com.pulumi.keycloak.openid.ClientArgs Maven / Gradle / Ivy
// *** WARNING: this file was generated by pulumi-java-gen. ***
// *** Do not edit by hand unless you're certain you know what you are doing! ***
package com.pulumi.keycloak.openid;
import com.pulumi.core.Output;
import com.pulumi.core.annotations.Import;
import com.pulumi.exceptions.MissingRequiredPropertyException;
import com.pulumi.keycloak.openid.inputs.ClientAuthenticationFlowBindingOverridesArgs;
import com.pulumi.keycloak.openid.inputs.ClientAuthorizationArgs;
import java.lang.Boolean;
import java.lang.String;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.annotation.Nullable;
public final class ClientArgs extends com.pulumi.resources.ResourceArgs {
public static final ClientArgs Empty = new ClientArgs();
/**
* The amount of time in seconds before an access token expires. This will override the default for the realm.
*
*/
@Import(name="accessTokenLifespan")
private @Nullable Output accessTokenLifespan;
/**
* @return The amount of time in seconds before an access token expires. This will override the default for the realm.
*
*/
public Optional> accessTokenLifespan() {
return Optional.ofNullable(this.accessTokenLifespan);
}
/**
* Specifies the type of client, which can be one of the following:
* - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating.
* This client should be used for applications using the Authorization Code or Client Credentials grant flows.
* - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect
* URIs for security. This client should be used for applications using the Implicit grant flow.
* - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests.
*
*/
@Import(name="accessType", required=true)
private Output accessType;
/**
* @return Specifies the type of client, which can be one of the following:
* - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating.
* This client should be used for applications using the Authorization Code or Client Credentials grant flows.
* - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect
* URIs for security. This client should be used for applications using the Implicit grant flow.
* - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests.
*
*/
public Output accessType() {
return this.accessType;
}
/**
* URL to the admin interface of the client.
*
*/
@Import(name="adminUrl")
private @Nullable Output adminUrl;
/**
* @return URL to the admin interface of the client.
*
*/
public Optional> adminUrl() {
return Optional.ofNullable(this.adminUrl);
}
/**
* Override realm authentication flow bindings
*
*/
@Import(name="authenticationFlowBindingOverrides")
private @Nullable Output authenticationFlowBindingOverrides;
/**
* @return Override realm authentication flow bindings
*
*/
public Optional> authenticationFlowBindingOverrides() {
return Optional.ofNullable(this.authenticationFlowBindingOverrides);
}
/**
* When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments:
*
*/
@Import(name="authorization")
private @Nullable Output authorization;
/**
* @return When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments:
*
*/
public Optional> authorization() {
return Optional.ofNullable(this.authorization);
}
/**
* Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
*
*/
@Import(name="backchannelLogoutRevokeOfflineSessions")
private @Nullable Output backchannelLogoutRevokeOfflineSessions;
/**
* @return Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
*
*/
public Optional> backchannelLogoutRevokeOfflineSessions() {
return Optional.ofNullable(this.backchannelLogoutRevokeOfflineSessions);
}
/**
* When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`.
*
*/
@Import(name="backchannelLogoutSessionRequired")
private @Nullable Output backchannelLogoutSessionRequired;
/**
* @return When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`.
*
*/
public Optional> backchannelLogoutSessionRequired() {
return Optional.ofNullable(this.backchannelLogoutSessionRequired);
}
/**
* The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
*
*/
@Import(name="backchannelLogoutUrl")
private @Nullable Output backchannelLogoutUrl;
/**
* @return The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
*
*/
public Optional> backchannelLogoutUrl() {
return Optional.ofNullable(this.backchannelLogoutUrl);
}
/**
* Default URL to use when the auth server needs to redirect or link back to the client.
*
*/
@Import(name="baseUrl")
private @Nullable Output baseUrl;
/**
* @return Default URL to use when the auth server needs to redirect or link back to the client.
*
*/
public Optional> baseUrl() {
return Optional.ofNullable(this.baseUrl);
}
/**
* Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types:
* - `client-secret` (Default) Use client id and client secret to authenticate client.
* - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`
* - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>`
* - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`
*
*/
@Import(name="clientAuthenticatorType")
private @Nullable Output clientAuthenticatorType;
/**
* @return Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types:
* - `client-secret` (Default) Use client id and client secret to authenticate client.
* - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`
* - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>`
* - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`
*
*/
public Optional> clientAuthenticatorType() {
return Optional.ofNullable(this.clientAuthenticatorType);
}
/**
* The Client ID for this client, referenced in the URI during authentication and in issued tokens.
*
*/
@Import(name="clientId", required=true)
private Output clientId;
/**
* @return The Client ID for this client, referenced in the URI during authentication and in issued tokens.
