1. Packages
  2. Keycloak
  3. API Docs
  4. openid
  5. getClientAuthorizationPolicy
Keycloak v5.3.2 published on Friday, May 10, 2024 by Pulumi

keycloak.openid.getClientAuthorizationPolicy

Explore with Pulumi AI

keycloak logo
Keycloak v5.3.2 published on Friday, May 10, 2024 by Pulumi

    This data source can be used to fetch policy and permission information for an OpenID client that has authorization enabled.

    Example Usage

    In this example, we’ll create a new OpenID client with authorization enabled. This will cause Keycloak to create a default permission for this client called “Default Permission”. We’ll use the keycloak.openid.getClientAuthorizationPolicy data source to fetch information about this permission, so we can use it to create a new resource-based authorization permission.

    import * as pulumi from "@pulumi/pulumi";
    import * as keycloak from "@pulumi/keycloak";
    
    const realm = new keycloak.Realm("realm", {
        realm: "my-realm",
        enabled: true,
    });
    const clientWithAuthz = new keycloak.openid.Client("client_with_authz", {
        clientId: "client-with-authz",
        name: "client-with-authz",
        realmId: realm.id,
        accessType: "CONFIDENTIAL",
        serviceAccountsEnabled: true,
        authorization: {
            policyEnforcementMode: "ENFORCING",
        },
    });
    const defaultPermission = keycloak.openid.getClientAuthorizationPolicyOutput({
        realmId: realm.id,
        resourceServerId: clientWithAuthz.resourceServerId,
        name: "Default Permission",
    });
    const resource = new keycloak.openid.ClientAuthorizationResource("resource", {
        resourceServerId: clientWithAuthz.resourceServerId,
        name: "authorization-resource",
        realmId: realm.id,
        uris: ["/endpoint/*"],
        attributes: {
            foo: "bar",
        },
    });
    const permission = new keycloak.openid.ClientAuthorizationPermission("permission", {
        resourceServerId: clientWithAuthz.resourceServerId,
        realmId: realm.id,
        name: "authorization-permission",
        policies: [defaultPermission.apply(defaultPermission => defaultPermission.id)],
        resources: [resource.id],
    });
    
    import pulumi
    import pulumi_keycloak as keycloak
    
    realm = keycloak.Realm("realm",
        realm="my-realm",
        enabled=True)
    client_with_authz = keycloak.openid.Client("client_with_authz",
        client_id="client-with-authz",
        name="client-with-authz",
        realm_id=realm.id,
        access_type="CONFIDENTIAL",
        service_accounts_enabled=True,
        authorization=keycloak.openid.ClientAuthorizationArgs(
            policy_enforcement_mode="ENFORCING",
        ))
    default_permission = keycloak.openid.get_client_authorization_policy_output(realm_id=realm.id,
        resource_server_id=client_with_authz.resource_server_id,
        name="Default Permission")
    resource = keycloak.openid.ClientAuthorizationResource("resource",
        resource_server_id=client_with_authz.resource_server_id,
        name="authorization-resource",
        realm_id=realm.id,
        uris=["/endpoint/*"],
        attributes={
            "foo": "bar",
        })
    permission = keycloak.openid.ClientAuthorizationPermission("permission",
        resource_server_id=client_with_authz.resource_server_id,
        realm_id=realm.id,
        name="authorization-permission",
        policies=[default_permission.id],
        resources=[resource.id])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
    	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/openid"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
    			Realm:   pulumi.String("my-realm"),
    			Enabled: pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		clientWithAuthz, err := openid.NewClient(ctx, "client_with_authz", &openid.ClientArgs{
    			ClientId:               pulumi.String("client-with-authz"),
    			Name:                   pulumi.String("client-with-authz"),
    			RealmId:                realm.ID(),
    			AccessType:             pulumi.String("CONFIDENTIAL"),
    			ServiceAccountsEnabled: pulumi.Bool(true),
    			Authorization: &openid.ClientAuthorizationArgs{
    				PolicyEnforcementMode: pulumi.String("ENFORCING"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		defaultPermission := openid.GetClientAuthorizationPolicyOutput(ctx, openid.GetClientAuthorizationPolicyOutputArgs{
    			RealmId:          realm.ID(),
    			ResourceServerId: clientWithAuthz.ResourceServerId,
    			Name:             pulumi.String("Default Permission"),
    		}, nil)
    		resource, err := openid.NewClientAuthorizationResource(ctx, "resource", &openid.ClientAuthorizationResourceArgs{
    			ResourceServerId: clientWithAuthz.ResourceServerId,
    			Name:             pulumi.String("authorization-resource"),
    			RealmId:          realm.ID(),
    			Uris: pulumi.StringArray{
    				pulumi.String("/endpoint/*"),
    			},
    			Attributes: pulumi.Map{
    				"foo": pulumi.Any("bar"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_, err = openid.NewClientAuthorizationPermission(ctx, "permission", &openid.ClientAuthorizationPermissionArgs{
    			ResourceServerId: clientWithAuthz.ResourceServerId,
    			RealmId:          realm.ID(),
    			Name:             pulumi.String("authorization-permission"),
    			Policies: pulumi.StringArray{
    				defaultPermission.ApplyT(func(defaultPermission openid.GetClientAuthorizationPolicyResult) (*string, error) {
    					return &defaultPermission.Id, nil
    				}).(pulumi.StringPtrOutput),
    			},
    			Resources: pulumi.StringArray{
    				resource.ID(),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Keycloak = Pulumi.Keycloak;
    
