Keycloak v6.7.0 published on Tuesday, Jul 29, 2025 by Pulumi
keycloak.openid.getClientAuthorizationPolicy
Start a Neo task
Explain and create a keycloak.openid.getClientAuthorizationPolicy resource
This data source can be used to fetch policy and permission information for an OpenID client that has authorization enabled.
Example Usage
In this example, we’ll create a new OpenID client with authorization enabled. This will cause Keycloak to create a default
permission for this client called “Default Permission”. We’ll use the keycloak.openid.getClientAuthorizationPolicy data
source to fetch information about this permission, so we can use it to create a new resource-based authorization permission.
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const clientWithAuthz = new keycloak.openid.Client("client_with_authz", {
clientId: "client-with-authz",
name: "client-with-authz",
realmId: realm.id,
accessType: "CONFIDENTIAL",
serviceAccountsEnabled: true,
authorization: {
policyEnforcementMode: "ENFORCING",
},
});
const defaultPermission = keycloak.openid.getClientAuthorizationPolicyOutput({
realmId: realm.id,
resourceServerId: clientWithAuthz.resourceServerId,
name: "Default Permission",
});
const resource = new keycloak.openid.ClientAuthorizationResource("resource", {
resourceServerId: clientWithAuthz.resourceServerId,
name: "authorization-resource",
realmId: realm.id,
uris: ["/endpoint/*"],
attributes: {
foo: "bar",
},
});
const permission = new keycloak.openid.ClientAuthorizationPermission("permission", {
resourceServerId: clientWithAuthz.resourceServerId,
realmId: realm.id,
name: "authorization-permission",
policies: [defaultPermission.apply(defaultPermission => defaultPermission.id)],
resources: [resource.id],
});
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
client_with_authz = keycloak.openid.Client("client_with_authz",
client_id="client-with-authz",
name="client-with-authz",
realm_id=realm.id,
access_type="CONFIDENTIAL",
service_accounts_enabled=True,
authorization={
"policy_enforcement_mode": "ENFORCING",
})
default_permission = keycloak.openid.get_client_authorization_policy_output(realm_id=realm.id,
resource_server_id=client_with_authz.resource_server_id,
name="Default Permission")
resource = keycloak.openid.ClientAuthorizationResource("resource",
resource_server_id=client_with_authz.resource_server_id,
name="authorization-resource",
realm_id=realm.id,
uris=["/endpoint/*"],
attributes={
"foo": "bar",
})
permission = keycloak.openid.ClientAuthorizationPermission("permission",
resource_server_id=client_with_authz.resource_server_id,
realm_id=realm.id,
name="authorization-permission",
policies=[default_permission.id],
resources=[resource.id])
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
clientWithAuthz, err := openid.NewClient(ctx, "client_with_authz", &openid.ClientArgs{
ClientId: pulumi.String("client-with-authz"),
Name: pulumi.String("client-with-authz"),
RealmId: realm.ID(),
AccessType: pulumi.String("CONFIDENTIAL"),
ServiceAccountsEnabled: pulumi.Bool(true),
Authorization: &openid.ClientAuthorizationArgs{
PolicyEnforcementMode: pulumi.String("ENFORCING"),
},
})
if err != nil {
return err
}
defaultPermission := openid.GetClientAuthorizationPolicyOutput(ctx, openid.GetClientAuthorizationPolicyOutputArgs{
RealmId: realm.ID(),
ResourceServerId: clientWithAuthz.ResourceServerId,
Name: pulumi.String("Default Permission"),
}, nil)
resource, err := openid.NewClientAuthorizationResource(ctx, "resource", &openid.ClientAuthorizationResourceArgs{
ResourceServerId: clientWithAuthz.ResourceServerId,
Name: pulumi.String("authorization-resource"),
RealmId: realm.ID(),
Uris: pulumi.StringArray{
pulumi.String("/endpoint/*"),
},
Attributes: pulumi.StringMap{
"foo": pulumi.String("bar"),
},
})
if err != nil {
return err
}
_, err = openid.NewClientAuthorizationPermission(ctx, "permission", &openid.ClientAuthorizationPermissionArgs{
ResourceServerId: clientWithAuthz.ResourceServerId,
