@pulumi/keycloak 5.3.0 → 5.3.2

package/openid/client.d.ts

@@ -2,13 +2,15 @@ import * as pulumi from "@pulumi/pulumi";
 import * as inputs from "../types/input";
 import * as outputs from "../types/output";
 /**
+ * ## # keycloak.openid.Client
+ *
  * Allows for creating and managing Keycloak clients that use the OpenID Connect protocol.
  *
  * Clients are entities that can use Keycloak for user authentication. Typically,
  * clients are applications that redirect users to Keycloak for authentication
  * in order to take advantage of Keycloak's user sessions for SSO.
  *
- * ## Example Usage
+ * ### Example Usage
  *
  * ```typescript
  * import * as pulumi from "@pulumi/pulumi";
@@ -18,27 +20,58 @@ import * as outputs from "../types/output";
  *     realm: "my-realm",
  *     enabled: true,
  * });
- * const openidClient = new keycloak.openid.Client("openidClient", {
+ * const openidClient = new keycloak.openid.Client("openid_client", {
  *     realmId: realm.id,
  *     clientId: "test-client",
+ *     name: "test client",
  *     enabled: true,
  *     accessType: "CONFIDENTIAL",
  *     validRedirectUris: ["http://localhost:8080/openid-callback"],
- *     loginTheme: "keycloak",
- *     extraConfig: {
- *         key1: "value1",
- *         key2: "value2",
- *     },
  * });
  * ```
  *
- * ## Import
+ * ### Argument Reference
  *
- * Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `client_keycloak_id` is the unique ID that Keycloak assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. Examplebash
+ * The following arguments are supported:
  *
- * ```sh
- *  $ pulumi import keycloak:openid/client:Client openid_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352
- * ```
+ * - `realmId` - (Required) The realm this client is attached to.
+ * - `clientId` - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens.
+ * - `name` - (Optional) The display name of this client in the GUI.
+ * - `enabled` - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.
+ * - `description` - (Optional) The description of this client in the GUI.
+ * - `accessType` - (Required) Specifies the type of client, which can be one of the following:
+ *     - `CONFIDENTIAL` - Used for server-side clients that require both client ID and secret when authenticating.
+ *       This client should be used for applications using the Authorization Code or Client Credentials grant flows.
+ *     - `PUBLIC` - Used for browser-only applications that do not require a client secret, and instead rely only on authorized redirect
+ *       URIs for security. This client should be used for applications using the Implicit grant flow.
+ *     - `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests.
+ * - `clientSecret` - (Optional) The secret for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and
+ *   should be treated with the same care as a password. If omitted, Keycloak will generate a GUID for this attribute.
+ * - `standardFlowEnabled` - (Optional) When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`.
+ * - `implicitFlowEnabled` - (Optional) When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`.
+ * - `directAccessGrantsEnabled` - (Optional) When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`.
+ * - `serviceAccountsEnabled` - (Optional) When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`.
+ * - `validRedirectUris` - (Optional) A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple
+ *   wildcards in the form of an asterisk can be used here. This attribute must be set if either `standardFlowEnabled` or `implicitFlowEnabled`
+ *   is set to `true`.
+ * - `webOrigins` - (Optional) A list of allowed CORS origins. `+` can be used to permit all valid redirect URIs, and `*` can be used to permit all origins.
+ * - `adminUrl` - (Optional) URL to the admin interface of the client.
+ * - `baseUrl` - (Optional) Default URL to use when the auth server needs to redirect or link back to the client.
+ * - `pkceCodeChallengeMethod` - (Optional) The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``.
+ * - `fullScopeAllowed` - (Optional) - Allow to include all roles mappings in the access token.
+ *
+ * ### Attributes Reference
+ *
+ * In addition to the arguments listed above, the following computed attributes are exported:
+ *
+ * - `serviceAccountUserId` - When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
+ *
+ * ### Import
+ *
+ * Clients can be imported using the format `{{realm_id}}/{{client_keycloak_id}}`, where `clientKeycloakId` is the unique ID that Keycloak
+ * assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID.
+ *
+ * Example:
  */
 export declare class Client extends pulumi.CustomResource {
     /**
@@ -56,194 +89,53 @@ export declare class Client extends pulumi.CustomResource {
      * when multiple copies of the Pulumi SDK have been loaded into the same process.
      */
     static isInstance(obj: any): obj is Client;
-    /**
-     * The amount of time in seconds before an access token expires. This will override the default for the realm.
