authorization-resource",
realmId: realm.id,
uris: ["/endpoint/*"],
attributes: {
foo: "bar",
},
});
const permission = new keycloak.openid.ClientAuthorizationPermission("permission", {
resourceServerId: clientWithAuthz.resourceServerId,
realmId: realm.id,
name: "authorization-permission",
policies: [defaultPermission.apply(defaultPermission => defaultPermission.id)],
resources: [resource.id],
});
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
client_with_authz = keycloak.openid.Client("client_with_authz",
client_id="client-with-authz",
name="client-with-authz",
realm_id=realm.id,
access_type="CONFIDENTIAL",
service_accounts_enabled=True,
authorization={
"policy_enforcement_mode": "ENFORCING",
})
default_permission = keycloak.openid.get_client_authorization_policy_output(realm_id=realm.id,
resource_server_id=client_with_authz.resource_server_id,
name="Default Permission")
resource = keycloak.openid.ClientAuthorizationResource("resource",
resource_server_id=client_with_authz.resource_server_id,
name="authorization-resource",
realm_id=realm.id,
uris=["/endpoint/*"],
attributes={
"foo": "bar",
})
permission = keycloak.openid.ClientAuthorizationPermission("permission",
resource_server_id=client_with_authz.resource_server_id,
realm_id=realm.id,
name="authorization-permission",
policies=[default_permission.id],
resources=[resource.id])
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
clientWithAuthz, err := openid.NewClient(ctx, "client_with_authz", &openid.ClientArgs{
ClientId: pulumi.String("client-with-authz"),
Name: pulumi.String("client-with-authz"),
RealmId: realm.ID(),
AccessType: pulumi.String("CONFIDENTIAL"),
ServiceAccountsEnabled: pulumi.Bool(true),
Authorization: &openid.ClientAuthorizationArgs{
PolicyEnforcementMode: pulumi.String("ENFORCING"),
},
})
if err != nil {
return err
}
defaultPermission := openid.GetClientAuthorizationPolicyOutput(ctx, openid.GetClientAuthorizationPolicyOutputArgs{
RealmId: realm.ID(),
ResourceServerId: clientWithAuthz.ResourceServerId,
Name: pulumi.String("Default Permission"),
}, nil)
resource, err := openid.NewClientAuthorizationResource(ctx, "resource", &openid.ClientAuthorizationResourceArgs{
ResourceServerId: clientWithAuthz.ResourceServerId,
Name: pulumi.String("authorization-resource"),
RealmId: realm.ID(),
Uris: pulumi.StringArray{
pulumi.String("/endpoint/*"),
},
Attributes: pulumi.StringMap{
"foo": pulumi.String("bar"),
},
})
if err != nil {
return err
}
_, err = openid.NewClientAuthorizationPermission(ctx, "permission", &openid.ClientAuthorizationPermissionArgs{
ResourceServerId: clientWithAuthz.ResourceServerId,
RealmId: realm.ID(),
Name: pulumi.String("authorization-permission"),
Policies: pulumi.StringArray{
pulumi.String(defaultPermission.ApplyT(func(defaultPermission openid.GetClientAuthorizationPolicyResult) (*string, error) {
return &defaultPermission.Id, nil
}).(pulumi.StringPtrOutput)),
},
Resources: pulumi.StringArray{
resource.ID(),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var clientWithAuthz = new Keycloak.OpenId.Client("client_with_authz", new()
{
ClientId = "client-with-authz",
Name = "client-with-authz",
RealmId = realm.Id,
AccessType = "CONFIDENTIAL",
ServiceAccountsEnabled = true,
Authorization = new Keycloak.OpenId.Inputs.ClientAuthorizationArgs
{
PolicyEnforcementMode = "ENFORCING",
},
});
var defaultPermission = Keycloak.OpenId.GetClientAuthorizationPolicy.Invoke(new()
{
RealmId = realm.Id,
ResourceServerId = clientWithAuthz.ResourceServerId,
Name = "Default Permission",
});
var resource = new Keycloak.OpenId.ClientAuthorizationResource("resource", new()
{
ResourceServerId = clientWithAuthz.ResourceServerId,
Name = "authorization-resource",
RealmId = realm.Id,
Uris = new[]
{
"/endpoint/*",
},
Attributes =
{
{ "foo", "bar" },
},
});
var permission = new Keycloak.OpenId.ClientAuthorizationPermission("permission", new()
{
ResourceServerId = clientWithAuthz.ResourceServerId,
RealmId = realm.Id,
Name = "authorization-permission",
Policies = new[]
{
defaultPermission.Apply(getClientAuthorizationPolicyResult => getClientAuthorizationPolicyResult.Id),
},
Resources = new[]
{
resource.Id,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.openid.inputs.ClientAuthorizationArgs;
import com.pulumi.keycloak.openid.OpenidFunctions;
import com.pulumi.keycloak.openid.inputs.GetClientAuthorizationPolicyArgs;
import com.pulumi.keycloak.openid.ClientAuthorizationResource;
import com.pulumi.keycloak.openid.ClientAuthorizationResourceArgs;
import com.pulumi.keycloak.openid.ClientAuthorizationPermission;