*
*/
public Output clientId() {
return this.clientId;
}
/**
* Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
*
*/
@Import(name="clientOfflineSessionIdleTimeout")
private @Nullable Output clientOfflineSessionIdleTimeout;
/**
* @return Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
*
*/
public Optional> clientOfflineSessionIdleTimeout() {
return Optional.ofNullable(this.clientOfflineSessionIdleTimeout);
}
/**
* Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
*
*/
@Import(name="clientOfflineSessionMaxLifespan")
private @Nullable Output clientOfflineSessionMaxLifespan;
/**
* @return Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
*
*/
public Optional> clientOfflineSessionMaxLifespan() {
return Optional.ofNullable(this.clientOfflineSessionMaxLifespan);
}
/**
* The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
*
*/
@Import(name="clientSecret")
private @Nullable Output clientSecret;
/**
* @return The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
*
*/
public Optional> clientSecret() {
return Optional.ofNullable(this.clientSecret);
}
/**
* Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
*
*/
@Import(name="clientSessionIdleTimeout")
private @Nullable Output clientSessionIdleTimeout;
/**
* @return Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
*
*/
public Optional> clientSessionIdleTimeout() {
return Optional.ofNullable(this.clientSessionIdleTimeout);
}
/**
* Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
*
*/
@Import(name="clientSessionMaxLifespan")
private @Nullable Output clientSessionMaxLifespan;
/**
* @return Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
*
*/
public Optional> clientSessionMaxLifespan() {
return Optional.ofNullable(this.clientSessionMaxLifespan);
}
/**
* When `true`, users have to consent to client access. Defaults to `false`.
*
*/
@Import(name="consentRequired")
private @Nullable Output consentRequired;
/**
* @return When `true`, users have to consent to client access. Defaults to `false`.
*
*/
public Optional> consentRequired() {
return Optional.ofNullable(this.consentRequired);
}
/**
* The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`.
*
*/
@Import(name="consentScreenText")
private @Nullable Output consentScreenText;
/**
* @return The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`.
*
*/
public Optional> consentScreenText() {
return Optional.ofNullable(this.consentScreenText);
}
/**
* The description of this client in the GUI.
*
*/
@Import(name="description")
private @Nullable Output description;
/**
* @return The description of this client in the GUI.
*
*/
public Optional> description() {
return Optional.ofNullable(this.description);
}
/**
* When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`.
*
*/
@Import(name="directAccessGrantsEnabled")
private @Nullable Output directAccessGrantsEnabled;
/**
* @return When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`.
*
*/
public Optional> directAccessGrantsEnabled() {
return Optional.ofNullable(this.directAccessGrantsEnabled);
}
/**
* When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`.
*
*/
@Import(name="displayOnConsentScreen")
private @Nullable Output displayOnConsentScreen;
/**
* @return When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`.
*
*/
public Optional> displayOnConsentScreen() {
return Optional.ofNullable(this.displayOnConsentScreen);
}
/**
* When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.
*
*/
@Import(name="enabled")
private @Nullable Output enabled;
/**
* @return When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.
*
*/
public Optional> enabled() {
return Optional.ofNullable(this.enabled);
}
/**
* When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response.
*
*/
@Import(name="excludeSessionStateFromAuthResponse")
private @Nullable Output excludeSessionStateFromAuthResponse;
/**
* @return When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response.
*
*/
public Optional> excludeSessionStateFromAuthResponse() {
return Optional.ofNullable(this.excludeSessionStateFromAuthResponse);
}
@Import(name="extraConfig")
private @Nullable Output> extraConfig;
public Optional>> extraConfig() {
return Optional.ofNullable(this.extraConfig);
}
/**
* When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`.
*
*/
@Import(name="frontchannelLogoutEnabled")
private @Nullable Output frontchannelLogoutEnabled;
/**
* @return When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`.
*
*/
public Optional> frontchannelLogoutEnabled() {
return Optional.ofNullable(this.frontchannelLogoutEnabled);
}
/**
* The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`.
*
*/
@Import(name="frontchannelLogoutUrl")
private @Nullable Output frontchannelLogoutUrl;
/**
* @return The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`.
*
*/
public Optional> frontchannelLogoutUrl() {
return Optional.ofNullable(this.frontchannelLogoutUrl);
}
/**
* Allow to include all roles mappings in the access token.
*
*/
@Import(name="fullScopeAllowed")
private @Nullable Output fullScopeAllowed;
/**
* @return Allow to include all roles mappings in the access token.
*
*/
public Optional> fullScopeAllowed() {
return Optional.ofNullable(this.fullScopeAllowed);
}
/**
* When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`.
*
*/
@Import(name="implicitFlowEnabled")
private @Nullable Output implicitFlowEnabled;
/**
* @return When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`.
*
*/
public Optional> implicitFlowEnabled() {
return Optional.ofNullable(this.implicitFlowEnabled);
}
/**
* When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`.
*
*/
@Import(name="import")
private @Nullable Output import_;
/**
* @return When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`.
*
*/
public Optional> import_() {
return Optional.ofNullable(this.import_);
}
/**
* The client login theme. This will override the default theme for the realm.
*
*/
@Import(name="loginTheme")
private @Nullable Output loginTheme;
/**
* @return The client login theme. This will override the default theme for the realm.
*
*/
public Optional> loginTheme() {
return Optional.ofNullable(this.loginTheme);
}
/**
* The display name of this client in the GUI.
*
*/
@Import(name="name")
private @Nullable Output name;
/**
* @return The display name of this client in the GUI.
