{ "description": "KeycloakClient is the Schema for the keycloak clients API.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "KeycloakClientSpec defines the desired state of KeycloakClient.", "properties": { "adminFineGrainedPermissionsEnabled": { "description": "AdminFineGrainedPermissionsEnabled enable/disable fine-grained admin permissions for a client.", "type": "boolean" }, "adminUrl": { "description": "AdminUrl is client admin url.\nIf empty - WebUrl will be used.", "type": "string" }, "advancedProtocolMappers": { "description": "AdvancedProtocolMappers is a flag to enable advanced protocol mappers.", "type": "boolean" }, "attributes": { "additionalProperties": { "type": "string" }, "default": { "post.logout.redirect.uris": "+" }, "description": "Attributes is a map of client attributes.", "nullable": true, "type": "object" }, "authenticationFlowBindingOverrides": { "description": "AuthenticationFlowBindingOverrides client auth flow overrides", "properties": { "browser": { "type": "string" }, "directGrant": { "type": "string" } }, "type": "object", "additionalProperties": false }, "authorization": { "description": "Authorization is a client authorization configuration.", "nullable": true, "properties": { "permissions": { "items": { "properties": { "decisionStrategy": { "default": "UNANIMOUS", "description": "DecisionStrategy is a permission decision strategy.", "enum": [ "UNANIMOUS", "AFFIRMATIVE", "CONSENSUS" ], "type": "string" }, "description": { "description": "Description is a permission description.", "type": "string" }, "logic": { "default": "POSITIVE", "description": "Logic is a permission logic.", "enum": [ "POSITIVE", "NEGATIVE" ], "type": "string" }, "name": { "description": "Name is a permission name.", "type": "string" }, "policies": { "description": "Policies is a list of policies names.\nSpecifies all the policies that must be applied to the scopes defined by this policy or permission.", "example": [ "policy1", "policy2" ], "items": { "type": "string" }, "nullable": true, "type": "array" }, "resources": { "description": "Resources is a list of resources names.\nSpecifies that this permission must be applied to all resource instances of a given type.", "example": [ "resource1", "resource2" ], "items": { "type": "string" }, "nullable": true, "type": "array" }, "scopes": { "description": "Scopes is a list of authorization scopes names.\nSpecifies that this permission must be applied to one or more scopes.", "example": [ "scope1", "scope2" ], "items": { "type": "string" }, "nullable": true, "type": "array" }, "type": { "description": "Type is a permission type.", "enum": [ "resource", "scope" ], "type": "string" } }, "required": [ "name", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "policies": { "items": { "description": "Policy represents a client authorization policy.", "properties": { "aggregatedPolicy": { "description": "AggregatedPolicy is an aggregated policy settings.", "properties": { "policies": { "description": "Policies is a list of aggregated policies names.\nSpecifies all the policies that must be applied to the scopes defined by this policy or permission.", "example": { "policies": [ "policy1", "policy2" ] }, "items": { "type": "string" }, "type": "array" } }, "required": [ "policies" ], "type": "object", "additionalProperties": false }, "clientPolicy": { "description": "ClientPolicy is a client policy settings.", "properties": { "clients": { "description": "Clients is a list of client names. Specifies which client(s) are allowed by this policy.", "example": [ "clients1", "clients2" ], "items": { "type": "string" }, "type": "array" } }, "required": [ "clients" ], "type": "object", "additionalProperties": false }, "decisionStrategy": { "default": "UNANIMOUS", "description": "DecisionStrategy is a policy decision strategy.", "enum": [ "UNANIMOUS", "AFFIRMATIVE", "CONSENSUS" ], "type": "string" }, "description": { "description": "Description is a policy description.", "type": "string" }, "groupPolicy": { "description": "GroupPolicy is a group policy settings.", "properties": { "groups": { "description": "Groups is a list of group names. Specifies which group(s) are allowed by this policy.", "example": "{\"groups\":[{\"name\":\"group1\",\"extendChildren\":true},{\"name\":\"group2\"}]}", "items": { "description": "GroupDefinition represents a group in a GroupPolicyData.", "properties": { "extendChildren": { "description": "ExtendChildren is a flag that specifies whether to extend children.", "type": "boolean" }, "name": { "description": "Name is a group name.", "example": "group1", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array" }, "groupsClaim": { "description": "GroupsClaim is a group claim.