    return await Deployment.RunAsync(() => 
    {
        var realm = new Keycloak.Realm("realm", new()
        {
            RealmName = "my-realm",
            Enabled = true,
        });
    
        var clientWithAuthz = new Keycloak.OpenId.Client("client_with_authz", new()
        {
            ClientId = "client-with-authz",
            Name = "client-with-authz",
            RealmId = realm.Id,
            AccessType = "CONFIDENTIAL",
            ServiceAccountsEnabled = true,
            Authorization = new Keycloak.OpenId.Inputs.ClientAuthorizationArgs
            {
                PolicyEnforcementMode = "ENFORCING",
            },
        });
    
        var defaultPermission = Keycloak.OpenId.GetClientAuthorizationPolicy.Invoke(new()
        {
            RealmId = realm.Id,
            ResourceServerId = clientWithAuthz.ResourceServerId,
            Name = "Default Permission",
        });
    
        var resource = new Keycloak.OpenId.ClientAuthorizationResource("resource", new()
        {
            ResourceServerId = clientWithAuthz.ResourceServerId,
            Name = "authorization-resource",
            RealmId = realm.Id,
            Uris = new[]
            {
                "/endpoint/*",
            },
            Attributes = 
            {
                { "foo", "bar" },
            },
        });
    
        var permission = new Keycloak.OpenId.ClientAuthorizationPermission("permission", new()
        {
            ResourceServerId = clientWithAuthz.ResourceServerId,
            RealmId = realm.Id,
            Name = "authorization-permission",
            Policies = new[]
            {
                defaultPermission.Apply(getClientAuthorizationPolicyResult => getClientAuthorizationPolicyResult.Id),
            },
            Resources = new[]
            {
                resource.Id,
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.keycloak.Realm;
    import com.pulumi.keycloak.RealmArgs;
    import com.pulumi.keycloak.openid.Client;
    import com.pulumi.keycloak.openid.ClientArgs;
    import com.pulumi.keycloak.openid.inputs.ClientAuthorizationArgs;
    import com.pulumi.keycloak.openid.OpenidFunctions;
    import com.pulumi.keycloak.openid.inputs.GetClientAuthorizationPolicyArgs;
    import com.pulumi.keycloak.openid.ClientAuthorizationResource;
    import com.pulumi.keycloak.openid.ClientAuthorizationResourceArgs;
    import com.pulumi.keycloak.openid.ClientAuthorizationPermission;
    import com.pulumi.keycloak.openid.ClientAuthorizationPermissionArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var realm = new Realm("realm", RealmArgs.builder()        
                .realm("my-realm")
                .enabled(true)
                .build());
    
            var clientWithAuthz = new Client("clientWithAuthz", ClientArgs.builder()        
                .clientId("client-with-authz")
                .name("client-with-authz")
                .realmId(realm.id())
                .accessType("CONFIDENTIAL")
                .serviceAccountsEnabled(true)
                .authorization(ClientAuthorizationArgs.builder()
                    .policyEnforcementMode("ENFORCING")
                    .build())
                .build());
    