-     */
     readonly accessTokenLifespan: pulumi.Output<string>;
-    /**
-     * Specifies the type of client, which can be one of the following:
-     */
     readonly accessType: pulumi.Output<string>;
-    /**
-     * URL to the admin interface of the client.
-     */
     readonly adminUrl: pulumi.Output<string>;
-    /**
-     * Override realm authentication flow bindings
-     */
     readonly authenticationFlowBindingOverrides: pulumi.Output<outputs.openid.ClientAuthenticationFlowBindingOverrides | undefined>;
-    /**
-     * When this block is present, fine-grained authorization will be enabled for this client. The client's `accessType` must be `CONFIDENTIAL`, and `serviceAccountsEnabled` must be `true`. This block has the following arguments:
-     */
     readonly authorization: pulumi.Output<outputs.openid.ClientAuthorization | undefined>;
-    /**
-     * Specifying whether a "revokeOfflineAccess" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
-     */
     readonly backchannelLogoutRevokeOfflineSessions: pulumi.Output<boolean | undefined>;
-    /**
-     * When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`.
-     */
     readonly backchannelLogoutSessionRequired: pulumi.Output<boolean | undefined>;
-    /**
-     * The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
-     */
     readonly backchannelLogoutUrl: pulumi.Output<string | undefined>;
-    /**
-     * Default URL to use when the auth server needs to redirect or link back to the client.
-     */
     readonly baseUrl: pulumi.Output<string>;
-    /**
-     * Defaults to `client-secret`. The authenticator type for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types:
-     * - `client-secret` (Default) Use client id and client secret to authenticate client.
-     * - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = <alg>`
-     * - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extraConfig` with `attributes.x509.subjectdn = <subjectDn>`
-     * - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = <alg>`
-     */
     readonly clientAuthenticatorType: pulumi.Output<string | undefined>;
-    /**
-     * The Client ID for this client, referenced in the URI during authentication and in issued tokens.
-     */
     readonly clientId: pulumi.Output<string>;
-    /**
-     * Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
-     */
     readonly clientOfflineSessionIdleTimeout: pulumi.Output<string>;
-    /**
-     * Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
-     */
     readonly clientOfflineSessionMaxLifespan: pulumi.Output<string>;
-    /**
-     * The secret for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
-     */
     readonly clientSecret: pulumi.Output<string>;
-    /**
-     * Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
-     */
     readonly clientSessionIdleTimeout: pulumi.Output<string>;
-    /**
-     * Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
-     */
     readonly clientSessionMaxLifespan: pulumi.Output<string>;
-    /**
-     * When `true`, users have to consent to client access. Defaults to `false`.
-     */
     readonly consentRequired: pulumi.Output<boolean>;
-    /**
-     * The text to display on the consent screen about permissions specific to this client. This is applicable only when `displayOnConsentScreen` is `true`.
-     */
     readonly consentScreenText: pulumi.Output<string>;
-    /**
-     * The description of this client in the GUI.
-     */
     readonly description: pulumi.Output<string>;
-    /**
-     * When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`.
-     */
     readonly directAccessGrantsEnabled: pulumi.Output<boolean>;
-    /**
-     * When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consentRequired` is `true`.
-     */
     readonly displayOnConsentScreen: pulumi.Output<boolean>;
-    /**
-     * When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.
-     */
     readonly enabled: pulumi.Output<boolean | undefined>;
-    /**
-     * When `true`, the parameter `sessionState` will not be included in OpenID Connect Authentication Response.
-     */
     readonly excludeSessionStateFromAuthResponse: pulumi.Output<boolean>;
     readonly extraConfig: pulumi.Output<{
         [key: string]: any;
     } | undefined>;
-    /**
-     * When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannelLogoutUrl`. Defaults to `false`.
-     */
     readonly frontchannelLogoutEnabled: pulumi.Output<boolean>;
-    /**
-     * The frontchannel logout url. This is applicable only when `frontchannelLogoutEnabled` is `true`.
-     */
     readonly frontchannelLogoutUrl: pulumi.Output<string | undefined>;
-    /**
-     * Allow to include all roles mappings in the access token.
-     */
     readonly fullScopeAllowed: pulumi.Output<boolean | undefined>;
-    /**
-     * When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`.
-     */
     readonly implicitFlowEnabled: pulumi.Output<boolean>;
-    /**
-     * When `true`, the client with the specified `clientId` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`.
-     */
     readonly import: pulumi.Output<boolean | undefined>;
-    /**
-     * The client login theme. This will override the default theme for the realm.