RealmId: realm.ID(),
Name: pulumi.String("authorization-permission"),
Policies: pulumi.StringArray{
pulumi.String(defaultPermission.ApplyT(func(defaultPermission openid.GetClientAuthorizationPolicyResult) (*string, error) {
return &defaultPermission.Id, nil
}).(pulumi.StringPtrOutput)),
},
Resources: pulumi.StringArray{
resource.ID(),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var clientWithAuthz = new Keycloak.OpenId.Client("client_with_authz", new()
{
ClientId = "client-with-authz",
Name = "client-with-authz",
RealmId = realm.Id,
AccessType = "CONFIDENTIAL",
ServiceAccountsEnabled = true,
Authorization = new Keycloak.OpenId.Inputs.ClientAuthorizationArgs
{
PolicyEnforcementMode = "ENFORCING",
},
});
var defaultPermission = Keycloak.OpenId.GetClientAuthorizationPolicy.Invoke(new()
{
RealmId = realm.Id,
ResourceServerId = clientWithAuthz.ResourceServerId,
Name = "Default Permission",
});
var resource = new Keycloak.OpenId.ClientAuthorizationResource("resource", new()
{
ResourceServerId = clientWithAuthz.ResourceServerId,
Name = "authorization-resource",
RealmId = realm.Id,
Uris = new[]
{
"/endpoint/*",
},
Attributes =
{
{ "foo", "bar" },
},
});
var permission = new Keycloak.OpenId.ClientAuthorizationPermission("permission", new()
{
ResourceServerId = clientWithAuthz.ResourceServerId,
RealmId = realm.Id,
Name = "authorization-permission",
Policies = new[]
{
defaultPermission.Apply(getClientAuthorizationPolicyResult => getClientAuthorizationPolicyResult.Id),
},
Resources = new[]
{
resource.Id,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.Client;
import com.pulumi.keycloak.openid.ClientArgs;
import com.pulumi.keycloak.openid.inputs.ClientAuthorizationArgs;
import com.pulumi.keycloak.openid.OpenidFunctions;
import com.pulumi.keycloak.openid.inputs.GetClientAuthorizationPolicyArgs;
import com.pulumi.keycloak.openid.ClientAuthorizationResource;
import com.pulumi.keycloak.openid.ClientAuthorizationResourceArgs;
import com.pulumi.keycloak.openid.ClientAuthorizationPermission;
import com.pulumi.keycloak.openid.ClientAuthorizationPermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var clientWithAuthz = new Client("clientWithAuthz", ClientArgs.builder()
.clientId("client-with-authz")
.name("client-with-authz")
.realmId(realm.id())
.accessType("CONFIDENTIAL")
.serviceAccountsEnabled(true)
.authorization(ClientAuthorizationArgs.builder()
.policyEnforcementMode("ENFORCING")
.build())
.build());
final var defaultPermission = OpenidFunctions.getClientAuthorizationPolicy(GetClientAuthorizationPolicyArgs.builder()
.realmId(realm.id())
.resourceServerId(clientWithAuthz.resourceServerId())
.name("Default Permission")
.build());
var resource = new ClientAuthorizationResource("resource", ClientAuthorizationResourceArgs.builder()
.resourceServerId(clientWithAuthz.resourceServerId())
.name("authorization-resource")
.realmId(realm.id())
.uris("/endpoint/*")
.attributes(Map.of("foo", "bar"))
.build());
var permission = new ClientAuthorizationPermission("permission", ClientAuthorizationPermissionArgs.builder()
.resourceServerId(clientWithAuthz.resourceServerId())
.realmId(realm.id())
.name("authorization-permission")
.policies(defaultPermission.applyValue(_defaultPermission -> _defaultPermission.id()))
.resources(resource.id())
.build());
}
}
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
clientWithAuthz:
type: keycloak:openid:Client
name: client_with_authz
properties:
clientId: client-with-authz
name: client-with-authz
realmId: ${realm.id}
accessType: CONFIDENTIAL
serviceAccountsEnabled: true
authorization:
policyEnforcementMode: ENFORCING
resource:
type: keycloak:openid:ClientAuthorizationResource
properties:
resourceServerId: ${clientWithAuthz.resourceServerId}
name: authorization-resource
realmId: ${realm.id}
uris:
- /endpoint/*
attributes:
foo: bar
permission:
type: keycloak:openid:ClientAuthorizationPermission
properties:
resourceServerId: ${clientWithAuthz.resourceServerId}
