1. Packages
  2. Keycloak Provider
  3. API Docs
  4. openid
  5. getClientAuthorizationPolicy
Keycloak v6.4.0 published on Wednesday, Apr 16, 2025 by Pulumi

keycloak.openid.getClientAuthorizationPolicy

Explore with Pulumi AI

This data source can be used to fetch policy and permission information for an OpenID client that has authorization enabled.

Example Usage

In this example, we’ll create a new OpenID client with authorization enabled. This will cause Keycloak to create a default permission for this client called “Default Permission”. We’ll use the keycloak.openid.getClientAuthorizationPolicy data source to fetch information about this permission, so we can use it to create a new resource-based authorization permission.

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const clientWithAuthz = new keycloak.openid.Client("client_with_authz", {
    clientId: "client-with-authz",
    name: "client-with-authz",
    realmId: realm.id,
    accessType: "CONFIDENTIAL",
    serviceAccountsEnabled: true,
    authorization: {
        policyEnforcementMode: "ENFORCING",
    },
});
const defaultPermission = keycloak.openid.getClientAuthorizationPolicyOutput({
    realmId: realm.id,
    resourceServerId: clientWithAuthz.resourceServerId,
    name: "Default Permission",
});
const resource = new keycloak.openid.ClientAuthorizationResource("resource", {
    resourceServerId: clientWithAuthz.resourceServerId,
    name: "authorization-resource",
    realmId: realm.id,
    uris: ["/endpoint/*"],
    attributes: {
        foo: "bar",
    },
});
const permission = new keycloak.openid.ClientAuthorizationPermission("permission", {
    resourceServerId: clientWithAuthz.resourceServerId,
    realmId: realm.id,
    name: "authorization-permission",
    policies: [defaultPermission.apply(defaultPermission => defaultPermission.id)],
    resources: [resource.id],
});
Copy
import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
client_with_authz = keycloak.openid.Client("client_with_authz",
    client_id="client-with-authz",
    name="client-with-authz",
    realm_id=realm.id,
    access_type="CONFIDENTIAL",
    service_accounts_enabled=True,
    authorization={
        "policy_enforcement_mode": "ENFORCING",
    })
default_permission = keycloak.openid.get_client_authorization_policy_output(realm_id=realm.id,
    resource_server_id=client_with_authz.resource_server_id,
    name="Default Permission")
resource = keycloak.openid.ClientAuthorizationResource("resource",
    resource_server_id=client_with_authz.resource_server_id,
    name="authorization-resource",
    realm_id=realm.id,
    uris=["/endpoint/*"],
    attributes={
        "foo": "bar",
    })
permission = keycloak.openid.ClientAuthorizationPermission("permission",
    resource_server_id=client_with_authz.resource_server_id,
    realm_id=realm.id,
    name="authorization-permission",
    policies=[default_permission.id],
    resources=[resource.id])
Copy
package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		clientWithAuthz, err := openid.NewClient(ctx, "client_with_authz", &openid.ClientArgs{
			ClientId:               pulumi.String("client-with-authz"),
			Name:                   pulumi.String("client-with-authz"),
			RealmId:                realm.ID(),
			AccessType:             pulumi.String("CONFIDENTIAL"),
			ServiceAccountsEnabled: pulumi.Bool(true),
			Authorization: &openid.ClientAuthorizationArgs{
				PolicyEnforcementMode: pulumi.String("ENFORCING"),
			},
		})
		if err != nil {
			return err
		}
		defaultPermission := openid.GetClientAuthorizationPolicyOutput(ctx, openid.GetClientAuthorizationPolicyOutputArgs{
			RealmId:          realm.ID(),
			ResourceServerId: clientWithAuthz.ResourceServerId,
			Name:             pulumi.String("Default Permission"),
		}, nil)
		resource, err := openid.NewClientAuthorizationResource(ctx, "resource", &openid.ClientAuthorizationResourceArgs{
			ResourceServerId: clientWithAuthz.ResourceServerId,
			Name:             pulumi.String("authorization-resource"),
			RealmId:          realm.ID(),
			Uris: pulumi.StringArray{
				pulumi.String("/endpoint/*"),
			},
			Attributes: pulumi.StringMap{
				"foo": pulumi.String("bar"),
			},
		})
		if err != nil {
			return err
		}
		_, err = openid.NewClientAuthorizationPermission(ctx, "permission", &openid.ClientAuthorizationPermissionArgs{
			ResourceServerId: clientWithAuthz.ResourceServerId,
			RealmId:          realm.ID(),
			Name:             pulumi.String("authorization-permission"),
			Policies: pulumi.StringArray{
				pulumi.String(defaultPermission.ApplyT(func(defaultPermission openid.GetClientAuthorizationPolicyResult) (*string, error) {
					return &defaultPermission.Id, nil
				}).(pulumi.StringPtrOutput)),
			},
			Resources: pulumi.StringArray{
				resource.ID(),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;