*
*/
public Optional> name() {
return Optional.ofNullable(this.name);
}
/**
* Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
*
*/
@Import(name="oauth2DeviceAuthorizationGrantEnabled")
private @Nullable Output oauth2DeviceAuthorizationGrantEnabled;
/**
* @return Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
*
*/
public Optional> oauth2DeviceAuthorizationGrantEnabled() {
return Optional.ofNullable(this.oauth2DeviceAuthorizationGrantEnabled);
}
/**
* The maximum amount of time a client has to finish the device code flow before it expires.
*
*/
@Import(name="oauth2DeviceCodeLifespan")
private @Nullable Output oauth2DeviceCodeLifespan;
/**
* @return The maximum amount of time a client has to finish the device code flow before it expires.
*
*/
public Optional> oauth2DeviceCodeLifespan() {
return Optional.ofNullable(this.oauth2DeviceCodeLifespan);
}
/**
* The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
*
*/
@Import(name="oauth2DevicePollingInterval")
private @Nullable Output oauth2DevicePollingInterval;
/**
* @return The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
*
*/
public Optional> oauth2DevicePollingInterval() {
return Optional.ofNullable(this.oauth2DevicePollingInterval);
}
/**
* The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``.
*
*/
@Import(name="pkceCodeChallengeMethod")
private @Nullable Output pkceCodeChallengeMethod;
/**
* @return The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``.
*
*/
public Optional> pkceCodeChallengeMethod() {
return Optional.ofNullable(this.pkceCodeChallengeMethod);
}
/**
* The realm this client is attached to.
*
*/
@Import(name="realmId", required=true)
private Output realmId;
/**
* @return The realm this client is attached to.
*
*/
public Output realmId() {
return this.realmId;
}
/**
* When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required.
*
*/
@Import(name="rootUrl")
private @Nullable Output rootUrl;
/**
* @return When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required.
*
*/
public Optional> rootUrl() {
return Optional.ofNullable(this.rootUrl);
}
/**
* When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`.
*
*/
@Import(name="serviceAccountsEnabled")
private @Nullable Output serviceAccountsEnabled;
/**
* @return When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`.
*
*/
public Optional> serviceAccountsEnabled() {
return Optional.ofNullable(this.serviceAccountsEnabled);
}
/**
* When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`.
*
*/
@Import(name="standardFlowEnabled")
private @Nullable Output standardFlowEnabled;
/**
* @return When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`.
*
*/
public Optional> standardFlowEnabled() {
return Optional.ofNullable(this.standardFlowEnabled);
}
/**
* If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`.
*
*/
@Import(name="useRefreshTokens")
private @Nullable Output useRefreshTokens;
/**
* @return If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`.
*
*/
public Optional> useRefreshTokens() {
return Optional.ofNullable(this.useRefreshTokens);
}
/**
* If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`.
*
*/
@Import(name="useRefreshTokensClientCredentials")
private @Nullable Output useRefreshTokensClientCredentials;
/**
* @return If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`.
*
*/
public Optional> useRefreshTokensClientCredentials() {
return Optional.ofNullable(this.useRefreshTokensClientCredentials);
}
/**
* A list of valid URIs a browser is permitted to redirect to after a successful logout.
*
*/
@Import(name="validPostLogoutRedirectUris")
private @Nullable Output> validPostLogoutRedirectUris;
/**
* @return A list of valid URIs a browser is permitted to redirect to after a successful logout.
*
*/
public Optional>> validPostLogoutRedirectUris() {
return Optional.ofNullable(this.validPostLogoutRedirectUris);
}
/**
* A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple
* wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled`
* is set to `true`.
*
*/
@Import(name="validRedirectUris")
private @Nullable Output> validRedirectUris;
/**
* @return A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple
* wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled`
* is set to `true`.
*
*/
public Optional>> validRedirectUris() {
return Optional.ofNullable(this.validRedirectUris);
}
/**
* A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`."
*
*/
@Import(name="webOrigins")
private @Nullable Output> webOrigins;
/**
* @return A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`."
