apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterkeycloakrealms.rustcloak.k8s.eboland.de
spec:
group: rustcloak.k8s.eboland.de
names:
categories:
- keycloak
- all
kind: ClusterKeycloakRealm
plural: clusterkeycloakrealms
shortNames:
- ckcrm
singular: clusterkeycloakrealm
scope: Cluster
versions:
- additionalPrinterColumns:
- description: true if the realm is ready
jsonPath: .status.ready
name: Ready
type: boolean
- description: Status String of the resource
jsonPath: .status.status
name: Status
type: string
- description: time since the realm was created
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1beta1
schema:
openAPIV3Schema:
description: resource to define a Realm within a [KeycloakInstance](./keycloakinstance.md)
properties:
spec:
anyOf:
- required:
- instanceRef
- required:
- clusterInstanceRef
description: the KeycloakRealm resource
properties:
clusterInstanceRef:
description: The name of the cluster instance to which this object belongs to.
type: string
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf
definition:
description: |-
RealmRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "accessCodeLifespan": { "title": "Client Login Timeout", "description": "Max time a client has to finish the access token protocol. This should normally be 1 minute.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "accessCodeLifespanLogin": { "title": "Login timeout", "description": "Max time a user has to complete a login. This is recommended to be relatively long, such as 30 minutes or more.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "accessCodeLifespanUserAction": { "title": "Login action timeout", "description": "Max time a user has to complete login related actions like update password or configure totp. This is recommended to be relatively long, such as 5 minutes or more.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "accessTokenLifespan": { "title": "Access Token Lifespan", "description": "Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "accessTokenLifespanForImplicitFlow": { "title": "Access Token Lifespan For Implicit Flow", "description": "Max time before an access token issued during OpenID Connect Implicit Flow is expired. This value is recommended to be shorter than the SSO timeout. 
There is no possibility to refresh token during implicit flow, that's why there is a separate timeout different to 'Access Token Lifespan'.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "accountTheme": { "title": "Account theme", "description": "Select theme for login, OTP, grant, registration and forgot password pages.", "type": "string" }, "actionTokenGeneratedByAdminLifespan": { "title": "Default Admin-Initiated Action Lifespan", "description": "Maximum time before an action permit sent to a user by administrator is expired. This value is recommended to be long to allow administrators to send e-mails for users that are currently offline. The default timeout can be overridden immediately before issuing the token.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "actionTokenGeneratedByUserLifespan": { "title": "User-Initiated Action Lifespan", "description": "Maximum time before an action permit sent by a user (such as a forgot password e-mail) is expired. 
This value is recommended to be short because it's expected that the user would react to self-created action quickly.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "adminEventsDetailsEnabled": { "title": "Include representation", "description": "Include JSON representation for create and update requests.", "type": "boolean" }, "adminEventsEnabled": { "title": "Save events", "description": "If enabled, admin events are saved to the database, which makes events available to the Admin UI.", "type": "boolean" }, "adminPermissionsClient": { "$ref": "#/$defs/ClientRepresentation" }, "adminPermissionsEnabled": { "type": "boolean" }, "adminTheme": { "title": "Admin theme", "type": "string" }, "applicationScopeMappings": { "type": "object", "additionalProperties": { "type": "array", "items": { "$ref": "#/$defs/ScopeMappingRepresentation" } } }, "applications": { "type": "array", "items": { "$ref": "#/$defs/ApplicationRepresentation" } }, "attributes": { "type": "object", "properties": { "adminEventsExpiration": { "title": "Expiration", "description": "Sets the expiration for events. Expired events are periodically deleted from the database.", "type": "string", "pattern": "^[0-9]*$" }, "cibaAuthRequestedUserHint": { "title": "Authentication Requested User Hint", "description": "The way of identifying the end-user for whom authentication is being requested. Currently only \"login_hint\" is supported.", "type": "string", "enum": [ "login_hint" ] }, "cibaBackchannelTokenDeliveryMode": { "title": "Backchannel Token Delivery Mode", "description": "Specifies how the CD (Consumption Device) gets the authentication result and related tokens. 
This mode will be used by default for the CIBA clients, which do not have other mode explicitly set.", "type": "string", "enum": [ "ping", "poll" ] }, "cibaExpiresIn": { "title": "Expires In", "description": "The expiration time of the \"auth_req_id\" in seconds since the authentication request was received.", "type": "string", "pattern": "^[0-9]*$" }, "cibaInterval": { "title": "Interval", "description": "The minimum amount of time in seconds that the CD (Consumption Device) must wait between polling requests to the token endpoint. If set to 0, the CD must use 5 as the default value according to the CIBA specification.", "type": "string", "pattern": "^[0-9]*$" }, "frontendUrl": { "title": "Frontend URL", "description": "Set the frontend URL for the realm. Use in combination with the default hostname provider to override the base URL for frontend requests for a specific realm.", "type": "string" } }, "additionalProperties": { "type": "string" } }, "authenticationFlows": { "type": "array", "items": { "$ref": "#/$defs/AuthenticationFlowRepresentation" } }, "authenticatorConfig": { "type": "array", "items": { "$ref": "#/$defs/AuthenticatorConfigRepresentation" } }, "browserFlow": { "type": "string" }, "browserSecurityHeaders": { "type": "object", "properties": { "contentSecurityPolicy": { "title": "Content-Security-Policy", "description": "Default value prevents pages from being included by non-origin iframes. <1>Learn more</1>", "type": "string" }, "contentSecurityPolicyReportOnly": { "title": "Content-Security-Policy-Report-Only", "description": "For testing Content Security Policies <1>Learn more</1>", "type": "string" }, "strictTransportSecurity": { "title": "HTTP Strict Transport Security (HSTS)", "description": "The Strict-Transport-Security HTTP header tells browsers to always use HTTPS. Once a browser sees this header, it will only visit the site over HTTPS for the time specified (1 year) at max-age, including the subdomains. 
<1>Learn more</1>", "type": "string" }, "xContentTypeOptions": { "title": "X-Content-Type-Options", "description": "The default value prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. <1>Learn more</1>", "type": "string" }, "xFrameOptions": { "title": "X-Frame-Options", "description": "Default value prevents pages from being included by non-origin iframes. <1>Learn more</1>", "type": "string" }, "xRobotsTag": { "title": "X-Robots-Tag", "description": "Prevent pages from appearing in search engines. <1>Learn more</1>", "type": "string" }, "xXSSProtection": { "title": "X-XSS-Protection", "description": "This header configures the Cross-site scripting (XSS) filter in your browser. Using the default behaviour, the browser will prevent rendering of the page when a XSS attack is detected. <1>Learn more</1>", "type": "string" } }, "additionalProperties": false }, "bruteForceDetection": { "title": "Brute force detection" }, "bruteForceProtected": { "type": "boolean" }, "bruteForceStrategy": { "title": "Strategy to increase wait time", "description": "Multiple means wait time will be increased only when number of failures are multiples of '{{failureFactor}}'. 
Linear means each new failure starting at '{{failureFactor}}' will increase wait time.", "$ref": "#/$defs/BruteForceStrategy" }, "certificate": { "type": "string" }, "clientAuthenticationFlow": { "type": "string" }, "clientOfflineSessionIdleTimeout": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "clientOfflineSessionMaxLifespan": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "clientPolicies": { "$ref": "#/$defs/ClientPoliciesRepresentation" }, "clientProfiles": { "$ref": "#/$defs/ClientProfilesRepresentation" }, "clientScopeMappings": { "type": "object", "additionalProperties": { "type": "array", "items": { "$ref": "#/$defs/ScopeMappingRepresentation" } } }, "clientScopes": { "type": "array", "items": { "$ref": "#/$defs/ClientScopeRepresentation" } }, "clientSessionIdleTimeout": { "title": "Client Session Idle", "description": "Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Idle value.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "clientSessionMaxLifespan": { "title": "Client Session Max", "description": "Max time before a client session is expired. Tokens are invalidated when a session is expired. The option does not affect the global user SSO session. 
If not set, it uses the standard SSO Session Max value.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "clientTemplates": { "type": "array", "items": { "$ref": "#/$defs/ClientTemplateRepresentation" } }, "clients": { "type": "array", "items": { "$ref": "#/$defs/ClientRepresentation" } }, "codeSecret": { "type": "string" }, "components": { "$ref": "#/$defs/MultivaluedHashMapStringComponentExportRepresentation" }, "defaultDefaultClientScopes": { "type": "array", "items": { "type": "string" } }, "defaultGroups": { "type": "array", "items": { "type": "string" } }, "defaultLocale": { "title": "Default locale", "type": "string" }, "defaultOptionalClientScopes": { "type": "array", "items": { "type": "string" } }, "defaultRole": { "$ref": "#/$defs/RoleRepresentation" }, "defaultRoles": { "type": "array", "items": { "type": "string" } }, "defaultSignatureAlgorithm": { "title": "Default Signature Algorithm", "description": "Default algorithm used to sign tokens for the realm", "type": "string", "enum": [ "EdDSA", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS384", "RS512" ] }, "directGrantFlow": { "type": "string" }, "displayName": { "title": "Display name", "type": "string" }, "displayNameHtml": { "title": "HTML Display name", "type": "string" }, "dockerAuthenticationFlow": { "type": "string" }, "duplicateEmailsAllowed": { "title": "Duplicate emails", "description": "Allow multiple users to have the same email address. Changing this setting will also clear the user's cache. 
It is recommended to manually update email constraints of existing users in the database after switching off support for duplicate email addresses.", "type": "boolean" }, "editUsernameAllowed": { "title": "Edit username", "description": "If enabled, the username field is editable, readonly otherwise.", "type": "boolean" }, "emailTheme": { "title": "Email theme", "description": "Select a theme for emails that are sent by the server.", "type": "string" }, "enabled": { "type": "boolean" }, "enabledEventTypes": { "type": "array", "items": { "type": "string" } }, "eventsEnabled": { "title": "Save events", "description": "If enabled, user events are saved to the database, which makes events available to the admin and account management UIs.", "type": "boolean" }, "eventsExpiration": { "title": "Expiration", "description": "Sets the expiration for events. Expired events are periodically deleted from the database.", "type": "integer", "format": "int64", "maximum": 9.223372036854776e18, "minimum": -9.223372036854776e18 }, "eventsListeners": { "title": "Event listeners", "description": "Configure what listeners receive events for the realm.", "type": "array", "items": { "type": "string" } }, "failureFactor": { "title": "Max login failures", "description": "Max login failures", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "federatedUsers": { "type": "array", "items": { "$ref": "#/$defs/UserRepresentation" } }, "firstBrokerLoginFlow": { "type": "string" }, "groups": { "type": "array", "items": { "$ref": "#/$defs/GroupRepresentation" } }, "id": { "type": "string" }, "identityProviderMappers": { "type": "array", "items": { "$ref": "#/$defs/IdentityProviderMapperRepresentation" } }, "identityProviders": { "type": "array", "items": { "$ref": "#/$defs/IdentityProviderRepresentation" } }, "internationalizationEnabled": { "title": "Internationalization", "description": "If enabled, you can choose which locales you support for this realm 
and which locale is the default.", "type": "boolean" }, "keycloakVersion": { "type": "string" }, "localizationTexts": { "type": "object", "additionalProperties": { "type": "object", "additionalProperties": { "type": "string" } } }, "loginTheme": { "title": "Login theme", "description": "Select theme for login, OTP, grant, registration and forgot password pages.", "type": "string" }, "loginWithEmailAllowed": { "title": "Login with email", "description": "Allow users to log in with their email address.", "type": "boolean" }, "maxDeltaTimeSeconds": { "title": "Failure reset time", "description": "When will failure count be reset?", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "maxFailureWaitSeconds": { "title": "Max wait", "description": "Max time a user will be locked out.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "maxTemporaryLockouts": { "title": "Maximum temporary lockouts", "description": "The number of temporary lockouts permitted before the user is permanently locked out.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "minimumQuickLoginWaitSeconds": { "title": "Minimum quick login wait", "description": "How long to wait after a quick login failure.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "notBefore": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "oAuth2DeviceCodeLifespan": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "oAuth2DevicePollingInterval": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "oauth2DeviceCodeLifespan": { "title": "OAuth 2.0 Device Code Lifespan", "description": "Max time before the device code and user code are expired. 