return await Deployment.RunAsync(() => 
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });

    var clientWithAuthz = new Keycloak.OpenId.Client("client_with_authz", new()
    {
        ClientId = "client-with-authz",
        Name = "client-with-authz",
        RealmId = realm.Id,
        AccessType = "CONFIDENTIAL",
        ServiceAccountsEnabled = true,
        Authorization = new Keycloak.OpenId.Inputs.ClientAuthorizationArgs
        {
            PolicyEnforcementMode = "ENFORCING",
        },
    });

    var defaultPermission = Keycloak.OpenId.GetClientAuthorizationPolicy.Invoke(new()
    {
        RealmId = realm.Id,
        ResourceServerId = clientWithAuthz.ResourceServerId,
        Name = "Default Permission",
    });

    var resource = new Keycloak.OpenId.ClientAuthorizationResource("resource", new()
    {
        ResourceServerId = clientWithAuthz.ResourceServerId,
        Name = "authorization-resource",
        RealmId = realm.Id,
        Uris = new[]
        {
            "/endpoint/*",
        },
        Attributes = 
        {
            { "foo", "bar" },
        },
    });

    var permission = new Keycloak.OpenId.ClientAuthorizationPermission("permission", new()
    {
        ResourceServerId = clientWithAuthz.ResourceServerId,
        RealmId = realm.Id,
        Name = "authorization-permission",
        Policies = new[]
        {
            defaultPermission.Apply(getClientAuthorizationPolicyResult => getClientAuthorizationPolicyResult.Id),
        },
        Resources = new[]
        {
            resource.Id,
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.openid.inputs.ClientAuthorizationArgs;
import com.pulumi.keycloak.openid.OpenidFunctions;
import com.pulumi.keycloak.openid.inputs.GetClientAuthorizationPolicyArgs;
import com.pulumi.keycloak.openid.ClientAuthorizationResource;
import com.pulumi.keycloak.openid.ClientAuthorizationResourceArgs;
import com.pulumi.keycloak.openid.ClientAuthorizationPermission;
import com.pulumi.keycloak.openid.ClientAuthorizationPermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());

        var clientWithAuthz = new Client("clientWithAuthz", ClientArgs.builder()
            .clientId("client-with-authz")
            .name("client-with-authz")
            .realmId(realm.id())
            .accessType("CONFIDENTIAL")
            .serviceAccountsEnabled(true)
            .authorization(ClientAuthorizationArgs.builder()
                .policyEnforcementMode("ENFORCING")
                .build())
            .build());

        final var defaultPermission = OpenidFunctions.getClientAuthorizationPolicy(GetClientAuthorizationPolicyArgs.builder()
            .realmId(realm.id())
            .resourceServerId(clientWithAuthz.resourceServerId())
            .name("Default Permission")
            .build());

