# keycloak.openid.Client

Allows for creating and managing Keycloak clients that use the OpenID Connect protocol.

Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users to Keycloak for authentication in order to take advantage of Keycloak’s user sessions for SSO.

Example Usage

TypeScript:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    enabled: true,
    realm: "my-realm",
});
const openidClient = new keycloak.openid.Client("openid_client", {
    accessType: "CONFIDENTIAL",
    clientId: "test-client",
    enabled: true,
    realmId: realm.id,
    validRedirectUris: ["http://localhost:8080/openid-callback"],
});
```

Python:

```python
import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    enabled=True,
    realm="my-realm")
openid_client = keycloak.openid.Client("openidClient",
    access_type="CONFIDENTIAL",
    client_id="test-client",
    enabled=True,
    realm_id=realm.id,
    valid_redirect_uris=["http://localhost:8080/openid-callback"])
```

C#:

```csharp
using Pulumi;
using Keycloak = Pulumi.Keycloak;

class MyStack : Stack
{
    public MyStack()
    {
        var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
        {
            Enabled = true,
            Realm = "my-realm",
        });
        var openidClient = new Keycloak.OpenId.Client("openidClient", new Keycloak.OpenId.ClientArgs
        {
            AccessType = "CONFIDENTIAL",
            ClientId = "test-client",
            Enabled = true,
            RealmId = realm.Id,
            ValidRedirectUris =
            {
                "http://localhost:8080/openid-callback",
            },
        });
    }

}
```

Argument Reference

The following arguments are supported:

  • realm_id - (Required) The realm this client is attached to.
  • client_id - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens.
  • name - (Optional) The display name of this client in the GUI.
  • enabled - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
  • description - (Optional) The description of this client in the GUI.
  • access_type - (Required) Specifies the type of client, which can be one of the following:
    • CONFIDENTIAL - Used for server-side clients that require both client ID and secret when authenticating. This client should be used for applications using the Authorization Code or Client Credentials grant flows.
    • PUBLIC - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect URIs for security. This client should be used for applications using the Implicit grant flow.
    • BEARER-ONLY - Used for services that never initiate a login. This client will only allow bearer token requests.
  • client_secret - (Optional) The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, Keycloak will generate a GUID for this attribute.
  • standard_flow_enabled - (Optional) When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false.
  • implicit_flow_enabled - (Optional) When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false.
  • direct_access_grants_enabled - (Optional) When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false.
  • service_accounts_enabled - (Optional) When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false.
  • valid_redirect_uris - (Optional) A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true.
  • web_origins - (Optional) A list of allowed CORS origins. + can be used to permit all valid redirect URIs, and * can be used to permit all origins.
  • admin_url - (Optional) URL to the admin interface of the client.
  • base_url - (Optional) Default URL to use when the auth server needs to redirect or link back to the client.
  • pkce_code_challenge_method - (Optional) The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256, or set to an empty value.
  • full_scope_allowed - (Optional) Allows all role mappings to be included in the access token.
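
A pre-deployment check over the arguments listed above, as an added example that is not part of the Pulumi provider or its documentation: it flags settings in a client definition that widen where codes and tokens can be delivered. The function name audit_client, the rule set and the two sample clients are assumptions constructed for illustration; the dictionary keys are the argument names from the Argument Reference.

```python
# Added example; the rule set is this example's assumption, not provider behaviour.
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def audit_client(args: dict) -> list:
    """Return findings for one client's arguments; an empty list means clean."""
    out = []
    uris = args.get("valid_redirect_uris") or []
    code_flow = bool(args.get("standard_flow_enabled"))
    implicit = bool(args.get("implicit_flow_enabled"))
    # Rule stated in the Argument Reference: browser flows need redirect URIs.
    if (code_flow or implicit) and not uris:
        out.append("valid_redirect_uris must be set for standard/implicit flow")
    for uri in uris:
        parts = urlsplit(uri)
        if uri == "*" or "*" in parts.netloc:
            out.append(f"{uri}: wildcard covers the redirect host")
        elif parts.scheme == "http" and parts.hostname not in LOOPBACK:
            out.append(f"{uri}: cleartext http outside loopback")
    if "*" in (args.get("web_origins") or []):
        out.append("web_origins '*' permits all origins; list them or use '+'")
    if implicit:
        out.append("implicit flow returns tokens in the redirect URL")
    if args.get("direct_access_grants_enabled"):
        out.append("direct access grants send user passwords through the client")
    # A PUBLIC client has no secret, so S256 PKCE protects the code exchange.
    if (args.get("access_type") == "PUBLIC" and code_flow
            and args.get("pkce_code_challenge_method") != "S256"):
        out.append("PUBLIC client with code flow: set pkce_code_challenge_method=S256")
    return out


# Constructed inputs: a permissive client next to a tightened one.
WEAK = {
    "access_type": "PUBLIC", "standard_flow_enabled": True,
    "implicit_flow_enabled": True, "valid_redirect_uris": ["*"],
    "web_origins": ["*"], "pkce_code_challenge_method": "plain",
}
HARDENED = {
    "access_type": "PUBLIC", "standard_flow_enabled": True,
    "valid_redirect_uris": ["https://app.example.com/openid-callback"],
    "web_origins": ["+"], "pkce_code_challenge_method": "S256",
}

if __name__ == "__main__":
    for label, client in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_client(client))
```

The same dictionary can be checked and then unpacked as keyword arguments to keycloak.openid.Client, so the check and the deployed definition cannot drift apart.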

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • service_account_user_id - When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.

Create a Client Resource

TypeScript:

new Client(name: string, args: ClientArgs, opts?: CustomResourceOptions);

name string - The unique name of the resource.
args ClientArgs - The arguments to resource properties.
opts CustomResourceOptions - Bag of options to control resource's behavior.

Python:

def Client(resource_name, opts=None, access_token_lifespan=None, access_type=None, admin_url=None, authentication_flow_binding_overrides=None, authorization=None, base_url=None, client_id=None, client_secret=None, consent_required=None, description=None, direct_access_grants_enabled=None, enabled=None, exclude_session_state_from_auth_response=None, full_scope_allowed=None, implicit_flow_enabled=None, login_theme=None, name=None, pkce_code_challenge_method=None, realm_id=None, root_url=None, service_accounts_enabled=None, standard_flow_enabled=None, valid_redirect_uris=None, web_origins=None, __props__=None);

resource_name str - The unique name of the resource.
opts ResourceOptions - A bag of options that control this resource's behavior.

Go:

func NewClient(ctx *Context, name string, args ClientArgs, opts ...ResourceOption) (*Client, error)

ctx Context - Context object for the current deployment.
name string - The unique name of the resource.
args ClientArgs - The arguments to resource properties.
opts ResourceOption - Bag of options to control resource's behavior.

C#:

public Client(string name, ClientArgs args, CustomResourceOptions? opts = null)

name string - The unique name of the resource.
args ClientArgs - The arguments to resource properties.
opts CustomResourceOptions - Bag of options to control resource's behavior.

Client Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The Client resource accepts the following input properties:

C#:

AccessType string
ClientId string
RealmId string
AccessTokenLifespan string
AdminUrl string
AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs
Authorization ClientAuthorizationArgs
BaseUrl string
ClientSecret string
ConsentRequired bool
Description string
DirectAccessGrantsEnabled bool
Enabled bool
ExcludeSessionStateFromAuthResponse bool
FullScopeAllowed bool
ImplicitFlowEnabled bool
LoginTheme string
Name string
PkceCodeChallengeMethod string
RootUrl string
ServiceAccountsEnabled bool
StandardFlowEnabled bool
ValidRedirectUris List<string>
WebOrigins List<string>

Go:

AccessType string
ClientId string
RealmId string
AccessTokenLifespan string
AdminUrl string
AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides
Authorization ClientAuthorization
BaseUrl string
ClientSecret string
ConsentRequired bool
Description string
DirectAccessGrantsEnabled bool
Enabled bool
ExcludeSessionStateFromAuthResponse bool
FullScopeAllowed bool
ImplicitFlowEnabled bool
LoginTheme string
Name string
PkceCodeChallengeMethod string
RootUrl string
ServiceAccountsEnabled bool
StandardFlowEnabled bool
ValidRedirectUris []string
WebOrigins []string

TypeScript:

accessType string
clientId string
realmId string
accessTokenLifespan string
adminUrl string
authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides
authorization ClientAuthorization
baseUrl string
clientSecret string
consentRequired boolean
description string
directAccessGrantsEnabled boolean
enabled boolean
excludeSessionStateFromAuthResponse boolean
fullScopeAllowed boolean
implicitFlowEnabled boolean
loginTheme string
name string
pkceCodeChallengeMethod string
rootUrl string
serviceAccountsEnabled boolean
standardFlowEnabled boolean
validRedirectUris string[]
webOrigins string[]

Python:

access_type str
client_id str
realm_id str
access_token_lifespan str
admin_url str
authentication_flow_binding_overrides Dict[ClientAuthenticationFlowBindingOverrides]
authorization Dict[ClientAuthorization]
base_url str
client_secret str
consent_required bool
description str
direct_access_grants_enabled bool
enabled bool
exclude_session_state_from_auth_response bool
full_scope_allowed bool
implicit_flow_enabled bool
login_theme str
name str
pkce_code_challenge_method str
root_url str
service_accounts_enabled bool
standard_flow_enabled bool
valid_redirect_uris List[str]
web_origins List[str]

Outputs

All input properties are implicitly available as output properties. Additionally, the Client resource produces the following output properties:

C#:

Id string - The provider-assigned unique ID for this managed resource.
ResourceServerId string
ServiceAccountUserId string

Go:

Id string - The provider-assigned unique ID for this managed resource.
ResourceServerId string
ServiceAccountUserId string

TypeScript:

id string - The provider-assigned unique ID for this managed resource.
resourceServerId string
serviceAccountUserId string

Python:

id str - The provider-assigned unique ID for this managed resource.
resource_server_id str
service_account_user_id str

Look up an Existing Client Resource

Get an existing Client resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

TypeScript:

public static get(name: string, id: Input<ID>, state?: ClientState, opts?: CustomResourceOptions): Client

name - The unique name of the resulting resource.
id - The unique provider ID of the resource to lookup.
state - Any extra arguments used during the lookup.
opts - A bag of options that control this resource's behavior.

Python:

static get(resource_name, id, opts=None, access_token_lifespan=None, access_type=None, admin_url=None, authentication_flow_binding_overrides=None, authorization=None, base_url=None, client_id=None, client_secret=None, consent_required=None, description=None, direct_access_grants_enabled=None, enabled=None, exclude_session_state_from_auth_response=None, full_scope_allowed=None, implicit_flow_enabled=None, login_theme=None, name=None, pkce_code_challenge_method=None, realm_id=None, resource_server_id=None, root_url=None, service_account_user_id=None, service_accounts_enabled=None, standard_flow_enabled=None, valid_redirect_uris=None, web_origins=None, __props__=None);

resource_name - The unique name of the resulting resource.
id - The unique provider ID of the resource to lookup.

Go:

func GetClient(ctx *Context, name string, id IDInput, state *ClientState, opts ...ResourceOption) (*Client, error)

name - The unique name of the resulting resource.
id - The unique provider ID of the resource to lookup.
state - Any extra arguments used during the lookup.
opts - A bag of options that control this resource's behavior.

C#:

public static Client Get(string name, Input<string> id, ClientState? state, CustomResourceOptions? opts = null)

name - The unique name of the resulting resource.
id - The unique provider ID of the resource to lookup.
state - Any extra arguments used during the lookup.
opts - A bag of options that control this resource's behavior.

The following state arguments are supported:

C#:

AccessTokenLifespan string
AccessType string
AdminUrl string
AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs
Authorization ClientAuthorizationArgs
BaseUrl string
ClientId string
ClientSecret string
ConsentRequired bool
Description string
DirectAccessGrantsEnabled bool
Enabled bool
ExcludeSessionStateFromAuthResponse bool
FullScopeAllowed bool
ImplicitFlowEnabled bool
LoginTheme string
Name string
PkceCodeChallengeMethod string
RealmId string
ResourceServerId string
RootUrl string
ServiceAccountUserId string
ServiceAccountsEnabled bool
StandardFlowEnabled bool
ValidRedirectUris List<string>
WebOrigins List<string>

Go:

AccessTokenLifespan string
AccessType string
AdminUrl string
AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides
Authorization ClientAuthorization
BaseUrl string
ClientId string
ClientSecret string
ConsentRequired bool
Description string
DirectAccessGrantsEnabled bool
Enabled bool
ExcludeSessionStateFromAuthResponse bool
FullScopeAllowed bool
ImplicitFlowEnabled bool
LoginTheme string
Name string
PkceCodeChallengeMethod string
RealmId string
ResourceServerId string
RootUrl string
ServiceAccountUserId string
ServiceAccountsEnabled bool
StandardFlowEnabled bool
ValidRedirectUris []string
WebOrigins []string

TypeScript:

accessTokenLifespan string
accessType string
adminUrl string
authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides
authorization ClientAuthorization
baseUrl string
clientId string
clientSecret string
consentRequired boolean
description string
directAccessGrantsEnabled boolean
enabled boolean
excludeSessionStateFromAuthResponse boolean
fullScopeAllowed boolean
implicitFlowEnabled boolean
loginTheme string
name string
pkceCodeChallengeMethod string
realmId string
resourceServerId string
rootUrl string
serviceAccountUserId string
serviceAccountsEnabled boolean
standardFlowEnabled boolean
validRedirectUris string[]
webOrigins string[]

Python:

access_token_lifespan str
access_type str
admin_url str
authentication_flow_binding_overrides Dict[ClientAuthenticationFlowBindingOverrides]
authorization Dict[ClientAuthorization]
base_url str
client_id str
client_secret str
consent_required bool
description str
direct_access_grants_enabled bool
enabled bool
exclude_session_state_from_auth_response bool
full_scope_allowed bool
implicit_flow_enabled bool
login_theme str
name str
pkce_code_challenge_method str
realm_id str
resource_server_id str
root_url str
service_account_user_id str
service_accounts_enabled bool
standard_flow_enabled bool
valid_redirect_uris List[str]
web_origins List[str]

Supporting Types

ClientAuthenticationFlowBindingOverrides

See the input and output API doc for this type.

C#:

BrowserId string
DirectGrantId string

Go:

BrowserId string
DirectGrantId string

TypeScript:

browserId string
directGrantId string

Python:

browserId str
directGrantId str

ClientAuthorization

See the input and output API doc for this type.

C#:

PolicyEnforcementMode string
AllowRemoteResourceManagement bool
KeepDefaults bool

Go:

PolicyEnforcementMode string
AllowRemoteResourceManagement bool
KeepDefaults bool

TypeScript:

policyEnforcementMode string
allowRemoteResourceManagement boolean
keepDefaults boolean

Python:

policyEnforcementMode str
allowRemoteResourceManagement bool
keepDefaults bool

Package Details

Repository
https://github.com/pulumi/pulumi-keycloak
License
Apache-2.0
Notes
This Pulumi package is based on the keycloak Terraform Provider.