This value needs to be a long enough lifetime to be usable (allowing the user to retrieve their secondary device, navigate to the verification URI, login, etc.), but should be sufficiently short to limit the usability of a code obtained for phishing.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "oauth2DevicePollingInterval": { "title": "OAuth 2.0 Device Polling Interval", "description": "The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "oauthClients": { "type": "array", "items": { "$ref": "#/$defs/OAuthClientRepresentation" } }, "offlineSessionIdleTimeout": { "title": "Offline Session Idle", "description": "Time an offline session is allowed to be idle before it expires. You need to use offline token to refresh at least once within this period; otherwise offline session will expire.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "offlineSessionMaxLifespan": { "title": "Offline Session Max", "description": "Max time before an offline session is expired regardless of activity.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "offlineSessionMaxLifespanEnabled": { "title": "Offline Session Max Limited", "description": "Enable offline session maximum lifetime", "type": "boolean" }, "organizations": { "type": "array", "items": { "$ref": "#/$defs/OrganizationRepresentation" } }, "organizationsEnabled": { "type": "boolean" }, "otpPolicyAlgorithm": { "title": "OTP hash algorithm", "description": "What hashing algorithm should be used to generate the OTP.", "type": "string" }, "otpPolicyCodeReusable": { "title": "Reusable token", "description": "Possibility to use the same OTP code again after successful authentication.", "type": "boolean" }, "otpPolicyDigits": { "title": "Number of 
digits", "description": "How many digits should the OTP have?", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "otpPolicyInitialCounter": { "title": "Initial counter", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "otpPolicyLookAheadWindow": { "title": "Look around window", "description": "How far around (extra token periods or counts) should the server look just in case the token generator and server are out of time sync or counter sync?", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "otpPolicyPeriod": { "title": "OTP Token period", "description": "How many seconds should an OTP token be valid? Defaults to 30 seconds.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "otpPolicyType": { "title": "OTP type", "description": "totp is Time-Based One Time Password. 'hotp' is a counter base one time password in which the server keeps a counter to hash against.", "type": "string", "enum": [ "totp", "hotp" ] }, "otpSupportedApplications": { "type": "array", "items": { "type": "string" } }, "passwordCredentialGrantAllowed": { "type": "boolean" }, "passwordPolicy": { "type": "string" }, "permanentLockout": { "title": "Permanent lockout", "type": "boolean" }, "privateKey": { "type": "string" }, "protocolMappers": { "type": "array", "items": { "$ref": "#/$defs/ProtocolMapperRepresentation" } }, "publicKey": { "type": "string" }, "quickLoginCheckMilliSeconds": { "title": "Quick login check milliseconds", "description": "If a failure happens concurrently too quickly, lock out the user.", "type": "integer", "format": "int64", "maximum": 9.223372036854776e18, "minimum": -9.223372036854776e18 }, "realm": { "title": "Realm ID", "type": "string" }, "realmCacheEnabled": { "type": "boolean" }, "refreshTokenMaxReuse": { "title": "Refresh Token Max Reuse", "description": "Maximum number of times a refresh token 
can be reused. When a different token is used, revocation is immediate.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "registrationAllowed": { "title": "User registration", "description": "Enable/disable the registration page. A link for registration will show on login page too.", "type": "boolean" }, "registrationEmailAsUsername": { "title": "Email as username", "description": "Allow users to set email as username.", "type": "boolean" }, "registrationFlow": { "type": "string" }, "rememberMe": { "title": "Remember me", "description": "Show checkbox on login page to allow user to remain logged in between browser restarts until session expires.", "type": "boolean" }, "requiredActions": { "type": "array", "items": { "$ref": "#/$defs/RequiredActionProviderRepresentation" } }, "requiredCredentials": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "resetCredentialsFlow": { "type": "string" }, "resetPasswordAllowed": { "title": "Specifies independent timeout for forgot password.", "description": "Show a link on login page for user to click when they have forgotten their credentials.", "type": "boolean" }, "revokeRefreshToken": { "title": "Revoke Refresh Token", "description": "If enabled a refresh token can only be used up to 'Refresh Token Max Reuse' and is revoked when a different token is used. 
Otherwise refresh tokens are not revoked when used and can be used multiple times.", "type": "boolean" }, "roles": { "$ref": "#/$defs/RolesRepresentation" }, "scopeMappings": { "type": "array", "items": { "$ref": "#/$defs/ScopeMappingRepresentation" } }, "smtpServer": { "type": "object", "properties": { "auth": { "title": "Authentication", "type": "string", "enum": [ "true", "false", "" ] }, "envelopeFrom": { "title": "Envelope from", "description": "An email address used for bounces (optional).", "type": "string" }, "from": { "title": "From", "type": "string" }, "fromDisplayName": { "title": "From display name", "description": "A user-friendly name for the 'From' address (optional).", "type": "string" }, "host": { "title": "Host", "type": "string" }, "password": { "title": "Password", "description": "SMTP password. This field is able to obtain its value from vault, use ${vault.ID} format.", "type": "string" }, "port": { "title": "Port", "type": "string" }, "replyTo": { "title": "Reply to", "type": "string" }, "replyToDisplayName": { "title": "Reply to display name", "description": "A user-friendly name for the 'Reply-To' address (optional).", "type": "string" }, "ssl": { "title": "Enable SSL", "type": "string", "enum": [ "true", "false", "" ] }, "starttls": { "title": "Enable StartTLS", "type": "string", "enum": [ "true", "false", "" ] }, "user": { "title": "Username", "type": "string" } }, "additionalProperties": false }, "social": { "type": "boolean" }, "socialProviders": { "type": "object", "additionalProperties": { "type": "string" } }, "sslRequired": { "title": "Require SSL", "description": "Is HTTPS required? 'None' means HTTPS is not required for any client IP address. 'External requests' means localhost and private IP addresses can access without HTTPS. 
'All requests' means HTTPS is required for all IP addresses.", "type": "string", "enum": [ "all", "external", "none" ] }, "ssoSessionIdleTimeout": { "title": "SSO Session Idle", "description": "Time a session is allowed to be idle before it expires. Tokens and browser sessions are invalidated when a session is expired.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "ssoSessionIdleTimeoutRememberMe": { "title": "SSO Session Idle Remember Me", "description": "Time a remember me session is allowed to be idle before it expires. Tokens and browser sessions are invalidated when a session is expired. If not set it uses the standard SSO Session Idle value.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "ssoSessionMaxLifespan": { "title": "SSO Session Max", "description": "Max time before a session is expired. Tokens and browser sessions are invalidated when a session is expired.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "ssoSessionMaxLifespanRememberMe": { "title": "SSO Session Max Remember Me", "description": "Max time before a session is expired when a user has set the remember me option. Tokens and browser sessions are invalidated when a session is expired. 
If not set it uses the standard SSO Session Max value.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "supportedLocales": { "title": "Supported locales", "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "updateProfileOnInitialSocialLogin": { "type": "boolean" }, "userCacheEnabled": { "type": "boolean" }, "userFederationMappers": { "type": "array", "items": { "$ref": "#/$defs/UserFederationMapperRepresentation" } }, "userFederationProviders": { "type": "array", "items": { "$ref": "#/$defs/UserFederationProviderRepresentation" } }, "userManagedAccessAllowed": { "title": "User-managed access", "description": "If enabled, users are allowed to manage their resources and permissions using the Account Management UI.", "type": "boolean" }, "users": { "type": "array", "items": { "$ref": "#/$defs/UserRepresentation" } }, "verifiableCredentialsEnabled": { "type": "boolean" }, "verifyEmail": { "title": "Verify email", "description": "Require user to verify their email address after initial login or after address changes are submitted.", "type": "boolean" }, "waitIncrementSeconds": { "title": "Wait increment", "description": "When failure threshold has been met, how much time should the user be locked out?", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "webAuthnPolicyAcceptableAaguids": { "title": "Acceptable AAGUIDs", "description": "The list of allowed AAGUIDs of which an authenticator can be registered. 
An AAGUID is a 128-bit identifier indicating the authenticator's type (e.g., make and model).", "type": "array", "items": { "type": "string" } }, "webAuthnPolicyAttestationConveyancePreference": { "title": "Attestation conveyance preference", "description": "Communicates to an authenticator the preference of how to generate an attestation statement.", "type": "string", "enum": [ "not specified", "none", "indirect", "direct" ] }, "webAuthnPolicyAuthenticatorAttachment": { "title": "Authenticator Attachment", "description": "Communicates to an authenticator an acceptable attachment pattern.", "type": "string", "enum": [ "not specified", "platform", "cross-platform" ] }, "webAuthnPolicyAvoidSameAuthenticatorRegister": { "title": "Avoid same authenticator registration", "description": "Avoid registering an authenticator that has already been registered.", "type": "boolean" }, "webAuthnPolicyCreateTimeout": { "title": "Timeout", "description": "The timeout value for creating the user's public key credential in seconds. If set to 0, this timeout option is not adapted.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "webAuthnPolicyExtraOrigins": { "type": "array", "items": { "type": "string" } }, "webAuthnPolicyPasswordlessAcceptableAaguids": { "title": "Acceptable AAGUIDs", "description": "The list of allowed AAGUIDs of which an authenticator can be registered. 
An AAGUID is a 128-bit identifier indicating the authenticator's type (e.g., make and model).", "type": "array", "items": { "type": "string" } }, "webAuthnPolicyPasswordlessAttestationConveyancePreference": { "title": "Attestation conveyance preference", "description": "Communicates to an authenticator the preference of how to generate an attestation statement.", "type": "string", "enum": [ "not specified", "none", "indirect", "direct" ] }, "webAuthnPolicyPasswordlessAuthenticatorAttachment": { "title": "Authenticator Attachment", "description": "Communicates to an authenticator an acceptable attachment pattern.", "type": "string", "enum": [ "not specified", "platform", "cross-platform" ] }, "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": { "title": "Avoid same authenticator registration", "description": "Avoid registering an authenticator that has already been registered.", "type": "boolean" }, "webAuthnPolicyPasswordlessCreateTimeout": { "title": "Timeout", "description": "The timeout value for creating the user's public key credential in seconds. If set to 0, this timeout option is not adapted.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "webAuthnPolicyPasswordlessExtraOrigins": { "type": "array", "items": { "type": "string" } }, "webAuthnPolicyPasswordlessRequireResidentKey": { "title": "Require discoverable credential", "description": "It tells an authenticator whether to create a public key credential as a Discoverable Credential.", "type": "string", "enum": [ "not specified", "Yes", "No" ] }, "webAuthnPolicyPasswordlessRpEntityName": { "title": "Relying party entity name", "description": "Human-readable server name as WebAuthn Relying Party", "type": "string" }, "webAuthnPolicyPasswordlessRpId": { "title": "Relying party ID", "description": "The WebAuthn Relying Party ID (RpID). It must be the origin's effective domain, e.g. 
'company.com' or 'auth.company.com'.", "type": "string" }, "webAuthnPolicyPasswordlessSignatureAlgorithms": { "title": "Signature algorithms", "description": "The signature algorithms that should be used for the Authentication Assertion.", "type": "array", "items": { "type": "string", "enum": [ "Ed25519", "ES256", "ES384", "ES512", "RS256", "RS384", "RS512", "RS1" ] } }, "webAuthnPolicyPasswordlessUserVerificationRequirement": { "title": "User verification requirement", "description": "Communicates to an authenticator whether to require to verify a user.", "type": "string", "enum": [ "not specified", "required", "preferred", "discouraged" ] }, "webAuthnPolicyRequireResidentKey": { "title": "Require discoverable credential", "description": "It tells an authenticator whether to create a public key credential as a Discoverable Credential.", "type": "string", "enum": [ "not specified", "Yes", "No" ] }, "webAuthnPolicyRpEntityName": { "title": "Relying party entity name", "description": "Human-readable server name as WebAuthn Relying Party", "type": "string" }, "webAuthnPolicyRpId": { "title": "Relying party ID", "description": "The WebAuthn Relying Party ID (RpID). It must be the origin's effective domain, e.g. 'company.com' or 'auth.company.com'.", "type": "string" }, "webAuthnPolicySignatureAlgorithms": { "title": "Signature algorithms", "description": "The signature algorithms that should be used for the Authentication Assertion.", "type": "array", "items": { "type": "string", "enum": [ "Ed25519", "ES256", "ES384", "ES512", "RS256", "RS384", "RS512", "RS1" ] } }, "webAuthnPolicyUserVerificationRequirement": { "title": "User verification requirement", "description": "Communicates to an authenticator whether to require to verify a user.", "type": "string", "enum": [ "not specified", "required", "preferred", "discouraged" ] } }, "additionalProperties": false } ``` </details>
properties:
                  # --- Realm token / timeout knobs -------------------------------------------
                  # Every "Max time" value below is an int32 with no `minimum` declared in this
                  # CRD, so zero or negative values pass admission unchecked. Units are not
                  # stated in the schema (presumably seconds, as in the Keycloak admin API --
                  # confirm before relying on it).
                  # Authorization-code exchange window; the description's guidance is ~1 minute.
                  accessCodeLifespan:
                    description: Max time a client has to finish the access token protocol. This should normally be 1 minute.
                    format: int32
                    nullable: true
                    type: integer
                  # Deadline for the user to complete a login; intentionally long per description.
                  accessCodeLifespanLogin:
                    description: Max time a user has to complete a login. This is recommended to be relatively long, such as 30 minutes or more.
                    format: int32
                    nullable: true
                    type: integer
                  # Deadline for required actions such as password update or TOTP setup.
                  accessCodeLifespanUserAction:
                    description: Max time a user has to complete login related actions like update password or configure totp. This is recommended to be relatively long, such as 5 minutes or more.
                    format: int32
                    nullable: true
                    type: integer
                  # Bearer access-token TTL; keep it short relative to the SSO session (description).
                  accessTokenLifespan:
                    description: Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout.
                    format: int32
                    nullable: true
                    type: integer
                  # Implicit-flow tokens cannot be refreshed (see description), so this TTL is the
                  # entire window in which a leaked token stays usable -- keep it short.
                  accessTokenLifespanForImplicitFlow:
                    description: Max time before an access token issued during OpenID Connect Implicit Flow is expired. This value is recommended to be shorter than the SSO timeout. There is no possibility to refresh token during implicit flow, that's why there is a separate timeout different to 'Access Token Lifespan'.
                    format: int32
                    nullable: true
                    type: integer
                  # NOTE(review): the description reads like the *login* theme's help text;
                  # confirm this key really selects the account-console theme.
                  accountTheme:
                    description: Select theme for login, OTP, grant, registration and forgot password pages.
                    nullable: true
                    type: string
                  # Lifetime of admin-issued action links (e.g. e-mail to an offline user); long by
                  # design, and the description notes it can be overridden per issued token.
                  actionTokenGeneratedByAdminLifespan:
                    description: Maximum time before an action permit sent to a user by administrator is expired. This value is recommended to be long to allow administrators to send e-mails for users that are currently offline. The default timeout can be overridden immediately before issuing the token.
                    format: int32
                    nullable: true
                    type: integer
                  # Lifetime of self-service action links (e.g. forgot-password e-mail); keep short.
                  actionTokenGeneratedByUserLifespan:
                    description: Maximum time before an action permit sent by a user (such as a forgot password e-mail) is expired. This value is recommended to be short because it's expected that the user would react to self-created action quickly.
                    format: int32
                    nullable: true
                    type: integer
                  # Persists the JSON body of admin create/update requests with each admin event.
                  # Those bodies may carry sensitive fields, so weigh retention and who can read
                  # the events before enabling.
                  adminEventsDetailsEnabled:
                    description: Include JSON representation for create and update requests.
                    nullable: true
                    type: boolean
                  # Audit trail of administrative operations stored in the DB (description);
                  # useful for detection and forensics of realm/client configuration changes.
                  adminEventsEnabled:
                    description: If enabled, admin events are saved to the database, which makes events available to the Admin UI.
                    nullable: true
                    type: boolean
adminPermissionsClient:
description: |-
ClientRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "access": { "type": "object", "additionalProperties": { "type": "boolean" } }, "adminUrl": { "title": "Admin URL", "description": "URL to the admin interface of the client. Set this if the client supports the adapter REST API. This REST API allows the auth server to push revocation policies and other administrative tasks. Usually this is set to the base URL of the client.", "type": "string" }, "alwaysDisplayInConsole": { "title": "Always display in UI", "description": "Always list this client in the Account UI, even if the user does not have an active session.", "type": "boolean" }, "attributes": { "type": "object", "properties": { "access.token.lifespan": { "title": "Access Token Lifespan", "description": "Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout.", "type": "string", "pattern": "^[0-9]*$" }, "access.token.signed.response.alg": { "title": "Access token signature algorithm", "description": "JWA algorithm used for signing access tokens.", "type": "string" }, "authorization.encrypted.response.alg": { "title": "Authorization response encryption key management algorithm", "description": "JWA Algorithm used for key management in encrypting the authorization response when the response mode is jwt. This option is needed if you want encrypted authorization response. If left empty, the authorization response is just signed, but not encrypted.", "type": "string" }, "authorization.encrypted.response.enc": { "title": "Authorization response encryption content encryption algorithm", "description": "JWA Algorithm used for content encryption in encrypting the authorization response when the response mode is jwt. This option is needed if you want encrypted authorization response. 