-     */
     readonly loginTheme: pulumi.Output<string | undefined>;
-    /**
-     * The display name of this client in the GUI.
-     */
     readonly name: pulumi.Output<string>;
-    /**
-     * Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
-     */
     readonly oauth2DeviceAuthorizationGrantEnabled: pulumi.Output<boolean | undefined>;
-    /**
-     * The maximum amount of time a client has to finish the device code flow before it expires.
-     */
     readonly oauth2DeviceCodeLifespan: pulumi.Output<string | undefined>;
-    /**
-     * The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
-     */
     readonly oauth2DevicePollingInterval: pulumi.Output<string | undefined>;
-    /**
-     * The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``.
-     */
     readonly pkceCodeChallengeMethod: pulumi.Output<string | undefined>;
-    /**
-     * The realm this client is attached to.
-     */
     readonly realmId: pulumi.Output<string>;
-    /**
-     * (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute).
-     */
     readonly resourceServerId: pulumi.Output<string>;
-    /**
-     * When specified, this URL is prepended to any relative URLs found within `validRedirectUris`, `webOrigins`, and `adminUrl`. NOTE: Due to limitations in the Keycloak API, when the `rootUrl` attribute is used, the `validRedirectUris`, `webOrigins`, and `adminUrl` attributes will be required.
-     */
     readonly rootUrl: pulumi.Output<string>;
-    /**
-     * (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
-     */
     readonly serviceAccountUserId: pulumi.Output<string>;
-    /**
-     * When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`.
-     */
     readonly serviceAccountsEnabled: pulumi.Output<boolean>;
-    /**
-     * When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`.
-     */
     readonly standardFlowEnabled: pulumi.Output<boolean>;
-    /**
-     * If this is `true`, a refreshToken will be created and added to the token response. If this is `false` then no refreshToken will be generated.  Defaults to `true`.
-     */
     readonly useRefreshTokens: pulumi.Output<boolean | undefined>;
-    /**
-     * If this is `true`, a refreshToken will be created and added to the token response if the clientCredentials grant is used and a user session will be created. If this is `false` then no refreshToken will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`.
-     */
     readonly useRefreshTokensClientCredentials: pulumi.Output<boolean | undefined>;
-    /**
-     * A list of valid URIs a browser is permitted to redirect to after a successful logout.
-     */
     readonly validPostLogoutRedirectUris: pulumi.Output<string[]>;
-    /**
-     * A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple
-     * wildcards in the form of an asterisk can be used here. This attribute must be set if either `standardFlowEnabled` or `implicitFlowEnabled`
-     * is set to `true`.
-     */
     readonly validRedirectUris: pulumi.Output<string[]>;
-    /**
-     * A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`."
-     */
     readonly webOrigins: pulumi.Output<string[]>;
     /**
      * Create a Client resource with the given unique name, arguments, and options.
@@ -258,379 +150,103 @@ export declare class Client extends pulumi.CustomResource {
  * Input properties used for looking up and filtering Client resources.
  */
 export interface ClientState {
-    /**
-     * The amount of time in seconds before an access token expires. This will override the default for the realm.
-     */
     accessTokenLifespan?: pulumi.Input<string>;
-    /**
-     * Specifies the type of client, which can be one of the following:
-     */
     accessType?: pulumi.Input<string>;
-    /**
-     * URL to the admin interface of the client.
-     */
     adminUrl?: pulumi.Input<string>;
-    /**
-     * Override realm authentication flow bindings
-     */
     authenticationFlowBindingOverrides?: pulumi.Input<inputs.openid.ClientAuthenticationFlowBindingOverrides>;
-    /**
-     * When this block is present, fine-grained authorization will be enabled for this client. The client's `accessType` must be `CONFIDENTIAL`, and `serviceAccountsEnabled` must be `true`. This block has the following arguments:
-     */
     authorization?: pulumi.Input<inputs.openid.ClientAuthorization>;
-    /**
-     * Specifying whether a "revokeOfflineAccess" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
-     */
     backchannelLogoutRevokeOfflineSessions?: pulumi.Input<boolean>;
-    /**
-     * When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`.
-     */
     backchannelLogoutSessionRequired?: pulumi.Input<boolean>;
-    /**
-     * The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
-     */
     backchannelLogoutUrl?: pulumi.Input<string>;
-    /**
-     * Default URL to use when the auth server needs to redirect or link back to the client.
-     */
     baseUrl?: pulumi.Input<string>;
-    /**
-     * Defaults to `client-secret`. The authenticator type for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types:
-     * - `client-secret` (Default) Use client id and client secret to authenticate client.