*
*/
public Optional>> webOrigins() {
return Optional.ofNullable(this.webOrigins);
}
private ClientArgs() {}
private ClientArgs(ClientArgs $) {
this.accessTokenLifespan = $.accessTokenLifespan;
this.accessType = $.accessType;
this.adminUrl = $.adminUrl;
this.authenticationFlowBindingOverrides = $.authenticationFlowBindingOverrides;
this.authorization = $.authorization;
this.backchannelLogoutRevokeOfflineSessions = $.backchannelLogoutRevokeOfflineSessions;
this.backchannelLogoutSessionRequired = $.backchannelLogoutSessionRequired;
this.backchannelLogoutUrl = $.backchannelLogoutUrl;
this.baseUrl = $.baseUrl;
this.clientAuthenticatorType = $.clientAuthenticatorType;
this.clientId = $.clientId;
this.clientOfflineSessionIdleTimeout = $.clientOfflineSessionIdleTimeout;
this.clientOfflineSessionMaxLifespan = $.clientOfflineSessionMaxLifespan;
this.clientSecret = $.clientSecret;
this.clientSessionIdleTimeout = $.clientSessionIdleTimeout;
this.clientSessionMaxLifespan = $.clientSessionMaxLifespan;
this.consentRequired = $.consentRequired;
this.consentScreenText = $.consentScreenText;
this.description = $.description;
this.directAccessGrantsEnabled = $.directAccessGrantsEnabled;
this.displayOnConsentScreen = $.displayOnConsentScreen;
this.enabled = $.enabled;
this.excludeSessionStateFromAuthResponse = $.excludeSessionStateFromAuthResponse;
this.extraConfig = $.extraConfig;
this.frontchannelLogoutEnabled = $.frontchannelLogoutEnabled;
this.frontchannelLogoutUrl = $.frontchannelLogoutUrl;
this.fullScopeAllowed = $.fullScopeAllowed;
this.implicitFlowEnabled = $.implicitFlowEnabled;
this.import_ = $.import_;
this.loginTheme = $.loginTheme;
this.name = $.name;
this.oauth2DeviceAuthorizationGrantEnabled = $.oauth2DeviceAuthorizationGrantEnabled;
this.oauth2DeviceCodeLifespan = $.oauth2DeviceCodeLifespan;
this.oauth2DevicePollingInterval = $.oauth2DevicePollingInterval;
this.pkceCodeChallengeMethod = $.pkceCodeChallengeMethod;
this.realmId = $.realmId;
this.rootUrl = $.rootUrl;
this.serviceAccountsEnabled = $.serviceAccountsEnabled;
this.standardFlowEnabled = $.standardFlowEnabled;
this.useRefreshTokens = $.useRefreshTokens;
this.useRefreshTokensClientCredentials = $.useRefreshTokensClientCredentials;
this.validPostLogoutRedirectUris = $.validPostLogoutRedirectUris;
this.validRedirectUris = $.validRedirectUris;
this.webOrigins = $.webOrigins;
}
public static Builder builder() {
return new Builder();
}
public static Builder builder(ClientArgs defaults) {
return new Builder(defaults);
}
public static final class Builder {
private ClientArgs $;
public Builder() {
$ = new ClientArgs();
}
public Builder(ClientArgs defaults) {
$ = new ClientArgs(Objects.requireNonNull(defaults));
}
/**
* @param accessTokenLifespan The amount of time in seconds before an access token expires. This will override the default for the realm.
*
* @return builder
*
*/
public Builder accessTokenLifespan(@Nullable Output accessTokenLifespan) {
$.accessTokenLifespan = accessTokenLifespan;
return this;
}
/**
* @param accessTokenLifespan The amount of time in seconds before an access token expires. This will override the default for the realm.
*
* @return builder
*
*/
public Builder accessTokenLifespan(String accessTokenLifespan) {
return accessTokenLifespan(Output.of(accessTokenLifespan));
}
/**
* @param accessType Specifies the type of client, which can be one of the following:
* - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating.
* This client should be used for applications using the Authorization Code or Client Credentials grant flows.
* - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect
* URIs for security. This client should be used for applications using the Implicit grant flow.
* - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests.
*
* @return builder
*
*/
public Builder accessType(Output accessType) {
$.accessType = accessType;
return this;
}
/**
* @param accessType Specifies the type of client, which can be one of the following:
* - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating.
* This client should be used for applications using the Authorization Code or Client Credentials grant flows.
* - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect
* URIs for security. This client should be used for applications using the Implicit grant flow.
* - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests.
*
* @return builder
*
*/
public Builder accessType(String accessType) {
return accessType(Output.of(accessType));
}
/**
* @param adminUrl URL to the admin interface of the client.
*
* @return builder
*
*/
public Builder adminUrl(@Nullable Output adminUrl) {
$.adminUrl = adminUrl;
return this;
}
/**
* @param adminUrl URL to the admin interface of the client.
*
* @return builder
*
*/
public Builder adminUrl(String adminUrl) {
return adminUrl(Output.of(adminUrl));
}
/**
* @param authenticationFlowBindingOverrides Override realm authentication flow bindings
*
* @return builder
*
*/
public Builder authenticationFlowBindingOverrides(@Nullable Output authenticationFlowBindingOverrides) {
$.authenticationFlowBindingOverrides = authenticationFlowBindingOverrides;
return this;
}
/**
* @param authenticationFlowBindingOverrides Override realm authentication flow bindings
*
* @return builder
*
*/
public Builder authenticationFlowBindingOverrides(ClientAuthenticationFlowBindingOverridesArgs authenticationFlowBindingOverrides) {
return authenticationFlowBindingOverrides(Output.of(authenticationFlowBindingOverrides));
}
/**
* @param authorization When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments:
*
* @return builder
*
*/
public Builder authorization(@Nullable Output authorization) {
$.authorization = authorization;
return this;
}
/**
* @param authorization When this block is present, fine-grained authorization will be enabled for this client. The client's `access_type` must be `CONFIDENTIAL`, and `service_accounts_enabled` must be `true`. This block has the following arguments:
*
* @return builder
*
*/
public Builder authorization(ClientAuthorizationArgs authorization) {
return authorization(Output.of(authorization));
}
/**
* @param backchannelLogoutRevokeOfflineSessions Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
*
* @return builder
*
*/
public Builder backchannelLogoutRevokeOfflineSessions(@Nullable Output backchannelLogoutRevokeOfflineSessions) {
$.backchannelLogoutRevokeOfflineSessions = backchannelLogoutRevokeOfflineSessions;
return this;
}
/**
* @param backchannelLogoutRevokeOfflineSessions Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
*
* @return builder
*
*/
public Builder backchannelLogoutRevokeOfflineSessions(Boolean backchannelLogoutRevokeOfflineSessions) {
return backchannelLogoutRevokeOfflineSessions(Output.of(backchannelLogoutRevokeOfflineSessions));
}
/**
* @param backchannelLogoutSessionRequired When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`.