\nIf defined, the policy will fetch user's groups from the given claim\nwithin an access token or ID token representing the identity asking permissions.\nIf not defined, user's groups are obtained from your realm configuration.", "type": "string" } }, "required": [ "groups" ], "type": "object", "additionalProperties": false }, "logic": { "default": "POSITIVE", "description": "Logic is a policy logic.", "enum": [ "POSITIVE", "NEGATIVE" ], "type": "string" }, "name": { "description": "Name is a policy name.", "type": "string" }, "rolePolicy": { "description": "RolePolicy is a role policy settings.", "properties": { "roles": { "description": "Roles is a list of role.", "example": { "roles": [ { "name": "role1", "required": true }, { "name": "role2" } ] }, "items": { "description": "RoleDefinition represents a role in a RolePolicyData.", "properties": { "name": { "description": "Name is a role name.", "example": "role1", "type": "string" }, "required": { "description": "Required is a flag that specifies whether the role is required.", "type": "boolean" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "required": [ "roles" ], "type": "object", "additionalProperties": false }, "timePolicy": { "description": "ScopePolicy is a scope policy settings.", "properties": { "dayMonth": { "description": "Day defines the month which the policy MUST be granted.\nYou can also provide a range by filling the dayMonthEnd field.\nIn this case, permission is granted only if current month is between or equal to the two values you provided.", "example": "1", "type": "string" }, "dayMonthEnd": { "example": "2", "type": "string" }, "hour": { "description": "Hour defines the hour when the policy MUST be granted.\nYou can also provide a range by filling the hourEnd.\nIn this case, permission is granted only if current hour is between or equal to the two values you provided.", "example": "1", "type": "string" }, "hourEnd": { "example": "2", "type": "string" }, "minute": { "description": "Minute defines the minute when the policy MUST be granted.\nYou can also provide a range by filling the minuteEnd field.\nIn this case, permission is granted only if current minute is between or equal to the two values you provided.", "example": "1", "type": "string" }, "minuteEnd": { "example": "2", "type": "string" }, "month": { "description": "Month defines the month which the policy MUST be granted.\nYou can also provide a range by filling the monthEnd.\nIn this case, permission is granted only if current month is between or equal to the two values you provided.", "example": "1", "type": "string" }, "monthEnd": { "example": "2", "type": "string" }, "notBefore": { "description": "NotBefore defines the time before which the policy MUST NOT be granted.\nOnly granted if current date/time is after or equal to this value.", "example": "2024-03-03 00:00:00", "type": "string" }, "notOnOrAfter": { "description": "NotOnOrAfter defines the time after which the policy MUST NOT be granted.\nOnly granted if current date/time is before or equal to this value.", "example": "2024-04-04 00:00:00", "type": "string" } }, "required": [ "notBefore", "notOnOrAfter" ], "type": "object", "additionalProperties": false }, "type": { "description": "Type is a policy type.", "enum": [ "aggregate", "client", "group", "role", "time", "user" ], "type": "string" }, "userPolicy": { "description": "UserPolicy is a user policy settings.", "properties": { "users": { "description": "Users is a list of usernames. Specifies which user(s) are allowed by this policy.", "example": [ "users1", "users2" ], "items": { "type": "string" }, "type": "array" } }, "required": [ "users" ], "type": "object", "additionalProperties": false } }, "required": [ "name", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "resources": { "items": { "properties": { "attributes": { "additionalProperties": { "items": { "type": "string" }, "type": "array" }, "description": "Attributes is a map of resource attributes.", "nullable": true, "type": "object" }, "displayName": { "description": "DisplayName for Identity Providers.", "type": "string" }, "iconUri": { "description": "IconURI pointing to an icon.", "type": "string" }, "name": { "description": "Name is unique resource name.", "type": "string" }, "ownerManagedAccess": { "description": "OwnerManagedAccess if enabled, the access to this resource can be managed by the resource owner.", "type": "boolean" }, "scopes": { "description": "Scopes requested or assigned in advance to the client to determine whether the policy is applied to this client.