            final var defaultPermission = OpenidFunctions.getClientAuthorizationPolicy(GetClientAuthorizationPolicyArgs.builder()
                .realmId(realm.id())
                .resourceServerId(clientWithAuthz.resourceServerId())
                .name("Default Permission")
                .build());
    
            var resource = new ClientAuthorizationResource("resource", ClientAuthorizationResourceArgs.builder()        
                .resourceServerId(clientWithAuthz.resourceServerId())
                .name("authorization-resource")
                .realmId(realm.id())
                .uris("/endpoint/*")
                .attributes(Map.of("foo", "bar"))
                .build());
    
            var permission = new ClientAuthorizationPermission("permission", ClientAuthorizationPermissionArgs.builder()        
                .resourceServerId(clientWithAuthz.resourceServerId())
                .realmId(realm.id())
                .name("authorization-permission")
                .policies(defaultPermission.applyValue(getClientAuthorizationPolicyResult -> getClientAuthorizationPolicyResult).applyValue(defaultPermission -> defaultPermission.applyValue(getClientAuthorizationPolicyResult -> getClientAuthorizationPolicyResult.id())))
                .resources(resource.id())
                .build());
    
        }
    }
    
    resources:
      realm:
        type: keycloak:Realm
        properties:
          realm: my-realm
          enabled: true
      clientWithAuthz:
        type: keycloak:openid:Client
        name: client_with_authz
        properties:
          clientId: client-with-authz
          name: client-with-authz
          realmId: ${realm.id}
          accessType: CONFIDENTIAL
          serviceAccountsEnabled: true
          authorization:
            policyEnforcementMode: ENFORCING
      resource:
        type: keycloak:openid:ClientAuthorizationResource
        properties:
          resourceServerId: ${clientWithAuthz.resourceServerId}
          name: authorization-resource
          realmId: ${realm.id}
          uris:
            - /endpoint/*
          attributes:
            foo: bar
      permission:
        type: keycloak:openid:ClientAuthorizationPermission
        properties:
          resourceServerId: ${clientWithAuthz.resourceServerId}
          realmId: ${realm.id}
          name: authorization-permission
          policies:
            - ${defaultPermission.id}
          resources:
            - ${resource.id}
    variables:
      defaultPermission:
        fn::invoke:
          Function: keycloak:openid:getClientAuthorizationPolicy
          Arguments:
            realmId: ${realm.id}
            resourceServerId: ${clientWithAuthz.resourceServerId}
            name: Default Permission
    

    Using getClientAuthorizationPolicy

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getClientAuthorizationPolicy(args: GetClientAuthorizationPolicyArgs, opts?: InvokeOptions): Promise<GetClientAuthorizationPolicyResult>
    function getClientAuthorizationPolicyOutput(args: GetClientAuthorizationPolicyOutputArgs, opts?: InvokeOptions): Output<GetClientAuthorizationPolicyResult>
    def get_client_authorization_policy(name: Optional[str] = None,
                                        realm_id: Optional[str] = None,
                                        resource_server_id: Optional[str] = None,
                                        opts: Optional[InvokeOptions] = None) -> GetClientAuthorizationPolicyResult
    def get_client_authorization_policy_output(name: Optional[pulumi.Input[str]] = None,
                                        realm_id: Optional[pulumi.Input[str]] = None,
                                        resource_server_id: Optional[pulumi.Input[str]] = None,
                                        opts: Optional[InvokeOptions] = None) -> Output[GetClientAuthorizationPolicyResult]
    func GetClientAuthorizationPolicy(ctx *Context, args *GetClientAuthorizationPolicyArgs, opts ...InvokeOption) (*GetClientAuthorizationPolicyResult, error)
    func GetClientAuthorizationPolicyOutput(ctx *Context, args *GetClientAuthorizationPolicyOutputArgs, opts ...InvokeOption) GetClientAuthorizationPolicyResultOutput

    > Note: This function is named GetClientAuthorizationPolicy in the Go SDK.