If left empty, the authorization response is just signed, but not encrypted.", "type": "string" }, "authorization.signed.response.alg": { "title": "Authorization response signature algorithm", "description": "JWA algorithm used for signing authorization response tokens when the response mode is jwt.", "type": "string" }, "client.offline.session.idle.timeout": { "title": "Client Offline Session Idle", "description": "Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. The option does not affect the global user SSO session. If not set, it uses the realm Offline Session Idle value.", "type": "string", "pattern": "^[0-9]*$" }, "client.offline.session.max.lifespan": { "title": "Client Offline Session Max", "description": "Max time before a client offline session is expired. If Offline Session Max Limited is enabled at realm level, offline tokens are invalidated when a client offline session is expired. The option does not affect the global user SSO session. If not set, it uses the realm Offline Session Max value.", "type": "string", "pattern": "^[0-9]*$" }, "client.session.idle.timeout": { "title": "Client Session Idle", "description": "Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Idle value.", "type": "string", "pattern": "^[0-9]*$" }, "client.session.max.lifespan": { "title": "Client Session Max", "description": "Max time before a client session is expired. Tokens are invalidated when a session is expired. The option does not affect the global user SSO session. 
If not set, it uses the standard SSO Session Max value.", "type": "string", "pattern": "^[0-9]*$" }, "client_credentials.use_refresh_token": { "title": "Use refresh tokens for client credentials grant", "description": "If this is on, a refresh_token will be created and added to the token response if the client_credentials grant is used. The OAuth 2.0 RFC6749 Section 4.4.3 states that a refresh_token should not be generated when client_credentials grant is used. If this is off then no refresh_token will be generated and the associated user session will be removed.", "type": "string", "enum": [ "true", "false", "" ] }, "exclude.session.state.from.auth.response": { "title": "Exclude Session State From Authentication Response", "description": "If this is on, the parameter 'session_state' will not be included in OpenID Connect Authentication Response. It is useful if the client uses an older OIDC / OAuth2 adapter, which does not support the 'session_state' parameter.", "type": "string", "enum": [ "true", "false", "" ] }, "id.token.encrypted.response.alg": { "title": "ID token encryption key management algorithm", "description": "JWA Algorithm used for key management in encrypting ID tokens. This option is needed if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted.", "type": "string" }, "id.token.encrypted.response.enc": { "title": "ID token encryption content encryption algorithm", "description": "JWA Algorithm used for content encryption in encrypting ID tokens. This option is needed just if you want encrypted ID tokens. 
If left empty, ID Tokens are just signed, but not encrypted.", "type": "string" }, "id.token.signed.response.alg": { "title": "ID token signature algorithm", "description": "JWA algorithm used for signing ID tokens.", "type": "string" }, "logoUri": { "title": "Logo URL", "description": "URL that references a logo for the Client application", "type": "string" }, "pkce.code.challenge.method": { "title": "Proof Key for Code Exchange Code Challenge Method", "description": "Choose which code challenge method for PKCE is used. If not specified, keycloak does not applies PKCE to a client unless the client sends an authorization request with appropriate code challenge and code exchange method.", "type": "string" }, "policyUri": { "title": "Policy URL", "description": "URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used", "type": "string" }, "post.logout.redirect.uris": { "title": "Valid post logout redirect URIs", "description": "Valid URI pattern a browser can redirect to after a successful login. Simple wildcards are allowed such as 'http://example.com/*'. Relative path can be specified too such as /my/relative/path/*. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request.", "type": "string" }, "request.object.encryption.alg": { "title": "Request object encryption algorithm", "description": "JWE algorithm, which client needs to use when sending OIDC request object specified by 'request' or 'request_uri' parameters. 
If set to 'any', encryption is optional and any algorithm is allowed.", "type": "string" }, "request.object.encryption.enc": { "title": "Request object content encryption algorithm", "description": "JWE algorithm, which client needs to use when encrypting the content of the OIDC request object specified by 'request' or 'request_uri' parameters. If set to 'any', any algorithm is allowed.", "type": "string" }, "request.object.required": { "title": "Request object required", "description": "Specifies if the client needs to provide a request object with their authorization requests, and what method they can use for this. If set to \"not required\", providing a request object is optional. In all other cases, providing a request object is mandatory. If set to \"request\", the request object must be provided by value. If set to \"request_uri\", the request object must be provided by reference. If set to \"request or request_uri\", either method can be used.", "type": "string" }, "request.object.signature.alg": { "title": "Request object signature algorithm", "description": "JWA algorithm, which client needs to use when sending OIDC request object specified by 'request' or 'request_uri' parameters. 
If set to 'any', Request object can be signed by any algorithm (including 'none' ).", "type": "string" }, "require.pushed.authorization.requests": { "title": "Pushed authorization request required", "description": "Boolean parameter indicating whether the authorization server accepts authorization request data only via the pushed authorization request method.", "type": "string", "enum": [ "true", "false", "" ] }, "tls.client.certificate.bound.access.tokens": { "title": "OAuth 2.0 Mutual TLS Certificate Bound Access Tokens Enabled", "description": "This enables support for OAuth 2.0 Mutual TLS Certificate Bound Access Tokens, which means that keycloak bind an access token and a refresh token with a X.509 certificate of a token requesting client exchanged in mutual TLS between keycloak's Token Endpoint and this client. These tokens can be treated as Holder-of-Key tokens instead of bearer tokens.", "type": "string", "enum": [ "true", "false", "" ] }, "token.endpoint.auth.signing.alg": { "title": "Signature algorithm", "description": "The signature algorithm to use to sign documents. Note that 'SHA1' based algorithms are deprecated and can be removed in the future. It is recommended to stick to some more secure algorithm instead of '*_SHA1'.", "type": "string" }, "token.response.type.bearer.lower-case": { "title": "Use lower-case bearer type in token responses", "description": "If this is on, token responses will be set the with the type \"bearer\" in lower-case. By default, the server sets the type as \"Bearer\" as defined by RFC6750.", "type": "string", "enum": [ "true", "false", "" ] }, "tosUri": { "title": "Terms of service URL", "description": "URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service", "type": "string" }, "use.refresh.tokens": { "title": "Use refresh tokens", "description": "If this is on, a refresh_token will be created and added to the token response. 
If this is off then no refresh_token will be generated.", "type": "string", "enum": [ "true", "false", "" ] }, "user.info.encrypted.response.alg": { "title": "User info response encryption key management algorithm", "description": "JWA Algorithm used for key management in encrypting User Info Endpoint responses. This option is needed if you want encrypted User Info Endpoint responses. If left empty, User Info Endpoint responses are not encrypted.", "type": "string" }, "user.info.encrypted.response.enc": { "title": "User info response encryption content encryption algorithm", "description": "JWA Algorithm used for content encryption in encrypting User Info Endpoint responses. If User Info response encryption key management algorithm is specified, the default for this value is A128CBC-HS256.", "type": "string" }, "user.info.response.signature.alg": { "title": "User info signed response algorithm", "description": "JWA algorithm used for signed User Info Endpoint response. If set to 'unsigned', User Info Response won't be signed and will be returned in application/json format.", "type": "string" }, "x509.allow.regex.pattern.comparison": { "title": "Allow regex pattern comparison", "description": "If OFF, then the Subject DN from given client certificate must exactly match the given DN from the 'Subject DN' property as described in the RFC8705 specification. The Subject DN can be in the RFC4514 or RFC1779 format. If ON, then the Subject DN from given client certificate should match regex specified by 'Subject DN' property.", "type": "string", "enum": [ "true", "false", "" ] }, "x509.subjectdn": { "title": "Subject DN", "description": "A regular expression for validating Subject DN in the Client Certificate. 
Use \"(.*?)(?:$)\" to match all kind of expressions.", "type": "string" } }, "additionalProperties": { "type": "string" } }, "authenticationFlowBindingOverrides": { "title": "Authentication flow overrides", "type": "object", "properties": { "browser": { "title": "Browser Flow", "description": "Select the flow you want to use for browser authentication.", "type": "string" }, "direct_grant": { "title": "Direct Grant Flow", "description": "Select the flow you want to use for direct grant authentication.", "type": "string" } }, "additionalProperties": { "type": "string" } }, "authorizationServicesEnabled": { "title": "Authorization", "description": "Enable/Disable fine-grained authorization support for a client.", "type": "boolean" }, "authorizationSettings": { "$ref": "#/$defs/ResourceServerRepresentation" }, "baseUrl": { "title": "Home URL", "description": "Default URL to use when the auth server needs to redirect or link back to the client.", "type": "string" }, "bearerOnly": { "description": "This is a special OIDC type. 
This client only allows bearer token requests and cannot participate in browser logins.", "type": "boolean" }, "clientAuthenticatorType": { "title": "Client Authenticator", "description": "Client Authenticator used for authentication of this client against Keycloak server", "type": "string", "enum": [ "client-jwt", "client-secret", "client-secret-jwt", "client-x509" ] }, "clientId": { "title": "Client ID", "description": "The client identifier registered with the identity provider.", "type": "string" }, "clientTemplate": { "type": "string" }, "consentRequired": { "title": "Consent required", "description": "If enabled, users have to consent to client access.", "type": "boolean" }, "defaultClientScopes": { "type": "array", "items": { "type": "string" } }, "defaultRoles": { "type": "array", "items": { "type": "string" } }, "description": { "title": "Description", "description": "Help text for the description of the new flow", "type": "string" }, "directAccessGrantsEnabled": { "title": "Direct access grants", "description": "This enables support for Direct Access Grants, which means that client has access to username/password of user and exchange it directly with Keycloak server for access token. In terms of OAuth2 specification, this enables support of 'Resource Owner Password Credentials Grant' for this client.", "type": "boolean" }, "directGrantsOnly": { "type": "boolean" }, "enabled": { "title": "Enabled", "description": "Disabled clients cannot initiate a login or have obtained access tokens.", "type": "boolean" }, "frontchannelLogout": { "title": "Front channel logout", "description": "When true, logout requires a browser redirect to client. 
When false, server performs a background invocation for logout.", "type": "boolean" }, "fullScopeAllowed": { "title": "Full scope allowed", "description": "Allows you to disable all restrictions.", "type": "boolean" }, "id": { "type": "string" }, "implicitFlowEnabled": { "title": "Implicit flow", "description": "This enables support for OpenID Connect redirect based authentication without authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Implicit Flow' for this client.", "type": "boolean" }, "name": { "title": "Name", "description": "Specifies display name of the client. For example 'My Client'. Supports keys for localized values as well. For example: ${my_client}.", "type": "string" }, "nodeReRegistrationTimeout": { "title": "Node Re-registration timeout", "description": "Interval to specify max time for registered clients cluster nodes to re-register. If cluster node will not send re-registration request to Keycloak within this time, it will be unregistered from Keycloak.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "notBefore": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "optionalClientScopes": { "type": "array", "items": { "type": "string" } }, "origin": { "type": "string" }, "protocol": { "title": "Protocol", "type": "string" }, "protocolMappers": { "type": "array", "items": { "$ref": "#/$defs/ProtocolMapperRepresentation" } }, "publicClient": { "title": "Client authentication", "description": "This defines the type of the OIDC client. When it's ON, the OIDC type is set to confidential access type. When it's OFF, it is set to public access type.", "type": "boolean" }, "redirectUris": { "title": "Valid redirect URIs", "description": "Valid URI pattern a browser can redirect to after a successful login. Simple wildcards are allowed such as 'http://example.com/*'. 