*
* @return builder
*
*/
public Builder backchannelLogoutSessionRequired(@Nullable Output backchannelLogoutSessionRequired) {
$.backchannelLogoutSessionRequired = backchannelLogoutSessionRequired;
return this;
}
/**
* @param backchannelLogoutSessionRequired When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`.
*
* @return builder
*
*/
public Builder backchannelLogoutSessionRequired(Boolean backchannelLogoutSessionRequired) {
return backchannelLogoutSessionRequired(Output.of(backchannelLogoutSessionRequired));
}
/**
* @param backchannelLogoutUrl The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
*
* @return builder
*
*/
public Builder backchannelLogoutUrl(@Nullable Output backchannelLogoutUrl) {
$.backchannelLogoutUrl = backchannelLogoutUrl;
return this;
}
/**
* @param backchannelLogoutUrl The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
*
* @return builder
*
*/
public Builder backchannelLogoutUrl(String backchannelLogoutUrl) {
return backchannelLogoutUrl(Output.of(backchannelLogoutUrl));
}
/**
* @param baseUrl Default URL to use when the auth server needs to redirect or link back to the client.
*
* @return builder
*
*/
public Builder baseUrl(@Nullable Output baseUrl) {
$.baseUrl = baseUrl;
return this;
}
/**
* @param baseUrl Default URL to use when the auth server needs to redirect or link back to the client.
*
* @return builder
*
*/
public Builder baseUrl(String baseUrl) {
return baseUrl(Output.of(baseUrl));
}
/**
* @param clientAuthenticatorType Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types:
* - `client-secret` (Default) Use client id and client secret to authenticate client.
* - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`
* - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>`
* - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`
*
* @return builder
*
*/
public Builder clientAuthenticatorType(@Nullable Output clientAuthenticatorType) {
$.clientAuthenticatorType = clientAuthenticatorType;
return this;
}
/**
* @param clientAuthenticatorType Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types:
* - `client-secret` (Default) Use client id and client secret to authenticate client.
* - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`
* - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>`
* - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`
*
* @return builder
*
*/
public Builder clientAuthenticatorType(String clientAuthenticatorType) {
return clientAuthenticatorType(Output.of(clientAuthenticatorType));
}
/**
* @param clientId The Client ID for this client, referenced in the URI during authentication and in issued tokens.
*
* @return builder
*
*/
public Builder clientId(Output clientId) {
$.clientId = clientId;
return this;
}
/**
* @param clientId The Client ID for this client, referenced in the URI during authentication and in issued tokens.
*
* @return builder
*
*/
public Builder clientId(String clientId) {
return clientId(Output.of(clientId));
}
/**
* @param clientOfflineSessionIdleTimeout Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
*
* @return builder
*
*/
public Builder clientOfflineSessionIdleTimeout(@Nullable Output clientOfflineSessionIdleTimeout) {
$.clientOfflineSessionIdleTimeout = clientOfflineSessionIdleTimeout;
return this;
}
/**
* @param clientOfflineSessionIdleTimeout Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
*
* @return builder
*
*/
public Builder clientOfflineSessionIdleTimeout(String clientOfflineSessionIdleTimeout) {
return clientOfflineSessionIdleTimeout(Output.of(clientOfflineSessionIdleTimeout));
}
/**
* @param clientOfflineSessionMaxLifespan Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
*
* @return builder
*
*/
public Builder clientOfflineSessionMaxLifespan(@Nullable Output clientOfflineSessionMaxLifespan) {
$.clientOfflineSessionMaxLifespan = clientOfflineSessionMaxLifespan;
return this;
}
/**
* @param clientOfflineSessionMaxLifespan Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
*
* @return builder
*
*/
public Builder clientOfflineSessionMaxLifespan(String clientOfflineSessionMaxLifespan) {
return clientOfflineSessionMaxLifespan(Output.of(clientOfflineSessionMaxLifespan));
}
/**
* @param clientSecret The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
*
* @return builder
*
*/
public Builder clientSecret(@Nullable Output clientSecret) {
$.clientSecret = clientSecret;
return this;
}
/**
* @param clientSecret The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
*
* @return builder
*
*/
public Builder clientSecret(String clientSecret) {
return clientSecret(Output.of(clientSecret));
}
/**
* @param clientSessionIdleTimeout Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
*
* @return builder
*
*/
public Builder clientSessionIdleTimeout(@Nullable Output clientSessionIdleTimeout) {
$.clientSessionIdleTimeout = clientSessionIdleTimeout;
return this;
}
/**
* @param clientSessionIdleTimeout Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
*
* @return builder
*
*/
public Builder clientSessionIdleTimeout(String clientSessionIdleTimeout) {
return clientSessionIdleTimeout(Output.of(clientSessionIdleTimeout));
}
/**
* @param clientSessionMaxLifespan Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
*
* @return builder
*
*/
public Builder clientSessionMaxLifespan(@Nullable Output clientSessionMaxLifespan) {
$.clientSessionMaxLifespan = clientSessionMaxLifespan;
return this;
}
/**
* @param clientSessionMaxLifespan Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
*
* @return builder
*
*/
public Builder clientSessionMaxLifespan(String clientSessionMaxLifespan) {
return clientSessionMaxLifespan(Output.of(clientSessionMaxLifespan));
}
/**
* @param consentRequired When `true`, users have to consent to client access. Defaults to `false`.