-     * - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = <alg>`
-     * - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extraConfig` with `attributes.x509.subjectdn = <subjectDn>`
-     * - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = <alg>`
-     */
     clientAuthenticatorType?: pulumi.Input<string>;
-    /**
-     * The Client ID for this client, referenced in the URI during authentication and in issued tokens.
-     */
     clientId?: pulumi.Input<string>;
-    /**
-     * Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
-     */
     clientOfflineSessionIdleTimeout?: pulumi.Input<string>;
-    /**
-     * Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
-     */
     clientOfflineSessionMaxLifespan?: pulumi.Input<string>;
-    /**
-     * The secret for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
-     */
     clientSecret?: pulumi.Input<string>;
-    /**
-     * Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
-     */
     clientSessionIdleTimeout?: pulumi.Input<string>;
-    /**
-     * Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
-     */
     clientSessionMaxLifespan?: pulumi.Input<string>;
-    /**
-     * When `true`, users have to consent to client access. Defaults to `false`.
-     */
     consentRequired?: pulumi.Input<boolean>;
-    /**
-     * The text to display on the consent screen about permissions specific to this client. This is applicable only when `displayOnConsentScreen` is `true`.
-     */
     consentScreenText?: pulumi.Input<string>;
-    /**
-     * The description of this client in the GUI.
-     */
     description?: pulumi.Input<string>;
-    /**
-     * When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`.
-     */
     directAccessGrantsEnabled?: pulumi.Input<boolean>;
-    /**
-     * When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consentRequired` is `true`.
-     */
     displayOnConsentScreen?: pulumi.Input<boolean>;
-    /**
-     * When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.
-     */
     enabled?: pulumi.Input<boolean>;
-    /**
-     * When `true`, the parameter `sessionState` will not be included in OpenID Connect Authentication Response.
-     */
     excludeSessionStateFromAuthResponse?: pulumi.Input<boolean>;
     extraConfig?: pulumi.Input<{
         [key: string]: any;
     }>;
-    /**
-     * When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannelLogoutUrl`. Defaults to `false`.
-     */
     frontchannelLogoutEnabled?: pulumi.Input<boolean>;
-    /**
-     * The frontchannel logout url. This is applicable only when `frontchannelLogoutEnabled` is `true`.
-     */
     frontchannelLogoutUrl?: pulumi.Input<string>;
-    /**
-     * Allow to include all roles mappings in the access token.
-     */
     fullScopeAllowed?: pulumi.Input<boolean>;
-    /**
-     * When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`.
-     */
     implicitFlowEnabled?: pulumi.Input<boolean>;
-    /**
-     * When `true`, the client with the specified `clientId` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`.
-     */
     import?: pulumi.Input<boolean>;
-    /**
-     * The client login theme. This will override the default theme for the realm.
-     */
     loginTheme?: pulumi.Input<string>;
-    /**
-     * The display name of this client in the GUI.
-     */
     name?: pulumi.Input<string>;
-    /**
-     * Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
-     */
     oauth2DeviceAuthorizationGrantEnabled?: pulumi.Input<boolean>;
-    /**
-     * The maximum amount of time a client has to finish the device code flow before it expires.
-     */
     oauth2DeviceCodeLifespan?: pulumi.Input<string>;
-    /**
-     * The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
-     */
     oauth2DevicePollingInterval?: pulumi.Input<string>;
-    /**
-     * The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``.
-     */
     pkceCodeChallengeMethod?: pulumi.Input<string>;
-    /**
-     * The realm this client is attached to.
-     */
     realmId?: pulumi.Input<string>;
-    /**
-     * (Computed) When authorization is enabled for this client, this attribute is the unique ID for the client (the same value as the `.id` attribute).
-     */
     resourceServerId?: pulumi.Input<string>;
-    /**
-     * When specified, this URL is prepended to any relative URLs found within `validRedirectUris`, `webOrigins`, and `adminUrl`. NOTE: Due to limitations in the Keycloak API, when the `rootUrl` attribute is used, the `validRedirectUris`, `webOrigins`, and `adminUrl` attributes will be required.
-     */
     rootUrl?: pulumi.Input<string>;
-    /**
-     * (Computed) When service accounts are enabled for this client, this attribute is the unique ID for the Keycloak user that represents this service account.
-     */
     serviceAccountUserId?: pulumi.Input<string>;
-    /**
-     * When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`.
-     */
     serviceAccountsEnabled?: pulumi.Input<boolean>;
-    /**
-     * When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`.