realmId: ${realm.id}
name: authorization-permission
policies:
- ${defaultPermission.id}
resources:
- ${resource.id}
variables:
defaultPermission:
fn::invoke:
function: keycloak:openid:getClientAuthorizationPolicy
arguments:
realmId: ${realm.id}
resourceServerId: ${clientWithAuthz.resourceServerId}
name: Default Permission
Using getClientAuthorizationPolicy
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getClientAuthorizationPolicy(args: GetClientAuthorizationPolicyArgs, opts?: InvokeOptions): Promise<GetClientAuthorizationPolicyResult>
function getClientAuthorizationPolicyOutput(args: GetClientAuthorizationPolicyOutputArgs, opts?: InvokeOptions): Output<GetClientAuthorizationPolicyResult>def get_client_authorization_policy(name: Optional[str] = None,
realm_id: Optional[str] = None,
resource_server_id: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetClientAuthorizationPolicyResult
def get_client_authorization_policy_output(name: Optional[pulumi.Input[str]] = None,
realm_id: Optional[pulumi.Input[str]] = None,
resource_server_id: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetClientAuthorizationPolicyResult]func GetClientAuthorizationPolicy(ctx *Context, args *GetClientAuthorizationPolicyArgs, opts ...InvokeOption) (*GetClientAuthorizationPolicyResult, error)
func GetClientAuthorizationPolicyOutput(ctx *Context, args *GetClientAuthorizationPolicyOutputArgs, opts ...InvokeOption) GetClientAuthorizationPolicyResultOutput> Note: This function is named GetClientAuthorizationPolicy in the Go SDK.
public static class GetClientAuthorizationPolicy
{
public static Task<GetClientAuthorizationPolicyResult> InvokeAsync(GetClientAuthorizationPolicyArgs args, InvokeOptions? opts = null)
public static Output<GetClientAuthorizationPolicyResult> Invoke(GetClientAuthorizationPolicyInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetClientAuthorizationPolicyResult> getClientAuthorizationPolicy(GetClientAuthorizationPolicyArgs args, InvokeOptions options)
public static Output<GetClientAuthorizationPolicyResult> getClientAuthorizationPolicy(GetClientAuthorizationPolicyArgs args, InvokeOptions options)
fn::invoke:
function: keycloak:openid/getClientAuthorizationPolicy:getClientAuthorizationPolicy
arguments:
# arguments dictionaryThe following arguments are supported:
- Name string
- The name of the authorization policy.
- Realm
Id string - The realm this authorization policy exists within.
- Resource
Server stringId - The ID of the resource server this authorization policy is attached to.
- Name string
- The name of the authorization policy.
- Realm
Id string - The realm this authorization policy exists within.
- Resource
Server stringId - The ID of the resource server this authorization policy is attached to.
- name String
- The name of the authorization policy.
- realm
Id String - The realm this authorization policy exists within.
- resource
Server StringId - The ID of the resource server this authorization policy is attached to.
- name string
- The name of the authorization policy.
- realm
Id string - The realm this authorization policy exists within.
- resource
Server stringId - The ID of the resource server this authorization policy is attached to.
- name str
- The name of the authorization policy.
- realm_
id str - The realm this authorization policy exists within.
- resource_
server_ strid - The ID of the resource server this authorization policy is attached to.
- name String
- The name of the authorization policy.
- realm
Id String - The realm this authorization policy exists within.
- resource
Server StringId - The ID of the resource server this authorization policy is attached to.
getClientAuthorizationPolicy Result
The following output properties are available:
- Decision
Strategy string - (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of
AFFIRMATIVE,CONSENSUS, orUNANIMOUS. Applies to permissions. - Id string
- The provider-assigned unique ID for this managed resource.