*
* @return builder
*
*/
public Builder consentRequired(@Nullable Output consentRequired) {
$.consentRequired = consentRequired;
return this;
}
/**
* @param consentRequired When `true`, users have to consent to client access. Defaults to `false`.
*
* @return builder
*
*/
public Builder consentRequired(Boolean consentRequired) {
return consentRequired(Output.of(consentRequired));
}
/**
* @param consentScreenText The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`.
*
* @return builder
*
*/
public Builder consentScreenText(@Nullable Output consentScreenText) {
$.consentScreenText = consentScreenText;
return this;
}
/**
* @param consentScreenText The text to display on the consent screen about permissions specific to this client. This is applicable only when `display_on_consent_screen` is `true`.
*
* @return builder
*
*/
public Builder consentScreenText(String consentScreenText) {
return consentScreenText(Output.of(consentScreenText));
}
/**
* @param description The description of this client in the GUI.
*
* @return builder
*
*/
public Builder description(@Nullable Output description) {
$.description = description;
return this;
}
/**
* @param description The description of this client in the GUI.
*
* @return builder
*
*/
public Builder description(String description) {
return description(Output.of(description));
}
/**
* @param directAccessGrantsEnabled When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`.
*
* @return builder
*
*/
public Builder directAccessGrantsEnabled(@Nullable Output directAccessGrantsEnabled) {
$.directAccessGrantsEnabled = directAccessGrantsEnabled;
return this;
}
/**
* @param directAccessGrantsEnabled When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`.
*
* @return builder
*
*/
public Builder directAccessGrantsEnabled(Boolean directAccessGrantsEnabled) {
return directAccessGrantsEnabled(Output.of(directAccessGrantsEnabled));
}
/**
* @param displayOnConsentScreen When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`.
*
* @return builder
*
*/
public Builder displayOnConsentScreen(@Nullable Output displayOnConsentScreen) {
$.displayOnConsentScreen = displayOnConsentScreen;
return this;
}
/**
* @param displayOnConsentScreen When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consent_required` is `true`.
*
* @return builder
*
*/
public Builder displayOnConsentScreen(Boolean displayOnConsentScreen) {
return displayOnConsentScreen(Output.of(displayOnConsentScreen));
}
/**
* @param enabled When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.
*
* @return builder
*
*/
public Builder enabled(@Nullable Output enabled) {
$.enabled = enabled;
return this;
}
/**
* @param enabled When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.
*
* @return builder
*
*/
public Builder enabled(Boolean enabled) {
return enabled(Output.of(enabled));
}
/**
* @param excludeSessionStateFromAuthResponse When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response.
*
* @return builder
*
*/
public Builder excludeSessionStateFromAuthResponse(@Nullable Output excludeSessionStateFromAuthResponse) {
$.excludeSessionStateFromAuthResponse = excludeSessionStateFromAuthResponse;
return this;
}
/**
* @param excludeSessionStateFromAuthResponse When `true`, the parameter `session_state` will not be included in OpenID Connect Authentication Response.
*
* @return builder
*
*/
public Builder excludeSessionStateFromAuthResponse(Boolean excludeSessionStateFromAuthResponse) {
return excludeSessionStateFromAuthResponse(Output.of(excludeSessionStateFromAuthResponse));
}
public Builder extraConfig(@Nullable Output> extraConfig) {
$.extraConfig = extraConfig;
return this;
}
public Builder extraConfig(Map extraConfig) {
return extraConfig(Output.of(extraConfig));
}
/**
* @param frontchannelLogoutEnabled When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`.
*
* @return builder
*
*/
public Builder frontchannelLogoutEnabled(@Nullable Output frontchannelLogoutEnabled) {
$.frontchannelLogoutEnabled = frontchannelLogoutEnabled;
return this;
}
/**
* @param frontchannelLogoutEnabled When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannel_logout_url`. Defaults to `false`.
*
* @return builder
*
*/
public Builder frontchannelLogoutEnabled(Boolean frontchannelLogoutEnabled) {
return frontchannelLogoutEnabled(Output.of(frontchannelLogoutEnabled));
}
/**
* @param frontchannelLogoutUrl The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`.
*
* @return builder
*
*/
public Builder frontchannelLogoutUrl(@Nullable Output frontchannelLogoutUrl) {
$.frontchannelLogoutUrl = frontchannelLogoutUrl;
return this;
}
/**
* @param frontchannelLogoutUrl The frontchannel logout url. This is applicable only when `frontchannel_logout_enabled` is `true`.
*
* @return builder
*
*/
public Builder frontchannelLogoutUrl(String frontchannelLogoutUrl) {
return frontchannelLogoutUrl(Output.of(frontchannelLogoutUrl));
}
/**
* @param fullScopeAllowed Allow to include all roles mappings in the access token.