-     */
     standardFlowEnabled?: pulumi.Input<boolean>;
-    /**
-     * If this is `true`, a refreshToken will be created and added to the token response. If this is `false` then no refreshToken will be generated.  Defaults to `true`.
-     */
     useRefreshTokens?: pulumi.Input<boolean>;
-    /**
-     * If this is `true`, a refreshToken will be created and added to the token response if the clientCredentials grant is used and a user session will be created. If this is `false` then no refreshToken will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`.
-     */
     useRefreshTokensClientCredentials?: pulumi.Input<boolean>;
-    /**
-     * A list of valid URIs a browser is permitted to redirect to after a successful logout.
-     */
     validPostLogoutRedirectUris?: pulumi.Input<pulumi.Input<string>[]>;
-    /**
-     * A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple
-     * wildcards in the form of an asterisk can be used here. This attribute must be set if either `standardFlowEnabled` or `implicitFlowEnabled`
-     * is set to `true`.
-     */
     validRedirectUris?: pulumi.Input<pulumi.Input<string>[]>;
-    /**
-     * A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`."
-     */
     webOrigins?: pulumi.Input<pulumi.Input<string>[]>;
 }
 /**
  * The set of arguments for constructing a Client resource.
  */
 export interface ClientArgs {
-    /**
-     * The amount of time in seconds before an access token expires. This will override the default for the realm.
-     */
     accessTokenLifespan?: pulumi.Input<string>;
-    /**
-     * Specifies the type of client, which can be one of the following:
-     */
     accessType: pulumi.Input<string>;
-    /**
-     * URL to the admin interface of the client.
-     */
     adminUrl?: pulumi.Input<string>;
-    /**
-     * Override realm authentication flow bindings
-     */
     authenticationFlowBindingOverrides?: pulumi.Input<inputs.openid.ClientAuthenticationFlowBindingOverrides>;
-    /**
-     * When this block is present, fine-grained authorization will be enabled for this client. The client's `accessType` must be `CONFIDENTIAL`, and `serviceAccountsEnabled` must be `true`. This block has the following arguments:
-     */
     authorization?: pulumi.Input<inputs.openid.ClientAuthorization>;
-    /**
-     * Specifying whether a "revokeOfflineAccess" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
-     */
     backchannelLogoutRevokeOfflineSessions?: pulumi.Input<boolean>;
-    /**
-     * When `true`, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to `true`.
-     */
     backchannelLogoutSessionRequired?: pulumi.Input<boolean>;
-    /**
-     * The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client is this case.
-     */
     backchannelLogoutUrl?: pulumi.Input<string>;
-    /**
-     * Default URL to use when the auth server needs to redirect or link back to the client.
-     */
     baseUrl?: pulumi.Input<string>;
-    /**
-     * Defaults to `client-secret`. The authenticator type for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types:
-     * - `client-secret` (Default) Use client id and client secret to authenticate client.
-     * - `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = <alg>`
-     * - `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extraConfig` with `attributes.x509.subjectdn = <subjectDn>`
-     * - `client-secret-jwt` Use signed JWT with client secret to authenticate client. Set signing algorithm in `extraConfig` with `attributes.token.endpoint.auth.signing.alg = <alg>`
-     */
     clientAuthenticatorType?: pulumi.Input<string>;
-    /**
-     * The Client ID for this client, referenced in the URI during authentication and in issued tokens.
-     */
     clientId: pulumi.Input<string>;
-    /**
-     * Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
-     */
     clientOfflineSessionIdleTimeout?: pulumi.Input<string>;
-    /**
-     * Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
-     */
     clientOfflineSessionMaxLifespan?: pulumi.Input<string>;
-    /**
-     * The secret for clients with an `accessType` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
-     */
     clientSecret?: pulumi.Input<string>;
-    /**
-     * Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
-     */
     clientSessionIdleTimeout?: pulumi.Input<string>;
-    /**
-     * Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
-     */
     clientSessionMaxLifespan?: pulumi.Input<string>;
-    /**
-     * When `true`, users have to consent to client access. Defaults to `false`.
-     */
     consentRequired?: pulumi.Input<boolean>;
-    /**
-     * The text to display on the consent screen about permissions specific to this client. This is applicable only when `displayOnConsentScreen` is `true`.
-     */
     consentScreenText?: pulumi.Input<string>;
-    /**
-     * The description of this client in the GUI.
-     */
     description?: pulumi.Input<string>;
-    /**
-     * When `true`, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to `false`.
-     */
     directAccessGrantsEnabled?: pulumi.Input<boolean>;
-    /**
-     * When `true`, the consent screen will display information about the client itself. Defaults to `false`. This is applicable only when `consentRequired` is `true`.
-     */
     displayOnConsentScreen?: pulumi.Input<boolean>;
-    /**
-     * When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.
-     */
     enabled?: pulumi.Input<boolean>;
-    /**
-     * When `true`, the parameter `sessionState` will not be included in OpenID Connect Authentication Response.
-     */
     excludeSessionStateFromAuthResponse?: pulumi.Input<boolean>;
     extraConfig?: pulumi.Input<{
         [key: string]: any;
     }>;
-    /**
-     * When `true`, frontchannel logout will be enabled for this client. Specify the url with `frontchannelLogoutUrl`. Defaults to `false`.
-     */
     frontchannelLogoutEnabled?: pulumi.Input<boolean>;
-    /**
-     * The frontchannel logout url. This is applicable only when `frontchannelLogoutEnabled` is `true`.
-     */
     frontchannelLogoutUrl?: pulumi.Input<string>;
-    /**
-     * Allow to include all roles mappings in the access token.
-     */
     fullScopeAllowed?: pulumi.Input<boolean>;
-    /**
-     * When `true`, the OAuth2 Implicit Grant will be enabled for this client. Defaults to `false`.
-     */
     implicitFlowEnabled?: pulumi.Input<boolean>;
-    /**
-     * When `true`, the client with the specified `clientId` is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as `account` and `admin-cli`. Note, that the client will not be removed during destruction if `import` is `true`.
-     */
     import?: pulumi.Input<boolean>;
-    /**
-     * The client login theme. This will override the default theme for the realm.
-     */
     loginTheme?: pulumi.Input<string>;
-    /**
-     * The display name of this client in the GUI.
-     */
     name?: pulumi.Input<string>;
-    /**
-     * Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
-     */
     oauth2DeviceAuthorizationGrantEnabled?: pulumi.Input<boolean>;
-    /**
-     * The maximum amount of time a client has to finish the device code flow before it expires.
-     */
     oauth2DeviceCodeLifespan?: pulumi.Input<string>;
-    /**
-     * The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
-     */
     oauth2DevicePollingInterval?: pulumi.Input<string>;
-    /**
-     * The challenge method to use for Proof Key for Code Exchange. Can be either `plain` or `S256` or set to empty value ``.
-     */
     pkceCodeChallengeMethod?: pulumi.Input<string>;
-    /**
-     * The realm this client is attached to.
-     */
     realmId: pulumi.Input<string>;
-    /**
-     * When specified, this URL is prepended to any relative URLs found within `validRedirectUris`, `webOrigins`, and `adminUrl`. NOTE: Due to limitations in the Keycloak API, when the `rootUrl` attribute is used, the `validRedirectUris`, `webOrigins`, and `adminUrl` attributes will be required.
-     */
     rootUrl?: pulumi.Input<string>;
-    /**
-     * When `true`, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to `false`.
-     */
     serviceAccountsEnabled?: pulumi.Input<boolean>;
-    /**
-     * When `true`, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to `false`.
-     */
     standardFlowEnabled?: pulumi.Input<boolean>;
-    /**
-     * If this is `true`, a refreshToken will be created and added to the token response. If this is `false` then no refreshToken will be generated.  Defaults to `true`.
-     */
     useRefreshTokens?: pulumi.Input<boolean>;
-    /**
-     * If this is `true`, a refreshToken will be created and added to the token response if the clientCredentials grant is used and a user session will be created. If this is `false` then no refreshToken will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to `false`.
-     */
     useRefreshTokensClientCredentials?: pulumi.Input<boolean>;
-    /**
-     * A list of valid URIs a browser is permitted to redirect to after a successful logout.
-     */
     validPostLogoutRedirectUris?: pulumi.Input<pulumi.Input<string>[]>;
-    /**
-     * A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple
-     * wildcards in the form of an asterisk can be used here. This attribute must be set if either `standardFlowEnabled` or `implicitFlowEnabled`
-     * is set to `true`.
-     */
     validRedirectUris?: pulumi.Input<pulumi.Input<string>[]>;
-    /**
-     * A list of allowed CORS origins. To permit all valid redirect URIs, add `+`. Note that this will not include the `*` wildcard. To permit all origins, explicitly add `*`."
-     */
     webOrigins?: pulumi.Input<pulumi.Input<string>[]>;
 }