import com.pulumi.keycloak.openid.ClientAuthorizationPermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var clientWithAuthz = new Client("clientWithAuthz", ClientArgs.builder()
.clientId("client-with-authz")
.name("client-with-authz")
.realmId(realm.id())
.accessType("CONFIDENTIAL")
.serviceAccountsEnabled(true)
.authorization(ClientAuthorizationArgs.builder()
.policyEnforcementMode("ENFORCING")
.build())
.build());
final var defaultPermission = OpenidFunctions.getClientAuthorizationPolicy(GetClientAuthorizationPolicyArgs.builder()
.realmId(realm.id())
.resourceServerId(clientWithAuthz.resourceServerId())
.name("Default Permission")
.build());
var resource = new ClientAuthorizationResource("resource", ClientAuthorizationResourceArgs.builder()
.resourceServerId(clientWithAuthz.resourceServerId())
.name("authorization-resource")
.realmId(realm.id())
.uris("/endpoint/*")
.attributes(Map.of("foo", "bar"))
.build());
var permission = new ClientAuthorizationPermission("permission", ClientAuthorizationPermissionArgs.builder()
.resourceServerId(clientWithAuthz.resourceServerId())
.realmId(realm.id())
.name("authorization-permission")
.policies(defaultPermission.applyValue(_defaultPermission -> _defaultPermission.id()))
.resources(resource.id())
.build());
}
}
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
clientWithAuthz:
type: keycloak:openid:Client
name: client_with_authz
properties:
clientId: client-with-authz
name: client-with-authz
realmId: ${realm.id}
accessType: CONFIDENTIAL
serviceAccountsEnabled: true
authorization:
policyEnforcementMode: ENFORCING
resource:
type: keycloak:openid:ClientAuthorizationResource
properties:
resourceServerId: ${clientWithAuthz.resourceServerId}
name: authorization-resource
realmId: ${realm.id}
uris:
- /endpoint/*
attributes:
foo: bar
permission:
type: keycloak:openid:ClientAuthorizationPermission
properties:
resourceServerId: ${clientWithAuthz.resourceServerId}
realmId: ${realm.id}
name: authorization-permission
policies:
- ${defaultPermission.id}
resources:
- ${resource.id}
variables:
defaultPermission:
fn::invoke:
function: keycloak:openid:getClientAuthorizationPolicy
arguments:
realmId: ${realm.id}
resourceServerId: ${clientWithAuthz.resourceServerId}
name: Default Permission
Using getClientAuthorizationPolicy
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getClientAuthorizationPolicy(args: GetClientAuthorizationPolicyArgs, opts?: InvokeOptions): Promise<GetClientAuthorizationPolicyResult>
function getClientAuthorizationPolicyOutput(args: GetClientAuthorizationPolicyOutputArgs, opts?: InvokeOptions): Output<GetClientAuthorizationPolicyResult>def get_client_authorization_policy(name: Optional[str] = None,
realm_id: Optional[str] = None,
resource_server_id: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetClientAuthorizationPolicyResult
def get_client_authorization_policy_output(name: Optional[pulumi.Input[str]] = None,
realm_id: Optional[pulumi.Input[str]] = None,
resource_server_id: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetClientAuthorizationPolicyResult]func GetClientAuthorizationPolicy(ctx *Context, args *GetClientAuthorizationPolicyArgs, opts ...InvokeOption) (*GetClientAuthorizationPolicyResult, error)
func GetClientAuthorizationPolicyOutput(ctx *Context, args *GetClientAuthorizationPolicyOutputArgs, opts ...InvokeOption) GetClientAuthorizationPolicyResultOutput> Note: This function is named GetClientAuthorizationPolicy in the Go SDK.
public static class GetClientAuthorizationPolicy
{
public static Task<GetClientAuthorizationPolicyResult> InvokeAsync(GetClientAuthorizationPolicyArgs args, InvokeOptions? opts = null)
public static Output<GetClientAuthorizationPolicyResult> Invoke(GetClientAuthorizationPolicyInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetClientAuthorizationPolicyResult> getClientAuthorizationPolicy(GetClientAuthorizationPolicyArgs args, InvokeOptions options)
public static Output<GetClientAuthorizationPolicyResult> getClientAuthorizationPolicy(GetClientAuthorizationPolicyArgs args, InvokeOptions options)
fn::invoke:
function: keycloak:openid/getClientAuthorizationPolicy:getClientAuthorizationPolicy
arguments:
# arguments dictionaryThe following arguments are supported:
- Name string
- The name of the authorization policy.
- Realm
Id string - The realm this authorization policy exists within.
- Resource
Server stringId - The ID of the resource server this authorization policy is attached to.
- Name string
- The name of the authorization policy.
- Realm
Id string - The realm this authorization policy exists within.