\nCondition is evaluated during OpenID Connect authorization request and/or token request.", "items": { "type": "string" }, "nullable": true, "type": "array" }, "type": { "description": "Type of this resource. It can be used to group different resource instances with the same type.", "type": "string" }, "uris": { "description": "URIs which are protected by resource.", "items": { "type": "string" }, "nullable": true, "type": "array" } }, "required": [ "displayName", "name" ], "type": "object", "additionalProperties": false }, "type": "array" }, "scopes": { "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "authorizationServicesEnabled": { "description": "AuthorizationServicesEnabled enable/disable fine-grained authorization support for a client.", "type": "boolean" }, "bearerOnly": { "description": "BearerOnly is a flag to enable bearer-only.", "type": "boolean" }, "clientAuthenticatorType": { "default": "client-secret", "description": "ClientAuthenticatorType is a client authenticator type.", "type": "string" }, "clientId": { "description": "ClientId is a unique keycloak client ID referenced in URI and tokens.", "type": "string" }, "clientRoles": { "description": "ClientRoles is a list of client roles names assigned to client.", "items": { "type": "string" }, "nullable": true, "type": "array" }, "consentRequired": { "description": "ConsentRequired is a flag to enable consent.", "type": "boolean" }, "defaultClientScopes": { "description": "DefaultClientScopes is a list of default client scopes assigned to client.", "items": { "type": "string" }, "nullable": true, "type": "array" }, "description": { "description": "Description is a client description.", "type": "string" }, "directAccess": { "description": "DirectAccess is a flag to set client as direct access.", "type": "boolean" }, "enabled": { "default": true, "description": "Enabled is a flag to enable client.", "type": "boolean" }, "frontChannelLogout": { "description": "FrontChannelLogout is a flag to enable front channel logout.", "type": "boolean" }, "fullScopeAllowed": { "default": true, "description": "FullScopeAllowed is a flag to enable full scope.", "type": "boolean" }, "homeUrl": { "description": "HomeUrl is a client home url.", "type": "string" }, "implicitFlowEnabled": { "description": "ImplicitFlowEnabled is a flag to enable support for OpenID Connect redirect based authentication without authorization code.", "type": "boolean" }, "name": { "description": "Name is a client name.", "type": "string" }, "optionalClientScopes": { "description": "OptionalClientScopes is a list of optional client scopes assigned to client.", "items": { "type": "string" }, "nullable": true, "type": "array" }, "permission": { "description": "Permission is a client permissions configuration", "nullable": true, "properties": { "scopePermissions": { "description": "ScopePermissions mapping of scope and the policies attached", "items": { "properties": { "name": { "type": "string" }, "policies": { "items": { "type": "string" }, "type": "array" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "protocol": { "description": "Protocol is a client protocol.", "nullable": true, "type": "string" }, "protocolMappers": { "description": "ProtocolMappers is a list of protocol mappers assigned to client.", "items": { "properties": { "config": { "additionalProperties": { "type": "string" }, "description": "Config is a map of protocol mapper configuration.", "nullable": true, "type": "object" }, "name": { "description": "Name is a protocol mapper name.", "type": "string" }, "protocol": { "description": "Protocol is a protocol name.", "type": "string" }, "protocolMapper": { "description": "ProtocolMapper is a protocol mapper name.", "type": "string" } }, "type": "object", "additionalProperties": false }, "nullable": true, "type": "array" }, "public": { "description": "Public is a flag to set client as public.", "type": "boolean" }, "realmRef": { "description": "RealmRef is reference to Realm custom resource.", "properties": { "kind": { "default": "KeycloakRealm", "description": "Kind specifies the kind of the Keycloak resource.", "enum": [ "KeycloakRealm", "ClusterKeycloakRealm" ], "type": "string" }, "name": { "description": "Name specifies the name of the Keycloak resource.