Relative path can be specified too such as /my/relative/path/*. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request.", "type": "array", "items": { "type": "string" } }, "registeredNodes": { "type": "object", "additionalProperties": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 } }, "registrationAccessToken": { "title": "Registration access token", "description": "The registration access token provides access for clients to the client registration service.", "type": "string" }, "rootUrl": { "title": "Root URL", "description": "Root URL appended to relative URLs", "type": "string" }, "secret": { "title": "Client Secret", "type": "string" }, "serviceAccountsEnabled": { "title": "Service accounts roles", "description": "Allows you to authenticate this client to Keycloak and retrieve access token dedicated to this client. In terms of OAuth2 specification, this enables support of 'Client Credentials Grant' for this client.", "type": "boolean" }, "standardFlowEnabled": { "title": "Standard flow", "description": "This enables standard OpenID Connect redirect based authentication with authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Authorization Code Flow' for this client.", "type": "boolean" }, "surrogateAuthRequired": { "type": "boolean" }, "type": { "type": "string" }, "useTemplateConfig": { "type": "boolean" }, "useTemplateMappers": { "type": "boolean" }, "useTemplateScope": { "type": "boolean" }, "webOrigins": { "title": "Web origins", "description": "Allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does not include the '*' wildcard though. 
To permit all origins, explicitly add '*'.", "type": "array", "items": { "type": "string" } } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
                      # Map of boolean flags keyed by name; the schema gives no key semantics.
                      # Presumably populated by Keycloak rather than set from the CR -- confirm.
                      access:
                        additionalProperties:
                          type: boolean
                        type: object
                      # Keycloak itself calls this URL (revocation pushes, per the description): it
                      # is a server-side outbound target, so only trusted principals should be able
                      # to set it, and it should point at an https endpoint the client controls.
                      adminUrl:
                        description: URL to the admin interface of the client. Set this if the client supports the adapter REST API. This REST API allows the auth server to push revocation policies and other administrative tasks. Usually this is set to the base URL of the client.
                        nullable: true
                        type: string
                      # Controls listing in the Account UI only, per the description.
                      alwaysDisplayInConsole:
                        description: Always list this client in the Account UI, even if the user does not have an active session.
                        nullable: true
                        type: boolean
attributes:
description: |-
ClientRepresentationAttributes
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "access.token.lifespan": { "title": "Access Token Lifespan", "description": "Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout.", "type": "string", "pattern": "^[0-9]*$" }, "access.token.signed.response.alg": { "title": "Access token signature algorithm", "description": "JWA algorithm used for signing access tokens.", "type": "string" }, "authorization.encrypted.response.alg": { "title": "Authorization response encryption key management algorithm", "description": "JWA Algorithm used for key management in encrypting the authorization response when the response mode is jwt. This option is needed if you want encrypted authorization response. If left empty, the authorization response is just signed, but not encrypted.", "type": "string" }, "authorization.encrypted.response.enc": { "title": "Authorization response encryption content encryption algorithm", "description": "JWA Algorithm used for content encryption in encrypting the authorization response when the response mode is jwt. This option is needed if you want encrypted authorization response. If left empty, the authorization response is just signed, but not encrypted.", "type": "string" }, "authorization.signed.response.alg": { "title": "Authorization response signature algorithm", "description": "JWA algorithm used for signing authorization response tokens when the response mode is jwt.", "type": "string" }, "client.offline.session.idle.timeout": { "title": "Client Offline Session Idle", "description": "Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. The option does not affect the global user SSO session. 
If not set, it uses the realm Offline Session Idle value.", "type": "string", "pattern": "^[0-9]*$" }, "client.offline.session.max.lifespan": { "title": "Client Offline Session Max", "description": "Max time before a client offline session is expired. If Offline Session Max Limited is enabled at realm level, offline tokens are invalidated when a client offline session is expired. The option does not affect the global user SSO session. If not set, it uses the realm Offline Session Max value.", "type": "string", "pattern": "^[0-9]*$" }, "client.session.idle.timeout": { "title": "Client Session Idle", "description": "Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Idle value.", "type": "string", "pattern": "^[0-9]*$" }, "client.session.max.lifespan": { "title": "Client Session Max", "description": "Max time before a client session is expired. Tokens are invalidated when a session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Max value.", "type": "string", "pattern": "^[0-9]*$" }, "client_credentials.use_refresh_token": { "title": "Use refresh tokens for client credentials grant", "description": "If this is on, a refresh_token will be created and added to the token response if the client_credentials grant is used. The OAuth 2.0 RFC6749 Section 4.4.3 states that a refresh_token should not be generated when client_credentials grant is used. If this is off then no refresh_token will be generated and the associated user session will be removed.", "type": "string", "enum": [ "true", "false", "" ] }, "exclude.session.state.from.auth.response": { "title": "Exclude Session State From Authentication Response", "description": "If this is on, the parameter 'session_state' will not be included in OpenID Connect Authentication Response. 
It is useful if the client uses an older OIDC / OAuth2 adapter, which does not support the 'session_state' parameter.", "type": "string", "enum": [ "true", "false", "" ] }, "id.token.encrypted.response.alg": { "title": "ID token encryption key management algorithm", "description": "JWA Algorithm used for key management in encrypting ID tokens. This option is needed if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted.", "type": "string" }, "id.token.encrypted.response.enc": { "title": "ID token encryption content encryption algorithm", "description": "JWA Algorithm used for content encryption in encrypting ID tokens. This option is needed just if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted.", "type": "string" }, "id.token.signed.response.alg": { "title": "ID token signature algorithm", "description": "JWA algorithm used for signing ID tokens.", "type": "string" }, "logoUri": { "title": "Logo URL", "description": "URL that references a logo for the Client application", "type": "string" }, "pkce.code.challenge.method": { "title": "Proof Key for Code Exchange Code Challenge Method", "description": "Choose which code challenge method for PKCE is used. If not specified, keycloak does not applies PKCE to a client unless the client sends an authorization request with appropriate code challenge and code exchange method.", "type": "string" }, "policyUri": { "title": "Policy URL", "description": "URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used", "type": "string" }, "post.logout.redirect.uris": { "title": "Valid post logout redirect URIs", "description": "Valid URI pattern a browser can redirect to after a successful login. Simple wildcards are allowed such as 'http://example.com/*'. Relative path can be specified too such as /my/relative/path/*. 
Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request.", "type": "string" }, "request.object.encryption.alg": { "title": "Request object encryption algorithm", "description": "JWE algorithm, which client needs to use when sending OIDC request object specified by 'request' or 'request_uri' parameters. If set to 'any', encryption is optional and any algorithm is allowed.", "type": "string" }, "request.object.encryption.enc": { "title": "Request object content encryption algorithm", "description": "JWE algorithm, which client needs to use when encrypting the content of the OIDC request object specified by 'request' or 'request_uri' parameters. If set to 'any', any algorithm is allowed.", "type": "string" }, "request.object.required": { "title": "Request object required", "description": "Specifies if the client needs to provide a request object with their authorization requests, and what method they can use for this. If set to \"not required\", providing a request object is optional. In all other cases, providing a request object is mandatory. If set to \"request\", the request object must be provided by value. If set to \"request_uri\", the request object must be provided by reference. If set to \"request or request_uri\", either method can be used.", "type": "string" }, "request.object.signature.alg": { "title": "Request object signature algorithm", "description": "JWA algorithm, which client needs to use when sending OIDC request object specified by 'request' or 'request_uri' parameters. 
If set to 'any', Request object can be signed by any algorithm (including 'none' ).", "type": "string" }, "require.pushed.authorization.requests": { "title": "Pushed authorization request required", "description": "Boolean parameter indicating whether the authorization server accepts authorization request data only via the pushed authorization request method.", "type": "string", "enum": [ "true", "false", "" ] }, "tls.client.certificate.bound.access.tokens": { "title": "OAuth 2.0 Mutual TLS Certificate Bound Access Tokens Enabled", "description": "This enables support for OAuth 2.0 Mutual TLS Certificate Bound Access Tokens, which means that keycloak bind an access token and a refresh token with a X.509 certificate of a token requesting client exchanged in mutual TLS between keycloak's Token Endpoint and this client. These tokens can be treated as Holder-of-Key tokens instead of bearer tokens.", "type": "string", "enum": [ "true", "false", "" ] }, "token.endpoint.auth.signing.alg": { "title": "Signature algorithm", "description": "The signature algorithm to use to sign documents. Note that 'SHA1' based algorithms are deprecated and can be removed in the future. It is recommended to stick to some more secure algorithm instead of '*_SHA1'.", "type": "string" }, "token.response.type.bearer.lower-case": { "title": "Use lower-case bearer type in token responses", "description": "If this is on, token responses will be set the with the type \"bearer\" in lower-case. By default, the server sets the type as \"Bearer\" as defined by RFC6750.", "type": "string", "enum": [ "true", "false", "" ] }, "tosUri": { "title": "Terms of service URL", "description": "URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service", "type": "string" }, "use.refresh.tokens": { "title": "Use refresh tokens", "description": "If this is on, a refresh_token will be created and added to the token response. 
If this is off then no refresh_token will be generated.", "type": "string", "enum": [ "true", "false", "" ] }, "user.info.encrypted.response.alg": { "title": "User info response encryption key management algorithm", "description": "JWA Algorithm used for key management in encrypting User Info Endpoint responses. This option is needed if you want encrypted User Info Endpoint responses. If left empty, User Info Endpoint responses are not encrypted.", "type": "string" }, "user.info.encrypted.response.enc": { "title": "User info response encryption content encryption algorithm", "description": "JWA Algorithm used for content encryption in encrypting User Info Endpoint responses. If User Info response encryption key management algorithm is specified, the default for this value is A128CBC-HS256.", "type": "string" }, "user.info.response.signature.alg": { "title": "User info signed response algorithm", "description": "JWA algorithm used for signed User Info Endpoint response. If set to 'unsigned', User Info Response won't be signed and will be returned in application/json format.", "type": "string" }, "x509.allow.regex.pattern.comparison": { "title": "Allow regex pattern comparison", "description": "If OFF, then the Subject DN from given client certificate must exactly match the given DN from the 'Subject DN' property as described in the RFC8705 specification. The Subject DN can be in the RFC4514 or RFC1779 format. If ON, then the Subject DN from given client certificate should match regex specified by 'Subject DN' property.", "type": "string", "enum": [ "true", "false", "" ] }, "x509.subjectdn": { "title": "Subject DN", "description": "A regular expression for validating Subject DN in the Client Certificate. Use \"(.*?)(?:$)\" to match all kind of expressions.", "type": "string" } }, "additionalProperties": { "type": "string" } } ``` </details>
nullable: true
properties:
access.token.lifespan:
description: Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout.
nullable: true
type: string
access.token.signed.response.alg:
description: JWA algorithm used for signing access tokens.
nullable: true
type: string
authorization.encrypted.response.alg:
description: JWA Algorithm used for key management in encrypting the authorization response when the response mode is jwt. This option is needed if you want encrypted authorization response. If left empty, the authorization response is just signed, but not encrypted.
nullable: true
type: string
authorization.encrypted.response.enc:
description: JWA Algorithm used for content encryption in encrypting the authorization response when the response mode is jwt. This option is needed if you want encrypted authorization response. If left empty, the authorization response is just signed, but not encrypted.
nullable: true
type: string
authorization.signed.response.alg:
description: JWA algorithm used for signing authorization response tokens when the response mode is jwt.
nullable: true
type: string
client.offline.session.idle.timeout:
description: Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. The option does not affect the global user SSO session. If not set, it uses the realm Offline Session Idle value.
nullable: true
type: string
client.offline.session.max.lifespan:
description: Max time before a client offline session is expired. If Offline Session Max Limited is enabled at realm level, offline tokens are invalidated when a client offline session is expired. The option does not affect the global user SSO session. If not set, it uses the realm Offline Session Max value.
nullable: true
type: string
client.session.idle.timeout:
description: Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Idle value.
nullable: true
type: string
client.session.max.lifespan:
description: Max time before a client session is expired. Tokens are invalidated when a session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Max value.
nullable: true
type: string
client_credentials.use_refresh_token:
description: If this is on, a refresh_token will be created and added to the token response if the client_credentials grant is used. The OAuth 2.0 RFC6749 Section 4.4.3 states that a refresh_token should not be generated when client_credentials grant is used. If this is off then no refresh_token will be generated and the associated user session will be removed.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
exclude.session.state.from.auth.response:
description: If this is on, the parameter 'session_state' will not be included in OpenID Connect Authentication Response. It is useful if the client uses an older OIDC / OAuth2 adapter, which does not support the 'session_state' parameter.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
id.token.encrypted.response.alg:
description: JWA Algorithm used for key management in encrypting ID tokens. This option is needed if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted.
nullable: true
type: string
id.token.encrypted.response.enc:
description: JWA Algorithm used for content encryption in encrypting ID tokens. This option is needed only if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted.
nullable: true
type: string
id.token.signed.response.alg:
description: JWA algorithm used for signing ID tokens.
nullable: true
type: string
logoUri:
description: URL that references a logo for the Client application
nullable: true
type: string
pkce.code.challenge.method:
description: Choose which code challenge method for PKCE is used. If not specified, Keycloak does not apply PKCE to a client unless the client sends an authorization request with an appropriate code challenge and code exchange method.
nullable: true
type: string
policyUri:
description: URL that the Relying Party Client provides to the End-User to read about how the profile data will be used
nullable: true
type: string
post.logout.redirect.uris:
description: Valid URI pattern a browser can redirect to after a successful login. Simple wildcards are allowed, such as 'http://example.com/*'. A relative path can be specified too, such as /my/relative/path/*. Relative paths are relative to the client root URL, or, if none is specified, the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded in the login request.
nullable: true
type: string
request.object.encryption.alg:
description: JWE algorithm which the client needs to use when sending the OIDC request object specified by the 'request' or 'request_uri' parameters. If set to 'any', encryption is optional and any algorithm is allowed.
nullable: true
type: string
request.object.encryption.enc:
description: JWE algorithm which the client needs to use when encrypting the content of the OIDC request object specified by the 'request' or 'request_uri' parameters. If set to 'any', any algorithm is allowed.
nullable: true
type: string
request.object.required:
description: Specifies if the client needs to provide a request object with their authorization requests, and what method they can use for this. If set to "not required", providing a request object is optional. In all other cases, providing a request object is mandatory. If set to "request", the request object must be provided by value. If set to "request_uri", the request object must be provided by reference. If set to "request or request_uri", either method can be used.