    public static class GetClientAuthorizationPolicy 
    {
        public static Task<GetClientAuthorizationPolicyResult> InvokeAsync(GetClientAuthorizationPolicyArgs args, InvokeOptions? opts = null)
        public static Output<GetClientAuthorizationPolicyResult> Invoke(GetClientAuthorizationPolicyInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetClientAuthorizationPolicyResult> getClientAuthorizationPolicy(GetClientAuthorizationPolicyArgs args, InvokeOptions options)
    // Output-based functions aren't available in Java yet
    
    fn::invoke:
      function: keycloak:openid/getClientAuthorizationPolicy:getClientAuthorizationPolicy
      arguments:
        # arguments dictionary

    The following arguments are supported:

    Name string
    The name of the authorization policy.
    RealmId string
    The realm this authorization policy exists within.
    ResourceServerId string
    The ID of the resource server this authorization policy is attached to.
    Name string
    The name of the authorization policy.
    RealmId string
    The realm this authorization policy exists within.
    ResourceServerId string
    The ID of the resource server this authorization policy is attached to.
    name String
    The name of the authorization policy.
    realmId String
    The realm this authorization policy exists within.
    resourceServerId String
    The ID of the resource server this authorization policy is attached to.
    name string
    The name of the authorization policy.
    realmId string
    The realm this authorization policy exists within.
    resourceServerId string
    The ID of the resource server this authorization policy is attached to.
    name str
    The name of the authorization policy.
    realm_id str
    The realm this authorization policy exists within.
    resource_server_id str
    The ID of the resource server this authorization policy is attached to.
    name String
    The name of the authorization policy.
    realmId String
    The realm this authorization policy exists within.
    resourceServerId String
    The ID of the resource server this authorization policy is attached to.

    getClientAuthorizationPolicy Result

    The following output properties are available:

    DecisionStrategy string
    (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
    Id string
    The provider-assigned unique ID for this managed resource.
    Logic string
    (Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
    Name string
    Owner string
    (Computed) The ID of the owning resource. Applies to resources.
    Policies List<string>
    (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
    RealmId string
    ResourceServerId string
    Resources List<string>
    (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
    Scopes List<string>
    (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
    Type string
    (Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js.
    DecisionStrategy string
    (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
    Id string
    The provider-assigned unique ID for this managed resource.
    Logic string
    (Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
    Name string
    Owner string
    (Computed) The ID of the owning resource. Applies to resources.
    Policies []string
    (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
    RealmId string
    ResourceServerId string
    Resources []string
    (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
    Scopes []string
    (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
    Type string
    (Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js.
    decisionStrategy String
    (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
    id String
    The provider-assigned unique ID for this managed resource.
    logic String
    (Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
    name String
    owner String
    (Computed) The ID of the owning resource. Applies to resources.
    policies List<String>
    (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
    realmId String
    resourceServerId String
    resources List<String>
    (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
    scopes List<String>
    (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
    type String
    (Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js.
    decisionStrategy string
    (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
    id string
    The provider-assigned unique ID for this managed resource.
    logic string
    (Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
    name string
    owner string
    (Computed) The ID of the owning resource. Applies to resources.
    policies string[]
    (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
    realmId string
    resourceServerId string
    resources string[]
    (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
    scopes string[]
    (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
    type string
    (Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js.
    decision_strategy str
    (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
    id str
    The provider-assigned unique ID for this managed resource.
    logic str
    (Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
    name str
    owner str
    (Computed) The ID of the owning resource. Applies to resources.
    policies Sequence[str]
    (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
    realm_id str
    resource_server_id str
    resources Sequence[str]
    (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
    scopes Sequence[str]
    (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
    type str
    (Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js.
    decisionStrategy String
    (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
    id String
    The provider-assigned unique ID for this managed resource.
    logic String
    (Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
    name String
    owner String
    (Computed) The ID of the owning resource. Applies to resources.
    policies List<String>
    (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
    realmId String
    resourceServerId String
    resources List<String>
    (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
    scopes List<String>
    (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
    type String
    (Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js.

    Package Details

    Repository
    Keycloak pulumi/pulumi-keycloak
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the keycloak Terraform Provider.
    keycloak logo
    Keycloak v5.3.2 published on Friday, May 10, 2024 by Pulumi