published on Monday, Mar 9, 2026 by Pulumi
Allows for creating and managing Realms within Keycloak.
A realm manages a logical collection of users, credentials, roles, and groups. Users log in to realms and can be federated from multiple sources.
Default Client Scopes
default_default_client_scopes - (Optional) A list of client scopes that every new client in the realm receives as default scopes. Defaults to [] or Keycloak's built-in default client scopes.
default_optional_client_scopes - (Optional) A list of client scopes that every new client in the realm receives as optional scopes. Defaults to [] or Keycloak's built-in optional client scopes.
Both lists are inherited by every client created afterwards, so review them to make sure clients are not handed claims, roles or mappers beyond what they need.
Example Usage
using Pulumi;
using Keycloak = Pulumi.Keycloak;
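class MyStack : Stack
{
    /// <summary>
    /// Declares a Keycloak realm with brute-force protection, hardened response
    /// headers, an SMTP server and a WebAuthn policy. The SMTP credential is read
    /// from stack configuration rather than being embedded in source.
    /// </summary>
    public MyStack()
    {
        // `pulumi config set --secret smtpPassword <value>`; RequireSecret keeps the
        // value encrypted in state and masked in CLI output.
        var config = new Config();
        var smtpPassword = config.RequireSecret("smtpPassword");

        var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
        {
            AccessCodeLifespan = "1h",
            Attributes =
            {
                { "mycustomAttribute", "myCustomValue" },
            },
            DisplayName = "my realm",
            // Rendered as raw HTML on the login page: only trusted markup belongs here.
            DisplayNameHtml = "<b>my realm</b>",
            Enabled = true,
            Internationalization = new Keycloak.Inputs.RealmInternationalizationArgs
            {
                DefaultLocale = "en",
                SupportedLocales =
                {
                    "en",
                    "de",
                    "es",
                },
            },
            LoginTheme = "base",
            PasswordPolicy = "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername",
            RealmName = "my-realm",
            SecurityDefenses = new Keycloak.Inputs.RealmSecurityDefensesArgs
            {
                // Temporary lockout (PermanentLockout = false): password spraying is
                // slowed down without letting an attacker lock users out for good.
                BruteForceDetection = new Keycloak.Inputs.RealmSecurityDefensesBruteForceDetectionArgs
                {
                    FailureResetTimeSeconds = 43200,
                    MaxFailureWaitSeconds = 900,
                    MaxLoginFailures = 30,
                    MinimumQuickLoginWaitSeconds = 60,
                    PermanentLockout = false,
                    QuickLoginCheckMilliSeconds = 1000,
                    WaitIncrementSeconds = 60,
                },
                Headers = new Keycloak.Inputs.RealmSecurityDefensesHeadersArgs
                {
                    ContentSecurityPolicy = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
                    ContentSecurityPolicyReportOnly = "",
                    StrictTransportSecurity = "max-age=31536000; includeSubDomains",
                    XContentTypeOptions = "nosniff",
                    XFrameOptions = "DENY",
                    XRobotsTag = "none",
                    // Legacy header: current browsers ignore it and rely on the CSP above.
                    XXssProtection = "1; mode=block",
                },
            },
            SmtpServer = new Keycloak.Inputs.RealmSmtpServerArgs
            {
                Auth = new Keycloak.Inputs.RealmSmtpServerAuthArgs
                {
                    Password = smtpPassword,
                    Username = "tom",
                },
                From = "example@example.com",
                Host = "smtp.example.com",
                // Upgrade the SMTP session to TLS so the credential is not sent in clear text.
                Starttls = true,
            },
            // "external" enforces TLS only for requests from non-private addresses;
            // use "all" when Keycloak is also reached over internal networks.
            SslRequired = "external",
            WebAuthnPolicy = new Keycloak.Inputs.RealmWebAuthnPolicyArgs
            {
                RelyingPartyEntityName = "Example",
                // Must equal the domain Keycloak is served from (or a registrable
                // suffix of it); browsers reject registrations otherwise.
                RelyingPartyId = "keycloak.example.com",
                SignatureAlgorithms =
                {
                    "ES256",
                    "RS256",
                },
            },
        });
    }
}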
package main
import (
	"github.com/pulumi/pulumi-keycloak/sdk/v4/go/keycloak"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)
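// main declares a Keycloak realm with brute-force protection, hardened response
// headers, an SMTP server and a WebAuthn policy. The SMTP credential is read from
// stack configuration instead of being embedded in source.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// `pulumi config set --secret smtpPassword <value>`; RequireSecret keeps
		// the value encrypted in state and masked in CLI output.
		cfg := config.New(ctx, "")
		smtpPassword := cfg.RequireSecret("smtpPassword")

		// The nested *Args types are declared in the keycloak package; the
		// previous unqualified references (RealmInternationalizationArgs, ...)
		// do not resolve.
		_, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			AccessCodeLifespan: pulumi.String("1h"),
			// pulumi.Map is the MapInput type Attributes expects (as in the reference listing).
			Attributes: pulumi.Map{
				"mycustomAttribute": pulumi.Any("myCustomValue"),
			},
			DisplayName: pulumi.String("my realm"),
			// Rendered as raw HTML on the login page: only trusted markup belongs here.
			DisplayNameHtml: pulumi.String("<b>my realm</b>"),
			Enabled:         pulumi.Bool(true),
			Internationalization: &keycloak.RealmInternationalizationArgs{
				DefaultLocale: pulumi.String("en"),
				SupportedLocales: pulumi.StringArray{
					pulumi.String("en"),
					pulumi.String("de"),
					pulumi.String("es"),
				},
			},
			LoginTheme:     pulumi.String("base"),
			PasswordPolicy: pulumi.String("upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername"),
			Realm:          pulumi.String("my-realm"),
			SecurityDefenses: &keycloak.RealmSecurityDefensesArgs{
				// Temporary lockout (PermanentLockout=false): password spraying is
				// slowed down without letting an attacker lock users out for good.
				BruteForceDetection: &keycloak.RealmSecurityDefensesBruteForceDetectionArgs{
					FailureResetTimeSeconds:      pulumi.Int(43200),
					MaxFailureWaitSeconds:        pulumi.Int(900),
					MaxLoginFailures:             pulumi.Int(30),
					MinimumQuickLoginWaitSeconds: pulumi.Int(60),
					PermanentLockout:             pulumi.Bool(false),
					QuickLoginCheckMilliSeconds:  pulumi.Int(1000),
					WaitIncrementSeconds:         pulumi.Int(60),
				},
				Headers: &keycloak.RealmSecurityDefensesHeadersArgs{
					ContentSecurityPolicy:           pulumi.String("frame-src 'self'; frame-ancestors 'self'; object-src 'none';"),
					ContentSecurityPolicyReportOnly: pulumi.String(""),
					StrictTransportSecurity:         pulumi.String("max-age=31536000; includeSubDomains"),
					XContentTypeOptions:             pulumi.String("nosniff"),
					XFrameOptions:                   pulumi.String("DENY"),
					XRobotsTag:                      pulumi.String("none"),
					// Legacy header: current browsers ignore it and rely on the CSP above.
					XXssProtection: pulumi.String("1; mode=block"),
				},
			},
			SmtpServer: &keycloak.RealmSmtpServerArgs{
				Auth: &keycloak.RealmSmtpServerAuthArgs{
					Password: smtpPassword,
					Username: pulumi.String("tom"),
				},
				From: pulumi.String("example@example.com"),
				Host: pulumi.String("smtp.example.com"),
				// Upgrade the SMTP session to TLS so the credential is not sent in clear text.
				Starttls: pulumi.Bool(true),
			},
			// "external" enforces TLS only for requests from non-private addresses;
			// use "all" when Keycloak is also reached over internal networks.
			SslRequired: pulumi.String("external"),
			WebAuthnPolicy: &keycloak.RealmWebAuthnPolicyArgs{
				RelyingPartyEntityName: pulumi.String("Example"),
				// Must equal the domain Keycloak is served from (or a registrable
				// suffix of it); browsers reject registrations otherwise.
				RelyingPartyId: pulumi.String("keycloak.example.com"),
				SignatureAlgorithms: pulumi.StringArray{
					pulumi.String("ES256"),
					pulumi.String("RS256"),
				},
			},
		})
		// A nil err is returned as-is; no separate success branch is needed.
		return err
	})
}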
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.inputs.RealmInternationalizationArgs;
import com.pulumi.keycloak.inputs.RealmSecurityDefensesArgs;
import com.pulumi.keycloak.inputs.RealmSecurityDefensesBruteForceDetectionArgs;
import com.pulumi.keycloak.inputs.RealmSecurityDefensesHeadersArgs;
import com.pulumi.keycloak.inputs.RealmSmtpServerArgs;
import com.pulumi.keycloak.inputs.RealmSmtpServerAuthArgs;
import com.pulumi.keycloak.inputs.RealmWebAuthnPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
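public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a Keycloak realm with brute-force protection, hardened response
     * headers, an SMTP server and a WebAuthn policy. The SMTP credential is read
     * from stack configuration rather than being embedded in source.
     *
     * @param ctx the Pulumi deployment context supplying stack configuration
     */
    public static void stack(Context ctx) {
        // `pulumi config set --secret smtpPassword <value>`; requireSecret keeps
        // the value encrypted in state and masked in CLI output.
        var smtpPassword = ctx.config().requireSecret("smtpPassword");

        var realm = new Realm("realm", RealmArgs.builder()
            .accessCodeLifespan("1h")
            .attributes(Map.of("mycustomAttribute", "myCustomValue"))
            .displayName("my realm")
            // Rendered as raw HTML on the login page: only trusted markup belongs here.
            .displayNameHtml("<b>my realm</b>")
            .enabled(true)
            .internationalization(RealmInternationalizationArgs.builder()
                .defaultLocale("en")
                .supportedLocales(
                    "en",
                    "de",
                    "es")
                .build())
            .loginTheme("base")
            .passwordPolicy("upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername")
            .realm("my-realm")
            .securityDefenses(RealmSecurityDefensesArgs.builder()
                // Temporary lockout (permanentLockout(false)): password spraying is
                // slowed down without letting an attacker lock users out for good.
                .bruteForceDetection(RealmSecurityDefensesBruteForceDetectionArgs.builder()
                    .failureResetTimeSeconds(43200)
                    .maxFailureWaitSeconds(900)
                    .maxLoginFailures(30)
                    .minimumQuickLoginWaitSeconds(60)
                    .permanentLockout(false)
                    .quickLoginCheckMilliSeconds(1000)
                    .waitIncrementSeconds(60)
                    .build())
                .headers(RealmSecurityDefensesHeadersArgs.builder()
                    .contentSecurityPolicy("frame-src 'self'; frame-ancestors 'self'; object-src 'none';")
                    .contentSecurityPolicyReportOnly("")
                    .strictTransportSecurity("max-age=31536000; includeSubDomains")
                    .xContentTypeOptions("nosniff")
                    .xFrameOptions("DENY")
                    .xRobotsTag("none")
                    // Legacy header: current browsers ignore it and rely on the CSP above.
                    .xXssProtection("1; mode=block")
                    .build())
                .build())
            .smtpServer(RealmSmtpServerArgs.builder()
                .auth(RealmSmtpServerAuthArgs.builder()
                    .password(smtpPassword)
                    .username("tom")
                    .build())
                .from("example@example.com")
                .host("smtp.example.com")
                // Upgrade the SMTP session to TLS so the credential is not sent in clear text.
                .starttls(true)
                .build())
            // "external" enforces TLS only for requests from non-private addresses;
            // use "all" when Keycloak is also reached over internal networks.
            .sslRequired("external")
            .webAuthnPolicy(RealmWebAuthnPolicyArgs.builder()
                .relyingPartyEntityName("Example")
                // Must equal the domain Keycloak is served from (or a registrable
                // suffix of it); browsers reject registrations otherwise.
                .relyingPartyId("keycloak.example.com")
                .signatureAlgorithms(
                    "ES256",
                    "RS256")
                .build())
            .build());
    }
}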
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
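// The SMTP credential comes from stack configuration rather than source:
// `pulumi config set --secret smtpPassword <value>`. requireSecret keeps the
// value encrypted in state and masked in CLI output.
const config = new pulumi.Config();
const smtpPassword = config.requireSecret("smtpPassword");

// A realm with brute-force protection, hardened response headers, an SMTP
// server and a WebAuthn policy.
const realm = new keycloak.Realm("realm", {
    accessCodeLifespan: "1h",
    attributes: {
        mycustomAttribute: "myCustomValue",
    },
    displayName: "my realm",
    // Rendered as raw HTML on the login page: only trusted markup belongs here.
    displayNameHtml: "<b>my realm</b>",
    enabled: true,
    internationalization: {
        defaultLocale: "en",
        supportedLocales: [
            "en",
            "de",
            "es",
        ],
    },
    loginTheme: "base",
    passwordPolicy: "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername",
    realm: "my-realm",
    securityDefenses: {
        // Temporary lockout (permanentLockout: false): password spraying is
        // slowed down without letting an attacker lock users out for good.
        bruteForceDetection: {
            failureResetTimeSeconds: 43200,
            maxFailureWaitSeconds: 900,
            maxLoginFailures: 30,
            minimumQuickLoginWaitSeconds: 60,
            permanentLockout: false,
            quickLoginCheckMilliSeconds: 1000,
            waitIncrementSeconds: 60,
        },
        headers: {
            contentSecurityPolicy: "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
            contentSecurityPolicyReportOnly: "",
            strictTransportSecurity: "max-age=31536000; includeSubDomains",
            xContentTypeOptions: "nosniff",
            xFrameOptions: "DENY",
            xRobotsTag: "none",
            // Legacy header: current browsers ignore it and rely on the CSP above.
            xXssProtection: "1; mode=block",
        },
    },
    smtpServer: {
        auth: {
            password: smtpPassword,
            username: "tom",
        },
        from: "example@example.com",
        host: "smtp.example.com",
        // Upgrade the SMTP session to TLS so the credential is not sent in clear text.
        starttls: true,
    },
    // "external" enforces TLS only for requests from non-private addresses;
    // use "all" when Keycloak is also reached over internal networks.
    sslRequired: "external",
    webAuthnPolicy: {
        relyingPartyEntityName: "Example",
        // Must equal the domain Keycloak is served from (or a registrable
        // suffix of it); browsers reject registrations otherwise.
        relyingPartyId: "keycloak.example.com",
        signatureAlgorithms: [
            "ES256",
            "RS256",
        ],
    },
});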
import pulumi
import pulumi_keycloak as keycloak
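# The SMTP credential comes from stack configuration rather than source:
# `pulumi config set --secret smtpPassword <value>`. require_secret keeps the
# value encrypted in state and masked in CLI output.
config = pulumi.Config()
smtp_password = config.require_secret("smtpPassword")

# A realm with brute-force protection, hardened response headers, an SMTP
# server and a WebAuthn policy.
realm = keycloak.Realm("realm",
    access_code_lifespan="1h",
    attributes={
        "mycustomAttribute": "myCustomValue",
    },
    display_name="my realm",
    # Rendered as raw HTML on the login page: only trusted markup belongs here.
    display_name_html="<b>my realm</b>",
    enabled=True,
    internationalization=keycloak.RealmInternationalizationArgs(
        default_locale="en",
        supported_locales=[
            "en",
            "de",
            "es",
        ],
    ),
    login_theme="base",
    password_policy="upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername",
    realm="my-realm",
    security_defenses=keycloak.RealmSecurityDefensesArgs(
        # Temporary lockout (permanent_lockout=False): password spraying is
        # slowed down without letting an attacker lock users out for good.
        brute_force_detection=keycloak.RealmSecurityDefensesBruteForceDetectionArgs(
            failure_reset_time_seconds=43200,
            max_failure_wait_seconds=900,
            max_login_failures=30,
            minimum_quick_login_wait_seconds=60,
            permanent_lockout=False,
            quick_login_check_milli_seconds=1000,
            wait_increment_seconds=60,
        ),
        headers=keycloak.RealmSecurityDefensesHeadersArgs(
            content_security_policy="frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
            content_security_policy_report_only="",
            strict_transport_security="max-age=31536000; includeSubDomains",
            x_content_type_options="nosniff",
            x_frame_options="DENY",
            x_robots_tag="none",
            # Legacy header: current browsers ignore it and rely on the CSP above.
            x_xss_protection="1; mode=block",
        ),
    ),
    smtp_server=keycloak.RealmSmtpServerArgs(
        auth=keycloak.RealmSmtpServerAuthArgs(
            password=smtp_password,
            username="tom",
        ),
        from_="example@example.com",
        host="smtp.example.com",
        # Upgrade the SMTP session to TLS so the credential is not sent in clear text.
        starttls=True,
    ),
    # "external" enforces TLS only for requests from non-private addresses;
    # use "all" when Keycloak is also reached over internal networks.
    ssl_required="external",
    web_authn_policy=keycloak.RealmWebAuthnPolicyArgs(
        relying_party_entity_name="Example",
        # Must equal the domain Keycloak is served from (or a registrable
        # suffix of it); browsers reject registrations otherwise.
        relying_party_id="keycloak.example.com",
        signature_algorithms=[
            "ES256",
            "RS256",
        ],
    ))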
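config:
  # Set with `pulumi config set --secret smtpPassword <value>` so the credential
  # is encrypted in state and never committed in source.
  smtpPassword:
    type: string
resources:
  # A realm with brute-force protection, hardened response headers, an SMTP
  # server and a WebAuthn policy.
  realm:
    type: keycloak:Realm
    properties:
      accessCodeLifespan: 1h
      attributes:
        mycustomAttribute: myCustomValue
      displayName: my realm
      # Rendered as raw HTML on the login page: only trusted markup belongs here.
      displayNameHtml: <b>my realm</b>
      enabled: true
      internationalization:
        defaultLocale: en
        supportedLocales:
          - en
          - de
          - es
      loginTheme: base
      passwordPolicy: upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername
      realm: my-realm
      securityDefenses:
        # Temporary lockout (permanentLockout: false): password spraying is
        # slowed down without letting an attacker lock users out for good.
        bruteForceDetection:
          failureResetTimeSeconds: 43200
          maxFailureWaitSeconds: 900
          maxLoginFailures: 30
          minimumQuickLoginWaitSeconds: 60
          permanentLockout: false
          quickLoginCheckMilliSeconds: 1000
          waitIncrementSeconds: 60
        headers:
          contentSecurityPolicy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
          # Explicit empty string, matching the other language examples on this page.
          contentSecurityPolicyReportOnly: ""
          strictTransportSecurity: max-age=31536000; includeSubDomains
          xContentTypeOptions: nosniff
          xFrameOptions: DENY
          xRobotsTag: none
          # Legacy header: current browsers ignore it and rely on the CSP above.
          xXssProtection: 1; mode=block
      smtpServer:
        auth:
          password: ${smtpPassword}
          username: tom
        from: example@example.com
        host: smtp.example.com
        # Upgrade the SMTP session to TLS so the credential is not sent in clear text.
        starttls: true
      # "external" enforces TLS only for requests from non-private addresses;
      # use "all" when Keycloak is also reached over internal networks.
      sslRequired: external
      webAuthnPolicy:
        relyingPartyEntityName: Example
        # Must equal the domain Keycloak is served from (or a registrable
        # suffix of it); browsers reject registrations otherwise.
        relyingPartyId: keycloak.example.com
        signatureAlgorithms:
          - ES256
          - RS256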
Create Realm Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Realm(name: string, args: RealmArgs, opts?: CustomResourceOptions);
@overload
def Realm(resource_name: str,
args: RealmArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Realm(resource_name: str,
opts: Optional[ResourceOptions] = None,
realm: Optional[str] = None,
access_code_lifespan: Optional[str] = None,
access_code_lifespan_login: Optional[str] = None,
access_code_lifespan_user_action: Optional[str] = None,
access_token_lifespan: Optional[str] = None,
access_token_lifespan_for_implicit_flow: Optional[str] = None,
account_theme: Optional[str] = None,
action_token_generated_by_admin_lifespan: Optional[str] = None,
action_token_generated_by_user_lifespan: Optional[str] = None,
admin_theme: Optional[str] = None,
attributes: Optional[Mapping[str, Any]] = None,
browser_flow: Optional[str] = None,
client_authentication_flow: Optional[str] = None,
client_session_idle_timeout: Optional[str] = None,
client_session_max_lifespan: Optional[str] = None,
default_default_client_scopes: Optional[Sequence[str]] = None,
default_optional_client_scopes: Optional[Sequence[str]] = None,
default_signature_algorithm: Optional[str] = None,
direct_grant_flow: Optional[str] = None,
display_name: Optional[str] = None,
display_name_html: Optional[str] = None,
docker_authentication_flow: Optional[str] = None,
duplicate_emails_allowed: Optional[bool] = None,
edit_username_allowed: Optional[bool] = None,
email_theme: Optional[str] = None,
enabled: Optional[bool] = None,
internationalization: Optional[RealmInternationalizationArgs] = None,
login_theme: Optional[str] = None,
login_with_email_allowed: Optional[bool] = None,
oauth2_device_code_lifespan: Optional[str] = None,
oauth2_device_polling_interval: Optional[int] = None,
offline_session_idle_timeout: Optional[str] = None,
offline_session_max_lifespan: Optional[str] = None,
offline_session_max_lifespan_enabled: Optional[bool] = None,
otp_policy: Optional[RealmOtpPolicyArgs] = None,
password_policy: Optional[str] = None,
refresh_token_max_reuse: Optional[int] = None,
registration_allowed: Optional[bool] = None,
registration_email_as_username: Optional[bool] = None,
registration_flow: Optional[str] = None,
remember_me: Optional[bool] = None,
reset_credentials_flow: Optional[str] = None,
reset_password_allowed: Optional[bool] = None,
revoke_refresh_token: Optional[bool] = None,
security_defenses: Optional[RealmSecurityDefensesArgs] = None,
smtp_server: Optional[RealmSmtpServerArgs] = None,
ssl_required: Optional[str] = None,
sso_session_idle_timeout: Optional[str] = None,
sso_session_idle_timeout_remember_me: Optional[str] = None,
sso_session_max_lifespan: Optional[str] = None,
sso_session_max_lifespan_remember_me: Optional[str] = None,
user_managed_access: Optional[bool] = None,
verify_email: Optional[bool] = None,
web_authn_passwordless_policy: Optional[RealmWebAuthnPasswordlessPolicyArgs] = None,
web_authn_policy: Optional[RealmWebAuthnPolicyArgs] = None)
func NewRealm(ctx *Context, name string, args RealmArgs, opts ...ResourceOption) (*Realm, error)
public Realm(string name, RealmArgs args, CustomResourceOptions? opts = null)
type: keycloak:Realm
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args RealmArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args RealmArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args RealmArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args RealmArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args RealmArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var realmResource = new Keycloak.Realm("realmResource", new()
{
RealmName = "string",
AccessCodeLifespan = "string",
AccessCodeLifespanLogin = "string",
AccessCodeLifespanUserAction = "string",
AccessTokenLifespan = "string",
AccessTokenLifespanForImplicitFlow = "string",
AccountTheme = "string",
ActionTokenGeneratedByAdminLifespan = "string",
ActionTokenGeneratedByUserLifespan = "string",
AdminTheme = "string",
Attributes =
{
{ "string", "any" },
},
BrowserFlow = "string",
ClientAuthenticationFlow = "string",
ClientSessionIdleTimeout = "string",
ClientSessionMaxLifespan = "string",
DefaultDefaultClientScopes = new[]
{
"string",
},
DefaultOptionalClientScopes = new[]
{
"string",
},
DefaultSignatureAlgorithm = "string",
DirectGrantFlow = "string",
DisplayName = "string",
DisplayNameHtml = "string",
DockerAuthenticationFlow = "string",
DuplicateEmailsAllowed = false,
EditUsernameAllowed = false,
EmailTheme = "string",
Enabled = false,
Internationalization = new Keycloak.Inputs.RealmInternationalizationArgs
{
DefaultLocale = "string",
SupportedLocales = new[]
{
"string",
},
},
LoginTheme = "string",
LoginWithEmailAllowed = false,
Oauth2DeviceCodeLifespan = "string",
Oauth2DevicePollingInterval = 0,
OfflineSessionIdleTimeout = "string",
OfflineSessionMaxLifespan = "string",
OfflineSessionMaxLifespanEnabled = false,
OtpPolicy = new Keycloak.Inputs.RealmOtpPolicyArgs
{
Algorithm = "string",
Digits = 0,
InitialCounter = 0,
LookAheadWindow = 0,
Period = 0,
Type = "string",
},
PasswordPolicy = "string",
RefreshTokenMaxReuse = 0,
RegistrationAllowed = false,
RegistrationEmailAsUsername = false,
RegistrationFlow = "string",
RememberMe = false,
ResetCredentialsFlow = "string",
ResetPasswordAllowed = false,
RevokeRefreshToken = false,
SecurityDefenses = new Keycloak.Inputs.RealmSecurityDefensesArgs
{
BruteForceDetection = new Keycloak.Inputs.RealmSecurityDefensesBruteForceDetectionArgs
{
FailureResetTimeSeconds = 0,
MaxFailureWaitSeconds = 0,
MaxLoginFailures = 0,
MinimumQuickLoginWaitSeconds = 0,
PermanentLockout = false,
QuickLoginCheckMilliSeconds = 0,
WaitIncrementSeconds = 0,
},
Headers = new Keycloak.Inputs.RealmSecurityDefensesHeadersArgs
{
ContentSecurityPolicy = "string",
ContentSecurityPolicyReportOnly = "string",
StrictTransportSecurity = "string",
XContentTypeOptions = "string",
XFrameOptions = "string",
XRobotsTag = "string",
XXssProtection = "string",
},
},
SmtpServer = new Keycloak.Inputs.RealmSmtpServerArgs
{
From = "string",
Host = "string",
Auth = new Keycloak.Inputs.RealmSmtpServerAuthArgs
{
Password = "string",
Username = "string",
},
EnvelopeFrom = "string",
FromDisplayName = "string",
Port = "string",
ReplyTo = "string",
ReplyToDisplayName = "string",
Ssl = false,
Starttls = false,
},
SslRequired = "string",
SsoSessionIdleTimeout = "string",
SsoSessionIdleTimeoutRememberMe = "string",
SsoSessionMaxLifespan = "string",
SsoSessionMaxLifespanRememberMe = "string",
UserManagedAccess = false,
VerifyEmail = false,
WebAuthnPasswordlessPolicy = new Keycloak.Inputs.RealmWebAuthnPasswordlessPolicyArgs
{
AcceptableAaguids = new[]
{
"string",
},
AttestationConveyancePreference = "string",
AuthenticatorAttachment = "string",
AvoidSameAuthenticatorRegister = false,
CreateTimeout = 0,
RelyingPartyEntityName = "string",
RelyingPartyId = "string",
RequireResidentKey = "string",
SignatureAlgorithms = new[]
{
"string",
},
UserVerificationRequirement = "string",
},
WebAuthnPolicy = new Keycloak.Inputs.RealmWebAuthnPolicyArgs
{
AcceptableAaguids = new[]
{
"string",
},
AttestationConveyancePreference = "string",
AuthenticatorAttachment = "string",
AvoidSameAuthenticatorRegister = false,
CreateTimeout = 0,
RelyingPartyEntityName = "string",
RelyingPartyId = "string",
RequireResidentKey = "string",
SignatureAlgorithms = new[]
{
"string",
},
UserVerificationRequirement = "string",
},
});
example, err := keycloak.NewRealm(ctx, "realmResource", &keycloak.RealmArgs{
Realm: pulumi.String("string"),
AccessCodeLifespan: pulumi.String("string"),
AccessCodeLifespanLogin: pulumi.String("string"),
AccessCodeLifespanUserAction: pulumi.String("string"),
AccessTokenLifespan: pulumi.String("string"),
AccessTokenLifespanForImplicitFlow: pulumi.String("string"),
AccountTheme: pulumi.String("string"),
ActionTokenGeneratedByAdminLifespan: pulumi.String("string"),
ActionTokenGeneratedByUserLifespan: pulumi.String("string"),
AdminTheme: pulumi.String("string"),
Attributes: pulumi.Map{
"string": pulumi.Any("any"),
},
BrowserFlow: pulumi.String("string"),
ClientAuthenticationFlow: pulumi.String("string"),
ClientSessionIdleTimeout: pulumi.String("string"),
ClientSessionMaxLifespan: pulumi.String("string"),
DefaultDefaultClientScopes: pulumi.StringArray{
pulumi.String("string"),
},
DefaultOptionalClientScopes: pulumi.StringArray{
pulumi.String("string"),
},
DefaultSignatureAlgorithm: pulumi.String("string"),
DirectGrantFlow: pulumi.String("string"),
DisplayName: pulumi.String("string"),
DisplayNameHtml: pulumi.String("string"),
DockerAuthenticationFlow: pulumi.String("string"),
DuplicateEmailsAllowed: pulumi.Bool(false),
EditUsernameAllowed: pulumi.Bool(false),
EmailTheme: pulumi.String("string"),
Enabled: pulumi.Bool(false),
Internationalization: &keycloak.RealmInternationalizationArgs{
DefaultLocale: pulumi.String("string"),
SupportedLocales: pulumi.StringArray{
pulumi.String("string"),
},
},
LoginTheme: pulumi.String("string"),
LoginWithEmailAllowed: pulumi.Bool(false),
Oauth2DeviceCodeLifespan: pulumi.String("string"),
Oauth2DevicePollingInterval: pulumi.Int(0),
OfflineSessionIdleTimeout: pulumi.String("string"),
OfflineSessionMaxLifespan: pulumi.String("string"),
OfflineSessionMaxLifespanEnabled: pulumi.Bool(false),
OtpPolicy: &keycloak.RealmOtpPolicyArgs{
Algorithm: pulumi.String("string"),
Digits: pulumi.Int(0),
InitialCounter: pulumi.Int(0),
LookAheadWindow: pulumi.Int(0),
Period: pulumi.Int(0),
Type: pulumi.String("string"),
},
PasswordPolicy: pulumi.String("string"),
RefreshTokenMaxReuse: pulumi.Int(0),
RegistrationAllowed: pulumi.Bool(false),
RegistrationEmailAsUsername: pulumi.Bool(false),
RegistrationFlow: pulumi.String("string"),
RememberMe: pulumi.Bool(false),
ResetCredentialsFlow: pulumi.String("string"),
ResetPasswordAllowed: pulumi.Bool(false),
RevokeRefreshToken: pulumi.Bool(false),
SecurityDefenses: &keycloak.RealmSecurityDefensesArgs{
BruteForceDetection: &keycloak.RealmSecurityDefensesBruteForceDetectionArgs{
FailureResetTimeSeconds: pulumi.Int(0),
MaxFailureWaitSeconds: pulumi.Int(0),
MaxLoginFailures: pulumi.Int(0),
MinimumQuickLoginWaitSeconds: pulumi.Int(0),
PermanentLockout: pulumi.Bool(false),
QuickLoginCheckMilliSeconds: pulumi.Int(0),
WaitIncrementSeconds: pulumi.Int(0),
},
Headers: &keycloak.RealmSecurityDefensesHeadersArgs{
ContentSecurityPolicy: pulumi.String("string"),
ContentSecurityPolicyReportOnly: pulumi.String("string"),
StrictTransportSecurity: pulumi.String("string"),
XContentTypeOptions: pulumi.String("string"),
XFrameOptions: pulumi.String("string"),
XRobotsTag: pulumi.String("string"),
XXssProtection: pulumi.String("string"),
},
},
SmtpServer: &keycloak.RealmSmtpServerArgs{
From: pulumi.String("string"),
Host: pulumi.String("string"),
Auth: &keycloak.RealmSmtpServerAuthArgs{
Password: pulumi.String("string"),
Username: pulumi.String("string"),
},
EnvelopeFrom: pulumi.String("string"),
FromDisplayName: pulumi.String("string"),
Port: pulumi.String("string"),
ReplyTo: pulumi.String("string"),
ReplyToDisplayName: pulumi.String("string"),
Ssl: pulumi.Bool(false),
Starttls: pulumi.Bool(false),
},
SslRequired: pulumi.String("string"),
SsoSessionIdleTimeout: pulumi.String("string"),
SsoSessionIdleTimeoutRememberMe: pulumi.String("string"),
SsoSessionMaxLifespan: pulumi.String("string"),
SsoSessionMaxLifespanRememberMe: pulumi.String("string"),
UserManagedAccess: pulumi.Bool(false),
VerifyEmail: pulumi.Bool(false),
WebAuthnPasswordlessPolicy: &keycloak.RealmWebAuthnPasswordlessPolicyArgs{
AcceptableAaguids: pulumi.StringArray{
pulumi.String("string"),
},
AttestationConveyancePreference: pulumi.String("string"),
AuthenticatorAttachment: pulumi.String("string"),
AvoidSameAuthenticatorRegister: pulumi.Bool(false),
CreateTimeout: pulumi.Int(0),
RelyingPartyEntityName: pulumi.String("string"),
RelyingPartyId: pulumi.String("string"),
RequireResidentKey: pulumi.String("string"),
SignatureAlgorithms: pulumi.StringArray{
pulumi.String("string"),
},
UserVerificationRequirement: pulumi.String("string"),
},
WebAuthnPolicy: &keycloak.RealmWebAuthnPolicyArgs{
AcceptableAaguids: pulumi.StringArray{
pulumi.String("string"),
},
AttestationConveyancePreference: pulumi.String("string"),
AuthenticatorAttachment: pulumi.String("string"),
AvoidSameAuthenticatorRegister: pulumi.Bool(false),
CreateTimeout: pulumi.Int(0),
RelyingPartyEntityName: pulumi.String("string"),
RelyingPartyId: pulumi.String("string"),
RequireResidentKey: pulumi.String("string"),
SignatureAlgorithms: pulumi.StringArray{
pulumi.String("string"),
},
UserVerificationRequirement: pulumi.String("string"),
},
})
var realmResource = new Realm("realmResource", RealmArgs.builder()
.realm("string")
.accessCodeLifespan("string")
.accessCodeLifespanLogin("string")
.accessCodeLifespanUserAction("string")
.accessTokenLifespan("string")
.accessTokenLifespanForImplicitFlow("string")
.accountTheme("string")
.actionTokenGeneratedByAdminLifespan("string")
.actionTokenGeneratedByUserLifespan("string")
.adminTheme("string")
.attributes(Map.of("string", "any"))
.browserFlow("string")
.clientAuthenticationFlow("string")
.clientSessionIdleTimeout("string")
.clientSessionMaxLifespan("string")
.defaultDefaultClientScopes("string")
.defaultOptionalClientScopes("string")
.defaultSignatureAlgorithm("string")
.directGrantFlow("string")
.displayName("string")
.displayNameHtml("string")
.dockerAuthenticationFlow("string")
.duplicateEmailsAllowed(false)
.editUsernameAllowed(false)
.emailTheme("string")
.enabled(false)
.internationalization(RealmInternationalizationArgs.builder()
.defaultLocale("string")
.supportedLocales("string")
.build())
.loginTheme("string")
.loginWithEmailAllowed(false)
.oauth2DeviceCodeLifespan("string")
.oauth2DevicePollingInterval(0)
.offlineSessionIdleTimeout("string")
.offlineSessionMaxLifespan("string")
.offlineSessionMaxLifespanEnabled(false)
.otpPolicy(RealmOtpPolicyArgs.builder()
.algorithm("string")
.digits(0)
.initialCounter(0)
.lookAheadWindow(0)
.period(0)
.type("string")
.build())
.passwordPolicy("string")
.refreshTokenMaxReuse(0)
.registrationAllowed(false)
.registrationEmailAsUsername(false)
.registrationFlow("string")
.rememberMe(false)
.resetCredentialsFlow("string")
.resetPasswordAllowed(false)
.revokeRefreshToken(false)
.securityDefenses(RealmSecurityDefensesArgs.builder()
.bruteForceDetection(RealmSecurityDefensesBruteForceDetectionArgs.builder()
.failureResetTimeSeconds(0)
.maxFailureWaitSeconds(0)
.maxLoginFailures(0)
.minimumQuickLoginWaitSeconds(0)
.permanentLockout(false)
.quickLoginCheckMilliSeconds(0)
.waitIncrementSeconds(0)
.build())
.headers(RealmSecurityDefensesHeadersArgs.builder()
.contentSecurityPolicy("string")
.contentSecurityPolicyReportOnly("string")
.strictTransportSecurity("string")
.xContentTypeOptions("string")
.xFrameOptions("string")
.xRobotsTag("string")
.xXssProtection("string")
.build())
.build())
.smtpServer(RealmSmtpServerArgs.builder()
.from("string")
.host("string")
.auth(RealmSmtpServerAuthArgs.builder()
.password("string")
.username("string")
.build())
.envelopeFrom("string")
.fromDisplayName("string")
.port("string")
.replyTo("string")
.replyToDisplayName("string")
.ssl(false)
.starttls(false)
.build())
.sslRequired("string")
.ssoSessionIdleTimeout("string")
.ssoSessionIdleTimeoutRememberMe("string")
.ssoSessionMaxLifespan("string")
.ssoSessionMaxLifespanRememberMe("string")
.userManagedAccess(false)
.verifyEmail(false)
.webAuthnPasswordlessPolicy(RealmWebAuthnPasswordlessPolicyArgs.builder()
.acceptableAaguids("string")
.attestationConveyancePreference("string")
.authenticatorAttachment("string")
.avoidSameAuthenticatorRegister(false)
.createTimeout(0)
.relyingPartyEntityName("string")
.relyingPartyId("string")
.requireResidentKey("string")
.signatureAlgorithms("string")
.userVerificationRequirement("string")
.build())
.webAuthnPolicy(RealmWebAuthnPolicyArgs.builder()
.acceptableAaguids("string")
.attestationConveyancePreference("string")
.authenticatorAttachment("string")
.avoidSameAuthenticatorRegister(false)
.createTimeout(0)
.relyingPartyEntityName("string")
.relyingPartyId("string")
.requireResidentKey("string")
.signatureAlgorithms("string")
.userVerificationRequirement("string")
.build())
.build());
# Reference listing with placeholder values for every input. The comments point
# out the arguments that carry security weight; where they describe Keycloak
# behaviour rather than something visible here, treat them as reviewer notes to
# confirm against the Keycloak version in use.
realm_resource = keycloak.Realm("realmResource",
    # Realm name; it becomes part of the issuer URL that tokens are validated against.
    realm="string",
    # Lifetimes of one-time authorization codes / login and user-action tokens:
    # keep them short, they are bearer secrets while they are valid.
    access_code_lifespan="string",
    access_code_lifespan_login="string",
    access_code_lifespan_user_action="string",
    # Short access-token lifetimes bound the damage window of a leaked token.
    access_token_lifespan="string",
    # NOTE(review): the implicit flow is discouraged in favour of code + PKCE;
    # this only matters if implicit-flow clients exist in the realm.
    access_token_lifespan_for_implicit_flow="string",
    account_theme="string",
    action_token_generated_by_admin_lifespan="string",
    action_token_generated_by_user_lifespan="string",
    admin_theme="string",
    # Free-form realm attributes; they are part of the realm representation, so
    # do not store secrets here.
    attributes={
        "string": "any",
    },
    # Authentication-flow bindings. The direct-grant (password) flow bypasses
    # browser-based MFA unless the bound flow enforces a second factor itself.
    browser_flow="string",
    client_authentication_flow="string",
    client_session_idle_timeout="string",
    client_session_max_lifespan="string",
    # Scopes every newly created client inherits; review so clients are not
    # handed claims or roles beyond what they need.
    default_default_client_scopes=["string"],
    default_optional_client_scopes=["string"],
    # Token signing algorithm; an asymmetric one (e.g. RS256/ES256) lets
    # verifiers validate with the realm's published public keys.
    default_signature_algorithm="string",
    direct_grant_flow="string",
    display_name="string",
    # Rendered as raw HTML on the login page: only trusted markup belongs here.
    display_name_html="string",
    docker_authentication_flow="string",
    # Allowing duplicate e-mails weakens e-mail as an identifier for login and
    # password reset.
    duplicate_emails_allowed=False,
    # Users renaming themselves affects audit trails and any external mapping
    # keyed on username.
    edit_username_allowed=False,
    email_theme="string",
    enabled=False,
    internationalization={
        "default_locale": "string",
        "supported_locales": ["string"],
    },
    login_theme="string",
    login_with_email_allowed=False,
    oauth2_device_code_lifespan="string",
    oauth2_device_polling_interval=0,
    # Offline tokens are long-lived refresh tokens; bound them with a max
    # lifespan rather than leaving them idle-only.
    offline_session_idle_timeout="string",
    offline_session_max_lifespan="string",
    offline_session_max_lifespan_enabled=False,
    # OTP settings (type totp/hotp, digits, period, look-ahead window).
    otp_policy={
        "algorithm": "string",
        "digits": 0,
        "initial_counter": 0,
        "look_ahead_window": 0,
        "period": 0,
        "type": "string",
    },
    # Keycloak password-policy string, e.g. "length(12) and notUsername".
    password_policy="string",
    # Refresh-token rotation: with revoke_refresh_token=True and max reuse 0, a
    # replayed refresh token is rejected and the session can be flagged.
    refresh_token_max_reuse=0,
    # Self-registration opens account creation to anyone who can reach the
    # realm; pair it with verify_email and brute-force detection.
    registration_allowed=False,
    registration_email_as_username=False,
    registration_flow="string",
    # "Remember me" extends sessions to the *_remember_me timeouts below.
    remember_me=False,
    reset_credentials_flow="string",
    # The forgot-password flow sends mail through smtp_server below.
    reset_password_allowed=False,
    revoke_refresh_token=False,
    security_defenses={
        # permanent_lockout=True disables accounts outright after
        # max_login_failures, which lets an attacker lock out legitimate users.
        "brute_force_detection": {
            "failure_reset_time_seconds": 0,
            "max_failure_wait_seconds": 0,
            "max_login_failures": 0,
            "minimum_quick_login_wait_seconds": 0,
            "permanent_lockout": False,
            "quick_login_check_milli_seconds": 0,
            "wait_increment_seconds": 0,
        },
        # Response headers on Keycloak pages; x_xss_protection is a legacy
        # header that current browsers ignore in favour of the CSP.
        "headers": {
            "content_security_policy": "string",
            "content_security_policy_report_only": "string",
            "strict_transport_security": "string",
            "x_content_type_options": "string",
            "x_frame_options": "string",
            "x_robots_tag": "string",
            "x_xss_protection": "string",
        },
    },
    smtp_server={
        "from_": "string",
        "host": "string",
        # The password is a credential: source it from a secret config value
        # rather than a literal in source.
        "auth": {
            "password": "string",
            "username": "string",
        },
        "envelope_from": "string",
        "from_display_name": "string",
        "port": "string",
        "reply_to": "string",
        "reply_to_display_name": "string",
        # Enable ssl or starttls so the credential above is not sent in clear text.
        "ssl": False,
        "starttls": False,
    },
    # "external" requires TLS only for non-private addresses; "all" requires it
    # everywhere; "none" belongs in local development only.
    ssl_required="string",
    sso_session_idle_timeout="string",
    sso_session_idle_timeout_remember_me="string",
    sso_session_max_lifespan="string",
    sso_session_max_lifespan_remember_me="string",
    # Enables User-Managed Access (UMA) resource sharing for the realm.
    user_managed_access=False,
    # Require e-mail verification before an account is usable.
    verify_email=False,
    # WebAuthn as the sole factor: user_verification_requirement "required" and a
    # resident key are what make this a true passwordless login.
    web_authn_passwordless_policy={
        # Restricts which authenticator models may register (empty = any).
        "acceptable_aaguids": ["string"],
        "attestation_conveyance_preference": "string",
        "authenticator_attachment": "string",
        "avoid_same_authenticator_register": False,
        "create_timeout": 0,
        "relying_party_entity_name": "string",
        # Must equal the domain Keycloak is served from (or a registrable
        # suffix of it); browsers reject registrations otherwise.
        "relying_party_id": "string",
        "require_resident_key": "string",
        "signature_algorithms": ["string"],
        "user_verification_requirement": "string",
    },
    # WebAuthn as a second factor; same fields as the passwordless policy.
    web_authn_policy={
        "acceptable_aaguids": ["string"],
        "attestation_conveyance_preference": "string",
        "authenticator_attachment": "string",
        "avoid_same_authenticator_register": False,
        "create_timeout": 0,
        "relying_party_entity_name": "string",
        "relying_party_id": "string",
        "require_resident_key": "string",
        "signature_algorithms": ["string"],
        "user_verification_requirement": "string",
    })
// Schema skeleton for keycloak.Realm: every input appears once with a
// placeholder value ("string", 0, false, ["string"]). The placeholders are
// not defaults; trim the object to the inputs you actually set.
const realmResource = new keycloak.Realm("realmResource", {
    // Realm name; unique across Keycloak and also used as the realm's internal ID.
    realm: "string",
    // Lifespans and timeouts are duration strings (the example usage passes "1h").
    accessCodeLifespan: "string",
    accessCodeLifespanLogin: "string",
    accessCodeLifespanUserAction: "string",
    accessTokenLifespan: "string",
    accessTokenLifespanForImplicitFlow: "string",
    accountTheme: "string",
    actionTokenGeneratedByAdminLifespan: "string",
    actionTokenGeneratedByUserLifespan: "string",
    adminTheme: "string",
    // Free-form key/value attributes attached to the realm; "string" stands for any key.
    attributes: {
        string: "any",
    },
    // Authentication-flow aliases; each falls back to the built-in flow named in the
    // property reference (browser, clients, direct grant, docker auth, ...) when unset.
    browserFlow: "string",
    clientAuthenticationFlow: "string",
    clientSessionIdleTimeout: "string",
    clientSessionMaxLifespan: "string",
    defaultDefaultClientScopes: ["string"],
    defaultOptionalClientScopes: ["string"],
    // Algorithm used to sign tokens issued by this realm.
    defaultSignatureAlgorithm: "string",
    directGrantFlow: "string",
    displayName: "string",
    // Rendered as HTML on the admin console login page; treat the value as markup.
    displayNameHtml: "string",
    dockerAuthenticationFlow: "string",
    // Must remain false while loginWithEmailAllowed is true.
    duplicateEmailsAllowed: false,
    editUsernameAllowed: false,
    emailTheme: "string",
    // false blocks every user and client of the realm; the property defaults to true.
    enabled: false,
    internationalization: {
        defaultLocale: "string",
        supportedLocales: ["string"],
    },
    loginTheme: "string",
    loginWithEmailAllowed: false,
    oauth2DeviceCodeLifespan: "string",
    // Seconds a device-flow client must wait between token-endpoint polls.
    oauth2DevicePollingInterval: 0,
    offlineSessionIdleTimeout: "string",
    offlineSessionMaxLifespan: "string",
    // Gate for offlineSessionMaxLifespan.
    offlineSessionMaxLifespanEnabled: false,
    otpPolicy: {
        algorithm: "string",
        digits: 0,
        initialCounter: 0,
        lookAheadWindow: 0,
        period: 0,
        type: "string",
    },
    // Keycloak password-policy expression, e.g. "length(8) and notUsername" as in the example usage.
    passwordPolicy: "string",
    // Only meaningful together with revokeRefreshToken; unspecified means 0 (single use).
    refreshTokenMaxReuse: 0,
    registrationAllowed: false,
    registrationEmailAsUsername: false,
    registrationFlow: "string",
    rememberMe: false,
    resetCredentialsFlow: "string",
    resetPasswordAllowed: false,
    // When unset, refresh tokens can be reused without limit.
    revokeRefreshToken: false,
    securityDefenses: {
        // Brute-force detection thresholds; permanentLockout: true keeps a locked
        // account locked until an administrator clears it.
        bruteForceDetection: {
            failureResetTimeSeconds: 0,
            maxFailureWaitSeconds: 0,
            maxLoginFailures: 0,
            minimumQuickLoginWaitSeconds: 0,
            permanentLockout: false,
            quickLoginCheckMilliSeconds: 0,
            waitIncrementSeconds: 0,
        },
        // HTTP response headers Keycloak emits. X-XSS-Protection is a legacy header
        // that current browsers ignore; contentSecurityPolicy is the effective control.
        headers: {
            contentSecurityPolicy: "string",
            contentSecurityPolicyReportOnly: "string",
            strictTransportSecurity: "string",
            xContentTypeOptions: "string",
            xFrameOptions: "string",
            xRobotsTag: "string",
            xXssProtection: "string",
        },
    },
    smtpServer: {
        from: "string",
        host: "string",
        // NOTE(review): password is a credential; supply it as a Pulumi secret
        // (secret config or pulumi.secret()) rather than a literal in source.
        auth: {
            password: "string",
            username: "string",
        },
        envelopeFrom: "string",
        fromDisplayName: "string",
        port: "string",
        replyTo: "string",
        replyToDisplayName: "string",
        // ssl / starttls select transport encryption to the mail server; with both
        // false the SMTP credentials above travel in clear text.
        ssl: false,
        starttls: false,
    },
    // One of 'none', 'external' or 'all'. 'all' requires TLS on every request;
    // 'external' exempts private-network addresses.
    sslRequired: "string",
    ssoSessionIdleTimeout: "string",
    ssoSessionIdleTimeoutRememberMe: "string",
    ssoSessionMaxLifespan: "string",
    ssoSessionMaxLifespanRememberMe: "string",
    // true lets users manage their own resources; defaults to false.
    userManagedAccess: false,
    verifyEmail: false,
    // WebAuthn policies: acceptableAaguids allow-lists authenticator models by AAGUID.
    // The "string" placeholders below are not valid option values.
    webAuthnPasswordlessPolicy: {
        acceptableAaguids: ["string"],
        attestationConveyancePreference: "string",
        authenticatorAttachment: "string",
        avoidSameAuthenticatorRegister: false,
        createTimeout: 0,
        relyingPartyEntityName: "string",
        relyingPartyId: "string",
        requireResidentKey: "string",
        signatureAlgorithms: ["string"],
        userVerificationRequirement: "string",
    },
    webAuthnPolicy: {
        acceptableAaguids: ["string"],
        attestationConveyancePreference: "string",
        authenticatorAttachment: "string",
        avoidSameAuthenticatorRegister: false,
        createTimeout: 0,
        relyingPartyEntityName: "string",
        relyingPartyId: "string",
        requireResidentKey: "string",
        signatureAlgorithms: ["string"],
        userVerificationRequirement: "string",
    },
});
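# Pulumi YAML skeleton for keycloak:Realm. Indentation restored: flattened, the
# nested maps collapse into one level and `type: string` (otpPolicy) collides
# with the resource `type` key. Values are placeholders, not defaults.
type: keycloak:Realm
properties:
  accessCodeLifespan: string
  accessCodeLifespanLogin: string
  accessCodeLifespanUserAction: string
  accessTokenLifespan: string
  accessTokenLifespanForImplicitFlow: string
  accountTheme: string
  actionTokenGeneratedByAdminLifespan: string
  actionTokenGeneratedByUserLifespan: string
  adminTheme: string
  # Free-form realm attributes; "string" stands for any key.
  attributes:
    string: any
  browserFlow: string
  clientAuthenticationFlow: string
  clientSessionIdleTimeout: string
  clientSessionMaxLifespan: string
  defaultDefaultClientScopes:
    - string
  defaultOptionalClientScopes:
    - string
  defaultSignatureAlgorithm: string
  directGrantFlow: string
  displayName: string
  # Rendered as HTML on the admin console login page.
  displayNameHtml: string
  dockerAuthenticationFlow: string
  # Must remain false while loginWithEmailAllowed is true.
  duplicateEmailsAllowed: false
  editUsernameAllowed: false
  emailTheme: string
  # false blocks every user and client of the realm; defaults to true.
  enabled: false
  internationalization:
    defaultLocale: string
    supportedLocales:
      - string
  loginTheme: string
  loginWithEmailAllowed: false
  oauth2DeviceCodeLifespan: string
  oauth2DevicePollingInterval: 0
  offlineSessionIdleTimeout: string
  offlineSessionMaxLifespan: string
  offlineSessionMaxLifespanEnabled: false
  otpPolicy:
    algorithm: string
    digits: 0
    initialCounter: 0
    lookAheadWindow: 0
    period: 0
    type: string
  passwordPolicy: string
  # Realm name; unique across Keycloak and used as its internal ID.
  realm: string
  # Only meaningful together with revokeRefreshToken; unspecified means 0 (single use).
  refreshTokenMaxReuse: 0
  registrationAllowed: false
  registrationEmailAsUsername: false
  registrationFlow: string
  rememberMe: false
  resetCredentialsFlow: string
  resetPasswordAllowed: false
  revokeRefreshToken: false
  securityDefenses:
    bruteForceDetection:
      failureResetTimeSeconds: 0
      maxFailureWaitSeconds: 0
      maxLoginFailures: 0
      minimumQuickLoginWaitSeconds: 0
      permanentLockout: false
      quickLoginCheckMilliSeconds: 0
      waitIncrementSeconds: 0
    headers:
      contentSecurityPolicy: string
      contentSecurityPolicyReportOnly: string
      strictTransportSecurity: string
      xContentTypeOptions: string
      xFrameOptions: string
      xRobotsTag: string
      xXssProtection: string
  smtpServer:
    # NOTE(review): password is a credential; reference a secret config value, not a literal.
    auth:
      password: string
      username: string
    envelopeFrom: string
    from: string
    fromDisplayName: string
    host: string
    port: string
    replyTo: string
    replyToDisplayName: string
    ssl: false
    starttls: false
  # One of 'none', 'external' or 'all'.
  sslRequired: string
  ssoSessionIdleTimeout: string
  ssoSessionIdleTimeoutRememberMe: string
  ssoSessionMaxLifespan: string
  ssoSessionMaxLifespanRememberMe: string
  userManagedAccess: false
  verifyEmail: false
  webAuthnPasswordlessPolicy:
    acceptableAaguids:
      - string
    attestationConveyancePreference: string
    authenticatorAttachment: string
    avoidSameAuthenticatorRegister: false
    createTimeout: 0
    relyingPartyEntityName: string
    relyingPartyId: string
    requireResidentKey: string
    signatureAlgorithms:
      - string
    userVerificationRequirement: string
  webAuthnPolicy:
    acceptableAaguids:
      - string
    attestationConveyancePreference: string
    authenticatorAttachment: string
    avoidSameAuthenticatorRegister: false
    createTimeout: 0
    relyingPartyEntityName: string
    relyingPartyId: string
    requireResidentKey: string
    signatureAlgorithms:
      - string
    userVerificationRequirement: string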
Realm Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Realm resource accepts the following input properties:
- Realm
Name string - The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- Access
Code stringLifespan - The maximum amount of time a client has to finish the authorization code flow.
- Access
Code stringLifespan Login - The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- Access
Code stringLifespan User Action - The maximum amount of time a user has to complete login related actions, such as updating a password.
- Access
Token stringLifespan - The amount of time an access token can be used before it expires.
- Access
Token stringLifespan For Implicit Flow - The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- Account
Theme string - Used for account management pages.
- Action
Token stringGenerated By Admin Lifespan - The maximum time a user has to use an admin-generated permit before it expires.
- Action
Token stringGenerated By User Lifespan - The maximum time a user has to use a user-generated permit before it expires.
- Admin
Theme string - Used for the admin console.
- Attributes Dictionary<string, object>
- A map of custom attributes to add to the realm.
- Browser
Flow string - The desired flow for browser authentication. Defaults to
browser. - Client
Authentication stringFlow - The desired flow for client authentication. Defaults to
clients. - Client
Session stringIdle Timeout - The amount of time a session can be idle before it expires. Users can override it for individual clients.
- Client
Session stringMax Lifespan - The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- Default
Default List<string>Client Scopes - Default
Optional List<string>Client Scopes - Default
Signature stringAlgorithm - Default algorithm used to sign tokens for the realm.
- Direct
Grant stringFlow - The desired flow for direct access authentication. Defaults to
direct grant. - Display
Name string - The display name for the realm that is shown when logging in to the admin console.
- Display
Name stringHtml - The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
- Docker
Authentication stringFlow - The desired flow for Docker authentication. Defaults to
docker auth. - Duplicate
Emails boolAllowed - When true, multiple users will be allowed to have the same email address. This argument must be set to
`false` if `login_with_email_allowed` is set to `true`. - Edit
Username boolAllowed - When true, the username field is editable.
- Email
Theme string - Used for emails that are sent by Keycloak.
- Enabled bool
- When
`false`, users and clients will not be able to access this realm. Defaults to `true`. - Internationalization
Realm
Internationalization - Login
Theme string - Used for the login, forgot password, and registration pages.
- Login
With boolEmail Allowed - When true, users may log in with their email address.
- Oauth2Device
Code stringLifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- Oauth2Device
Polling intInterval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- Offline
Session stringIdle Timeout - The amount of time an offline session can be idle before it expires.
- Offline
Session stringMax Lifespan - The maximum amount of time before an offline session expires regardless of activity.
- Offline
Session boolMax Lifespan Enabled - Enable
offline_session_max_lifespan. - Otp
Policy RealmOtp Policy - Password
Policy string - The password policy for users within the realm.
- Refresh
Token intMax Reuse - Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.
- Registration
Allowed bool - When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- Registration
Email boolAs Username - When true, the user's email will be used as their username during registration.
- Registration
Flow string - The desired flow for user registration. Defaults to
registration. - Remember
Me bool - When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- Reset
Credentials stringFlow - The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials. - Reset
Password boolAllowed - When true, a "forgot password" link will be displayed on the login page.
- Revoke
Refresh boolToken - If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.
- Security
Defenses RealmSecurity Defenses - Smtp
Server RealmSmtp Server - Ssl
Required string - Can be one of the following values: 'none', 'external' or 'all'.
- Sso
Session stringIdle Timeout - The amount of time a session can be idle before it expires.
- Sso
Session stringIdle Timeout Remember Me - Sso
Session stringMax Lifespan - The maximum amount of time before a session expires regardless of activity.
- Sso
Session stringMax Lifespan Remember Me - User
Managed boolAccess - When
`true`, users are allowed to manage their own resources. Defaults to `false`. - Verify
Email bool - When true, users are required to verify their email address after registration and after email address changes.
- Web
Authn RealmPasswordless Policy Web Authn Passwordless Policy - Configuration for WebAuthn Passwordless Policy authentication.
- Web
Authn RealmPolicy Web Authn Policy - Configuration for WebAuthn Policy authentication.
- Realm string
- The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- Access
Code stringLifespan - The maximum amount of time a client has to finish the authorization code flow.
- Access
Code stringLifespan Login - The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- Access
Code stringLifespan User Action - The maximum amount of time a user has to complete login related actions, such as updating a password.
- Access
Token stringLifespan - The amount of time an access token can be used before it expires.
- Access
Token stringLifespan For Implicit Flow - The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- Account
Theme string - Used for account management pages.
- Action
Token stringGenerated By Admin Lifespan - The maximum time a user has to use an admin-generated permit before it expires.
- Action
Token stringGenerated By User Lifespan - The maximum time a user has to use a user-generated permit before it expires.
- Admin
Theme string - Used for the admin console.
- Attributes map[string]interface{}
- A map of custom attributes to add to the realm.
- Browser
Flow string - The desired flow for browser authentication. Defaults to
browser. - Client
Authentication stringFlow - The desired flow for client authentication. Defaults to
clients. - Client
Session stringIdle Timeout - The amount of time a session can be idle before it expires. Users can override it for individual clients.
- Client
Session stringMax Lifespan - The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- Default
Default []stringClient Scopes - Default
Optional []stringClient Scopes - Default
Signature stringAlgorithm - Default algorithm used to sign tokens for the realm.
- Direct
Grant stringFlow - The desired flow for direct access authentication. Defaults to
direct grant. - Display
Name string - The display name for the realm that is shown when logging in to the admin console.
- Display
Name stringHtml - The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
- Docker
Authentication stringFlow - The desired flow for Docker authentication. Defaults to
docker auth. - Duplicate
Emails boolAllowed - When true, multiple users will be allowed to have the same email address. This argument must be set to
`false` if `login_with_email_allowed` is set to `true`. - Edit
Username boolAllowed - When true, the username field is editable.
- Email
Theme string - Used for emails that are sent by Keycloak.
- Enabled bool
- When
`false`, users and clients will not be able to access this realm. Defaults to `true`. - Internationalization
Realm
Internationalization Args - Login
Theme string - Used for the login, forgot password, and registration pages.
- Login
With boolEmail Allowed - When true, users may log in with their email address.
- Oauth2Device
Code stringLifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- Oauth2Device
Polling intInterval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- Offline
Session stringIdle Timeout - The amount of time an offline session can be idle before it expires.
- Offline
Session stringMax Lifespan - The maximum amount of time before an offline session expires regardless of activity.
- Offline
Session boolMax Lifespan Enabled - Enable
offline_session_max_lifespan. - Otp
Policy RealmOtp Policy Args - Password
Policy string - The password policy for users within the realm.
- Refresh
Token intMax Reuse - Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.
- Registration
Allowed bool - When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- Registration
Email boolAs Username - When true, the user's email will be used as their username during registration.
- Registration
Flow string - The desired flow for user registration. Defaults to
registration. - Remember
Me bool - When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- Reset
Credentials stringFlow - The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials. - Reset
Password boolAllowed - When true, a "forgot password" link will be displayed on the login page.
- Revoke
Refresh boolToken - If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.
- Security
Defenses RealmSecurity Defenses Args - Smtp
Server RealmSmtp Server Args - Ssl
Required string - Can be one of the following values: 'none', 'external' or 'all'.
- Sso
Session stringIdle Timeout - The amount of time a session can be idle before it expires.
- Sso
Session stringIdle Timeout Remember Me - Sso
Session stringMax Lifespan - The maximum amount of time before a session expires regardless of activity.
- Sso
Session stringMax Lifespan Remember Me - User
Managed boolAccess - When
`true`, users are allowed to manage their own resources. Defaults to `false`. - Verify
Email bool - When true, users are required to verify their email address after registration and after email address changes.
- Web
Authn RealmPasswordless Policy Web Authn Passwordless Policy Args - Configuration for WebAuthn Passwordless Policy authentication.
- Web
Authn RealmPolicy Web Authn Policy Args - Configuration for WebAuthn Policy authentication.
- realm String
- The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- access
Code StringLifespan - The maximum amount of time a client has to finish the authorization code flow.
- access
Code StringLifespan Login - The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- access
Code StringLifespan User Action - The maximum amount of time a user has to complete login related actions, such as updating a password.
- access
Token StringLifespan - The amount of time an access token can be used before it expires.
- access
Token StringLifespan For Implicit Flow - The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- account
Theme String - Used for account management pages.
- action
Token StringGenerated By Admin Lifespan - The maximum time a user has to use an admin-generated permit before it expires.
- action
Token StringGenerated By User Lifespan - The maximum time a user has to use a user-generated permit before it expires.
- admin
Theme String - Used for the admin console.
- attributes Map<String,Object>
- A map of custom attributes to add to the realm.
- browser
Flow String - The desired flow for browser authentication. Defaults to
browser. - client
Authentication StringFlow - The desired flow for client authentication. Defaults to
clients. - client
Session StringIdle Timeout - The amount of time a session can be idle before it expires. Users can override it for individual clients.
- client
Session StringMax Lifespan - The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- default
Default List<String>Client Scopes - default
Optional List<String>Client Scopes - default
Signature StringAlgorithm - Default algorithm used to sign tokens for the realm.
- direct
Grant StringFlow - The desired flow for direct access authentication. Defaults to
direct grant. - display
Name String - The display name for the realm that is shown when logging in to the admin console.
- display
Name StringHtml - The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
- docker
Authentication StringFlow - The desired flow for Docker authentication. Defaults to
docker auth. - duplicate
Emails BooleanAllowed - When true, multiple users will be allowed to have the same email address. This argument must be set to
`false` if `login_with_email_allowed` is set to `true`. - edit
Username BooleanAllowed - When true, the username field is editable.
- email
Theme String - Used for emails that are sent by Keycloak.
- enabled Boolean
- When
`false`, users and clients will not be able to access this realm. Defaults to `true`. - internationalization
Realm
Internationalization - login
Theme String - Used for the login, forgot password, and registration pages.
- login
With BooleanEmail Allowed - When true, users may log in with their email address.
- oauth2Device
Code StringLifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- oauth2Device
Polling IntegerInterval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- offline
Session StringIdle Timeout - The amount of time an offline session can be idle before it expires.
- offline
Session StringMax Lifespan - The maximum amount of time before an offline session expires regardless of activity.
- offline
Session BooleanMax Lifespan Enabled - Enable
offline_session_max_lifespan. - otp
Policy RealmOtp Policy - password
Policy String - The password policy for users within the realm.
- refresh
Token IntegerMax Reuse - Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.
- registration
Allowed Boolean - When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- registration
Email BooleanAs Username - When true, the user's email will be used as their username during registration.
- registration
Flow String - The desired flow for user registration. Defaults to
registration. - remember
Me Boolean - When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- reset
Credentials StringFlow - The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials. - reset
Password BooleanAllowed - When true, a "forgot password" link will be displayed on the login page.
- revoke
Refresh BooleanToken - If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.
- security
Defenses RealmSecurity Defenses - smtp
Server RealmSmtp Server - ssl
Required String - Can be one of the following values: 'none', 'external' or 'all'.
- sso
Session StringIdle Timeout - The amount of time a session can be idle before it expires.
- sso
Session StringIdle Timeout Remember Me - sso
Session StringMax Lifespan - The maximum amount of time before a session expires regardless of activity.
- sso
Session StringMax Lifespan Remember Me - user
Managed BooleanAccess - When
`true`, users are allowed to manage their own resources. Defaults to `false`. - verify
Email Boolean - When true, users are required to verify their email address after registration and after email address changes.
- web
Authn RealmPasswordless Policy Web Authn Passwordless Policy - Configuration for WebAuthn Passwordless Policy authentication.
- web
Authn RealmPolicy Web Authn Policy - Configuration for WebAuthn Policy authentication.
- realm string
- The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- access
Code stringLifespan - The maximum amount of time a client has to finish the authorization code flow.
- access
Code stringLifespan Login - The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- access
Code stringLifespan User Action - The maximum amount of time a user has to complete login related actions, such as updating a password.
- access
Token stringLifespan - The amount of time an access token can be used before it expires.
- access
Token stringLifespan For Implicit Flow - The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- account
Theme string - Used for account management pages.
- action
Token stringGenerated By Admin Lifespan - The maximum time a user has to use an admin-generated permit before it expires.
- action
Token stringGenerated By User Lifespan - The maximum time a user has to use a user-generated permit before it expires.
- admin
Theme string - Used for the admin console.
- attributes {[key: string]: any}
- A map of custom attributes to add to the realm.
- browser
Flow string - The desired flow for browser authentication. Defaults to
browser. - client
Authentication stringFlow - The desired flow for client authentication. Defaults to
clients. - client
Session stringIdle Timeout - The amount of time a session can be idle before it expires. Users can override it for individual clients.
- client
Session stringMax Lifespan - The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- default
Default string[]Client Scopes - default
Optional string[]Client Scopes - default
Signature stringAlgorithm - Default algorithm used to sign tokens for the realm.
- direct
Grant stringFlow - The desired flow for direct access authentication. Defaults to
direct grant. - display
Name string - The display name for the realm that is shown when logging in to the admin console.
- display
Name stringHtml - The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
- docker
Authentication stringFlow - The desired flow for Docker authentication. Defaults to
docker auth. - duplicate
Emails booleanAllowed - When true, multiple users will be allowed to have the same email address. This argument must be set to
`false` if `login_with_email_allowed` is set to `true`. - edit
Username booleanAllowed - When true, the username field is editable.
- email
Theme string - Used for emails that are sent by Keycloak.
- enabled boolean
- When
`false`, users and clients will not be able to access this realm. Defaults to `true`. - internationalization
Realm
Internationalization - login
Theme string - Used for the login, forgot password, and registration pages.
- login
With booleanEmail Allowed - When true, users may log in with their email address.
- oauth2Device
Code stringLifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- oauth2Device
Polling numberInterval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- offline
Session stringIdle Timeout - The amount of time an offline session can be idle before it expires.
- offline
Session stringMax Lifespan - The maximum amount of time before an offline session expires regardless of activity.
- offline
Session booleanMax Lifespan Enabled - Enable
offline_session_max_lifespan. - otp
Policy RealmOtp Policy - password
Policy string - The password policy for users within the realm.
- refresh
Token numberMax Reuse - Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.
- registration
Allowed boolean - When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- registration
Email booleanAs Username - When true, the user's email will be used as their username during registration.
- registration
Flow string - The desired flow for user registration. Defaults to
registration. - remember
Me boolean - When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- reset
Credentials stringFlow - The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials. - reset
Password booleanAllowed - When true, a "forgot password" link will be displayed on the login page.
- revoke
Refresh booleanToken - If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.
- security
Defenses RealmSecurity Defenses - smtp
Server RealmSmtp Server - ssl
Required string - Can be one of the following values: 'none', 'external' or 'all'.
- sso
Session stringIdle Timeout - The amount of time a session can be idle before it expires.
- sso
Session stringIdle Timeout Remember Me - sso
Session stringMax Lifespan - The maximum amount of time before a session expires regardless of activity.
- sso
Session stringMax Lifespan Remember Me - user
Managed booleanAccess - When
`true`, users are allowed to manage their own resources. Defaults to `false`. - verify
Email boolean - When true, users are required to verify their email address after registration and after email address changes.
- web
Authn RealmPasswordless Policy Web Authn Passwordless Policy - Configuration for WebAuthn Passwordless Policy authentication.
- web
Authn RealmPolicy Web Authn Policy - Configuration for WebAuthn Policy authentication.
- realm str
- The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- access_
code_ strlifespan - The maximum amount of time a client has to finish the authorization code flow.
- access_
code_ strlifespan_ login - The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- access_
code_ strlifespan_ user_ action - The maximum amount of time a user has to complete login related actions, such as updating a password.
- access_
token_ strlifespan - The amount of time an access token can be used before it expires.
- access_
token_ strlifespan_ for_ implicit_ flow - The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- account_
theme str - Used for account management pages.
- action_
token_ strgenerated_ by_ admin_ lifespan - The maximum time a user has to use an admin-generated permit before it expires.
- action_
token_ strgenerated_ by_ user_ lifespan - The maximum time a user has to use a user-generated permit before it expires.
- admin_
theme str - Used for the admin console.
- attributes Mapping[str, Any]
- A map of custom attributes to add to the realm.
- browser_
flow str - The desired flow for browser authentication. Defaults to
browser. - client_
authentication_ strflow - The desired flow for client authentication. Defaults to
clients. - client_
session_ stridle_ timeout - The amount of time a session can be idle before it expires. Users can override it for individual clients.
- client_
session_ strmax_ lifespan - The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- default_
default_ Sequence[str]client_ scopes - default_
optional_ Sequence[str]client_ scopes - default_
signature_ stralgorithm - Default algorithm used to sign tokens for the realm.
- direct_
grant_ strflow - The desired flow for direct access authentication. Defaults to
direct grant. - display_
name str - The display name for the realm that is shown when logging in to the admin console.
- display_name_html str - The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. Because the value is emitted as markup, it should come from a trusted source rather than from user input.
- docker_
authentication_ strflow - The desired flow for Docker authentication. Defaults to
docker auth.
- duplicate_emails_allowed bool - When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
- edit_username_allowed bool - When true, the username field is editable.
- email_
theme str - Used for emails that are sent by Keycloak.
- enabled bool - When false, users and clients will not be able to access this realm. Defaults to true.
- internationalization RealmInternationalizationArgs
- login_theme str - Used for the login, forgot password, and registration pages.
- login_
with_ boolemail_ allowed - When true, users may log in with their email address.
- oauth2_
device_ strcode_ lifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- oauth2_
device_ intpolling_ interval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- offline_
session_ stridle_ timeout - The amount of time an offline session can be idle before it expires.
- offline_
session_ strmax_ lifespan - The maximum amount of time before an offline session expires regardless of activity.
- offline_
session_ boolmax_ lifespan_ enabled - Enable
offline_session_max_lifespan. - otp_
policy RealmOtp Policy Args - password_
policy str - The password policy for users within the realm.
- refresh_token_max_reuse int - Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.
- registration_
allowed bool - When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- registration_
email_ boolas_ username - When true, the user's email will be used as their username during registration.
- registration_
flow str - The desired flow for user registration. Defaults to
registration. - remember_
me bool - When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- reset_
credentials_ strflow - The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials. - reset_
password_ boolallowed - When true, a "forgot password" link will be displayed on the login page.
- revoke_refresh_token bool - If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.
- security_
defenses RealmSecurity Defenses Args - smtp_
server RealmSmtpServerArgs
- ssl_required str - Can be one of the following values: 'none', 'external' or 'all'; 'none' removes the TLS requirement for the realm entirely.
- sso_
session_ stridle_ timeout - The amount of time a session can be idle before it expires.
- sso_
session_ stridle_ timeout_ remember_ me - sso_
session_ strmax_ lifespan - The maximum amount of time before a session expires regardless of activity.
- sso_
session_max_lifespan_remember_me str
- user_managed_access bool - When true, users are allowed to manage their own resources. Defaults to false.
- verify_email bool - When true, users are required to verify their email address after registration and after email address changes.
- web_authn_passwordless_policy RealmWebAuthnPasswordlessPolicyArgs - Configuration for WebAuthn Passwordless Policy authentication.
- web_authn_policy RealmWebAuthnPolicyArgs - Configuration for WebAuthn Policy authentication.
- realm String
- The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- access
Code StringLifespan - The maximum amount of time a client has to finish the authorization code flow.
- access
Code StringLifespan Login - The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- access
Code StringLifespan User Action - The maximum amount of time a user has to complete login related actions, such as updating a password.
- access
Token StringLifespan - The amount of time an access token can be used before it expires.
- access
Token StringLifespan For Implicit Flow - The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- account
Theme String - Used for account management pages.
- action
Token StringGenerated By Admin Lifespan - The maximum time a user has to use an admin-generated permit before it expires.
- action
Token StringGenerated By User Lifespan - The maximum time a user has to use a user-generated permit before it expires.
- admin
Theme String - Used for the admin console.
- attributes Map<Any>
- A map of custom attributes to add to the realm.
- browser
Flow String - The desired flow for browser authentication. Defaults to
browser. - client
Authentication StringFlow - The desired flow for client authentication. Defaults to
clients. - client
Session StringIdle Timeout - The amount of time a session can be idle before it expires. Users can override it for individual clients.
- client
Session StringMax Lifespan - The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- default
Default List<String>Client Scopes - default
Optional List<String>Client Scopes - default
Signature StringAlgorithm - Default algorithm used to sign tokens for the realm.
- direct
Grant StringFlow - The desired flow for direct access authentication. Defaults to
direct grant. - display
Name String - The display name for the realm that is shown when logging in to the admin console.
- displayNameHtml String - The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. Because the value is emitted as markup, it should come from a trusted source rather than from user input.
- docker
Authentication StringFlow - The desired flow for Docker authentication. Defaults to
docker auth.
- duplicateEmailsAllowed Boolean - When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
- editUsernameAllowed Boolean - When true, the username field is editable.
- email
Theme String - Used for emails that are sent by Keycloak.
- enabled Boolean - When false, users and clients will not be able to access this realm. Defaults to true.
- internationalization Property Map
- loginTheme String - Used for the login, forgot password, and registration pages.
- login
With BooleanEmail Allowed - When true, users may log in with their email address.
- oauth2Device
Code StringLifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- oauth2Device
Polling NumberInterval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- offline
Session StringIdle Timeout - The amount of time an offline session can be idle before it expires.
- offline
Session StringMax Lifespan - The maximum amount of time before an offline session expires regardless of activity.
- offline
Session BooleanMax Lifespan Enabled - Enable
offline_session_max_lifespan. - otp
Policy Property Map - password
Policy String - The password policy for users within the realm.
- refreshTokenMaxReuse Number - Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.
- registration
Allowed Boolean - When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- registration
Email BooleanAs Username - When true, the user's email will be used as their username during registration.
- registration
Flow String - The desired flow for user registration. Defaults to
registration. - remember
Me Boolean - When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- reset
Credentials StringFlow - The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials. - reset
Password BooleanAllowed - When true, a "forgot password" link will be displayed on the login page.
- revokeRefreshToken Boolean - If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.
- security
Defenses Property Map - smtp
Server Property Map
- sslRequired String - Can be one of the following values: 'none', 'external' or 'all'; 'none' removes the TLS requirement for the realm entirely.
- sso
Session StringIdle Timeout - The amount of time a session can be idle before it expires.
- sso
Session StringIdle Timeout Remember Me - sso
Session StringMax Lifespan - The maximum amount of time before a session expires regardless of activity.
- sso
SessionMaxLifespanRememberMe String
- userManagedAccess Boolean - When true, users are allowed to manage their own resources. Defaults to false.
- verifyEmail Boolean - When true, users are required to verify their email address after registration and after email address changes.
- web
Authn Property MapPasswordless Policy - Configuration for WebAuthn Passwordless Policy authentication.
- web
Authn Property MapPolicy - Configuration for WebAuthn Policy authentication.
Outputs
All input properties are implicitly available as output properties. Additionally, the Realm resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- InternalId string
- Id string
- The provider-assigned unique ID for this managed resource.
- InternalId string
- id String
- The provider-assigned unique ID for this managed resource.
- internalId String
- id string
- The provider-assigned unique ID for this managed resource.
- internalId string
- id str
- The provider-assigned unique ID for this managed resource.
- internal_id str
- id String
- The provider-assigned unique ID for this managed resource.
- internalId String
Look up Existing Realm Resource
Get an existing Realm resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: RealmState, opts?: CustomResourceOptions): Realm
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
access_code_lifespan: Optional[str] = None,
access_code_lifespan_login: Optional[str] = None,
access_code_lifespan_user_action: Optional[str] = None,
access_token_lifespan: Optional[str] = None,
access_token_lifespan_for_implicit_flow: Optional[str] = None,
account_theme: Optional[str] = None,
action_token_generated_by_admin_lifespan: Optional[str] = None,
action_token_generated_by_user_lifespan: Optional[str] = None,
admin_theme: Optional[str] = None,
attributes: Optional[Mapping[str, Any]] = None,
browser_flow: Optional[str] = None,
client_authentication_flow: Optional[str] = None,
client_session_idle_timeout: Optional[str] = None,
client_session_max_lifespan: Optional[str] = None,
default_default_client_scopes: Optional[Sequence[str]] = None,
default_optional_client_scopes: Optional[Sequence[str]] = None,
default_signature_algorithm: Optional[str] = None,
direct_grant_flow: Optional[str] = None,
display_name: Optional[str] = None,
display_name_html: Optional[str] = None,
docker_authentication_flow: Optional[str] = None,
duplicate_emails_allowed: Optional[bool] = None,
edit_username_allowed: Optional[bool] = None,
email_theme: Optional[str] = None,
enabled: Optional[bool] = None,
internal_id: Optional[str] = None,
internationalization: Optional[RealmInternationalizationArgs] = None,
login_theme: Optional[str] = None,
login_with_email_allowed: Optional[bool] = None,
oauth2_device_code_lifespan: Optional[str] = None,
oauth2_device_polling_interval: Optional[int] = None,
offline_session_idle_timeout: Optional[str] = None,
offline_session_max_lifespan: Optional[str] = None,
offline_session_max_lifespan_enabled: Optional[bool] = None,
otp_policy: Optional[RealmOtpPolicyArgs] = None,
password_policy: Optional[str] = None,
realm: Optional[str] = None,
refresh_token_max_reuse: Optional[int] = None,
registration_allowed: Optional[bool] = None,
registration_email_as_username: Optional[bool] = None,
registration_flow: Optional[str] = None,
remember_me: Optional[bool] = None,
reset_credentials_flow: Optional[str] = None,
reset_password_allowed: Optional[bool] = None,
revoke_refresh_token: Optional[bool] = None,
security_defenses: Optional[RealmSecurityDefensesArgs] = None,
smtp_server: Optional[RealmSmtpServerArgs] = None,
ssl_required: Optional[str] = None,
sso_session_idle_timeout: Optional[str] = None,
sso_session_idle_timeout_remember_me: Optional[str] = None,
sso_session_max_lifespan: Optional[str] = None,
sso_session_max_lifespan_remember_me: Optional[str] = None,
user_managed_access: Optional[bool] = None,
verify_email: Optional[bool] = None,
web_authn_passwordless_policy: Optional[RealmWebAuthnPasswordlessPolicyArgs] = None,
web_authn_policy: Optional[RealmWebAuthnPolicyArgs] = None) -> Realm
func GetRealm(ctx *Context, name string, id IDInput, state *RealmState, opts ...ResourceOption) (*Realm, error)
public static Realm Get(string name, Input<string> id, RealmState? state, CustomResourceOptions? opts = null)
public static Realm get(String name, Output<String> id, RealmState state, CustomResourceOptions options)
resources:
  _:
    type: keycloak:Realm
    get:
      id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Access
Code stringLifespan - The maximum amount of time a client has to finish the authorization code flow.
- Access
Code stringLifespan Login - The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- Access
Code stringLifespan User Action - The maximum amount of time a user has to complete login related actions, such as updating a password.
- Access
Token stringLifespan - The amount of time an access token can be used before it expires.
- Access
Token stringLifespan For Implicit Flow - The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- Account
Theme string - Used for account management pages.
- Action
Token stringGenerated By Admin Lifespan - The maximum time a user has to use an admin-generated permit before it expires.
- Action
Token stringGenerated By User Lifespan - The maximum time a user has to use a user-generated permit before it expires.
- Admin
Theme string - Used for the admin console.
- Attributes Dictionary<string, object>
- A map of custom attributes to add to the realm.
- Browser
Flow string - The desired flow for browser authentication. Defaults to
browser. - Client
Authentication stringFlow - The desired flow for client authentication. Defaults to
clients. - Client
Session stringIdle Timeout - The amount of time a session can be idle before it expires. Users can override it for individual clients.
- Client
Session stringMax Lifespan - The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- Default
Default List<string>Client Scopes - Default
Optional List<string>Client Scopes - Default
Signature stringAlgorithm - Default algorithm used to sign tokens for the realm.
- Direct
Grant stringFlow - The desired flow for direct access authentication. Defaults to
direct grant. - Display
Name string - The display name for the realm that is shown when logging in to the admin console.
- DisplayNameHtml string - The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. Because the value is emitted as markup, it should come from a trusted source rather than from user input.
- Docker
Authentication stringFlow - The desired flow for Docker authentication. Defaults to
docker auth.
- DuplicateEmailsAllowed bool - When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
- EditUsernameAllowed bool - When true, the username field is editable.
- Email
Theme string - Used for emails that are sent by Keycloak.
- Enabled bool - When false, users and clients will not be able to access this realm. Defaults to true.
- InternalId string
- Internationalization RealmInternationalization
- LoginTheme string - Used for the login, forgot password, and registration pages.
- Login
With boolEmail Allowed - When true, users may log in with their email address.
- Oauth2Device
Code stringLifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- Oauth2Device
Polling intInterval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- Offline
Session stringIdle Timeout - The amount of time an offline session can be idle before it expires.
- Offline
Session stringMax Lifespan - The maximum amount of time before an offline session expires regardless of activity.
- Offline
Session boolMax Lifespan Enabled - Enable
offline_session_max_lifespan. - Otp
Policy RealmOtp Policy - Password
Policy string - The password policy for users within the realm.
- Realm
Name string - The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- RefreshTokenMaxReuse int - Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.
- Registration
Allowed bool - When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- Registration
Email boolAs Username - When true, the user's email will be used as their username during registration.
- Registration
Flow string - The desired flow for user registration. Defaults to
registration. - Remember
Me bool - When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- Reset
Credentials stringFlow - The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials. - Reset
Password boolAllowed - When true, a "forgot password" link will be displayed on the login page.
- RevokeRefreshToken bool - If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.
- Security
Defenses RealmSecurity Defenses - Smtp
Server RealmSmtpServer
- SslRequired string - Can be one of the following values: 'none', 'external' or 'all'; 'none' removes the TLS requirement for the realm entirely.
- Sso
Session stringIdle Timeout - The amount of time a session can be idle before it expires.
- Sso
Session stringIdle Timeout Remember Me - Sso
Session stringMax Lifespan - The maximum amount of time before a session expires regardless of activity.
- Sso
SessionMaxLifespanRememberMe string
- UserManagedAccess bool - When true, users are allowed to manage their own resources. Defaults to false.
- VerifyEmail bool - When true, users are required to verify their email address after registration and after email address changes.
- Web
Authn RealmPasswordless Policy Web Authn Passwordless Policy - Configuration for WebAuthn Passwordless Policy authentication.
- Web
Authn RealmPolicy Web Authn Policy - Configuration for WebAuthn Policy authentication.
- Access
Code stringLifespan - The maximum amount of time a client has to finish the authorization code flow.
- Access
Code stringLifespan Login - The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- Access
Code stringLifespan User Action - The maximum amount of time a user has to complete login related actions, such as updating a password.
- Access
Token stringLifespan - The amount of time an access token can be used before it expires.
- Access
Token stringLifespan For Implicit Flow - The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- Account
Theme string - Used for account management pages.
- Action
Token stringGenerated By Admin Lifespan - The maximum time a user has to use an admin-generated permit before it expires.
- Action
Token stringGenerated By User Lifespan - The maximum time a user has to use a user-generated permit before it expires.
- Admin
Theme string - Used for the admin console.
- Attributes map[string]interface{}
- A map of custom attributes to add to the realm.
- Browser
Flow string - The desired flow for browser authentication. Defaults to
browser. - Client
Authentication stringFlow - The desired flow for client authentication. Defaults to
clients. - Client
Session stringIdle Timeout - The amount of time a session can be idle before it expires. Users can override it for individual clients.
- Client
Session stringMax Lifespan - The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- Default
Default []stringClient Scopes - Default
Optional []stringClient Scopes - Default
Signature stringAlgorithm - Default algorithm used to sign tokens for the realm.
- Direct
Grant stringFlow - The desired flow for direct access authentication. Defaults to
direct grant. - Display
Name string - The display name for the realm that is shown when logging in to the admin console.
- DisplayNameHtml string - The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. Because the value is emitted as markup, it should come from a trusted source rather than from user input.
- Docker
Authentication stringFlow - The desired flow for Docker authentication. Defaults to
docker auth.
- DuplicateEmailsAllowed bool - When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
- EditUsernameAllowed bool - When true, the username field is editable.
- Email
Theme string - Used for emails that are sent by Keycloak.
- Enabled bool - When false, users and clients will not be able to access this realm. Defaults to true.
- InternalId string
- Internationalization RealmInternationalizationArgs
- LoginTheme string - Used for the login, forgot password, and registration pages.
- Login
With boolEmail Allowed - When true, users may log in with their email address.
- Oauth2Device
Code stringLifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- Oauth2Device
Polling intInterval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- Offline
Session stringIdle Timeout - The amount of time an offline session can be idle before it expires.
- Offline
Session stringMax Lifespan - The maximum amount of time before an offline session expires regardless of activity.
- Offline
Session boolMax Lifespan Enabled - Enable
offline_session_max_lifespan. - Otp
Policy RealmOtp Policy Args - Password
Policy string - The password policy for users within the realm.
- Realm string
- The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- RefreshTokenMaxReuse int - Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.
- Registration
Allowed bool - When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- Registration
Email boolAs Username - When true, the user's email will be used as their username during registration.
- Registration
Flow string - The desired flow for user registration. Defaults to
registration. - Remember
Me bool - When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- Reset
Credentials stringFlow - The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials. - Reset
Password boolAllowed - When true, a "forgot password" link will be displayed on the login page.
- RevokeRefreshToken bool - If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.
- Security
Defenses RealmSecurity Defenses Args - Smtp
Server RealmSmtpServerArgs
- SslRequired string - Can be one of the following values: 'none', 'external' or 'all'; 'none' removes the TLS requirement for the realm entirely.
- Sso
Session stringIdle Timeout - The amount of time a session can be idle before it expires.
- Sso
Session stringIdle Timeout Remember Me - Sso
Session stringMax Lifespan - The maximum amount of time before a session expires regardless of activity.
- Sso
SessionMaxLifespanRememberMe string
- UserManagedAccess bool - When true, users are allowed to manage their own resources. Defaults to false.
- VerifyEmail bool - When true, users are required to verify their email address after registration and after email address changes.
- Web
Authn RealmPasswordless Policy Web Authn Passwordless Policy Args - Configuration for WebAuthn Passwordless Policy authentication.
- Web
Authn RealmPolicy Web Authn Policy Args - Configuration for WebAuthn Policy authentication.
- access
Code StringLifespan - The maximum amount of time a client has to finish the authorization code flow.
- access
Code StringLifespan Login - The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- access
Code StringLifespan User Action - The maximum amount of time a user has to complete login related actions, such as updating a password.
- access
Token StringLifespan - The amount of time an access token can be used before it expires.
- access
Token StringLifespan For Implicit Flow - The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- account
Theme String - Used for account management pages.
- action
Token StringGenerated By Admin Lifespan - The maximum time a user has to use an admin-generated permit before it expires.
- action
Token StringGenerated By User Lifespan - The maximum time a user has to use a user-generated permit before it expires.
- admin
Theme String - Used for the admin console.
- attributes Map<String,Object>
- A map of custom attributes to add to the realm.
- browser
Flow String - The desired flow for browser authentication. Defaults to
browser. - client
Authentication StringFlow - The desired flow for client authentication. Defaults to
clients. - client
Session StringIdle Timeout - The amount of time a session can be idle before it expires. Users can override it for individual clients.
- client
Session StringMax Lifespan - The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- default
Default List<String>Client Scopes - default
Optional List<String>Client Scopes - default
Signature StringAlgorithm - Default algorithm used to sign tokens for the realm.
- direct
Grant StringFlow - The desired flow for direct access authentication. Defaults to
direct grant. - display
Name String - The display name for the realm that is shown when logging in to the admin console.
- displayNameHtml String - The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. Because the value is emitted as markup, it should come from a trusted source rather than from user input.
- docker
Authentication StringFlow - The desired flow for Docker authentication. Defaults to
docker auth.
- duplicateEmailsAllowed Boolean - When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
- editUsernameAllowed Boolean - When true, the username field is editable.
- email
Theme String - Used for emails that are sent by Keycloak.
- enabled Boolean - When false, users and clients will not be able to access this realm. Defaults to true.
- internalId String
- internationalization RealmInternationalization
- loginTheme String - Used for the login, forgot password, and registration pages.
- login
With BooleanEmail Allowed - When true, users may log in with their email address.
- oauth2Device
Code StringLifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- oauth2Device
Polling IntegerInterval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- offline
Session StringIdle Timeout - The amount of time an offline session can be idle before it expires.
- offline
Session StringMax Lifespan - The maximum amount of time before an offline session expires regardless of activity.
- offline
Session BooleanMax Lifespan Enabled - Enable
offline_session_max_lifespan. - otp
Policy RealmOtp Policy - password
Policy String - The password policy for users within the realm.
- realm String
- The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- refreshTokenMaxReuse Integer - Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.
- registration
Allowed Boolean - When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- registration
Email BooleanAs Username - When true, the user's email will be used as their username during registration.
- registration
Flow String - The desired flow for user registration. Defaults to
registration. - remember
Me Boolean - When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- reset
Credentials StringFlow - The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials. - reset
Password BooleanAllowed - When true, a "forgot password" link will be displayed on the login page.
- revokeRefreshToken Boolean - If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.
- security
Defenses RealmSecurity Defenses - smtp
Server RealmSmtpServer
- sslRequired String - Can be one of the following values: 'none', 'external' or 'all'; 'none' removes the TLS requirement for the realm entirely.
- sso
Session StringIdle Timeout - The amount of time a session can be idle before it expires.
- sso
Session StringIdle Timeout Remember Me - sso
Session StringMax Lifespan - The maximum amount of time before a session expires regardless of activity.
- sso
SessionMaxLifespanRememberMe String
- userManagedAccess Boolean - When true, users are allowed to manage their own resources. Defaults to false.
- verifyEmail Boolean - When true, users are required to verify their email address after registration and after email address changes.
- web
Authn RealmPasswordless Policy Web Authn Passwordless Policy - Configuration for WebAuthn Passwordless Policy authentication.
- web
Authn RealmPolicy Web Authn Policy - Configuration for WebAuthn Policy authentication.
- access
Code stringLifespan - The maximum amount of time a client has to finish the authorization code flow.
- access
Code stringLifespan Login - The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- access
Code stringLifespan User Action - The maximum amount of time a user has to complete login related actions, such as updating a password.
- access
Token stringLifespan - The amount of time an access token can be used before it expires.
- access
Token stringLifespan For Implicit Flow - The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- account
Theme string - Used for account management pages.
- action
Token stringGenerated By Admin Lifespan - The maximum time a user has to use an admin-generated permit before it expires.
- action
Token stringGenerated By User Lifespan - The maximum time a user has to use a user-generated permit before it expires.
- admin
Theme string - Used for the admin console.
- attributes {[key: string]: any}
- A map of custom attributes to add to the realm.
- browser
Flow string - The desired flow for browser authentication. Defaults to
browser. - client
Authentication stringFlow - The desired flow for client authentication. Defaults to
clients. - client
Session stringIdle Timeout - The amount of time a session can be idle before it expires. Users can override it for individual clients.
- client
Session stringMax Lifespan - The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- default
Default string[]Client Scopes - default
Optional string[]Client Scopes - default
Signature stringAlgorithm - Default algorithm used to sign tokens for the realm.
- direct
Grant stringFlow - The desired flow for direct access authentication. Defaults to
direct grant. - display
Name string - The display name for the realm that is shown when logging in to the admin console.
- display
Name stringHtml - The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. Because the value is emitted as raw HTML rather than escaped text, treat it as trusted configuration: never populate it from user-supplied input, and keep it to simple markup.
- docker
Authentication stringFlow - The desired flow for Docker authentication. Defaults to
docker auth. - duplicate
Emails booleanAllowed - When true, multiple users will be allowed to have the same email address. This argument must be set to
`false` if `login_with_email_allowed` is set to `true`. - edit
Username booleanAllowed - When true, the username field is editable.
- email
Theme string - Used for emails that are sent by Keycloak.
- enabled boolean
- When
`false`, users and clients will not be able to access this realm. Defaults to `true`. - internal
Id string - internationalization
Realm
Internationalization - login
Theme string - Used for the login, forgot password, and registration pages.
- login
With booleanEmail Allowed - When true, users may log in with their email address.
- oauth2Device
Code stringLifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- oauth2Device
Polling numberInterval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- offline
Session stringIdle Timeout - The amount of time an offline session can be idle before it expires.
- offline
Session stringMax Lifespan - The maximum amount of time before an offline session expires regardless of activity.
- offline
Session booleanMax Lifespan Enabled - Enable
offline_session_max_lifespan. - otp
Policy RealmOtp Policy - password
Policy string - The password policy for users within the realm.
- realm string
- The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- refresh
Token numberMax Reuse - Maximum number of times a refresh token can be reused before they are revoked. If unspecified and 'revoke_refresh_token' is enabled the default value is 0 and refresh tokens can not be reused.
- registration
Allowed boolean - When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- registration
Email booleanAs Username - When true, the user's email will be used as their username during registration.
- registration
Flow string - The desired flow for user registration. Defaults to
registration. - remember
Me boolean - When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- reset
Credentials stringFlow - The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials. - reset
Password booleanAllowed - When true, a "forgot password" link will be displayed on the login page.
- revoke
Refresh booleanToken - If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused without limit for as long as they are valid, so a leaked refresh token remains usable until it expires; enabling this with 'refresh_token_max_reuse' left at its default of 0 yields single-use (rotating) refresh tokens.
- security
Defenses RealmSecurity Defenses - smtp
Server RealmSmtp Server - ssl
Required string - Can be one of the following values: 'none', 'external' or 'all'. 'none' allows the realm to be used over plain HTTP; 'external' requires TLS only for requests that do not originate from private network addresses; 'all' requires TLS for every request. Use 'all' for any realm reachable from untrusted networks, since credentials and tokens otherwise travel in clear text.
- sso
Session stringIdle Timeout - The amount of time a session can be idle before it expires.
- sso
Session stringIdle Timeout Remember Me - sso
Session stringMax Lifespan - The maximum amount of time before a session expires regardless of activity.
- sso
Session stringMax Lifespan Remember Me - user
Managed booleanAccess - When
`true`, users are allowed to manage their own resources. Defaults to `false`. - verify
Email boolean - When true, users are required to verify their email address after registration and after email address changes.
- web
Authn RealmPasswordless Policy Web Authn Passwordless Policy - Configuration for WebAuthn Passwordless Policy authentication.
- web
Authn RealmPolicy Web Authn Policy - Configuration for WebAuthn Policy authentication.
- access_
code_ strlifespan - The maximum amount of time a client has to finish the authorization code flow.
- access_
code_ strlifespan_ login - The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- access_
code_ strlifespan_ user_ action - The maximum amount of time a user has to complete login related actions, such as updating a password.
- access_
token_ strlifespan - The amount of time an access token can be used before it expires.
- access_
token_ strlifespan_ for_ implicit_ flow - The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- account_
theme str - Used for account management pages.
- action_
token_ strgenerated_ by_ admin_ lifespan - The maximum time a user has to use an admin-generated permit before it expires.
- action_
token_ strgenerated_ by_ user_ lifespan - The maximum time a user has to use a user-generated permit before it expires.
- admin_
theme str - Used for the admin console.
- attributes Mapping[str, Any]
- A map of custom attributes to add to the realm.
- browser_
flow str - The desired flow for browser authentication. Defaults to
browser. - client_
authentication_ strflow - The desired flow for client authentication. Defaults to
clients. - client_
session_ stridle_ timeout - The amount of time a session can be idle before it expires. Users can override it for individual clients.
- client_
session_ strmax_ lifespan - The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- default_
default_ Sequence[str]client_ scopes - default_
optional_ Sequence[str]client_ scopes - default_
signature_ stralgorithm - Default algorithm used to sign tokens for the realm.
- direct_
grant_ strflow - The desired flow for direct access authentication. Defaults to
direct grant. - display_
name str - The display name for the realm that is shown when logging in to the admin console.
- display_
name_ strhtml - The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. Because the value is emitted as raw HTML rather than escaped text, treat it as trusted configuration: never populate it from user-supplied input, and keep it to simple markup.
- docker_
authentication_ strflow - The desired flow for Docker authentication. Defaults to
docker auth. - duplicate_
emails_ boolallowed - When true, multiple users will be allowed to have the same email address. This argument must be set to
`false` if `login_with_email_allowed` is set to `true`. - edit_
username_ boolallowed - When true, the username field is editable.
- email_
theme str - Used for emails that are sent by Keycloak.
- enabled bool
- When
`false`, users and clients will not be able to access this realm. Defaults to `true`. - internal_
id str - internationalization
Realm
Internationalization Args - login_
theme str - Used for the login, forgot password, and registration pages.
- login_
with_ boolemail_ allowed - When true, users may log in with their email address.
- oauth2_
device_ strcode_ lifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- oauth2_
device_ intpolling_ interval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- offline_
session_ stridle_ timeout - The amount of time an offline session can be idle before it expires.
- offline_
session_ strmax_ lifespan - The maximum amount of time before an offline session expires regardless of activity.
- offline_
session_ boolmax_ lifespan_ enabled - Enable
offline_session_max_lifespan. - otp_
policy RealmOtp Policy Args - password_
policy str - The password policy for users within the realm.
- realm str
- The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- refresh_
token_ intmax_ reuse - Maximum number of times a refresh token can be reused before they are revoked. If unspecified and 'revoke_refresh_token' is enabled the default value is 0 and refresh tokens can not be reused.
- registration_
allowed bool - When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- registration_
email_ boolas_ username - When true, the user's email will be used as their username during registration.
- registration_
flow str - The desired flow for user registration. Defaults to
registration. - remember_
me bool - When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- reset_
credentials_ strflow - The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials. - reset_
password_ boolallowed - When true, a "forgot password" link will be displayed on the login page.
- revoke_
refresh_ booltoken - If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused without limit for as long as they are valid, so a leaked refresh token remains usable until it expires; enabling this with 'refresh_token_max_reuse' left at its default of 0 yields single-use (rotating) refresh tokens.
- security_
defenses RealmSecurity Defenses Args - smtp_
server RealmSmtp Server Args - ssl_
required str - Can be one of the following values: 'none', 'external' or 'all'. 'none' allows the realm to be used over plain HTTP; 'external' requires TLS only for requests that do not originate from private network addresses; 'all' requires TLS for every request. Use 'all' for any realm reachable from untrusted networks, since credentials and tokens otherwise travel in clear text.
- sso_
session_ stridle_ timeout - The amount of time a session can be idle before it expires.
- sso_
session_ stridle_ timeout_ remember_ me - sso_
session_ strmax_ lifespan - The maximum amount of time before a session expires regardless of activity.
- sso_
session_ strmax_ lifespan_ remember_ me - user_
managed_ boolaccess - When
`true`, users are allowed to manage their own resources. Defaults to `false`. - verify_
email bool - When true, users are required to verify their email address after registration and after email address changes.
- web_
authn_ Realmpasswordless_ policy Web Authn Passwordless Policy Args - Configuration for WebAuthn Passwordless Policy authentication.
- web_
authn_ Realmpolicy Web Authn Policy Args - Configuration for WebAuthn Policy authentication.
- access
Code StringLifespan - The maximum amount of time a client has to finish the authorization code flow.
- access
Code StringLifespan Login - The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
- access
Code StringLifespan User Action - The maximum amount of time a user has to complete login related actions, such as updating a password.
- access
Token StringLifespan - The amount of time an access token can be used before it expires.
- access
Token StringLifespan For Implicit Flow - The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
- account
Theme String - Used for account management pages.
- action
Token StringGenerated By Admin Lifespan - The maximum time a user has to use an admin-generated permit before it expires.
- action
Token StringGenerated By User Lifespan - The maximum time a user has to use a user-generated permit before it expires.
- admin
Theme String - Used for the admin console.
- attributes Map<Any>
- A map of custom attributes to add to the realm.
- browser
Flow String - The desired flow for browser authentication. Defaults to
browser. - client
Authentication StringFlow - The desired flow for client authentication. Defaults to
clients. - client
Session StringIdle Timeout - The amount of time a session can be idle before it expires. Users can override it for individual clients.
- client
Session StringMax Lifespan - The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
- default
Default List<String>Client Scopes - default
Optional List<String>Client Scopes - default
Signature StringAlgorithm - Default algorithm used to sign tokens for the realm.
- direct
Grant StringFlow - The desired flow for direct access authentication. Defaults to
direct grant. - display
Name String - The display name for the realm that is shown when logging in to the admin console.
- display
Name StringHtml - The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. Because the value is emitted as raw HTML rather than escaped text, treat it as trusted configuration: never populate it from user-supplied input, and keep it to simple markup.
- docker
Authentication StringFlow - The desired flow for Docker authentication. Defaults to
docker auth. - duplicate
Emails BooleanAllowed - When true, multiple users will be allowed to have the same email address. This argument must be set to
`false` if `login_with_email_allowed` is set to `true`. - edit
Username BooleanAllowed - When true, the username field is editable.
- email
Theme String - Used for emails that are sent by Keycloak.
- enabled Boolean
- When
`false`, users and clients will not be able to access this realm. Defaults to `true`. - internal
Id String - internationalization Property Map
- login
Theme String - Used for the login, forgot password, and registration pages.
- login
With BooleanEmail Allowed - When true, users may log in with their email address.
- oauth2Device
Code StringLifespan - The maximum amount of time a client has to finish the device code flow before it expires.
- oauth2Device
Polling NumberInterval - The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
- offline
Session StringIdle Timeout - The amount of time an offline session can be idle before it expires.
- offline
Session StringMax Lifespan - The maximum amount of time before an offline session expires regardless of activity.
- offline
Session BooleanMax Lifespan Enabled - Enable
offline_session_max_lifespan. - otp
Policy Property Map - password
Policy String - The password policy for users within the realm.
- realm String
- The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
- refresh
Token NumberMax Reuse - Maximum number of times a refresh token can be reused before they are revoked. If unspecified and 'revoke_refresh_token' is enabled the default value is 0 and refresh tokens can not be reused.
- registration
Allowed Boolean - When true, user registration will be enabled, and a link for registration will be displayed on the login page.
- registration
Email BooleanAs Username - When true, the user's email will be used as their username during registration.
- registration
Flow String - The desired flow for user registration. Defaults to
registration. - remember
Me Boolean - When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
- reset
Credentials StringFlow - The desired flow to use when a user attempts to reset their credentials. Defaults to
reset credentials. - reset
Password BooleanAllowed - When true, a "forgot password" link will be displayed on the login page.
- revoke
Refresh BooleanToken - If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused without limit for as long as they are valid, so a leaked refresh token remains usable until it expires; enabling this with 'refresh_token_max_reuse' left at its default of 0 yields single-use (rotating) refresh tokens.
- security
Defenses Property Map - smtp
Server Property Map - ssl
Required String - Can be one of the following values: 'none', 'external' or 'all'. 'none' allows the realm to be used over plain HTTP; 'external' requires TLS only for requests that do not originate from private network addresses; 'all' requires TLS for every request. Use 'all' for any realm reachable from untrusted networks, since credentials and tokens otherwise travel in clear text.
- sso
Session StringIdle Timeout - The amount of time a session can be idle before it expires.
- sso
Session StringIdle Timeout Remember Me - sso
Session StringMax Lifespan - The maximum amount of time before a session expires regardless of activity.
- sso
Session StringMax Lifespan Remember Me - user
Managed BooleanAccess - When
`true`, users are allowed to manage their own resources. Defaults to `false`. - verify
Email Boolean - When true, users are required to verify their email address after registration and after email address changes.
- web
Authn Property MapPasswordless Policy - Configuration for WebAuthn Passwordless Policy authentication.
- web
Authn Property MapPolicy - Configuration for WebAuthn Policy authentication.
Supporting Types
RealmInternationalization, RealmInternationalizationArgs
- Default
Locale string - The locale to use by default. This locale code must be present within the
supported_localeslist. - Supported
Locales List<string> - A list of ISO 639-1 locale codes that the realm should support.
- Default
Locale string - The locale to use by default. This locale code must be present within the
supported_localeslist. - Supported
Locales []string - A list of ISO 639-1 locale codes that the realm should support.
- default
Locale String - The locale to use by default. This locale code must be present within the
supported_localeslist. - supported
Locales List<String> - A list of ISO 639-1 locale codes that the realm should support.
- default
Locale string - The locale to use by default. This locale code must be present within the
supported_localeslist. - supported
Locales string[] - A list of ISO 639-1 locale codes that the realm should support.
- default_
locale str - The locale to use by default. This locale code must be present within the
supported_localeslist. - supported_
locales Sequence[str] - A list of ISO 639-1 locale codes that the realm should support.
- default
Locale String - The locale to use by default. This locale code must be present within the
supported_localeslist. - supported
Locales List<String> - A list of ISO 639-1 locale codes that the realm should support.
RealmOtpPolicy, RealmOtpPolicyArgs
- Algorithm string
- What hashing algorithm should be used to generate the OTP, Valid options are
`HmacSHA1`, `HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. Before selecting a stronger algorithm, confirm that the authenticator apps your users rely on honour it; some widely used apps support only `HmacSHA1`, and a mismatch makes every generated code fail verification. - Digits int
- How many digits the OTP have. Defaults to
6. - Initial
Counter int - What should the initial counter value be. Defaults to
2. - Look
Ahead intWindow - How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to
1. - Period int
- How many seconds should an OTP token be valid. Defaults to
30. - Type string
- One Time Password Type, supported Values are
`totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`.
- Algorithm string
- What hashing algorithm should be used to generate the OTP, Valid options are
`HmacSHA1`, `HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. Before selecting a stronger algorithm, confirm that the authenticator apps your users rely on honour it; some widely used apps support only `HmacSHA1`, and a mismatch makes every generated code fail verification. - Digits int
- How many digits the OTP have. Defaults to
6. - Initial
Counter int - What should the initial counter value be. Defaults to
2. - Look
Ahead intWindow - How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to
1. - Period int
- How many seconds should an OTP token be valid. Defaults to
30. - Type string
- One Time Password Type, supported Values are
`totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`.
- algorithm String
- What hashing algorithm should be used to generate the OTP, Valid options are
`HmacSHA1`, `HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. Before selecting a stronger algorithm, confirm that the authenticator apps your users rely on honour it; some widely used apps support only `HmacSHA1`, and a mismatch makes every generated code fail verification. - digits Integer
- How many digits the OTP have. Defaults to
6. - initial
Counter Integer - What should the initial counter value be. Defaults to
2. - look
Ahead IntegerWindow - How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to
1. - period Integer
- How many seconds should an OTP token be valid. Defaults to
30. - type String
- One Time Password Type, supported Values are
`totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`.
- algorithm string
- What hashing algorithm should be used to generate the OTP, Valid options are
`HmacSHA1`, `HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. Before selecting a stronger algorithm, confirm that the authenticator apps your users rely on honour it; some widely used apps support only `HmacSHA1`, and a mismatch makes every generated code fail verification. - digits number
- How many digits the OTP have. Defaults to
6. - initial
Counter number - What should the initial counter value be. Defaults to
2. - look
Ahead numberWindow - How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to
1. - period number
- How many seconds should an OTP token be valid. Defaults to
30. - type string
- One Time Password Type, supported Values are
`totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`.
- algorithm str
- What hashing algorithm should be used to generate the OTP, Valid options are
`HmacSHA1`, `HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. Before selecting a stronger algorithm, confirm that the authenticator apps your users rely on honour it; some widely used apps support only `HmacSHA1`, and a mismatch makes every generated code fail verification. - digits int
- How many digits the OTP have. Defaults to
6. - initial_
counter int - What should the initial counter value be. Defaults to
2. - look_
ahead_ intwindow - How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to
1. - period int
- How many seconds should an OTP token be valid. Defaults to
30. - type str
- One Time Password Type, supported Values are
`totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`.
- algorithm String
- What hashing algorithm should be used to generate the OTP, Valid options are
`HmacSHA1`, `HmacSHA256` and `HmacSHA512`. Defaults to `HmacSHA1`. Before selecting a stronger algorithm, confirm that the authenticator apps your users rely on honour it; some widely used apps support only `HmacSHA1`, and a mismatch makes every generated code fail verification. - digits Number
- How many digits the OTP have. Defaults to
6. - initial
Counter Number - What should the initial counter value be. Defaults to
2. - look
Ahead NumberWindow - How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to
1. - period Number
- How many seconds should an OTP token be valid. Defaults to
30. - type String
- One Time Password Type, supported Values are
`totp` for Time-Based One Time Password and `hotp` for Counter Based. Defaults to `totp`.
RealmSecurityDefenses, RealmSecurityDefensesArgs
RealmSecurityDefensesBruteForceDetection, RealmSecurityDefensesBruteForceDetectionArgs
- Failure
Reset intTime Seconds - Number of seconds after which a user's accumulated login-failure count is reset to zero.
- Max
Failure intWait Seconds - The maximum time, in seconds, that a user will be temporarily locked out after repeated failures; it caps the wait applied via wait_increment_seconds. - Max
Login intFailures - How many failures before wait is triggered.
- Minimum
Quick intLogin Wait Seconds - How long to wait after a quick login failure.
max_failure_wait_seconds- (Optional) Max. time a user will be locked out.
- Permanent
Lockout bool - When
`true`, this will lock the user permanently when the user exceeds the maximum login failures, until an administrator re-enables the account. Be aware that this turns brute-force protection into a denial-of-service lever: anyone who knows a username can lock that user out by submitting enough bad passwords, so prefer the temporary, escalating wait unless permanent lockout is a deliberate policy. - Quick
Login intCheck Milli Seconds - If two consecutive login failures for the same user arrive less than this many milliseconds apart, the attempt is treated as a "quick login" (a pattern characteristic of automated guessing) and the user is made to wait minimum_quick_login_wait_seconds before the next attempt.
- Wait
Increment intSeconds - This represents the amount of time a user should be locked out when the login failure threshold has been met.
- Failure
Reset intTime Seconds - Number of seconds after which a user's accumulated login-failure count is reset to zero.
- Max
Failure intWait Seconds - The maximum time, in seconds, that a user will be temporarily locked out after repeated failures; it caps the wait applied via wait_increment_seconds. - Max
Login intFailures - How many failures before wait is triggered.
- Minimum
Quick intLogin Wait Seconds - How long to wait after a quick login failure.
max_failure_wait_seconds- (Optional) Max. time a user will be locked out.
- Permanent
Lockout bool - When
`true`, this will lock the user permanently when the user exceeds the maximum login failures, until an administrator re-enables the account. Be aware that this turns brute-force protection into a denial-of-service lever: anyone who knows a username can lock that user out by submitting enough bad passwords, so prefer the temporary, escalating wait unless permanent lockout is a deliberate policy. - Quick
Login intCheck Milli Seconds - If two consecutive login failures for the same user arrive less than this many milliseconds apart, the attempt is treated as a "quick login" (a pattern characteristic of automated guessing) and the user is made to wait minimum_quick_login_wait_seconds before the next attempt.
- Wait
Increment intSeconds - This represents the amount of time a user should be locked out when the login failure threshold has been met.
- failure
Reset IntegerTime Seconds - Number of seconds after which a user's accumulated login-failure count is reset to zero.
- max
Failure IntegerWait Seconds - The maximum time, in seconds, that a user will be temporarily locked out after repeated failures; it caps the wait applied via wait_increment_seconds. - max
Login IntegerFailures - How many failures before wait is triggered.
- minimum
Quick IntegerLogin Wait Seconds - How long to wait after a quick login failure.
max_failure_wait_seconds- (Optional) Max. time a user will be locked out.
- permanent
Lockout Boolean - When
`true`, this will lock the user permanently when the user exceeds the maximum login failures, until an administrator re-enables the account. Be aware that this turns brute-force protection into a denial-of-service lever: anyone who knows a username can lock that user out by submitting enough bad passwords, so prefer the temporary, escalating wait unless permanent lockout is a deliberate policy. - quick
Login IntegerCheck Milli Seconds - If two consecutive login failures for the same user arrive less than this many milliseconds apart, the attempt is treated as a "quick login" (a pattern characteristic of automated guessing) and the user is made to wait minimum_quick_login_wait_seconds before the next attempt.
- wait
Increment IntegerSeconds - This represents the amount of time a user should be locked out when the login failure threshold has been met.
- failure
Reset numberTime Seconds - Number of seconds after which a user's accumulated login-failure count is reset to zero.
- max
Failure numberWait Seconds - The maximum time, in seconds, that a user will be temporarily locked out after repeated failures; it caps the wait applied via wait_increment_seconds. - max
Login numberFailures - How many failures before wait is triggered.
- minimum
Quick numberLogin Wait Seconds - How long to wait after a quick login failure.
max_failure_wait_seconds- (Optional) Max. time a user will be locked out.
- permanent
Lockout boolean - When
`true`, this will lock the user permanently when the user exceeds the maximum login failures, until an administrator re-enables the account. Be aware that this turns brute-force protection into a denial-of-service lever: anyone who knows a username can lock that user out by submitting enough bad passwords, so prefer the temporary, escalating wait unless permanent lockout is a deliberate policy. - quick
Login numberCheck Milli Seconds - If two consecutive login failures for the same user arrive less than this many milliseconds apart, the attempt is treated as a "quick login" (a pattern characteristic of automated guessing) and the user is made to wait minimum_quick_login_wait_seconds before the next attempt.
- wait
Increment numberSeconds - This represents the amount of time a user should be locked out when the login failure threshold has been met.
- failure_
reset_ inttime_ seconds - Number of seconds after which a user's accumulated login-failure count is reset to zero.
- max_
failure_ intwait_ seconds - The maximum time, in seconds, that a user will be temporarily locked out after repeated failures; it caps the wait applied via wait_increment_seconds. - max_
login_ intfailures - How many failures before wait is triggered.
- minimum_
quick_ intlogin_ wait_ seconds - How long to wait after a quick login failure.
max_failure_wait_seconds- (Optional) Max. time a user will be locked out.
- permanent_
lockout bool - When
`true`, this will lock the user permanently when the user exceeds the maximum login failures, until an administrator re-enables the account. Be aware that this turns brute-force protection into a denial-of-service lever: anyone who knows a username can lock that user out by submitting enough bad passwords, so prefer the temporary, escalating wait unless permanent lockout is a deliberate policy. - quick_
login_ intcheck_ milli_ seconds - If two consecutive login failures for the same user arrive less than this many milliseconds apart, the attempt is treated as a "quick login" (a pattern characteristic of automated guessing) and the user is made to wait minimum_quick_login_wait_seconds before the next attempt.
- wait_
increment_ intseconds - This represents the amount of time a user should be locked out when the login failure threshold has been met.
- failure
Reset NumberTime Seconds - Number of seconds after which a user's accumulated login-failure count is reset to zero.
- max
Failure NumberWait Seconds - The maximum time, in seconds, that a user will be temporarily locked out after repeated failures; it caps the wait applied via wait_increment_seconds. - max
Login NumberFailures - How many failures before wait is triggered.
- minimum
Quick NumberLogin Wait Seconds - How long to wait after a quick login failure.
max_failure_wait_seconds- (Optional) Max. time a user will be locked out.
- permanent
Lockout Boolean - When
`true`, this will lock the user permanently when the user exceeds the maximum login failures, until an administrator re-enables the account. Be aware that this turns brute-force protection into a denial-of-service lever: anyone who knows a username can lock that user out by submitting enough bad passwords, so prefer the temporary, escalating wait unless permanent lockout is a deliberate policy. - quick
Login NumberCheck Milli Seconds - If two consecutive login failures for the same user arrive less than this many milliseconds apart, the attempt is treated as a "quick login" (a pattern characteristic of automated guessing) and the user is made to wait minimum_quick_login_wait_seconds before the next attempt.
- wait
Increment NumberSeconds - This represents the amount of time a user should be locked out when the login failure threshold has been met.
RealmSecurityDefensesHeaders, RealmSecurityDefensesHeadersArgs
- Content
Security stringPolicy - Sets the Content-Security-Policy header. Among other things it controls which origins may embed Keycloak pages in frames (the frame-ancestors directive) and where scripts, objects and other resources may be loaded from, making it the primary defense against clickjacking and injected content on the login and account pages. More information can be found in the W3C CSP specification.
- Content
Security stringPolicy Report Only - Used for testing Content Security Policies.
- Strict
Transport stringSecurity - Sets the Strict-Transport-Security HTTP header, which tells browsers to use only HTTPS for this host for the max-age period. Because browsers cache the policy, enable it only once every host it covers (all subdomains too, if includeSubDomains is set) is permanently served over HTTPS.
- XContent
Type stringOptions - Sets the X-Content-Type-Options header. The value nosniff stops browsers from MIME-sniffing a response away from its declared Content-Type, which prevents, for example, a non-script response from being executed as script.
- XFrame
Options string - Sets the X-Frame-Options header, which can be used to prevent pages from being framed by other origins (clickjacking). Browsers that support CSP give precedence to its frame-ancestors directive, so keep this header and the Content Security Policy consistent. More information can be found in RFC 7034.
- XRobots
Tag string - Prevent pages from appearing in search engines.
- XXss
Protection string - Sets the X-XSS-Protection header, which configured the cross-site scripting (XSS) filter in older browsers. Current browsers have removed that filter, so this header is legacy only; rely on the Content Security Policy for script restrictions rather than on this setting.
- Content
Security stringPolicy - Sets the Content-Security-Policy header. Among other things it controls which origins may embed Keycloak pages in frames (the frame-ancestors directive) and where scripts, objects and other resources may be loaded from, making it the primary defense against clickjacking and injected content on the login and account pages. More information can be found in the W3C CSP specification.
- Content
Security stringPolicy Report Only - Used for testing Content Security Policies.
- Strict
Transport stringSecurity - Sets the Strict-Transport-Security HTTP header, which tells browsers to use only HTTPS for this host for the max-age period. Because browsers cache the policy, enable it only once every host it covers (all subdomains too, if includeSubDomains is set) is permanently served over HTTPS.
- XContent
Type stringOptions - Sets the X-Content-Type-Options header. The value nosniff stops browsers from MIME-sniffing a response away from its declared Content-Type, which prevents, for example, a non-script response from being executed as script.
- XFrame
Options string - Sets the X-Frame-Options header, which can be used to prevent pages from being framed by other origins (clickjacking). Browsers that support CSP give precedence to its frame-ancestors directive, so keep this header and the Content Security Policy consistent. More information can be found in RFC 7034.
- XRobots
Tag string - Prevent pages from appearing in search engines.
- XXss
Protection string - Sets the X-XSS-Protection header, which configured the cross-site scripting (XSS) filter in older browsers. Current browsers have removed that filter, so this header is legacy only; rely on the Content Security Policy for script restrictions rather than on this setting.
- content
Security StringPolicy - Sets the Content-Security-Policy header. Among other things it controls which origins may embed Keycloak pages in frames (the frame-ancestors directive) and where scripts, objects and other resources may be loaded from, making it the primary defense against clickjacking and injected content on the login and account pages. More information can be found in the W3C CSP specification.
- content
Security StringPolicy Report Only - Used for testing Content Security Policies.
- strict
Transport StringSecurity - Sets the Strict-Transport-Security HTTP header, which tells browsers to use only HTTPS for this host for the max-age period. Because browsers cache the policy, enable it only once every host it covers (all subdomains too, if includeSubDomains is set) is permanently served over HTTPS.
- x
Content StringType Options - Sets the X-Content-Type-Options header. The value nosniff stops browsers from MIME-sniffing a response away from its declared Content-Type, which prevents, for example, a non-script response from being executed as script.
- x
Frame StringOptions - Sets the X-Frame-Options header, which can be used to prevent pages from being framed by other origins (clickjacking). Browsers that support CSP give precedence to its frame-ancestors directive, so keep this header and the Content Security Policy consistent. More information can be found in RFC 7034.
- x
Robots StringTag - Prevent pages from appearing in search engines.
- x
Xss StringProtection - Sets the X-XSS-Protection header, which configured the cross-site scripting (XSS) filter in older browsers. Current browsers have removed that filter, so this header is legacy only; rely on the Content Security Policy for script restrictions rather than on this setting.
- content
Security stringPolicy - Sets the Content-Security-Policy header. Among other things it controls which origins may embed Keycloak pages in frames (the frame-ancestors directive) and where scripts, objects and other resources may be loaded from, making it the primary defense against clickjacking and injected content on the login and account pages. More information can be found in the W3C CSP specification.
- content
Security stringPolicy Report Only - Used for testing Content Security Policies.
- strict
Transport stringSecurity - Sets the Strict-Transport-Security HTTP header, which tells browsers to use only HTTPS for this host for the max-age period. Because browsers cache the policy, enable it only once every host it covers (all subdomains too, if includeSubDomains is set) is permanently served over HTTPS.
- x
Content stringType Options - Sets the X-Content-Type-Options header. The value nosniff stops browsers from MIME-sniffing a response away from its declared Content-Type, which prevents, for example, a non-script response from being executed as script.
- x
Frame stringOptions - Sets the X-Frame-Options header, which can be used to prevent pages from being framed by other origins (clickjacking). Browsers that support CSP give precedence to its frame-ancestors directive, so keep this header and the Content Security Policy consistent. More information can be found in RFC 7034.
- x
Robots stringTag - Prevent pages from appearing in search engines.
- x
Xss stringProtection - Sets the X-XSS-Protection header, which configured the cross-site scripting (XSS) filter in older browsers. Current browsers have removed that filter, so this header is legacy only; rely on the Content Security Policy for script restrictions rather than on this setting.
- content_
security_ strpolicy - Sets the Content-Security-Policy header. Among other things it controls which origins may embed Keycloak pages in frames (the frame-ancestors directive) and where scripts, objects and other resources may be loaded from, making it the primary defense against clickjacking and injected content on the login and account pages. More information can be found in the W3C CSP specification.
- content_
security_ strpolicy_ report_ only - Used for testing Content Security Policies.
- strict_
transport_ strsecurity - The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.
- x_
content_ strtype_ options - Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content-type.
- x_
frame_ stroptions - Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC 7034.
- x_
robots_ strtag - Prevent pages from appearing in search engines.
- x_
xss_ strprotection - This header configures the Cross-site scripting (XSS) filter in your browser.
- content
Security StringPolicy - Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.
- content
Security StringPolicy Report Only - Used for testing Content Security Policies.
- strict
Transport StringSecurity - The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.
- x
Content StringType Options - Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content-type.
- x
Frame StringOptions - Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC 7034.
- x
Robots StringTag - Prevent pages from appearing in search engines.
- x
Xss StringProtection - This header configures the Cross-site scripting (XSS) filter in your browser.
RealmSmtpServer, RealmSmtpServerArgs
- From string
- The email address for the sender.
- Host string
- The host of the SMTP server.
- Auth
Realm
Smtp Server Auth - Enables authentication to the SMTP server. This block supports the following arguments:
- Envelope
From string - The email address used for bounces.
- From
Display stringName - The display name of the sender email address.
- Port string
- The port of the SMTP server (defaults to 25).
- Reply
To string - The "reply to" email address.
- Reply
To stringDisplay Name - The display name of the "reply to" email address.
- Ssl bool
- When
true, enables SSL. Defaults to false. - Starttls bool
- When
true, enables StartTLS. Defaults to false.
- From string
- The email address for the sender.
- Host string
- The host of the SMTP server.
- Auth
Realm
Smtp Server Auth - Enables authentication to the SMTP server. This block supports the following arguments:
- Envelope
From string - The email address used for bounces.
- From
Display stringName - The display name of the sender email address.
- Port string
- The port of the SMTP server (defaults to 25).
- Reply
To string - The "reply to" email address.
- Reply
To stringDisplay Name - The display name of the "reply to" email address.
- Ssl bool
- When
true, enables SSL. Defaults to false. - Starttls bool
- When
true, enables StartTLS. Defaults to false.
- from String
- The email address for the sender.
- host String
- The host of the SMTP server.
- auth
Realm
Smtp Server Auth - Enables authentication to the SMTP server. This block supports the following arguments:
- envelope
From String - The email address used for bounces.
- from
Display StringName - The display name of the sender email address.
- port String
- The port of the SMTP server (defaults to 25).
- reply
To String - The "reply to" email address.
- reply
To StringDisplay Name - The display name of the "reply to" email address.
- ssl Boolean
- When
true, enables SSL. Defaults to false. - starttls Boolean
- When
true, enables StartTLS. Defaults to false.
- from string
- The email address for the sender.
- host string
- The host of the SMTP server.
- auth
Realm
Smtp Server Auth - Enables authentication to the SMTP server. This block supports the following arguments:
- envelope
From string - The email address used for bounces.
- from
Display stringName - The display name of the sender email address.
- port string
- The port of the SMTP server (defaults to 25).
- reply
To string - The "reply to" email address.
- reply
To stringDisplay Name - The display name of the "reply to" email address.
- ssl boolean
- When
true, enables SSL. Defaults to false. - starttls boolean
- When
true, enables StartTLS. Defaults to false.
- from_ str
- The email address for the sender.
- host str
- The host of the SMTP server.
- auth
Realm
Smtp Server Auth - Enables authentication to the SMTP server. This block supports the following arguments:
- envelope_
from str - The email address used for bounces.
- from_
display_ strname - The display name of the sender email address.
- port str
- The port of the SMTP server (defaults to 25).
- reply_
to str - The "reply to" email address.
- reply_
to_ strdisplay_ name - The display name of the "reply to" email address.
- ssl bool
- When
true, enables SSL. Defaults to false. - starttls bool
- When
true, enables StartTLS. Defaults to false.
- from String
- The email address for the sender.
- host String
- The host of the SMTP server.
- auth Property Map
- Enables authentication to the SMTP server. This block supports the following arguments:
- envelope
From String - The email address used for bounces.
- from
Display StringName - The display name of the sender email address.
- port String
- The port of the SMTP server (defaults to 25).
- reply
To String - The "reply to" email address.
- reply
To StringDisplay Name - The display name of the "reply to" email address.
- ssl Boolean
- When
true, enables SSL. Defaults to false. - starttls Boolean
- When
true, enables StartTLS. Defaults to false.
RealmSmtpServerAuth, RealmSmtpServerAuthArgs
RealmWebAuthnPasswordlessPolicy, RealmWebAuthnPasswordlessPolicyArgs
- Acceptable
Aaguids List<string> - A set of AAGUIDs for which an authenticator can be registered.
- Attestation
Conveyance stringPreference - The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified, none, indirect, direct, or enterprise. Defaults to not specified. - Authenticator
Attachment string - The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified, platform, or cross-platform. Defaults to not specified. - Avoid
Same boolAuthenticator Register - When
true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false. - Create
Timeout int - The timeout value for creating a user's public key credential in seconds. When set to
0, this timeout option is not applied. Defaults to 0. - Relying
Party stringEntity Name - A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak. - Relying
Party stringId - The WebAuthn relying party ID.
- Require
Resident stringKey - Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified, Yes, or No. Defaults to not specified. - Signature
Algorithms List<string> - A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256, ES384, ES512, RS256, RS384, RS512, and RS1. - User
Verification stringRequirement - Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified, required, preferred, or discouraged. Defaults to not specified.
- Acceptable
Aaguids []string - A set of AAGUIDs for which an authenticator can be registered.
- Attestation
Conveyance stringPreference - The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified,none,indirect,direct, orenterprise. Defaults tonot specified. - Authenticator
Attachment string - The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified,platform, orcross-platform. Defaults tonot specified. - Avoid
Same boolAuthenticator Register - When
true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse. - Create
Timeout int - The timeout value for creating a user's public key credential in seconds. When set to
0, this timeout option is not adapted. Defaults to0. - Relying
Party stringEntity Name - A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak. - Relying
Party stringId - The WebAuthn relying party ID.
- Require
Resident stringKey - Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified,Yes, orNo. Defaults tonot specified. - Signature
Algorithms []string - A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256,ES384,ES512,RS256,RS384,RS512, andRS1. - User
Verification stringRequirement - Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified,required,preferred, ordiscouraged. Defaults tonot specified.
- acceptable
Aaguids List<String> - A set of AAGUIDs for which an authenticator can be registered.
- attestation
Conveyance StringPreference - The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified,none,indirect,direct, orenterprise. Defaults tonot specified. - authenticator
Attachment String - The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified,platform, orcross-platform. Defaults tonot specified. - avoid
Same BooleanAuthenticator Register - When
true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse. - create
Timeout Integer - The timeout value for creating a user's public key credential in seconds. When set to
0, this timeout option is not adapted. Defaults to0. - relying
Party StringEntity Name - A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak. - relying
Party StringId - The WebAuthn relying party ID.
- require
Resident StringKey - Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified,Yes, orNo. Defaults tonot specified. - signature
Algorithms List<String> - A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256,ES384,ES512,RS256,RS384,RS512, andRS1. - user
Verification StringRequirement - Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified,required,preferred, ordiscouraged. Defaults tonot specified.
- acceptable
Aaguids string[] - A set of AAGUIDs for which an authenticator can be registered.
- attestation
Conveyance stringPreference - The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified,none,indirect,direct, orenterprise. Defaults tonot specified. - authenticator
Attachment string - The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified,platform, orcross-platform. Defaults tonot specified. - avoid
Same booleanAuthenticator Register - When
true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse. - create
Timeout number - The timeout value for creating a user's public key credential in seconds. When set to
0, this timeout option is not adapted. Defaults to0. - relying
Party stringEntity Name - A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak. - relying
Party stringId - The WebAuthn relying party ID.
- require
Resident stringKey - Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified,Yes, orNo. Defaults tonot specified. - signature
Algorithms string[] - A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256,ES384,ES512,RS256,RS384,RS512, andRS1. - user
Verification stringRequirement - Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified,required,preferred, ordiscouraged. Defaults tonot specified.
- acceptable_
aaguids Sequence[str] - A set of AAGUIDs for which an authenticator can be registered.
- attestation_
conveyance_ strpreference - The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified,none,indirect,direct, orenterprise. Defaults tonot specified. - authenticator_
attachment str - The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified,platform, orcross-platform. Defaults tonot specified. - avoid_
same_ boolauthenticator_ register - When
true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse. - create_
timeout int - The timeout value for creating a user's public key credential in seconds. When set to
0, this timeout option is not adapted. Defaults to0. - relying_
party_ strentity_ name - A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak. - relying_
party_ strid - The WebAuthn relying party ID.
- require_
resident_ strkey - Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified,Yes, orNo. Defaults tonot specified. - signature_
algorithms Sequence[str] - A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256,ES384,ES512,RS256,RS384,RS512, andRS1. - user_
verification_ strrequirement - Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified,required,preferred, ordiscouraged. Defaults tonot specified.
- acceptable
Aaguids List<String> - A set of AAGUIDs for which an authenticator can be registered.
- attestation
Conveyance StringPreference - The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified,none,indirect,direct, orenterprise. Defaults tonot specified. - authenticator
Attachment String - The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified,platform, orcross-platform. Defaults tonot specified. - avoid
Same BooleanAuthenticator Register - When
true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse. - create
Timeout Number - The timeout value for creating a user's public key credential in seconds. When set to
0, this timeout option is not adapted. Defaults to0. - relying
Party StringEntity Name - A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak. - relying
Party StringId - The WebAuthn relying party ID.
- require
Resident StringKey - Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified,Yes, orNo. Defaults tonot specified. - signature
Algorithms List<String> - A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256,ES384,ES512,RS256,RS384,RS512, andRS1. - user
Verification StringRequirement - Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified,required,preferred, ordiscouraged. Defaults tonot specified.
RealmWebAuthnPolicy, RealmWebAuthnPolicyArgs
- Acceptable
Aaguids List<string> - A set of AAGUIDs for which an authenticator can be registered.
- Attestation
Conveyance stringPreference - The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified, none, indirect, direct, or enterprise. Defaults to not specified. - Authenticator
Attachment string - The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified, platform, or cross-platform. Defaults to not specified. - Avoid
Same boolAuthenticator Register - When
true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false. - Create
Timeout int - The timeout value for creating a user's public key credential in seconds. When set to
0, this timeout option is not applied. Defaults to 0. - Relying
Party stringEntity Name - A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak. - Relying
Party stringId - The WebAuthn relying party ID.
- Require
Resident stringKey - Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified, Yes, or No. Defaults to not specified. - Signature
Algorithms List<string> - A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256, ES384, ES512, RS256, RS384, RS512, and RS1. - User
Verification stringRequirement - Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified, required, preferred, or discouraged. Defaults to not specified.
- Acceptable
Aaguids []string - A set of AAGUIDs for which an authenticator can be registered.
- Attestation
Conveyance stringPreference - The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified,none,indirect,direct, orenterprise. Defaults tonot specified. - Authenticator
Attachment string - The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified,platform, orcross-platform. Defaults tonot specified. - Avoid
Same boolAuthenticator Register - When
true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse. - Create
Timeout int - The timeout value for creating a user's public key credential in seconds. When set to
0, this timeout option is not adapted. Defaults to0. - Relying
Party stringEntity Name - A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak. - Relying
Party stringId - The WebAuthn relying party ID.
- Require
Resident stringKey - Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified,Yes, orNo. Defaults tonot specified. - Signature
Algorithms []string - A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256,ES384,ES512,RS256,RS384,RS512, andRS1. - User
Verification stringRequirement - Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified,required,preferred, ordiscouraged. Defaults tonot specified.
- acceptable
Aaguids List<String> - A set of AAGUIDs for which an authenticator can be registered.
- attestation
Conveyance StringPreference - The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified,none,indirect,direct, orenterprise. Defaults tonot specified. - authenticator
Attachment String - The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified,platform, orcross-platform. Defaults tonot specified. - avoid
Same BooleanAuthenticator Register - When
true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse. - create
Timeout Integer - The timeout value for creating a user's public key credential in seconds. When set to
0, this timeout option is not adapted. Defaults to0. - relying
Party StringEntity Name - A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak. - relying
Party StringId - The WebAuthn relying party ID.
- require
Resident StringKey - Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified,Yes, orNo. Defaults tonot specified. - signature
Algorithms List<String> - A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256,ES384,ES512,RS256,RS384,RS512, andRS1. - user
Verification StringRequirement - Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified,required,preferred, ordiscouraged. Defaults tonot specified.
- acceptable
Aaguids string[] - A set of AAGUIDs for which an authenticator can be registered.
- attestation
Conveyance stringPreference - The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified,none,indirect,direct, orenterprise. Defaults tonot specified. - authenticator
Attachment string - The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified,platform, orcross-platform. Defaults tonot specified. - avoid
Same booleanAuthenticator Register - When
true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse. - create
Timeout number - The timeout value for creating a user's public key credential in seconds. When set to
0, this timeout option is not adapted. Defaults to0. - relying
Party stringEntity Name - A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak. - relying
Party stringId - The WebAuthn relying party ID.
- require
Resident stringKey - Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified,Yes, orNo. Defaults tonot specified. - signature
Algorithms string[] - A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256,ES384,ES512,RS256,RS384,RS512, andRS1. - user
Verification stringRequirement - Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified,required,preferred, ordiscouraged. Defaults tonot specified.
- acceptable_
aaguids Sequence[str] - A set of AAGUIDs for which an authenticator can be registered.
- attestation_
conveyance_ strpreference - The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified,none,indirect,direct, orenterprise. Defaults tonot specified. - authenticator_
attachment str - The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified,platform, orcross-platform. Defaults tonot specified. - avoid_
same_ boolauthenticator_ register - When
true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse. - create_
timeout int - The timeout value for creating a user's public key credential in seconds. When set to
0, this timeout option is not adapted. Defaults to0. - relying_
party_ strentity_ name - A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak. - relying_
party_ strid - The WebAuthn relying party ID.
- require_
resident_ strkey - Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified,Yes, orNo. Defaults tonot specified. - signature_
algorithms Sequence[str] - A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256,ES384,ES512,RS256,RS384,RS512, andRS1. - user_
verification_ strrequirement - Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified,required,preferred, ordiscouraged. Defaults tonot specified.
- acceptable
Aaguids List<String> - A set of AAGUIDs for which an authenticator can be registered.
- attestation
Conveyance StringPreference - The preference of how to generate a WebAuthn attestation statement. Valid options are
not specified,none,indirect,direct, orenterprise. Defaults tonot specified. - authenticator
Attachment String - The acceptable attachment pattern for the WebAuthn authenticator. Valid options are
not specified,platform, orcross-platform. Defaults tonot specified. - avoid
Same BooleanAuthenticator Register - When
true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults tofalse. - create
Timeout Number - The timeout value for creating a user's public key credential in seconds. When set to
0, this timeout option is not adapted. Defaults to0. - relying
Party StringEntity Name - A human readable server name for the WebAuthn Relying Party. Defaults to
keycloak. - relying
Party StringId - The WebAuthn relying party ID.
- require
Resident StringKey - Specifies whether or not a public key should be created to represent the resident key. Valid options are
not specified,Yes, orNo. Defaults tonot specified. - signature
Algorithms List<String> - A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are
ES256,ES384,ES512,RS256,RS384,RS512, andRS1. - user
Verification StringRequirement - Specifies the policy for verifying a user logging in via WebAuthn. Valid options are
not specified,required,preferred, ordiscouraged. Defaults tonot specified.
Import
Realms can be imported using their name. Example (bash):
$ pulumi import keycloak:index/realm:Realm realm my-realm
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
keycloak Terraform Provider.