*
* @return builder
*
*/
public Builder fullScopeAllowed(@Nullable Output fullScopeAllowed) {
$.fullScopeAllowed = fullScopeAllowed;
return this;
}
/**
* @param fullScopeAllowed Allow to include all roles mappings in the access token.
*
* @return builder
*
*/
public Builder fullScopeAllowed(Boolean fullScopeAllowed) {
return fullScopeAllowed(Output.of(fullScopeAllowed));
}
/**
* @param implicitFlowEnabled When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`.
*
* @return builder
*
*/
public Builder implicitFlowEnabled(@Nullable Output implicitFlowEnabled) {
$.implicitFlowEnabled = implicitFlowEnabled;
return this;
}
/**
* @param implicitFlowEnabled When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`.
*
* @return builder
*
*/
public Builder implicitFlowEnabled(Boolean implicitFlowEnabled) {
return implicitFlowEnabled(Output.of(implicitFlowEnabled));
}
/**
* @param import_ When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`.
*
* @return builder
*
*/
public Builder import_(@Nullable Output import_) {
$.import_ = import_;
return this;
}
/**
* @param import_ When `true`, the client with the specified `client_id` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`.
*
* @return builder
*
*/
public Builder import_(Boolean import_) {
return import_(Output.of(import_));
}
/**
* @param loginTheme The client login theme. This will override the default theme for the realm.
*
* @return builder
*
*/
public Builder loginTheme(@Nullable Output loginTheme) {
$.loginTheme = loginTheme;
return this;
}
/**
* @param loginTheme The client login theme. This will override the default theme for the realm.
*
* @return builder
*
*/
public Builder loginTheme(String loginTheme) {
return loginTheme(Output.of(loginTheme));
}
/**
* @param name The display name of this client in the GUI.
*
* @return builder
*
*/
public Builder name(@Nullable Output name) {
$.name = name;
return this;
}
/**
* @param name The display name of this client in the GUI.
*
* @return builder
*
*/
public Builder name(String name) {
return name(Output.of(name));
}
/**
* @param oauth2DeviceAuthorizationGrantEnabled Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
*
* @return builder
*
*/
public Builder oauth2DeviceAuthorizationGrantEnabled(@Nullable Output oauth2DeviceAuthorizationGrantEnabled) {
$.oauth2DeviceAuthorizationGrantEnabled = oauth2DeviceAuthorizationGrantEnabled;
return this;
}
/**
* @param oauth2DeviceAuthorizationGrantEnabled Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
*
* @return builder
*
*/
public Builder oauth2DeviceAuthorizationGrantEnabled(Boolean oauth2DeviceAuthorizationGrantEnabled) {
return oauth2DeviceAuthorizationGrantEnabled(Output.of(oauth2DeviceAuthorizationGrantEnabled));
}
/**
* @param oauth2DeviceCodeLifespan The maximum amount of time a client has to finish the device code flow before it expires.
*
* @return builder
*
*/
public Builder oauth2DeviceCodeLifespan(@Nullable Output oauth2DeviceCodeLifespan) {
$.oauth2DeviceCodeLifespan = oauth2DeviceCodeLifespan;
return this;
}
/**
* @param oauth2DeviceCodeLifespan The maximum amount of time a client has to finish the device code flow before it expires.
*
* @return builder
*
*/
public Builder oauth2DeviceCodeLifespan(String oauth2DeviceCodeLifespan) {
return oauth2DeviceCodeLifespan(Output.of(oauth2DeviceCodeLifespan));
}
/**
* @param oauth2DevicePollingInterval The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
*
* @return builder
*
*/
public Builder oauth2DevicePollingInterval(@Nullable Output oauth2DevicePollingInterval) {
$.oauth2DevicePollingInterval = oauth2DevicePollingInterval;
return this;
}
/**
* @param oauth2DevicePollingInterval The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
*
* @return builder
*
*/
public Builder oauth2DevicePollingInterval(String oauth2DevicePollingInterval) {
return oauth2DevicePollingInterval(Output.of(oauth2DevicePollingInterval));
}
/**
* @param pkceCodeChallengeMethod The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``.
*
* @return builder
*
*/
public Builder pkceCodeChallengeMethod(@Nullable Output pkceCodeChallengeMethod) {
$.pkceCodeChallengeMethod = pkceCodeChallengeMethod;
return this;
}
/**
* @param pkceCodeChallengeMethod The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``.
*
* @return builder
*
*/
public Builder pkceCodeChallengeMethod(String pkceCodeChallengeMethod) {
return pkceCodeChallengeMethod(Output.of(pkceCodeChallengeMethod));
}
/**
* @param realmId The realm this client is attached to.
*
* @return builder
*
*/
public Builder realmId(Output realmId) {
$.realmId = realmId;
return this;
}
/**
* @param realmId The realm this client is attached to.
*
* @return builder
*
*/
public Builder realmId(String realmId) {
return realmId(Output.of(realmId));
}
/**
* @param rootUrl When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required.
*
* @return builder
*
*/
public Builder rootUrl(@Nullable Output rootUrl) {
$.rootUrl = rootUrl;
return this;
}
/**
* @param rootUrl When specified, this URL is prepended to any relative URLs found within `valid_redirect_uris`, `web_origins`, and `admin_url`. NOTE: Due to limitations in the Keycloak API, when the `root_url` attribute is used, the `valid_redirect_uris`, `web_origins`, and `admin_url` attributes will be required.