        var resource = new ClientAuthorizationResource("resource", ClientAuthorizationResourceArgs.builder()
            .resourceServerId(clientWithAuthz.resourceServerId())
            .name("authorization-resource")
            .realmId(realm.id())
            .uris("/endpoint/*")
            .attributes(Map.of("foo", "bar"))
            .build());

        var permission = new ClientAuthorizationPermission("permission", ClientAuthorizationPermissionArgs.builder()
            .resourceServerId(clientWithAuthz.resourceServerId())
            .realmId(realm.id())
            .name("authorization-permission")
            .policies(defaultPermission.applyValue(_defaultPermission -> _defaultPermission.id()))
            .resources(resource.id())
            .build());

    }
}
Copy
resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  clientWithAuthz:
    type: keycloak:openid:Client
    name: client_with_authz
    properties:
      clientId: client-with-authz
      name: client-with-authz
      realmId: ${realm.id}
      accessType: CONFIDENTIAL
      serviceAccountsEnabled: true
      authorization:
        policyEnforcementMode: ENFORCING
  resource:
    type: keycloak:openid:ClientAuthorizationResource
    properties:
      resourceServerId: ${clientWithAuthz.resourceServerId}
      name: authorization-resource
      realmId: ${realm.id}
      uris:
        - /endpoint/*
      attributes:
        foo: bar
  permission:
    type: keycloak:openid:ClientAuthorizationPermission
    properties:
      resourceServerId: ${clientWithAuthz.resourceServerId}
      realmId: ${realm.id}
      name: authorization-permission
      policies:
        - ${defaultPermission.id}
      resources:
        - ${resource.id}
variables:
  defaultPermission:
    fn::invoke:
      function: keycloak:openid:getClientAuthorizationPolicy
      arguments:
        realmId: ${realm.id}
        resourceServerId: ${clientWithAuthz.resourceServerId}
        name: Default Permission
Copy

Using getClientAuthorizationPolicy

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getClientAuthorizationPolicy(args: GetClientAuthorizationPolicyArgs, opts?: InvokeOptions): Promise<GetClientAuthorizationPolicyResult>
function getClientAuthorizationPolicyOutput(args: GetClientAuthorizationPolicyOutputArgs, opts?: InvokeOptions): Output<GetClientAuthorizationPolicyResult>
Copy
def get_client_authorization_policy(name: Optional[str] = None,
                                    realm_id: Optional[str] = None,
                                    resource_server_id: Optional[str] = None,
                                    opts: Optional[InvokeOptions] = None) -> GetClientAuthorizationPolicyResult
def get_client_authorization_policy_output(name: Optional[pulumi.Input[str]] = None,
                                    realm_id: Optional[pulumi.Input[str]] = None,
                                    resource_server_id: Optional[pulumi.Input[str]] = None,
                                    opts: Optional[InvokeOptions] = None) -> Output[GetClientAuthorizationPolicyResult]
Copy
func GetClientAuthorizationPolicy(ctx *Context, args *GetClientAuthorizationPolicyArgs, opts ...InvokeOption) (*GetClientAuthorizationPolicyResult, error)
func GetClientAuthorizationPolicyOutput(ctx *Context, args *GetClientAuthorizationPolicyOutputArgs, opts ...InvokeOption) GetClientAuthorizationPolicyResultOutput
Copy

> Note: This function is named GetClientAuthorizationPolicy in the Go SDK.

public static class GetClientAuthorizationPolicy 
{
    public static Task<GetClientAuthorizationPolicyResult> InvokeAsync(GetClientAuthorizationPolicyArgs args, InvokeOptions? opts = null)
    public static Output<GetClientAuthorizationPolicyResult> Invoke(GetClientAuthorizationPolicyInvokeArgs args, InvokeOptions? opts = null)
}
Copy
public static CompletableFuture<GetClientAuthorizationPolicyResult> getClientAuthorizationPolicy(GetClientAuthorizationPolicyArgs args, InvokeOptions options)
public static Output<GetClientAuthorizationPolicyResult> getClientAuthorizationPolicy(GetClientAuthorizationPolicyArgs args, InvokeOptions options)
Copy
fn::invoke:
  function: keycloak:openid/getClientAuthorizationPolicy:getClientAuthorizationPolicy
  arguments:
    # arguments dictionary
Copy