nullable: true
type: string
request.object.signature.alg:
description: JWA algorithm which the client needs to use when sending the OIDC request object specified by the 'request' or 'request_uri' parameters. If set to 'any', the request object can be signed by any algorithm (including 'none').
nullable: true
type: string
require.pushed.authorization.requests:
description: Boolean parameter indicating whether the authorization server accepts authorization request data only via the pushed authorization request method.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
tls.client.certificate.bound.access.tokens:
description: This enables support for OAuth 2.0 Mutual TLS Certificate Bound Access Tokens, which means that Keycloak binds an access token and a refresh token to the X.509 certificate of the token-requesting client, exchanged in mutual TLS between Keycloak's Token Endpoint and this client. These tokens can be treated as Holder-of-Key tokens instead of bearer tokens.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
token.endpoint.auth.signing.alg:
description: The signature algorithm used to sign documents. Note that 'SHA1'-based algorithms are deprecated and may be removed in the future. It is recommended to use a more secure algorithm instead of '*_SHA1'.
nullable: true
type: string
token.response.type.bearer.lower-case:
description: If this is on, token responses will be set with the type "bearer" in lower-case. By default, the server sets the type as "Bearer" as defined by RFC6750.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
tosUri:
description: URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service
nullable: true
type: string
use.refresh.tokens:
description: If this is on, a refresh_token will be created and added to the token response. If this is off then no refresh_token will be generated.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
user.info.encrypted.response.alg:
description: JWA Algorithm used for key management in encrypting User Info Endpoint responses. This option is needed if you want encrypted User Info Endpoint responses. If left empty, User Info Endpoint responses are not encrypted.
nullable: true
type: string
user.info.encrypted.response.enc:
description: JWA Algorithm used for content encryption in encrypting User Info Endpoint responses. If User Info response encryption key management algorithm is specified, the default for this value is A128CBC-HS256.
nullable: true
type: string
user.info.response.signature.alg:
description: JWA algorithm used for signed User Info Endpoint response. If set to 'unsigned', User Info Response won't be signed and will be returned in application/json format.
nullable: true
type: string
x509.allow.regex.pattern.comparison:
description: If OFF, then the Subject DN from given client certificate must exactly match the given DN from the 'Subject DN' property as described in the RFC8705 specification. The Subject DN can be in the RFC4514 or RFC1779 format. If ON, then the Subject DN from given client certificate should match regex specified by 'Subject DN' property.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
x509.subjectdn:
description: A regular expression for validating the Subject DN in the Client Certificate. Use "(.*?)(?:$)" to match all kinds of expressions.
nullable: true
type: string
type: object
authenticationFlowBindingOverrides:
description: |-
AuthenticationFlowOverrides
<details><summary>JSON schema</summary>
```json { "title": "Authentication flow overrides", "type": "object", "properties": { "browser": { "title": "Browser Flow", "description": "Select the flow you want to use for browser authentication.", "type": "string" }, "direct_grant": { "title": "Direct Grant Flow", "description": "Select the flow you want to use for direct grant authentication.", "type": "string" } }, "additionalProperties": { "type": "string" } } ``` </details>
nullable: true
properties:
browser:
description: Select the flow you want to use for browser authentication.
nullable: true
type: string
direct_grant:
description: Select the flow you want to use for direct grant authentication.
nullable: true
type: string
type: object
authorizationServicesEnabled:
description: Enable/Disable fine-grained authorization support for a client.
nullable: true
type: boolean
authorizationSettings:
description: |-
ResourceServerRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "allowRemoteResourceManagement": { "type": "boolean" }, "authorizationSchema": { "$ref": "#/$defs/AuthorizationSchema" }, "clientId": { "type": "string" }, "decisionStrategy": { "$ref": "#/$defs/DecisionStrategy" }, "id": { "type": "string" }, "name": { "type": "string" }, "policies": { "type": "array", "items": { "$ref": "#/$defs/PolicyRepresentation" } }, "policyEnforcementMode": { "$ref": "#/$defs/PolicyEnforcementMode" }, "resources": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" } }, "scopes": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" } } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
allowRemoteResourceManagement:
nullable: true
type: boolean
authorizationSchema:
description: |-
AuthorizationSchema
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "resourceTypes": { "type": "object", "additionalProperties": { "$ref": "#/$defs/ResourceType" } } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
resourceTypes:
additionalProperties:
description: |-
ResourceType
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "scopes": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "type": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
scopes:
items:
type: string
nullable: true
type: array
type:
nullable: true
type: string
type: object
type: object
type: object
clientId:
nullable: true
type: string
decisionStrategy:
description: |-
DecisionStrategy
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "AFFIRMATIVE", "UNANIMOUS", "CONSENSUS" ] } ``` </details>
enum:
- AFFIRMATIVE
- UNANIMOUS
- CONSENSUS
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
policies:
items:
description: |-
PolicyRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "config": { "type": "object", "additionalProperties": { "type": "string" } }, "decisionStrategy": { "$ref": "#/$defs/DecisionStrategy" }, "description": { "type": "string" }, "id": { "type": "string" }, "logic": { "$ref": "#/$defs/Logic" }, "name": { "type": "string" }, "owner": { "type": "string" }, "policies": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "resourceType": { "type": "string" }, "resources": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "resourcesData": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" }, "uniqueItems": true }, "scopes": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "scopesData": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "type": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
config:
additionalProperties:
type: string
type: object
decisionStrategy:
description: |-
DecisionStrategy
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "AFFIRMATIVE", "UNANIMOUS", "CONSENSUS" ] } ``` </details>
enum:
- AFFIRMATIVE
- UNANIMOUS
- CONSENSUS
nullable: true
type: string
description:
nullable: true
type: string
id:
nullable: true
type: string
logic:
description: |-
Logic
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "POSITIVE", "NEGATIVE" ] } ``` </details>
enum:
- POSITIVE
- NEGATIVE
nullable: true
type: string
name:
nullable: true
type: string
owner:
nullable: true
type: string
policies:
items:
type: string
nullable: true
type: array
resourceType:
nullable: true
type: string
resources:
items:
type: string
nullable: true
type: array
resourcesData:
items:
description: |-
ResourceRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "_id": { "type": "string" }, "attributes": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "displayName": { "type": "string" }, "icon_uri": { "type": "string" }, "name": { "type": "string" }, "owner": { "type": "object", "allOf": [ { "$ref": "#/$defs/ResourceOwnerRepresentation" } ] }, "ownerManagedAccess": { "type": "boolean" }, "scopes": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "scopesUma": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "type": { "type": "string" }, "uri": { "type": "string" }, "uris": { "type": "array", "items": { "type": "string" }, "uniqueItems": true } }, "additionalProperties": false } ``` </details>
properties:
_id:
nullable: true
type: string
attributes:
additionalProperties:
items:
type: string
type: array
type: object
displayName:
nullable: true
type: string
icon_uri:
nullable: true
type: string
name:
nullable: true
type: string
owner:
description: |-
ResourceOwnerRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "id": { "type": "string" }, "name": { "type": "string" } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
id:
nullable: true
type: string
name:
nullable: true
type: string
type: object
ownerManagedAccess:
nullable: true
type: boolean
scopes:
items:
description: |-
ScopeRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "displayName": { "type": "string" }, "iconUri": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "policies": { "type": "array", "items": { "$ref": "#/$defs/PolicyRepresentation" } }, "resources": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" } } }, "additionalProperties": false } ``` </details>
properties:
displayName:
nullable: true
type: string
iconUri:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
type: object
x-kubernetes-preserve-unknown-fields: true
nullable: true
type: array
scopesUma:
items:
description: |-
ScopeRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "displayName": { "type": "string" }, "iconUri": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "policies": { "type": "array", "items": { "$ref": "#/$defs/PolicyRepresentation" } }, "resources": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" } } }, "additionalProperties": false } ``` </details>
properties:
displayName:
nullable: true
type: string
iconUri:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
type: object
x-kubernetes-preserve-unknown-fields: true
nullable: true
type: array
type:
nullable: true
type: string
uri:
nullable: true
type: string
uris:
items:
type: string
nullable: true
type: array
type: object
nullable: true
type: array
scopes:
items:
type: string
nullable: true
type: array
scopesData:
items:
description: |-
ScopeRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "displayName": { "type": "string" }, "iconUri": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "policies": { "type": "array", "items": { "$ref": "#/$defs/PolicyRepresentation" } }, "resources": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" } } }, "additionalProperties": false } ``` </details>
properties:
displayName:
nullable: true
type: string
iconUri:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
resources:
items:
description: |-
ResourceRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "_id": { "type": "string" }, "attributes": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "displayName": { "type": "string" }, "icon_uri": { "type": "string" }, "name": { "type": "string" }, "owner": { "type": "object", "allOf": [ { "$ref": "#/$defs/ResourceOwnerRepresentation" } ] }, "ownerManagedAccess": { "type": "boolean" }, "scopes": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "scopesUma": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "type": { "type": "string" }, "uri": { "type": "string" }, "uris": { "type": "array", "items": { "type": "string" }, "uniqueItems": true } }, "additionalProperties": false } ``` </details>
properties:
_id:
nullable: true
type: string
attributes:
additionalProperties:
items:
type: string
type: array
type: object
displayName:
nullable: true
type: string
icon_uri:
nullable: true
type: string
name:
nullable: true
type: string
owner:
description: |-
ResourceOwnerRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "id": { "type": "string" }, "name": { "type": "string" } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
id:
nullable: true
type: string
name:
nullable: true
type: string
type: object
ownerManagedAccess:
nullable: true
type: boolean
type:
nullable: true
type: string
uri:
nullable: true
type: string
uris:
items:
type: string
nullable: true
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
nullable: true
type: array
type:
nullable: true
type: string
type: object
type: array
policyEnforcementMode:
description: |-
PolicyEnforcementMode
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "ENFORCING", "PERMISSIVE", "DISABLED" ] } ``` </details>
enum:
- ENFORCING
- PERMISSIVE
- DISABLED
nullable: true
type: string
resources:
items:
description: |-
ResourceRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "_id": { "type": "string" }, "attributes": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "displayName": { "type": "string" }, "icon_uri": { "type": "string" }, "name": { "type": "string" }, "owner": { "type": "object", "allOf": [ { "$ref": "#/$defs/ResourceOwnerRepresentation" } ] }, "ownerManagedAccess": { "type": "boolean" }, "scopes": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "scopesUma": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "type": { "type": "string" }, "uri": { "type": "string" }, "uris": { "type": "array", "items": { "type": "string" }, "uniqueItems": true } }, "additionalProperties": false } ``` </details>
properties:
_id:
nullable: true
type: string
attributes:
additionalProperties:
items:
type: string
type: array
type: object
displayName:
nullable: true
type: string
icon_uri:
nullable: true
type: string
name:
nullable: true
type: string
owner:
description: |-
ResourceOwnerRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "id": { "type": "string" }, "name": { "type": "string" } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
id:
nullable: true
type: string
name:
nullable: true
type: string
type: object
ownerManagedAccess:
nullable: true
type: boolean
scopes:
items:
description: |-
ScopeRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "displayName": { "type": "string" }, "iconUri": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "policies": { "type": "array", "items": { "$ref": "#/$defs/PolicyRepresentation" } }, "resources": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" } } }, "additionalProperties": false } ``` </details>
properties:
displayName:
nullable: true
type: string
iconUri:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
policies:
items:
description: |-
PolicyRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "config": { "type": "object", "additionalProperties": { "type": "string" } }, "decisionStrategy": { "$ref": "#/$defs/DecisionStrategy" }, "description": { "type": "string" }, "id": { "type": "string" }, "logic": { "$ref": "#/$defs/Logic" }, "name": { "type": "string" }, "owner": { "type": "string" }, "policies": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "resourceType": { "type": "string" }, "resources": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "resourcesData": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" }, "uniqueItems": true }, "scopes": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "scopesData": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "type": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
config:
additionalProperties:
type: string
type: object
decisionStrategy:
description: |-
DecisionStrategy
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "AFFIRMATIVE", "UNANIMOUS", "CONSENSUS" ] } ``` </details>
enum:
- AFFIRMATIVE
- UNANIMOUS
- CONSENSUS
nullable: true
type: string
description:
nullable: true
type: string
id:
nullable: true
type: string
logic:
description: |-
Logic
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "POSITIVE", "NEGATIVE" ] } ``` </details>
enum:
- POSITIVE
- NEGATIVE
nullable: true
type: string
name:
nullable: true
type: string
owner:
nullable: true
type: string
policies:
items:
type: string
nullable: true
type: array
resourceType:
nullable: true
type: string
resources:
items:
type: string
nullable: true
type: array
scopes:
items:
type: string
nullable: true
type: array
type:
nullable: true
type: string
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
nullable: true
type: array
scopesUma:
items:
description: |-
ScopeRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "displayName": { "type": "string" }, "iconUri": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "policies": { "type": "array", "items": { "$ref": "#/$defs/PolicyRepresentation" } }, "resources": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" } } }, "additionalProperties": false } ``` </details>
properties:
displayName:
nullable: true
type: string
iconUri:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
policies:
items:
description: |-
PolicyRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "config": { "type": "object", "additionalProperties": { "type": "string" } }, "decisionStrategy": { "$ref": "#/$defs/DecisionStrategy" }, "description": { "type": "string" }, "id": { "type": "string" }, "logic": { "$ref": "#/$defs/Logic" }, "name": { "type": "string" }, "owner": { "type": "string" }, "policies": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "resourceType": { "type": "string" }, "resources": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "resourcesData": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" }, "uniqueItems": true }, "scopes": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "scopesData": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "type": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
config:
additionalProperties:
type: string
type: object
decisionStrategy:
description: |-
DecisionStrategy
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "AFFIRMATIVE", "UNANIMOUS", "CONSENSUS" ] } ``` </details>
enum:
- AFFIRMATIVE
- UNANIMOUS
- CONSENSUS
nullable: true
type: string
description:
nullable: true
type: string
id:
nullable: true
type: string
logic:
description: |-
Logic
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "POSITIVE", "NEGATIVE" ] } ``` </details>
enum:
- POSITIVE
- NEGATIVE
nullable: true
type: string
name:
nullable: true
type: string
owner:
nullable: true
type: string
policies:
items:
type: string
nullable: true
type: array
resourceType:
nullable: true
type: string
resources:
items:
type: string
nullable: true
type: array
scopes:
items:
type: string
nullable: true
type: array
type:
nullable: true
type: string
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
nullable: true
type: array
type:
nullable: true
type: string
uri:
nullable: true
type: string
uris:
items:
type: string
nullable: true
type: array
type: object
type: array
scopes:
items:
description: |-
ScopeRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "displayName": { "type": "string" }, "iconUri": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "policies": { "type": "array", "items": { "$ref": "#/$defs/PolicyRepresentation" } }, "resources": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" } } }, "additionalProperties": false } ``` </details>
properties:
displayName:
nullable: true
type: string
iconUri:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
policies:
items:
description: |-
PolicyRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "config": { "type": "object", "additionalProperties": { "type": "string" } }, "decisionStrategy": { "$ref": "#/$defs/DecisionStrategy" }, "description": { "type": "string" }, "id": { "type": "string" }, "logic": { "$ref": "#/$defs/Logic" }, "name": { "type": "string" }, "owner": { "type": "string" }, "policies": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "resourceType": { "type": "string" }, "resources": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "resourcesData": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" }, "uniqueItems": true }, "scopes": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "scopesData": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "type": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
config:
additionalProperties:
type: string
type: object
decisionStrategy:
description: |-
DecisionStrategy
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "AFFIRMATIVE", "UNANIMOUS", "CONSENSUS" ] } ``` </details>
enum:
- AFFIRMATIVE
- UNANIMOUS
- CONSENSUS
nullable: true
type: string
description:
nullable: true
type: string
id:
nullable: true
type: string
logic:
description: |-
Logic
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "POSITIVE", "NEGATIVE" ] } ``` </details>
enum:
- POSITIVE
- NEGATIVE
nullable: true
type: string
name:
nullable: true
type: string
owner:
nullable: true
type: string
policies:
items:
type: string
nullable: true
type: array
resourceType:
nullable: true
type: string
resources:
items:
type: string
nullable: true
type: array
resourcesData:
items:
description: |-
ResourceRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "_id": { "type": "string" }, "attributes": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "displayName": { "type": "string" }, "icon_uri": { "type": "string" }, "name": { "type": "string" }, "owner": { "type": "object", "allOf": [ { "$ref": "#/$defs/ResourceOwnerRepresentation" } ] }, "ownerManagedAccess": { "type": "boolean" }, "scopes": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "scopesUma": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "type": { "type": "string" }, "uri": { "type": "string" }, "uris": { "type": "array", "items": { "type": "string" }, "uniqueItems": true } }, "additionalProperties": false } ``` </details>
properties:
_id:
nullable: true
type: string
attributes:
additionalProperties:
items:
type: string
type: array
type: object
displayName:
nullable: true
type: string
icon_uri:
nullable: true
type: string
name:
nullable: true
type: string
owner:
description: |-
ResourceOwnerRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "id": { "type": "string" }, "name": { "type": "string" } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
id:
nullable: true
type: string
name:
nullable: true
type: string
type: object
ownerManagedAccess:
nullable: true
type: boolean
type:
nullable: true
type: string
uri:
nullable: true
type: string
uris:
items:
type: string
nullable: true
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
nullable: true
type: array
scopes:
items:
type: string
nullable: true
type: array
type:
nullable: true
type: string
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
resources:
items:
description: |-
ResourceRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "_id": { "type": "string" }, "attributes": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "displayName": { "type": "string" }, "icon_uri": { "type": "string" }, "name": { "type": "string" }, "owner": { "type": "object", "allOf": [ { "$ref": "#/$defs/ResourceOwnerRepresentation" } ] }, "ownerManagedAccess": { "type": "boolean" }, "scopes": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "scopesUma": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "type": { "type": "string" }, "uri": { "type": "string" }, "uris": { "type": "array", "items": { "type": "string" }, "uniqueItems": true } }, "additionalProperties": false } ``` </details>
properties:
_id:
nullable: true
type: string
attributes:
additionalProperties:
items:
type: string
type: array
type: object
displayName:
nullable: true
type: string
icon_uri:
nullable: true
type: string
name:
nullable: true
type: string
owner:
description: |-
ResourceOwnerRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "id": { "type": "string" }, "name": { "type": "string" } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
id:
nullable: true
type: string
name:
nullable: true
type: string
type: object
ownerManagedAccess:
nullable: true
type: boolean
type:
nullable: true
type: string
uri:
nullable: true
type: string
uris:
items:
type: string
nullable: true
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
type: array
type: object
# The keys from here down to the closing `type: object` belong to a client
# mapping (ClientRepresentation) whose opening lies before this view; the
# flat layout of this listing hides the nesting, so read them as siblings.
baseUrl:
description: Default URL to use when the auth server needs to redirect or link back to the client.
nullable: true
type: string
bearerOnly:
description: This is a special OIDC type. This client only allows bearer token requests and cannot participate in browser logins.
nullable: true
type: boolean
# Only the four authenticator ids listed under `enum` pass the CRD's schema
# validation; any other string is rejected by the API server.
clientAuthenticatorType:
description: Client Authenticator used for authentication of this client against Keycloak server
enum:
- client-jwt
- client-secret
- client-secret-jwt
- client-x509
nullable: true
type: string
clientId:
description: The client identifier registered with the identity provider.
nullable: true
type: string
# Undocumented in the generated schema: an optional free-form string.
clientTemplate:
nullable: true
type: string
consentRequired:
description: If enabled, users have to consent to client access.
nullable: true
type: boolean
defaultClientScopes:
items:
type: string
type: array
defaultRoles:
items:
type: string
type: array
# NOTE(review): the description text below talks about a "new flow"; it looks
# like a mis-keyed help text carried over by the generator, not a statement
# about this client field.
description:
description: Help text for the description of the new flow
nullable: true
type: string
# Security: as the description states, enabling this hands the user's
# username/password to the client (OAuth2 Resource Owner Password Credentials).
# Leave it unset/false unless that grant is deliberately required.
directAccessGrantsEnabled:
description: This enables support for Direct Access Grants, which means that client has access to username/password of user and exchange it directly with Keycloak server for access token. In terms of OAuth2 specification, this enables support of 'Resource Owner Password Credentials Grant' for this client.
nullable: true
type: boolean
# Undocumented in the generated schema: an optional boolean.
directGrantsOnly:
nullable: true
type: boolean
enabled:
description: Disabled clients cannot initiate a login or have obtained access tokens.
nullable: true
type: boolean
frontchannelLogout:
description: When true, logout requires a browser redirect to client. When false, server performs a background invocation for logout.
nullable: true
type: boolean
# Security: per the description, true removes every scope restriction on the
# client; prefer false together with explicit scope mappings.
fullScopeAllowed:
description: Allows you to disable all restrictions.
nullable: true
type: boolean
id:
nullable: true
type: string
# Security: the implicit flow is the legacy redirect-based flow without an
# authorization code (see description). Keep it false unless a client needs it;
# the code flow is switched on separately via standardFlowEnabled.
implicitFlowEnabled:
description: This enables support for OpenID Connect redirect based authentication without authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Implicit Flow' for this client.
nullable: true
type: boolean
name:
description: 'Specifies display name of the client. For example ''My Client''. Supports keys for localized values as well. For example: ${my_client}.'
nullable: true
type: string
nodeReRegistrationTimeout:
description: Interval to specify max time for registered clients cluster nodes to re-register. If cluster node will not send re-registration request to Keycloak within this time, it will be unregistered from Keycloak.
format: int32
nullable: true
type: integer
# Undocumented in the generated schema: an optional int32; the unit is not
# stated here.
notBefore:
format: int32
nullable: true
type: integer
optionalClientScopes:
items:
type: string
type: array
origin:
nullable: true
type: string
protocol:
nullable: true
type: string
# List of ProtocolMapperRepresentation. `config` is an open string->string
# map (its keys are not validated), while `protocol` is limited to the two
# enum values openid-connect and saml.
protocolMappers:
items:
description: |-
ProtocolMapperRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "config": { "type": "object", "additionalProperties": { "type": "string" } }, "consentRequired": { "type": "boolean" }, "consentText": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "protocol": { "type": "string", "enum": [ "openid-connect", "saml" ] }, "protocolMapper": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
config:
additionalProperties:
type: string
type: object
consentRequired:
nullable: true
type: boolean
consentText:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
protocol:
description: |-
ProtocolMapperRepresentationProtocol
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "openid-connect", "saml" ] } ``` </details>
enum:
- openid-connect
- saml
nullable: true
type: string
protocolMapper:
nullable: true
type: string
type: object
type: array
# NOTE(review): the description below reads like the admin console's
# "Client authentication" switch, whose ON/OFF sense is the inverse of a
# boolean named publicClient (true would mean a public client without a
# secret). Confirm the intended polarity against the operator before
# relying on this text.
publicClient:
description: This defines the type of the OIDC client. When it's ON, the OIDC type is set to confidential access type. When it's OFF, it is set to public access type.
nullable: true
type: boolean
# Security: wildcard patterns are accepted here (see description). Each
# pattern widens where authorization responses may be redirected; prefer
# exact URIs.
redirectUris:
description: Valid URI pattern a browser can redirect to after a successful login. Simple wildcards are allowed such as 'http://example.com/*'. Relative path can be specified too such as /my/relative/path/*. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request.
items:
type: string
type: array
# Map of node name -> int32; semantics not described in the schema.
registeredNodes:
additionalProperties:
format: int32
type: integer
type: object
# Sensitive: a bearer credential stored in clear in the resource spec, and in
# any manifest committed to version control. NOTE(review): check whether the
# operator offers a Secret reference instead of an inline value.
registrationAccessToken:
description: The registration access token provides access for clients to the client registration service.
nullable: true
type: string
rootUrl:
description: Root URL appended to relative URLs
nullable: true
type: string
# Sensitive: the client secret as a plain string in the spec; the same
# handling caveat as registrationAccessToken applies.
secret:
nullable: true
type: string
serviceAccountsEnabled:
description: Allows you to authenticate this client to Keycloak and retrieve access token dedicated to this client. In terms of OAuth2 specification, this enables support of 'Client Credentials Grant' for this client.
nullable: true
type: boolean
standardFlowEnabled:
description: This enables standard OpenID Connect redirect based authentication with authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Authorization Code Flow' for this client.
nullable: true
type: boolean
# The next five keys carry no description in the generated schema.
surrogateAuthRequired:
nullable: true
type: boolean
type:
nullable: true
type: string
useTemplateConfig:
nullable: true
type: boolean
useTemplateMappers:
nullable: true
type: boolean
useTemplateScope:
nullable: true
type: boolean
# Security: per the description, '*' opens CORS to every origin; prefer '+'
# (origins of the valid redirect URIs) or an explicit list.
webOrigins:
description: Allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does not include the '*' wildcard though. To permit all origins, explicitly add '*'.
items:
type: string
type: array
type: object
# Realm-level keys start here. Neither of these two carries a description in
# the generated schema; both are optional (nullable).
adminPermissionsEnabled:
nullable: true
type: boolean
adminTheme:
nullable: true
type: string
# Map keyed by application name; every value is a list of
# ScopeMappingRepresentation (schema reproduced in the item description).
# The `uniqueItems` constraint on `roles` in that JSON schema is not carried
# into the CRD properties below.
applicationScopeMappings:
additionalProperties:
items:
description: |-
ScopeMappingRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "client": { "type": "string" }, "clientScope": { "type": "string" }, "clientTemplate": { "type": "string" }, "roles": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "self": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
client:
nullable: true
type: string
clientScope:
nullable: true
type: string
clientTemplate:
nullable: true
type: string
roles:
items:
type: string
nullable: true
type: array
self:
nullable: true
type: string
type: object
type: array
type: object
# Realm attributes. The JSON schema in the description declares
# `"pattern": "^[0-9]*$"` for adminEventsExpiration, cibaExpiresIn and
# cibaInterval and allows arbitrary extra string-valued keys; the CRD
# properties below carry neither the pattern nor an `additionalProperties` /
# `x-kubernetes-preserve-unknown-fields` entry. NOTE(review): non-numeric
# values are therefore accepted here, and attribute keys other than the six
# listed are presumably pruned by the API server — confirm against the
# operator.
attributes:
description: |-
RealmRepresentationAttributes
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "adminEventsExpiration": { "title": "Expiration", "description": "Sets the expiration for events. Expired events are periodically deleted from the database.", "type": "string", "pattern": "^[0-9]*$" }, "cibaAuthRequestedUserHint": { "title": "Authentication Requested User Hint", "description": "The way of identifying the end-user for whom authentication is being requested. Currently only \"login_hint\" is supported.", "type": "string", "enum": [ "login_hint" ] }, "cibaBackchannelTokenDeliveryMode": { "title": "Backchannel Token Delivery Mode", "description": "Specifies how the CD (Consumption Device) gets the authentication result and related tokens. This mode will be used by default for the CIBA clients, which do not have other mode explicitly set.", "type": "string", "enum": [ "ping", "poll" ] }, "cibaExpiresIn": { "title": "Expires In", "description": "The expiration time of the \"auth_req_id\" in seconds since the authentication request was received.", "type": "string", "pattern": "^[0-9]*$" }, "cibaInterval": { "title": "Interval", "description": "The minimum amount of time in seconds that the CD (Consumption Device) must wait between polling requests to the token endpoint. If set to 0, the CD must use 5 as the default value according to the CIBA specification.", "type": "string", "pattern": "^[0-9]*$" }, "frontendUrl": { "title": "Frontend URL", "description": "Set the frontend URL for the realm. Use in combination with the default hostname provider to override the base URL for frontend requests for a specific realm.", "type": "string" } }, "additionalProperties": { "type": "string" } } ``` </details>
nullable: true
properties:
# Stored as a string (not an integer) — see the pattern note above.
adminEventsExpiration:
description: Sets the expiration for events. Expired events are periodically deleted from the database.