*
* @return builder
*
*/
public Builder rootUrl(String rootUrl) {
return rootUrl(Output.of(rootUrl));
}
/**
* @param serviceAccountsEnabled When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`.
*
* @return builder
*
*/
public Builder serviceAccountsEnabled(@Nullable Output serviceAccountsEnabled) {
$.serviceAccountsEnabled = serviceAccountsEnabled;
return this;
}
/**
* @param serviceAccountsEnabled When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`.
*
* @return builder
*
*/
public Builder serviceAccountsEnabled(Boolean serviceAccountsEnabled) {
return serviceAccountsEnabled(Output.of(serviceAccountsEnabled));
}
/**
* @param standardFlowEnabled When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`.
*
* @return builder
*
*/
public Builder standardFlowEnabled(@Nullable Output standardFlowEnabled) {
$.standardFlowEnabled = standardFlowEnabled;
return this;
}
/**
* @param standardFlowEnabled When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`.
*
* @return builder
*
*/
public Builder standardFlowEnabled(Boolean standardFlowEnabled) {
return standardFlowEnabled(Output.of(standardFlowEnabled));
}
/**
* @param useRefreshTokens If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`.
*
* @return builder
*
*/
public Builder useRefreshTokens(@Nullable Output useRefreshTokens) {
$.useRefreshTokens = useRefreshTokens;
return this;
}
/**
* @param useRefreshTokens If this is `true`, a refresh_token will be created and added to the token response. If this is `false` then no refresh_token will be generated. Defaults to `true`.
*
* @return builder
*
*/
public Builder useRefreshTokens(Boolean useRefreshTokens) {
return useRefreshTokens(Output.of(useRefreshTokens));
}
/**
* @param useRefreshTokensClientCredentials If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`.
*
* @return builder
*
*/
public Builder useRefreshTokensClientCredentials(@Nullable Output useRefreshTokensClientCredentials) {
$.useRefreshTokensClientCredentials = useRefreshTokensClientCredentials;
return this;
}
/**
* @param useRefreshTokensClientCredentials If this is `true`, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is `false` then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`.
*
* @return builder
*
*/
public Builder useRefreshTokensClientCredentials(Boolean useRefreshTokensClientCredentials) {
return useRefreshTokensClientCredentials(Output.of(useRefreshTokensClientCredentials));
}
/**
* @param validPostLogoutRedirectUris A list of valid URIs a browser is permitted to redirect to after a successful logout.
*
* @return builder
*
*/
public Builder validPostLogoutRedirectUris(@Nullable Output> validPostLogoutRedirectUris) {
$.validPostLogoutRedirectUris = validPostLogoutRedirectUris;
return this;
}
/**
* @param validPostLogoutRedirectUris A list of valid URIs a browser is permitted to redirect to after a successful logout.
*
* @return builder
*
*/
public Builder validPostLogoutRedirectUris(List validPostLogoutRedirectUris) {
return validPostLogoutRedirectUris(Output.of(validPostLogoutRedirectUris));
}
/**
* @param validPostLogoutRedirectUris A list of valid URIs a browser is permitted to redirect to after a successful logout.
*
* @return builder
*
*/
public Builder validPostLogoutRedirectUris(String... validPostLogoutRedirectUris) {
return validPostLogoutRedirectUris(List.of(validPostLogoutRedirectUris));
}
/**
* @param validRedirectUris A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple
* wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled`
* is set to `true`.
*
* @return builder
*
*/
public Builder validRedirectUris(@Nullable Output> validRedirectUris) {
$.validRedirectUris = validRedirectUris;
return this;
}
/**
* @param validRedirectUris A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple
* wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled`
* is set to `true`.
*
* @return builder
*
*/
public Builder validRedirectUris(List validRedirectUris) {
return validRedirectUris(Output.of(validRedirectUris));
}
/**
* @param validRedirectUris A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple
* wildcards in the form of an asterisk can be used here. This attribute must be set if either `standard_flow_enabled` or `implicit_flow_enabled`
* is set to `true`.
*
* @return builder
*
*/
public Builder validRedirectUris(String... validRedirectUris) {
return validRedirectUris(List.of(validRedirectUris));
}
/**
* @param webOrigins A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`."
*
* @return builder
*
*/
public Builder webOrigins(@Nullable Output> webOrigins) {
$.webOrigins = webOrigins;
return this;
}
/**
* @param webOrigins A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`."
*
* @return builder
*
*/
public Builder webOrigins(List webOrigins) {
return webOrigins(Output.of(webOrigins));
}
/**
* @param webOrigins A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`."
*
* @return builder
*
*/
public Builder webOrigins(String... webOrigins) {
return webOrigins(List.of(webOrigins));
}
public ClientArgs build() {
if ($.accessType == null) {
throw new MissingRequiredPropertyException("ClientArgs", "accessType");
}
if ($.clientId == null) {
throw new MissingRequiredPropertyException("ClientArgs", "clientId");
}
if ($.realmId == null) {
throw new MissingRequiredPropertyException("ClientArgs", "realmId");
}
return $;
}
}
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy