Namespace Pulumi.Keycloak.OpenId
Classes
AudienceProtocolMapper
# keycloak.openid.AudienceProtocolMapper
Allows for creating and managing audience protocol mappers within Keycloak. This mapper was added in Keycloak v4.6.0.Final.
Audience protocol mappers allow you to add audiences to the aud claim
within issued tokens. The audience can be a custom string, or it can be
mapped to the client ID of a pre-existing client, so that a resource server can check that a token was issued for it.
Example Usage (Client)
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var openidClient = new Keycloak.OpenId.Client("openidClient", new Keycloak.OpenId.ClientArgs
{
AccessType = "CONFIDENTIAL",
ClientId = "test-client",
Enabled = true,
RealmId = realm.Id,
ValidRedirectUris =
{
"http://localhost:8080/openid-callback",
},
});
var audienceMapper = new Keycloak.OpenId.AudienceProtocolMapper("audienceMapper", new Keycloak.OpenId.AudienceProtocolMapperArgs
{
ClientId = openidClient.Id,
IncludedCustomAudience = "foo",
RealmId = realm.Id,
});
}
}
Example Usage (Client Scope)
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var clientScope = new Keycloak.OpenId.ClientScope("clientScope", new Keycloak.OpenId.ClientScopeArgs
{
RealmId = realm.Id,
});
var audienceMapper = new Keycloak.OpenId.AudienceProtocolMapper("audienceMapper", new Keycloak.OpenId.AudienceProtocolMapperArgs
{
ClientScopeId = clientScope.Id,
IncludedCustomAudience = "foo",
RealmId = realm.Id,
});
}
}
Argument Reference
The following arguments are supported:
realm_id - (Required) The realm this protocol mapper exists within.
client_id - (Required if client_scope_id is not specified) The client this protocol mapper is attached to.
client_scope_id - (Required if client_id is not specified) The client scope this protocol mapper is attached to.
name - (Required) The display name of this protocol mapper in the GUI.
included_client_audience - (Required if included_custom_audience is not specified) A client ID to include within the token's aud claim.
included_custom_audience - (Required if included_client_audience is not specified) A custom audience to include within the token's aud claim.
add_to_id_token - (Optional) Indicates if the audience should be included in the aud claim for the id token. Defaults to true.
add_to_access_token - (Optional) Indicates if the audience should be included in the aud claim for the access token. Defaults to true.
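Both examples above use included_custom_audience. The case that matters most in practice is the other one: a frontend client whose access tokens name a separate API client in aud, so that API can reject tokens minted for any other client. The following is an added example, not code from the Pulumi Keycloak docs; the client IDs "orders-api" and "orders-web" and the redirect URI are assumed.

```csharp
using Pulumi;
using Keycloak = Pulumi.Keycloak;

// Added example: an API that only validates bearer tokens, and a frontend whose
// access tokens carry the API's client ID in "aud". Names are assumed.
class AudienceStack : Stack
{
    public AudienceStack()
    {
        var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
        {
            Enabled = true,
            Realm = "my-realm",
        });

        // The resource server: never initiates a login, only validates tokens.
        var ordersApi = new Keycloak.OpenId.Client("ordersApi", new Keycloak.OpenId.ClientArgs
        {
            RealmId = realm.Id,
            ClientId = "orders-api",
            AccessType = "BEARER-ONLY",
            Enabled = true,
        });

        // The frontend that obtains tokens on behalf of users.
        var ordersWeb = new Keycloak.OpenId.Client("ordersWeb", new Keycloak.OpenId.ClientArgs
        {
            RealmId = realm.Id,
            ClientId = "orders-web",
            AccessType = "CONFIDENTIAL",
            Enabled = true,
            StandardFlowEnabled = true,
            ValidRedirectUris = { "https://orders.example.com/openid-callback" },
        });

        // Put the API's client ID (the client_id string, not its internal UUID,
        // which is what ordersApi.Id holds) into aud. Only the access token needs
        // it: the ID token is consumed by orders-web itself, never by the API.
        var apiAudience = new Keycloak.OpenId.AudienceProtocolMapper("apiAudience", new Keycloak.OpenId.AudienceProtocolMapperArgs
        {
            RealmId = realm.Id,
            ClientId = ordersWeb.Id,
            Name = "orders-api-audience",
            IncludedClientAudience = ordersApi.ClientId,
            AddToIdToken = false,
            AddToAccessToken = true,
        });
    }
}
```

The mapper only puts the value into the token; the protection comes from orders-api verifying that aud contains "orders-api" and rejecting the request otherwise. Without that check on the API side, any token from the realm, whatever client it was issued to, would be accepted.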
AudienceProtocolMapperArgs
AudienceProtocolMapperState
Client
# keycloak.openid.Client
Allows for creating and managing Keycloak clients that use the OpenID Connect protocol.
Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users to Keycloak for authentication in order to take advantage of Keycloak's user sessions for SSO.
Example Usage
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var openidClient = new Keycloak.OpenId.Client("openidClient", new Keycloak.OpenId.ClientArgs
{
AccessType = "CONFIDENTIAL",
ClientId = "test-client",
Enabled = true,
RealmId = realm.Id,
ValidRedirectUris =
{
"http://localhost:8080/openid-callback",
},
});
}
}
Argument Reference
The following arguments are supported:
realm_id - (Required) The realm this client is attached to.
client_id - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens.
name - (Optional) The display name of this client in the GUI.
enabled - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
description - (Optional) The description of this client in the GUI.
access_type - (Required) Specifies the type of client, which can be one of the following:
  CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
  PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow, or the Authorization Code flow with PKCE (see pkce_code_challenge_method).
  BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
client_secret - (Optional) The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, Keycloak will generate a GUID for this attribute.
standard_flow_enabled - (Optional) When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
implicit_flow_enabled - (Optional) When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
direct_access_grants_enabled - (Optional) When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
service_accounts_enabled - (Optional) When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
valid_redirect_uris - (Optional) A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
web_origins - (Optional) A list of allowed CORS origins. + can be used to permit the origins of all valid redirect URIs, and * can be used to permit all origins.
admin_url - (Optional) URL to the admin interface of the client.
base_url - (Optional) Default URL to use when the auth server needs to redirect or link back to the client.
pkce_code_challenge_method - (Optional) The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256, or set to an empty value.
full_scope_allowed - (Optional) When true, all of the user's role mappings are included in the access token rather than only the roles mapped to this client's scope.
Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
service_account_user_id- When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
ClientAggregatePolicy
ClientAggregatePolicyArgs
ClientAggregatePolicyState
ClientArgs
ClientAuthorizationPermission
ClientAuthorizationPermissionArgs
ClientAuthorizationPermissionState
ClientAuthorizationResource
ClientAuthorizationResourceArgs
ClientAuthorizationResourceState
ClientAuthorizationScope
ClientAuthorizationScopeArgs
ClientAuthorizationScopeState
ClientDefaultScopes
ClientDefaultScopesArgs
ClientDefaultScopesState
ClientGroupPolicy
ClientGroupPolicyArgs
ClientGroupPolicyState
ClientJsPolicy
ClientJsPolicyArgs
ClientJsPolicyState
ClientOptionalScopes
ClientOptionalScopesArgs
ClientOptionalScopesState
ClientPolicy
ClientPolicyArgs
ClientPolicyState
ClientRolePolicy
ClientRolePolicyArgs
ClientRolePolicyState
ClientScope
# keycloak.openid.ClientScope
Allows for creating and managing Keycloak client scopes that can be attached to clients that use the OpenID Connect protocol.
Client Scopes can be used to share common protocol and role mappings between multiple
clients within a realm. They can also be used by clients to conditionally request
claims or roles for a user based on the OAuth 2.0 scope parameter.
Example Usage
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var openidClientScope = new Keycloak.OpenId.ClientScope("openidClientScope", new Keycloak.OpenId.ClientScopeArgs
{
Description = "When requested, this scope will map a user's group memberships to a claim",
RealmId = realm.Id,
});
}
}
Argument Reference
The following arguments are supported:
realm_id - (Required) The realm this client scope belongs to.
name - (Required) The display name of this client scope in the GUI.
description - (Optional) The description of this client scope in the GUI.
consent_screen_text - (Optional) When set, a consent screen will be displayed to users authenticating to clients with this scope attached. The consent screen will display the string value of this attribute.
ClientScopeArgs
ClientScopeState
ClientServiceAccountRealmRole
ClientServiceAccountRealmRoleArgs
ClientServiceAccountRealmRoleState
ClientServiceAccountRole
ClientServiceAccountRoleArgs
ClientServiceAccountRoleState
ClientState
ClientTimePolicy
ClientTimePolicyArgs
ClientTimePolicyState
ClientUserPolicy
ClientUserPolicyArgs
ClientUserPolicyState
FullNameProtocolMapper
# keycloak.openid.FullNameProtocolMapper
Allows for creating and managing full name protocol mappers within Keycloak.
Full name protocol mappers allow you to map a user's first and last name
to the OpenID Connect name claim in a token. Protocol mappers can be defined
for a single client, or they can be defined for a client scope which can
be shared between multiple different clients.
Example Usage (Client)
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var openidClient = new Keycloak.OpenId.Client("openidClient", new Keycloak.OpenId.ClientArgs
{
AccessType = "CONFIDENTIAL",
ClientId = "test-client",
Enabled = true,
RealmId = realm.Id,
ValidRedirectUris =
{
"http://localhost:8080/openid-callback",
},
});
var fullNameMapper = new Keycloak.OpenId.FullNameProtocolMapper("fullNameMapper", new Keycloak.OpenId.FullNameProtocolMapperArgs
{
ClientId = openidClient.Id,
RealmId = realm.Id,
});
}
}
Example Usage (Client Scope)
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var clientScope = new Keycloak.OpenId.ClientScope("clientScope", new Keycloak.OpenId.ClientScopeArgs
{
RealmId = realm.Id,
});
var fullNameMapper = new Keycloak.OpenId.FullNameProtocolMapper("fullNameMapper", new Keycloak.OpenId.FullNameProtocolMapperArgs
{
ClientScopeId = clientScope.Id,
RealmId = realm.Id,
});
}
}
Argument Reference
The following arguments are supported:
realm_id - (Required) The realm this protocol mapper exists within.
client_id - (Required if client_scope_id is not specified) The client this protocol mapper is attached to.
client_scope_id - (Required if client_id is not specified) The client scope this protocol mapper is attached to.
name - (Required) The display name of this protocol mapper in the GUI.
add_to_id_token - (Optional) Indicates if the user's full name should be added as a claim to the id token. Defaults to true.
add_to_access_token - (Optional) Indicates if the user's full name should be added as a claim to the access token. Defaults to true.
add_to_userinfo - (Optional) Indicates if the user's full name should be added as a claim to the UserInfo response body. Defaults to true.
FullNameProtocolMapperArgs
FullNameProtocolMapperState
GetClient
GetClientArgs
GetClientAuthorizationPolicy
GetClientAuthorizationPolicyArgs
GetClientAuthorizationPolicyResult
GetClientResult
GetClientServiceAccountUser
GetClientServiceAccountUserArgs
GetClientServiceAccountUserResult
GroupMembershipProtocolMapper
# keycloak.openid.GroupMembershipProtocolMapper
Allows for creating and managing group membership protocol mappers within Keycloak.
Group membership protocol mappers allow you to map a user's group memberships to a claim in a token. Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between multiple different clients.
Example Usage (Client)
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var openidClient = new Keycloak.OpenId.Client("openidClient", new Keycloak.OpenId.ClientArgs
{
AccessType = "CONFIDENTIAL",
ClientId = "test-client",
Enabled = true,
RealmId = realm.Id,
ValidRedirectUris =
{
"http://localhost:8080/openid-callback",
},
});
var groupMembershipMapper = new Keycloak.OpenId.GroupMembershipProtocolMapper("groupMembershipMapper", new Keycloak.OpenId.GroupMembershipProtocolMapperArgs
{
ClaimName = "groups",
ClientId = openidClient.Id,
RealmId = realm.Id,
});
}
}
Example Usage (Client Scope)
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var clientScope = new Keycloak.OpenId.ClientScope("clientScope", new Keycloak.OpenId.ClientScopeArgs
{
RealmId = realm.Id,
});
var groupMembershipMapper = new Keycloak.OpenId.GroupMembershipProtocolMapper("groupMembershipMapper", new Keycloak.OpenId.GroupMembershipProtocolMapperArgs
{
ClaimName = "groups",
ClientScopeId = clientScope.Id,
RealmId = realm.Id,
});
}
}
Argument Reference
The following arguments are supported:
realm_id - (Required) The realm this protocol mapper exists within.
client_id - (Required if client_scope_id is not specified) The client this protocol mapper is attached to.
client_scope_id - (Required if client_id is not specified) The client scope this protocol mapper is attached to.
name - (Required) The display name of this protocol mapper in the GUI.
claim_name - (Required) The name of the claim to insert into a token.
full_path - (Optional) Indicates whether the full path of the group including its parents will be used. Defaults to true.
add_to_id_token - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to true.
add_to_access_token - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to true.
add_to_userinfo - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to true.
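The keycloak.openid.ClientScope section above describes scopes as a way to share mappers between clients and to let a client request claims conditionally via the OAuth 2.0 scope parameter; the examples on this page create the scope and the group membership mapper but never wire them to a client. The following added example (not code from the Pulumi Keycloak docs) does both, using ClientOptionalScopes from this namespace to attach the scope by name. The scope name "groups", the client "portal" and its redirect URI are assumed.

```csharp
using Pulumi;
using Keycloak = Pulumi.Keycloak;

// Added example: a reusable "groups" client scope carrying a group membership
// mapper, attached to a client as an optional scope so the claim is issued only
// when the client sends scope=groups. Names are assumed.
class GroupsScopeStack : Stack
{
    public GroupsScopeStack()
    {
        var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
        {
            Enabled = true,
            Realm = "my-realm",
        });

        var groupsScope = new Keycloak.OpenId.ClientScope("groupsScope", new Keycloak.OpenId.ClientScopeArgs
        {
            RealmId = realm.Id,
            Name = "groups",
            Description = "When requested, this scope will map a user's group memberships to a claim",
            // Shown to the user before the client learns their group list.
            ConsentScreenText = "Your group memberships",
        });

        // One mapper on the scope serves every client the scope is attached to.
        // FullPath = false would emit "finance" instead of "/corp/emea/finance";
        // keep it true when two subtrees can contain groups with the same name,
        // otherwise a consumer cannot tell them apart.
        var groupsMapper = new Keycloak.OpenId.GroupMembershipProtocolMapper("groupsMapper", new Keycloak.OpenId.GroupMembershipProtocolMapperArgs
        {
            RealmId = realm.Id,
            ClientScopeId = groupsScope.Id,
            Name = "groups",
            ClaimName = "groups",
            FullPath = true,
            // Authorization decisions are made from the access token; the ID token
            // and UserInfo do not need a copy of the group list.
            AddToIdToken = false,
            AddToAccessToken = true,
            AddToUserinfo = false,
        });

        var portal = new Keycloak.OpenId.Client("portal", new Keycloak.OpenId.ClientArgs
        {
            RealmId = realm.Id,
            ClientId = "portal",
            AccessType = "CONFIDENTIAL",
            Enabled = true,
            StandardFlowEnabled = true,
            ValidRedirectUris = { "https://portal.example.com/openid-callback" },
        });

        // Attach by scope name. Optional scopes are applied only when the client's
        // authorization request includes them in the scope parameter.
        var portalOptionalScopes = new Keycloak.OpenId.ClientOptionalScopes("portalOptionalScopes", new Keycloak.OpenId.ClientOptionalScopesArgs
        {
            RealmId = realm.Id,
            ClientId = portal.Id,
            OptionalScopes = { groupsScope.Name },
        });
    }
}
```

ClientOptionalScopes manages the client's complete list of optional scopes, so any optional scope not named in OptionalScopes (including ones Keycloak attached by default) is detached on the next update; declare it once per client with the full intended list.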
GroupMembershipProtocolMapperArgs
GroupMembershipProtocolMapperState
HardcodedClaimProtocolMapper
# keycloak.openid.HardcodedClaimProtocolMapper
Allows for creating and managing hardcoded claim protocol mappers within Keycloak.
Hardcoded claim protocol mappers allow you to define a claim with a hardcoded value. Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between multiple different clients.
Example Usage (Client)
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var openidClient = new Keycloak.OpenId.Client("openidClient", new Keycloak.OpenId.ClientArgs
{
AccessType = "CONFIDENTIAL",
ClientId = "test-client",
Enabled = true,
RealmId = realm.Id,
ValidRedirectUris =
{
"http://localhost:8080/openid-callback",
},
});
var hardcodedClaimMapper = new Keycloak.OpenId.HardcodedClaimProtocolMapper("hardcodedClaimMapper", new Keycloak.OpenId.HardcodedClaimProtocolMapperArgs
{
ClaimName = "foo",
ClaimValue = "bar",
ClientId = openidClient.Id,
RealmId = realm.Id,
});
}
}
Example Usage (Client Scope)
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var clientScope = new Keycloak.OpenId.ClientScope("clientScope", new Keycloak.OpenId.ClientScopeArgs
{
RealmId = realm.Id,
});
var hardcodedClaimMapper = new Keycloak.OpenId.HardcodedClaimProtocolMapper("hardcodedClaimMapper", new Keycloak.OpenId.HardcodedClaimProtocolMapperArgs
{
ClaimName = "foo",
ClaimValue = "bar",
ClientScopeId = clientScope.Id,
RealmId = realm.Id,
});
}
}
Argument Reference
The following arguments are supported:
realm_id - (Required) The realm this protocol mapper exists within.
client_id - (Required if client_scope_id is not specified) The client this protocol mapper is attached to.
client_scope_id - (Required if client_id is not specified) The client scope this protocol mapper is attached to.
name - (Required) The display name of this protocol mapper in the GUI.
claim_name - (Required) The name of the claim to insert into a token.
claim_value - (Required) The hardcoded value of the claim.
claim_value_type - (Optional) The claim type used when serializing JSON tokens. Can be one of String, long, int, or boolean. Defaults to String.
add_to_id_token - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to true.
add_to_access_token - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to true.
add_to_userinfo - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to true.
HardcodedClaimProtocolMapperArgs
HardcodedClaimProtocolMapperState
HardcodedRoleProtocolMapper
# keycloak.openid.HardcodedRoleProtocolMapper
Allows for creating and managing hardcoded role protocol mappers within Keycloak.
Hardcoded role protocol mappers allow you to specify a single role to always map to an access token for a client. Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between multiple different clients.
Example Usage (Client)
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var role = new Keycloak.Role("role", new Keycloak.RoleArgs
{
RealmId = realm.Id,
});
var openidClient = new Keycloak.OpenId.Client("openidClient", new Keycloak.OpenId.ClientArgs
{
AccessType = "CONFIDENTIAL",
ClientId = "test-client",
Enabled = true,
RealmId = realm.Id,
ValidRedirectUris =
{
"http://localhost:8080/openid-callback",
},
});
var hardcodedRoleMapper = new Keycloak.OpenId.HardcodedRoleProtocolMapper("hardcodedRoleMapper", new Keycloak.OpenId.HardcodedRoleProtocolMapperArgs
{
ClientId = openidClient.Id,
RealmId = realm.Id,
RoleId = role.Id,
});
}
}
Example Usage (Client Scope)
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var role = new Keycloak.Role("role", new Keycloak.RoleArgs
{
RealmId = realm.Id,
});
var clientScope = new Keycloak.OpenId.ClientScope("clientScope", new Keycloak.OpenId.ClientScopeArgs
{
RealmId = realm.Id,
});
var hardcodedRoleMapper = new Keycloak.OpenId.HardcodedRoleProtocolMapper("hardcodedRoleMapper", new Keycloak.OpenId.HardcodedRoleProtocolMapperArgs
{
ClientScopeId = clientScope.Id,
RealmId = realm.Id,
RoleId = role.Id,
});
}
}
Argument Reference
The following arguments are supported:
realm_id - (Required) The realm this protocol mapper exists within.
client_id - (Required if client_scope_id is not specified) The client this protocol mapper is attached to.
client_scope_id - (Required if client_id is not specified) The client scope this protocol mapper is attached to.
name - (Required) The display name of this protocol mapper in the GUI.
role_id - (Required) The ID of the role to map to an access token.
HardcodedRoleProtocolMapperArgs
HardcodedRoleProtocolMapperState
UserAttributeProtocolMapper
# keycloak.openid.UserAttributeProtocolMapper
Allows for creating and managing user attribute protocol mappers within Keycloak.
User attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to a claim in a token. Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between multiple different clients.
Example Usage (Client)
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var openidClient = new Keycloak.OpenId.Client("openidClient", new Keycloak.OpenId.ClientArgs
{
AccessType = "CONFIDENTIAL",
ClientId = "test-client",
Enabled = true,
RealmId = realm.Id,
ValidRedirectUris =
{
"http://localhost:8080/openid-callback",
},
});
var userAttributeMapper = new Keycloak.OpenId.UserAttributeProtocolMapper("userAttributeMapper", new Keycloak.OpenId.UserAttributeProtocolMapperArgs
{
ClaimName = "bar",
ClientId = openidClient.Id,
RealmId = realm.Id,
UserAttribute = "foo",
});
}
}
Example Usage (Client Scope)
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var clientScope = new Keycloak.OpenId.ClientScope("clientScope", new Keycloak.OpenId.ClientScopeArgs
{
RealmId = realm.Id,
});
var userAttributeMapper = new Keycloak.OpenId.UserAttributeProtocolMapper("userAttributeMapper", new Keycloak.OpenId.UserAttributeProtocolMapperArgs
{
ClaimName = "bar",
ClientScopeId = clientScope.Id,
RealmId = realm.Id,
UserAttribute = "foo",
});
}
}
Argument Reference
The following arguments are supported:
realm_id - (Required) The realm this protocol mapper exists within.
client_id - (Required if client_scope_id is not specified) The client this protocol mapper is attached to.
client_scope_id - (Required if client_id is not specified) The client scope this protocol mapper is attached to.
name - (Required) The display name of this protocol mapper in the GUI.
user_attribute - (Required) The custom user attribute to map a claim for.
claim_name - (Required) The name of the claim to insert into a token.
claim_value_type - (Optional) The claim type used when serializing JSON tokens. Can be one of String, long, int, or boolean. Defaults to String.
multivalued - (Optional) Indicates whether this attribute is a single value or an array of values. Defaults to false.
add_to_id_token - (Optional) Indicates if the attribute should be added as a claim to the id token. Defaults to true.
add_to_access_token - (Optional) Indicates if the attribute should be added as a claim to the access token. Defaults to true.
add_to_userinfo - (Optional) Indicates if the attribute should be added as a claim to the UserInfo response body. Defaults to true.
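The examples above map a single-valued attribute into every token and into UserInfo. Attributes used for authorization are usually multi-valued and only needed by the API that checks them. The following added example (not code from the Pulumi Keycloak docs) creates a user with a multi-valued attribute and maps it into the access token only; the attribute name "tenant_ids", the sample user and the client are assumed, and the "##" separator is the provider's convention for multi-valued user attributes.

```csharp
using Pulumi;
using Keycloak = Pulumi.Keycloak;

// Added example: a multi-valued user attribute emitted as a JSON array in the
// access token and nowhere else. Attribute, user and client names are assumed.
class TenantClaimStack : Stack
{
    public TenantClaimStack()
    {
        var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
        {
            Enabled = true,
            Realm = "my-realm",
        });

        // Sample user, constructed for the example. "##" separates the values
        // of a multi-valued attribute in this provider.
        var alice = new Keycloak.User("alice", new Keycloak.UserArgs
        {
            RealmId = realm.Id,
            Username = "alice",
            Enabled = true,
            Email = "alice@example.com",
            FirstName = "Alice",
            LastName = "Example",
            Attributes =
            {
                { "tenant_ids", "acme##globex" },
            },
        });

        var ordersWeb = new Keycloak.OpenId.Client("ordersWeb", new Keycloak.OpenId.ClientArgs
        {
            RealmId = realm.Id,
            ClientId = "orders-web",
            AccessType = "CONFIDENTIAL",
            Enabled = true,
            StandardFlowEnabled = true,
            ValidRedirectUris = { "https://orders.example.com/openid-callback" },
        });

        var tenantMapper = new Keycloak.OpenId.UserAttributeProtocolMapper("tenantMapper", new Keycloak.OpenId.UserAttributeProtocolMapperArgs
        {
            RealmId = realm.Id,
            ClientId = ordersWeb.Id,
            Name = "tenant-ids",
            UserAttribute = "tenant_ids",
            ClaimName = "tenant_ids",
            ClaimValueType = "String",
            // true: emit ["acme", "globex"]; false (the default) would emit only
            // the first value and silently drop the rest.
            Multivalued = true,
            // Only the API consumes this claim, so keep it out of the ID token
            // (read by the browser app) and out of the UserInfo response.
            AddToAccessToken = true,
            AddToIdToken = false,
            AddToUserinfo = false,
        });
    }
}
```

A consumer that parses tenant_ids must handle the array form; leaving Multivalued at its default on an attribute that later grows a second value is a common way to end up with an API that authorizes against one tenant while the user belongs to two.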
UserAttributeProtocolMapperArgs
UserAttributeProtocolMapperState
UserPropertyProtocolMapper
# keycloak.openid.UserPropertyProtocolMapper
Allows for creating and managing user property protocol mappers within Keycloak.
User property protocol mappers allow you to map built-in properties defined on the Keycloak user interface (such as email, username, first name or last name) to a claim in a token. Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between multiple different clients.
Example Usage (Client)
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var openidClient = new Keycloak.OpenId.Client("openidClient", new Keycloak.OpenId.ClientArgs
{
AccessType = "CONFIDENTIAL",
ClientId = "test-client",
Enabled = true,
RealmId = realm.Id,
ValidRedirectUris =
{
"http://localhost:8080/openid-callback",
},
});
var userPropertyMapper = new Keycloak.OpenId.UserPropertyProtocolMapper("userPropertyMapper", new Keycloak.OpenId.UserPropertyProtocolMapperArgs
{
ClaimName = "email",
ClientId = openidClient.Id,
RealmId = realm.Id,
UserProperty = "email",
});
}
}
Example Usage (Client Scope)
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var clientScope = new Keycloak.OpenId.ClientScope("clientScope", new Keycloak.OpenId.ClientScopeArgs
{
RealmId = realm.Id,
});
var userPropertyMapper = new Keycloak.OpenId.UserPropertyProtocolMapper("userPropertyMapper", new Keycloak.OpenId.UserPropertyProtocolMapperArgs
{
ClaimName = "email",
ClientScopeId = clientScope.Id,
RealmId = realm.Id,
UserProperty = "email",
});
}
}
Argument Reference
The following arguments are supported:
realm_id - (Required) The realm this protocol mapper exists within.
client_id - (Required if client_scope_id is not specified) The client this protocol mapper is attached to.
client_scope_id - (Required if client_id is not specified) The client scope this protocol mapper is attached to.
name - (Required) The display name of this protocol mapper in the GUI.
user_property - (Required) The built-in user property (such as email) to map a claim for.
claim_name - (Required) The name of the claim to insert into a token.
claim_value_type - (Optional) The claim type used when serializing JSON tokens. Can be one of String, long, int, or boolean. Defaults to String.
add_to_id_token - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to true.
add_to_access_token - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to true.
add_to_userinfo - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to true.
UserPropertyProtocolMapperArgs
UserPropertyProtocolMapperState
UserRealmRoleProtocolMapper
# keycloak.openid.UserRealmRoleProtocolMapper
Allows for creating and managing user realm role protocol mappers within Keycloak.
User realm role protocol mappers allow you to define a claim containing the list of the realm roles. Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between multiple different clients.
Example Usage (Client)
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var openidClient = new Keycloak.OpenId.Client("openidClient", new Keycloak.OpenId.ClientArgs
{
AccessType = "CONFIDENTIAL",
ClientId = "test-client",
Enabled = true,
RealmId = realm.Id,
ValidRedirectUris =
{
"http://localhost:8080/openid-callback",
},
});
var userRealmRoleMapper = new Keycloak.OpenId.UserRealmRoleProtocolMapper("userRealmRoleMapper", new Keycloak.OpenId.UserRealmRoleProtocolMapperArgs
{
ClaimName = "foo",
ClientId = openidClient.Id,
RealmId = realm.Id,
});
}
}
Example Usage (Client Scope)
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var clientScope = new Keycloak.OpenId.ClientScope("clientScope", new Keycloak.OpenId.ClientScopeArgs
{
RealmId = realm.Id,
});
var userRealmRoleMapper = new Keycloak.OpenId.UserRealmRoleProtocolMapper("userRealmRoleMapper", new Keycloak.OpenId.UserRealmRoleProtocolMapperArgs
{
ClaimName = "foo",
ClientScopeId = clientScope.Id,
RealmId = realm.Id,
});
}
}
Argument Reference
The following arguments are supported:
realm_id - (Required) The realm this protocol mapper exists within.
client_id - (Required if client_scope_id is not specified) The client this protocol mapper is attached to.
client_scope_id - (Required if client_id is not specified) The client scope this protocol mapper is attached to.
name - (Required) The display name of this protocol mapper in the GUI.
claim_name - (Required) The name of the claim to insert into a token.
claim_value_type - (Optional) The claim type used when serializing JSON tokens. Can be one of String, long, int, or boolean. Defaults to String.
multivalued - (Optional) Indicates whether the claim supports multiple values. If true, the list of all realm roles is set as the claim; if false, only the first role is. Defaults to true.
realm_role_prefix - (Optional) A prefix prepended to each realm role name in the claim.
add_to_id_token - (Optional) Indicates if the property should be added as a claim to the id token. Defaults to true.
add_to_access_token - (Optional) Indicates if the property should be added as a claim to the access token. Defaults to true.
add_to_userinfo - (Optional) Indicates if the property should be added as a claim to the UserInfo response body. Defaults to true.