nullable: true
type: string
cibaAuthRequestedUserHint:
description: The way of identifying the end-user for whom authentication is being requested. Currently only "login_hint" is supported.
enum:
- login_hint
nullable: true
type: string
cibaBackchannelTokenDeliveryMode:
description: Specifies how the CD (Consumption Device) gets the authentication result and related tokens. This mode will be used by default for the CIBA clients, which do not have other mode explicitly set.
enum:
- ping
- poll
nullable: true
type: string
cibaExpiresIn:
description: The expiration time of the "auth_req_id" in seconds since the authentication request was received.
nullable: true
type: string
cibaInterval:
description: The minimum amount of time in seconds that the CD (Consumption Device) must wait between polling requests to the token endpoint. If set to 0, the CD must use 5 as the default value according to the CIBA specification.
nullable: true
type: string
frontendUrl:
description: Set the frontend URL for the realm. Use in combination with the default hostname provider to override the base URL for frontend requests for a specific realm.
nullable: true
type: string
type: object
# Undocumented in the generated schema: an optional string.
browserFlow:
nullable: true
type: string
# HTTP security response headers for the realm. Every value is a free-form
# string; nothing in this schema validates header syntax (for example a CSP
# directive list or an HSTS max-age). The '<1>Learn more</1>' fragments in the
# descriptions are leftover UI link markup, not part of the header values.
browserSecurityHeaders:
description: |-
RealmRepresentationBrowserSecurityHeaders
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "contentSecurityPolicy": { "title": "Content-Security-Policy", "description": "Default value prevents pages from being included by non-origin iframes. <1>Learn more</1>", "type": "string" }, "contentSecurityPolicyReportOnly": { "title": "Content-Security-Policy-Report-Only", "description": "For testing Content Security Policies <1>Learn more</1>", "type": "string" }, "strictTransportSecurity": { "title": "HTTP Strict Transport Security (HSTS)", "description": "The Strict-Transport-Security HTTP header tells browsers to always use HTTPS. Once a browser sees this header, it will only visit the site over HTTPS for the time specified (1 year) at max-age, including the subdomains. <1>Learn more</1>", "type": "string" }, "xContentTypeOptions": { "title": "X-Content-Type-Options", "description": "The default value prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. <1>Learn more</1>", "type": "string" }, "xFrameOptions": { "title": "X-Frame-Options", "description": "Default value prevents pages from being included by non-origin iframes. <1>Learn more</1>", "type": "string" }, "xRobotsTag": { "title": "X-Robots-Tag", "description": "Prevent pages from appearing in search engines. <1>Learn more</1>", "type": "string" }, "xXSSProtection": { "title": "X-XSS-Protection", "description": "This header configures the Cross-site scripting (XSS) filter in your browser. Using the default behaviour, the browser will prevent rendering of the page when a XSS attack is detected. <1>Learn more</1>", "type": "string" } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
contentSecurityPolicy:
description: Default value prevents pages from being included by non-origin iframes. <1>Learn more</1>
nullable: true
type: string
contentSecurityPolicyReportOnly:
description: For testing Content Security Policies <1>Learn more</1>
nullable: true
type: string
strictTransportSecurity:
description: The Strict-Transport-Security HTTP header tells browsers to always use HTTPS. Once a browser sees this header, it will only visit the site over HTTPS for the time specified (1 year) at max-age, including the subdomains. <1>Learn more</1>
nullable: true
type: string
xContentTypeOptions:
description: The default value prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. <1>Learn more</1>
nullable: true
type: string
xFrameOptions:
description: Default value prevents pages from being included by non-origin iframes. <1>Learn more</1>
nullable: true
type: string
xRobotsTag:
description: Prevent pages from appearing in search engines. <1>Learn more</1>
nullable: true
type: string
# NOTE(review): the description documents a browser-side XSS filter; whether
# current browsers still honour this header is outside what this schema says.
xXSSProtection:
description: This header configures the Cross-site scripting (XSS) filter in your browser. Using the default behaviour, the browser will prevent rendering of the page when a XSS attack is detected. <1>Learn more</1>
nullable: true
type: string
type: object
# Brute-force detection switch. The related threshold is the realm's
# `failureFactor` key ("Max login failures") further down in this mapping;
# bruteForceStrategy's '{{failureFactor}}' placeholder refers to it.
bruteForceProtected:
nullable: true
type: boolean
bruteForceStrategy:
description: Multiple means wait time will be increased only when number of failures are multiples of '{{failureFactor}}'. Linear means each new failure starting at '{{failureFactor}}' will increase wait time.
enum:
- LINEAR
- MULTIPLE
nullable: true
type: string
# Undocumented in the generated schema: a free-form string with no format
# check. NOTE(review): presumably certificate material — confirm the expected
# encoding with the operator before populating it.
certificate:
nullable: true
type: string
clientAuthenticationFlow:
nullable: true
type: string
# Two int32 timeouts without a description; the unit is not stated here
# (the neighbouring clientSession* keys are documented as "time").
clientOfflineSessionIdleTimeout:
format: int32
nullable: true
type: integer
clientOfflineSessionMaxLifespan:
format: int32
nullable: true
type: integer
# Client policies. `globalPolicies` and `policies` share the
# ClientPolicyRepresentation shape; each policy lists conditions whose
# `configuration` is an open object (`additionalProperties: true`), so the
# condition settings themselves are not validated by this CRD.
clientPolicies:
description: |-
ClientPoliciesRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "globalPolicies": { "type": "array", "items": { "$ref": "#/$defs/ClientPolicyRepresentation" } }, "policies": { "type": "array", "items": { "$ref": "#/$defs/ClientPolicyRepresentation" } } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
globalPolicies:
items:
description: |-
ClientPolicyRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "conditions": { "type": "array", "items": { "$ref": "#/$defs/ClientPolicyConditionRepresentation" } }, "description": { "type": "string" }, "enabled": { "type": "boolean" }, "name": { "type": "string" }, "profiles": { "type": "array", "items": { "type": "string" } } }, "additionalProperties": false } ``` </details>
properties:
conditions:
items:
description: |-
ClientPolicyConditionRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "condition": { "type": "string" }, "configuration": { "type": "object" } }, "additionalProperties": false } ``` </details>
properties:
condition:
nullable: true
type: string
configuration:
additionalProperties: true
type: object
type: object
type: array
description:
nullable: true
type: string
enabled:
nullable: true
type: boolean
name:
nullable: true
type: string
# Names of client profiles (clientProfiles.*.name) this policy applies.
profiles:
items:
type: string
type: array
type: object
type: array
policies:
items:
description: |-
ClientPolicyRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "conditions": { "type": "array", "items": { "$ref": "#/$defs/ClientPolicyConditionRepresentation" } }, "description": { "type": "string" }, "enabled": { "type": "boolean" }, "name": { "type": "string" }, "profiles": { "type": "array", "items": { "type": "string" } } }, "additionalProperties": false } ``` </details>
properties:
conditions:
items:
description: |-
ClientPolicyConditionRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "condition": { "type": "string" }, "configuration": { "type": "object" } }, "additionalProperties": false } ``` </details>
properties:
condition:
nullable: true
type: string
configuration:
additionalProperties: true
type: object
type: object
type: array
description:
nullable: true
type: string
enabled:
nullable: true
type: boolean
name:
nullable: true
type: string
profiles:
items:
type: string
type: array
type: object
type: array
type: object
# Client profiles. `globalProfiles` and `profiles` share the
# ClientProfileRepresentation shape; each executor's `configuration` is an
# open object (`additionalProperties: true`), so executor settings are not
# validated by this CRD.
clientProfiles:
description: |-
ClientProfilesRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "globalProfiles": { "type": "array", "items": { "$ref": "#/$defs/ClientProfileRepresentation" } }, "profiles": { "type": "array", "items": { "$ref": "#/$defs/ClientProfileRepresentation" } } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
globalProfiles:
items:
description: |-
ClientProfileRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "description": { "type": "string" }, "executors": { "type": "array", "items": { "$ref": "#/$defs/ClientPolicyExecutorRepresentation" } }, "name": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
description:
nullable: true
type: string
executors:
items:
description: |-
ClientPolicyExecutorRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "configuration": { "type": "object" }, "executor": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
configuration:
additionalProperties: true
type: object
executor:
nullable: true
type: string
type: object
type: array
name:
nullable: true
type: string
type: object
type: array
profiles:
items:
description: |-
ClientProfileRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "description": { "type": "string" }, "executors": { "type": "array", "items": { "$ref": "#/$defs/ClientPolicyExecutorRepresentation" } }, "name": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
description:
nullable: true
type: string
executors:
items:
description: |-
ClientPolicyExecutorRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "configuration": { "type": "object" }, "executor": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
configuration:
additionalProperties: true
type: object
executor:
nullable: true
type: string
type: object
type: array
name:
nullable: true
type: string
type: object
type: array
type: object
# Map keyed by client; each value is a list of ScopeMappingRepresentation —
# the same item shape as applicationScopeMappings earlier in this mapping.
clientScopeMappings:
additionalProperties:
items:
description: |-
ScopeMappingRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "client": { "type": "string" }, "clientScope": { "type": "string" }, "clientTemplate": { "type": "string" }, "roles": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "self": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
client:
nullable: true
type: string
clientScope:
nullable: true
type: string
clientTemplate:
nullable: true
type: string
roles:
items:
type: string
nullable: true
type: array
self:
nullable: true
type: string
type: object
type: array
type: object
# Per-client session limits; per the descriptions they do not affect the
# user's SSO session and fall back to the realm SSO values when unset.
clientSessionIdleTimeout:
description: Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Idle value.
format: int32
nullable: true
type: integer
clientSessionMaxLifespan:
description: Max time before a client session is expired. Tokens are invalidated when a session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Max value.
format: int32
nullable: true
type: integer
# List of ClientTemplateRepresentation. The flow toggles (bearerOnly,
# directAccessGrantsEnabled, implicitFlowEnabled, publicClient,
# serviceAccountsEnabled, standardFlowEnabled, fullScopeAllowed) mirror the
# client-level keys of the same name but carry no descriptions here.
clientTemplates:
items:
description: |-
ClientTemplateRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "attributes": { "type": "object", "additionalProperties": { "type": "string" } }, "bearerOnly": { "type": "boolean" }, "consentRequired": { "type": "boolean" }, "description": { "type": "string" }, "directAccessGrantsEnabled": { "type": "boolean" }, "frontchannelLogout": { "type": "boolean" }, "fullScopeAllowed": { "type": "boolean" }, "id": { "type": "string" }, "implicitFlowEnabled": { "type": "boolean" }, "name": { "type": "string" }, "protocol": { "type": "string" }, "protocolMappers": { "type": "array", "items": { "$ref": "#/$defs/ProtocolMapperRepresentation" } }, "publicClient": { "type": "boolean" }, "serviceAccountsEnabled": { "type": "boolean" }, "standardFlowEnabled": { "type": "boolean" } }, "additionalProperties": false } ``` </details>
properties:
attributes:
additionalProperties:
type: string
type: object
bearerOnly:
nullable: true
type: boolean
consentRequired:
nullable: true
type: boolean
description:
nullable: true
type: string
directAccessGrantsEnabled:
nullable: true
type: boolean
frontchannelLogout:
nullable: true
type: boolean
fullScopeAllowed:
nullable: true
type: boolean
id:
nullable: true
type: string
implicitFlowEnabled:
nullable: true
type: boolean
name:
nullable: true
type: string
# Unconstrained here, unlike protocolMappers[].protocol below which is an enum.
protocol:
nullable: true
type: string
protocolMappers:
items:
description: |-
ProtocolMapperRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "config": { "type": "object", "additionalProperties": { "type": "string" } }, "consentRequired": { "type": "boolean" }, "consentText": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "protocol": { "type": "string", "enum": [ "openid-connect", "saml" ] }, "protocolMapper": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
config:
additionalProperties:
type: string
type: object
consentRequired:
nullable: true
type: boolean
consentText:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
protocol:
description: |-
ProtocolMapperRepresentationProtocol
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "openid-connect", "saml" ] } ``` </details>
enum:
- openid-connect
- saml
nullable: true
type: string
protocolMapper:
nullable: true
type: string
type: object
type: array
publicClient:
nullable: true
type: boolean
serviceAccountsEnabled:
nullable: true
type: boolean
standardFlowEnabled:
nullable: true
type: boolean
type: object
type: array
# Sensitive: undocumented in the generated schema, but by its name a secret
# value that would sit in clear in the resource spec and in committed
# manifests. NOTE(review): confirm with the operator whether it must be set
# at all, and whether a Secret reference is available instead.
codeSecret:
nullable: true
type: string
# Realm-wide defaults, all plain string lists / strings without descriptions.
defaultDefaultClientScopes:
items:
type: string
type: array
defaultGroups:
items:
type: string
type: array
defaultLocale:
nullable: true
type: string
defaultOptionalClientScopes:
items:
type: string
type: array
# The realm's default role as a full RoleRepresentation. `composites` groups
# the member roles of a composite role by application and client (map of
# name -> list of role names) and by realm (plain list).
defaultRole:
description: |-
RoleRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "attributes": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "clientRole": { "type": "boolean" }, "composite": { "type": "boolean" }, "composites": { "$ref": "#/$defs/Composites" }, "containerId": { "type": "string" }, "description": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "scopeParamRequired": { "type": "boolean" } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
# Map of attribute name -> list of string values.
attributes:
additionalProperties:
items:
type: string
type: array
type: object
clientRole:
nullable: true
type: boolean
composite:
nullable: true
type: boolean
composites:
description: |-
Composites
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "application": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "client": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "realm": { "type": "array", "items": { "type": "string" }, "uniqueItems": true } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
application:
additionalProperties:
items:
type: string
type: array
type: object
client:
additionalProperties:
items:
type: string
type: array
type: object
realm:
items:
type: string
nullable: true
type: array
type: object
containerId:
nullable: true
type: string
description:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
scopeParamRequired:
nullable: true
type: boolean
type: object
# Legacy flat list of default role names, kept alongside defaultRole above.
defaultRoles:
items:
type: string
type: array
# Token signing algorithm for the realm, restricted to the listed JOSE names.
# NOTE(review): the HS256/HS384/HS512 entries are HMAC (shared-secret)
# signatures in JOSE, unlike the EdDSA/ES*/PS*/RS* entries which are
# asymmetric; confirm a symmetric default is really intended before choosing
# one here.
defaultSignatureAlgorithm:
description: Default algorithm used to sign tokens for the realm
enum:
- EdDSA
- ES256
- ES384
- ES512
- HS256
- HS384
- HS512
- PS256
- PS384
- PS512
- RS256
- RS384
- RS512
nullable: true
type: string
# Flow bindings and display names: undocumented optional strings.
directGrantFlow:
nullable: true
type: string
displayName:
nullable: true
type: string
# Free-form string; the schema does not sanitise or restrict the HTML.
displayNameHtml:
nullable: true
type: string
dockerAuthenticationFlow:
nullable: true
type: string
# Security: per the description, switching this off later leaves existing
# duplicate-email users in the database to be cleaned up manually.
duplicateEmailsAllowed:
description: Allow multiple users to have the same email address. Changing this setting will also clear the user's cache. It is recommended to manually update email constraints of existing users in the database after switching off support for duplicate email addresses.