The following arguments are supported:

Name This property is required. string
The name of the authorization policy.
RealmId This property is required. string
The realm this authorization policy exists within.
ResourceServerId This property is required. string
The ID of the resource server this authorization policy is attached to.
Name This property is required. string
The name of the authorization policy.
RealmId This property is required. string
The realm this authorization policy exists within.
ResourceServerId This property is required. string
The ID of the resource server this authorization policy is attached to.
name This property is required. String
The name of the authorization policy.
realmId This property is required. String
The realm this authorization policy exists within.
resourceServerId This property is required. String
The ID of the resource server this authorization policy is attached to.
name This property is required. string
The name of the authorization policy.
realmId This property is required. string
The realm this authorization policy exists within.
resourceServerId This property is required. string
The ID of the resource server this authorization policy is attached to.
name This property is required. str
The name of the authorization policy.
realm_id This property is required. str
The realm this authorization policy exists within.
resource_server_id This property is required. str
The ID of the resource server this authorization policy is attached to.
name This property is required. String
The name of the authorization policy.
realmId This property is required. String
The realm this authorization policy exists within.
resourceServerId This property is required. String
The ID of the resource server this authorization policy is attached to.

getClientAuthorizationPolicy Result

The following output properties are available:

DecisionStrategy string
(Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
Id string
The provider-assigned unique ID for this managed resource.
Logic string
(Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
Name string
Owner string
(Computed) The ID of the owning resource. Applies to resources.
Policies List<string>
(Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
RealmId string
ResourceServerId string
Resources List<string>
(Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
Scopes List<string>
(Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
Type string
(Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js.
DecisionStrategy string
(Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
Id string
The provider-assigned unique ID for this managed resource.
Logic string
(Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
Name string
Owner string
(Computed) The ID of the owning resource. Applies to resources.
Policies []string
(Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
RealmId string
ResourceServerId string
Resources []string
(Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
Scopes []string
(Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
Type string
(Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js.
decisionStrategy String
(Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
id String
The provider-assigned unique ID for this managed resource.
logic String
(Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
name String
owner String
(Computed) The ID of the owning resource. Applies to resources.
policies List<String>
(Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
realmId String
resourceServerId String
resources List<String>
(Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
scopes List<String>
(Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
type String
(Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js.
decisionStrategy string
(Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
id string
The provider-assigned unique ID for this managed resource.
logic string
(Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
name string
owner string
(Computed) The ID of the owning resource. Applies to resources.
policies string[]
(Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
realmId string
resourceServerId string
resources string[]
(Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
scopes string[]
(Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
type string
(Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js.
decision_strategy str
(Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
id str
The provider-assigned unique ID for this managed resource.
logic str
(Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
name str
owner str
(Computed) The ID of the owning resource. Applies to resources.
policies Sequence[str]
(Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
realm_id str
resource_server_id str
resources Sequence[str]
(Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
scopes Sequence[str]
(Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
type str
(Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js.
decisionStrategy String
(Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions.
id String
The provider-assigned unique ID for this managed resource.
logic String
(Computed) Dictates how the policy decision should be made. Can be either POSITIVE or NEGATIVE. Applies to policies.
name String
owner String
(Computed) The ID of the owning resource. Applies to resources.
policies List<String>
(Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
realmId String
resourceServerId String
resources List<String>
(Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
scopes List<String>
(Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
type String
(Computed) The type of this policy / permission. For permissions, this could be resource or scope. For policies, this could be any type of authorization policy, such as js.

Package Details

Repository
Keycloak pulumi/pulumi-keycloak
License
Apache-2.0
Notes
This Pulumi package is based on the keycloak Terraform Provider.