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "realmRoles": { "description": "RealmRoles is a list of realm roles assigned to client.", "items": { "properties": { "composite": { "description": "Composite is a realm composite role name.", "type": "string" }, "name": { "description": "Name is a realm role name.", "type": "string" } }, "required": [ "composite" ], "type": "object", "additionalProperties": false }, "nullable": true, "type": "array" }, "reconciliationStrategy": { "description": "ReconciliationStrategy is a strategy to reconcile client.", "enum": [ "full", "addOnly" ], "type": "string" }, "redirectUris": { "description": "RedirectUris is a list of valid URI pattern a browser can redirect to after a successful login.\nSimple wildcards are allowed such as 'https://example.com/*'.\nRelative path can be specified too, such as /my/relative/path/*. Relative paths are relative to the client root URL.\nIf not specified, spec.webUrl + \"/*\" will be used.", "example": [ "https://example.com/*", "/my/relative/path/*" ], "items": { "type": "string" }, "nullable": true, "type": "array" }, "secret": { "description": "Secret is kubernetes secret name where the client's secret will be stored.\nSecret should have the following format: $secretName:secretKey.\nIf not specified, a client secret will be generated and stored in a secret with the name keycloak-client-{metadata.name}-secret.\nIf keycloak client is public, secret property will be ignored.", "example": "$keycloak-secret:client_secret", "type": "string" }, "serviceAccount": { "description": "ServiceAccount is a service account configuration.", "nullable": true, "properties": { "attributes": { "additionalProperties": { "type": "string" }, "description": "Attributes is a map of service account attributes.", "nullable": true, "type": "object" }, "clientRoles": { "description": "ClientRoles is a list of client roles assigned to service account.", "items": { "properties": { "clientId": { "description": "ClientID is a client ID.", "type": "string" }, "roles": { "description": "Roles is a list of client roles names assigned to service account.", "items": { "type": "string" }, "nullable": true, "type": "array" } }, "required": [ "clientId" ], "type": "object", "additionalProperties": false }, "nullable": true, "type": "array" }, "enabled": { "description": "Enabled is a flag to enable service account.", "type": "boolean" }, "groups": { "description": "Groups is a list of groups assigned to service account", "items": { "type": "string" }, "nullable": true, "type": "array" }, "realmRoles": { "description": "RealmRoles is a list of realm roles assigned to service account.", "items": { "type": "string" }, "nullable": true, "type": "array" } }, "type": "object", "additionalProperties": false }, "standardFlowEnabled": { "default": true, "description": "StandardFlowEnabled is a flag to enable standard flow.", "type": "boolean" }, "surrogateAuthRequired": { "description": "SurrogateAuthRequired is a flag to enable surrogate auth.", "type": "boolean" }, "webOrigins": { "description": "WebOrigins is a list of allowed CORS origins.\nTo permit all origins of Valid Redirect URIs, add '+'. This does not include the '*' wildcard though.\nTo permit all origins, explicitly add '*'.\nIf not specified, the value from `WebUrl` is used", "example": [ "https://example.com/*" ], "items": { "type": "string" }, "nullable": true, "type": "array" }, "webUrl": { "description": "WebUrl is a client web url.", "type": "string" } }, "required": [ "clientId", "realmRef" ], "type": "object", "additionalProperties": false }, "status": { "description": "KeycloakClientStatus defines the observed state of KeycloakClient.", "properties": { "clientId": { "type": "string" }, "failureCount": { "format": "int64", "type": "integer" }, "value": { "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object" }