- Logic string
- (Computed) Dictates how the policy decision should be made. Can be either
POSITIVEorNEGATIVE. Applies to policies. - Name string
- Owner string
- (Computed) The ID of the owning resource. Applies to resources.
- Policies List<string>
- (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
- Realm
Id string - Resource
Server stringId - Resources List<string>
- (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
- Scopes List<string>
- (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
- Type string
- (Computed) The type of this policy / permission. For permissions, this could be
resourceorscope. For policies, this could be any type of authorization policy, such asjs.
- Decision
Strategy string - (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of
AFFIRMATIVE,CONSENSUS, orUNANIMOUS. Applies to permissions. - Id string
- The provider-assigned unique ID for this managed resource.
- Logic string
- (Computed) Dictates how the policy decision should be made. Can be either
POSITIVEorNEGATIVE. Applies to policies. - Name string
- Owner string
- (Computed) The ID of the owning resource. Applies to resources.
- Policies []string
- (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
- Realm
Id string - Resource
Server stringId - Resources []string
- (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
- Scopes []string
- (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
- Type string
- (Computed) The type of this policy / permission. For permissions, this could be
resourceorscope. For policies, this could be any type of authorization policy, such asjs.
- decision
Strategy String - (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of
AFFIRMATIVE,CONSENSUS, orUNANIMOUS. Applies to permissions. - id String
- The provider-assigned unique ID for this managed resource.
- logic String
- (Computed) Dictates how the policy decision should be made. Can be either
POSITIVEorNEGATIVE. Applies to policies. - name String
- owner String
- (Computed) The ID of the owning resource. Applies to resources.
- policies List<String>
- (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
- realm
Id String - resource
Server StringId - resources List<String>
- (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
- scopes List<String>
- (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
- type String
- (Computed) The type of this policy / permission. For permissions, this could be
resourceorscope. For policies, this could be any type of authorization policy, such asjs.
- decision
Strategy string - (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of
AFFIRMATIVE,CONSENSUS, orUNANIMOUS. Applies to permissions. - id string
- The provider-assigned unique ID for this managed resource.
- logic string
- (Computed) Dictates how the policy decision should be made. Can be either
POSITIVEorNEGATIVE. Applies to policies. - name string
- owner string
- (Computed) The ID of the owning resource. Applies to resources.
- policies string[]
- (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
- realm
Id string - resource
Server stringId - resources string[]
- (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
- scopes string[]
- (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
- type string
- (Computed) The type of this policy / permission. For permissions, this could be
resourceorscope. For policies, this could be any type of authorization policy, such asjs.
- decision_
strategy str - (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of
AFFIRMATIVE,CONSENSUS, orUNANIMOUS. Applies to permissions. - id str
- The provider-assigned unique ID for this managed resource.
- logic str
- (Computed) Dictates how the policy decision should be made. Can be either
POSITIVEorNEGATIVE. Applies to policies. - name str
- owner str
- (Computed) The ID of the owning resource. Applies to resources.
- policies Sequence[str]
- (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
- realm_
id str - resource_
server_ strid - resources Sequence[str]
- (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
- scopes Sequence[str]
- (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
- type str
- (Computed) The type of this policy / permission. For permissions, this could be
resourceorscope. For policies, this could be any type of authorization policy, such asjs.
- decision
Strategy String - (Computed) Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of
AFFIRMATIVE,CONSENSUS, orUNANIMOUS. Applies to permissions. - id String
- The provider-assigned unique ID for this managed resource.
- logic String
- (Computed) Dictates how the policy decision should be made. Can be either
POSITIVEorNEGATIVE. Applies to policies. - name String
- owner String
- (Computed) The ID of the owning resource. Applies to resources.
- policies List<String>
- (Computed) The IDs of the policies that must be applied to scopes/resources for this policy/permission. Applies to policies and permissions.
- realm
Id String - resource
Server StringId - resources List<String>
- (Computed) The IDs of the resources that this permission applies to. Applies to resource-based permissions.
- scopes List<String>
- (Computed) The IDs of the scopes that this permission applies to. Applies to scope-based permissions.
- type String
- (Computed) The type of this policy / permission. For permissions, this could be
resourceorscope. For policies, this could be any type of authorization policy, such asjs.
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
keycloakTerraform Provider.