- Resource
Server stringId - The ID of the resource server this authorization policy is attached to.
- name String
- The name of the authorization policy.
- realm
Id String - The realm this authorization policy exists within.
- resource
Server StringId - The ID of the resource server this authorization policy is attached to.
- name string
- The name of the authorization policy.
- realm
Id string - The realm this authorization policy exists within.
- resource
Server stringId - The ID of the resource server this authorization policy is attached to.
- name str
- The name of the authorization policy.
- realm_
id str - The realm this authorization policy exists within.
- resource_
server_ strid - The ID of the resource server this authorization policy is attached to.
- name String
- The name of the authorization policy.
- realm
Id String - The realm this authorization policy exists within.
- resource
Server StringId - The ID of the resource server this authorization policy is attached to.
getClientAuthorizationPolicy Result
The following output properties are available:
- Decision
Strategy string - (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of
AFFIRMATIVE,CONSENSUS, orUNANIMOUS. Applies to permissions. - Id string
- The provider-assigned unique ID for this managed resource.
- Logic string
- (Computed) Dictates how the policy decision should be made. Can be either
POSITIVEorNEGATIVE. Applies to policies. - Name string
- Owner string
- (Computed) The ID of the owning resource. Applies to resources.
- Policies List<string>
- (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
- Realm
Id string - Resource
Server stringId - Resources List<string>
- (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
- Scopes List<string>
- (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
- Type string
- (Computed) The type of this policy / permission. For permissions, this could be
resourceorscope. For policies, this could be any type of authorization policy, such asjs.
- Decision
Strategy string - (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of
AFFIRMATIVE,CONSENSUS, orUNANIMOUS. Applies to permissions. - Id string
- The provider-assigned unique ID for this managed resource.
- Logic string
- (Computed) Dictates how the policy decision should be made. Can be either
POSITIVEorNEGATIVE. Applies to policies. - Name string
- Owner string
- (Computed) The ID of the owning resource. Applies to resources.
- Policies []string
- (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
- Realm
Id string - Resource
Server stringId - Resources []string
- (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
- Scopes []string
- (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
- Type string
- (Computed) The type of this policy / permission. For permissions, this could be
resourceorscope. For policies, this could be any type of authorization policy, such asjs.
- decision
Strategy String - (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of
AFFIRMATIVE,CONSENSUS, orUNANIMOUS. Applies to permissions. - id String
- The provider-assigned unique ID for this managed resource.
- logic String
- (Computed) Dictates how the policy decision should be made. Can be either
POSITIVEorNEGATIVE. Applies to policies. - name String
- owner String
- (Computed) The ID of the owning resource. Applies to resources.
- policies List<String>
- (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
- realm
Id String - resource
Server StringId - resources List<String>
- (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
- scopes List<String>
- (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
- type String
- (Computed) The type of this policy / permission. For permissions, this could be
resourceorscope. For policies, this could be any type of authorization policy, such asjs.
- decision
Strategy string - (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of
AFFIRMATIVE,CONSENSUS, orUNANIMOUS. Applies to permissions. - id string
- The provider-assigned unique ID for this managed resource.
- logic string
- (Computed) Dictates how the policy decision should be made. Can be either
POSITIVEorNEGATIVE. Applies to policies. - name string
- owner string
- (Computed) The ID of the owning resource. Applies to resources.
- policies string[]
- (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
- realm
Id string - resource
Server stringId - resources string[]
- (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
- scopes string[]
- (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
- type string
- (Computed) The type of this policy / permission. For permissions, this could be
resourceorscope. For policies, this could be any type of authorization policy, such asjs.
- decision_
strategy str - (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of
AFFIRMATIVE,CONSENSUS, orUNANIMOUS. Applies to permissions. - id str
- The provider-assigned unique ID for this managed resource.
- logic str
- (Computed) Dictates how the policy decision should be made. Can be either
POSITIVEorNEGATIVE. Applies to policies. - name str
- owner str
- (Computed) The ID of the owning resource. Applies to resources.
- policies Sequence[str]
- (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
- realm_
id str - resource_
server_ strid - resources Sequence[str]
- (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
- scopes Sequence[str]
- (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
- type str
- (Computed) The type of this policy / permission. For permissions, this could be
resourceorscope. For policies, this could be any type of authorization policy, such asjs.
- decision
Strategy String - (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of
AFFIRMATIVE,CONSENSUS, orUNANIMOUS. Applies to permissions. - id String
- The provider-assigned unique ID for this managed resource.
- logic String
- (Computed) Dictates how the policy decision should be made. Can be either
POSITIVEorNEGATIVE. Applies to policies. - name String
- owner String
- (Computed) The ID of the owning resource. Applies to resources.
- policies List<String>
- (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
- realm
Id String - resource
Server StringId - resources List<String>
- (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
- scopes List<String>
- (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
- type String
- (Computed) The type of this policy / permission. For permissions, this could be
resourceorscope. For policies, this could be any type of authorization policy, such asjs.
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
keycloakTerraform Provider.