nullable: true
type: boolean
editUsernameAllowed:
description: If enabled, the username field is editable, readonly otherwise.
nullable: true
type: boolean
emailTheme:
description: Select a theme for emails that are sent by the server.
nullable: true
type: string
# Undocumented realm on/off switch.
enabled:
nullable: true
type: boolean
# Event (audit) settings: eventsEnabled turns on persistence of user events,
# enabledEventTypes and eventsListeners select what is recorded and where it
# is delivered, eventsExpiration bounds retention. Note the type difference:
# eventsExpiration is an int64 here, while attributes.adminEventsExpiration
# earlier in this mapping is a string.
enabledEventTypes:
items:
type: string
type: array
eventsEnabled:
description: If enabled, user events are saved to the database, which makes events available to the admin and account management UIs.
nullable: true
type: boolean
eventsExpiration:
description: Sets the expiration for events. Expired events are periodically deleted from the database.
format: int64
nullable: true
type: integer
eventsListeners:
description: Configure what listeners receive events for the realm.
items:
type: string
type: array
# Threshold referenced as '{{failureFactor}}' by bruteForceStrategy earlier
# in this mapping; only meaningful when bruteForceProtected is true.
failureFactor:
description: Max login failures
format: int32
nullable: true
type: integer
firstBrokerLoginFlow:
nullable: true
type: string
id:
nullable: true
type: string
# List of IdentityProviderMapperRepresentation. The dotted names under
# `config` (attribute.friendly.name, attribute.name.format, user.attribute)
# are literal key names, exactly as the JSON schema spells them.
# NOTE(review): that JSON schema allows arbitrary extra string-valued config
# keys (`"additionalProperties": { "type": "string" }`), but the generated
# `config` properties below list only four keys and carry neither
# `additionalProperties` nor `x-kubernetes-preserve-unknown-fields`, so any
# other mapper config key is presumably pruned by the API server — confirm
# against the operator before relying on additional config entries.
identityProviderMappers:
items:
description: |-
IdentityProviderMapperRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "config": { "type": "object", "properties": { "attribute.friendly.name": { "title": "Friendly name", "description": "Friendly name of attribute to search for in assertion. You can leave this blank and specify a name instead.", "type": "string" }, "attribute.name.format": { "type": "string", "enum": [ "ATTRIBUTE_FORMAT_BASIC", "ATTRIBUTE_FORMAT_URI", "ATTRIBUTE_FORMAT_UNSPECIFIED" ] }, "syncMode": { "title": "Sync mode override", "description": "Overrides the default sync mode of the IDP for this mapper. Values are: 'legacy' to keep the behaviour before this option was introduced, 'import' to only import the user once during first login of the user with this identity provider, 'force' to always update the user during every login with this identity provider and 'inherit' to use the sync mode defined in the identity provider for this mapper.", "type": "string", "enum": [ "INHERIT", "IMPORT", "LEGACY", "FORCE" ] }, "user.attribute": { "title": "User Attribute Name", "description": "Name of user attribute you want to hardcode", "type": "string" } }, "additionalProperties": { "type": "string" } }, "id": { "type": "string" }, "identityProviderAlias": { "type": "string" }, "identityProviderMapper": { "type": "string" }, "name": { "title": "Name", "description": "Name of the mapper.", "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
config:
description: |-
IdentityProviderMapperRepresentationConfig
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "attribute.friendly.name": { "title": "Friendly name", "description": "Friendly name of attribute to search for in assertion. You can leave this blank and specify a name instead.", "type": "string" }, "attribute.name.format": { "type": "string", "enum": [ "ATTRIBUTE_FORMAT_BASIC", "ATTRIBUTE_FORMAT_URI", "ATTRIBUTE_FORMAT_UNSPECIFIED" ] }, "syncMode": { "title": "Sync mode override", "description": "Overrides the default sync mode of the IDP for this mapper. Values are: 'legacy' to keep the behaviour before this option was introduced, 'import' to only import the user once during first login of the user with this identity provider, 'force' to always update the user during every login with this identity provider and 'inherit' to use the sync mode defined in the identity provider for this mapper.", "type": "string", "enum": [ "INHERIT", "IMPORT", "LEGACY", "FORCE" ] }, "user.attribute": { "title": "User Attribute Name", "description": "Name of user attribute you want to hardcode", "type": "string" } }, "additionalProperties": { "type": "string" } } ``` </details>
nullable: true
properties:
attribute.friendly.name:
description: Friendly name of attribute to search for in assertion. You can leave this blank and specify a name instead.
nullable: true
type: string
attribute.name.format:
description: |-
IdentityProviderMapperRepresentationConfigAttributeNameFormat
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "ATTRIBUTE_FORMAT_BASIC", "ATTRIBUTE_FORMAT_URI", "ATTRIBUTE_FORMAT_UNSPECIFIED" ] } ``` </details>
enum:
- ATTRIBUTE_FORMAT_BASIC
- ATTRIBUTE_FORMAT_URI
- ATTRIBUTE_FORMAT_UNSPECIFIED
nullable: true
type: string
# The description names the modes in lower case ('legacy', 'import', ...);
# the enum that is actually validated uses the upper-case spellings below.
syncMode:
description: 'Overrides the default sync mode of the IDP for this mapper. Values are: ''legacy'' to keep the behaviour before this option was introduced, ''import'' to only import the user once during first login of the user with this identity provider, ''force'' to always update the user during every login with this identity provider and ''inherit'' to use the sync mode defined in the identity provider for this mapper.'
enum:
- INHERIT
- IMPORT
- LEGACY
- FORCE
nullable: true
type: string
user.attribute:
description: Name of user attribute you want to hardcode
nullable: true
type: string
type: object
id:
nullable: true
type: string
# Alias of the identityProviders entry this mapper belongs to.
identityProviderAlias:
nullable: true
type: string
# Mapper implementation id; not constrained by an enum here.
identityProviderMapper:
nullable: true
type: string
name:
description: Name of the mapper.
nullable: true
type: string
type: object
type: array
identityProviders:
items:
description: |-
IdentityProviderRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "addReadTokenRoleOnCreate": { "title": "Stored tokens readable", "description": "Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.", "type": "boolean" }, "alias": { "title": "Alias", "description": "The alias uniquely identifies an identity provider and it is also used to build the redirect uri.", "type": "string" }, "authenticateByDefault": { "type": "boolean" }, "config": { "type": "object", "properties": { "allowCreate": { "title": "Allow create", "description": "Allow the external identity provider to create a new identifier to represent the principal.", "type": "string", "enum": [ "true", "false", "" ] }, "allowedClockSkew": { "title": "Allowed clock skew", "description": "Clock skew in seconds that is tolerated when validating identity provider tokens. Default value is zero.", "type": "string", "pattern": "^[0-9]*$" }, "attributeConsumingServiceIndex": { "title": "Attribute Consuming Service Index", "description": "Index of the Attribute Consuming Service profile to request during authentication.", "type": "string", "pattern": "^[0-9]*$" }, "authnContextClassRefs": { "title": "AuthnContext ClassRefs", "description": "Ordered list of requested AuthnContext ClassRefs.", "type": "string" }, "authnContextComparisonType": { "title": "Comparison", "description": "Specifies the comparison method used to evaluate the requested context classes or statements. 
The default is \"Exact\".", "type": "string", "enum": [ "exact", "minimum", "maximum", "better" ] }, "authnContextDeclRefs": { "title": "AuthnContext DeclRefs", "description": "Ordered list of requested AuthnContext DeclRefs.", "type": "string" }, "backchannelSupported": { "title": "Backchannel logout", "description": "Does the external IDP support backchannel logout?", "type": "string", "enum": [ "true", "false", "" ] }, "encryptionAlgorithm": { "title": "Encryption Algorithm", "description": "Encryption algorithm, which is used by SAML IDP for encryption of SAML documents, assertions or IDs. The corresponding decryption key for decrypt SAML document parts will be chosen based on this configured algorithm and should be available in realm keys for the encryption (ENC) usage. If algorithm is not configured, then any supported algorithm is allowed and decryption key will be chosen based on the algorithm configured in SAML document itself.", "type": "string" }, "entityId": { "title": "Service provider entity ID", "description": "The Entity ID that will be used to uniquely identify this SAML Service Provider.", "type": "string" }, "forceAuthn": { "title": "Force authentication", "description": "Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.", "type": "string", "enum": [ "true", "false", "" ] }, "hideOnLoginPage": { "title": "Hide on login page", "description": "If hidden, login with this provider is possible only if requested explicitly, for example using the 'kc_idp_hint' parameter.", "type": "string", "enum": [ "true", "false", "" ] }, "idpEntityId": { "title": "Identity provider entity ID", "description": "The Entity ID used to validate the Issuer for received SAML assertions. 
If empty, no Issuer validation is performed.", "type": "string" }, "loginHint": { "title": "Pass subject", "description": "During login phase, forward an optional login_hint query parameter to SAML AuthnRequest's Subject.", "type": "string", "enum": [ "true", "false", "" ] }, "nameIDPolicyFormat": { "title": "NameID policy format", "description": "Specifies the URI reference corresponding to a name identifier format.", "type": "string" }, "postBindingAuthnRequest": { "title": "HTTP-POST binding for AuthnRequest", "description": "Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.", "type": "string", "enum": [ "true", "false", "" ] }, "postBindingLogout": { "title": "HTTP-POST binding logout", "description": "Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.", "type": "string", "enum": [ "true", "false", "" ] }, "postBindingResponse": { "title": "HTTP-POST binding response", "description": "Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.", "type": "string", "enum": [ "true", "false", "" ] }, "principalAttribute": { "title": "Principal attribute", "description": "Name or Friendly Name of the attribute used to identify external users.", "type": "string" }, "principalType": { "title": "Principal type", "description": "Way to identify and track external users from the assertion. Default is using Subject NameID, alternatively you can set up identifying attribute.", "type": "string", "enum": [ "SUBJECT", "ATTRIBUTE", "FRIENDLY_ATTRIBUTE" ] }, "signSpMetadata": { "title": "Sign service provider metadata", "description": "Enable/disable signature of the provider SAML metadata.", "type": "string", "enum": [ "true", "false", "" ] }, "signatureAlgorithm": { "title": "Signature algorithm", "description": "The signature algorithm to use to sign documents. 
Note that 'SHA1' based algorithms are deprecated and can be removed in the future. It is recommended to stick to some more secure algorithm instead of '*_SHA1'.", "type": "string" }, "signingCertificate": { "title": "Validating X509 certificates", "description": "The public certificates Keycloak uses to validate the signatures of SAML requests and responses from the external IDP when Use metadata descriptor URL is OFF. Multiple certificates can be entered separated by comma (,). The certificates can be re-imported from the Metadata descriptor URL clicking the Import Keys action in the identity provider page. The action downloads the current certificates in the metadata endpoint and assigns them to the config in this same option. You need to click Save to definitely store the re-imported certificates.", "type": "string" }, "singleSignOnServiceUrl": { "title": "Single Sign-On service URL", "description": "The Url that must be used to send authentication requests (SAML AuthnRequest).", "type": "string" }, "syncMode": { "title": "Sync mode", "description": "Default sync mode for all mappers. The sync mode determines when user data will be synced using the mappers. 
Possible values are: 'legacy' to keep the behaviour before this option was introduced, 'import' to only import the user once during first login of the user with this identity provider, 'force' to always update the user during every login with this identity provider.", "type": "string", "enum": [ "IMPORT", "LEGACY", "FORCE" ] }, "validateSignature": { "title": "Validate Signatures", "description": "Enable/disable signature validation of external IDP signatures.", "type": "string", "enum": [ "true", "false", "" ] }, "wantAssertionsEncrypted": { "title": "Want Assertions encrypted", "description": "Indicates whether this service provider expects an encrypted Assertion.", "type": "string", "enum": [ "true", "false", "" ] }, "wantAssertionsSigned": { "title": "Want Assertions signed", "description": "Indicates whether this service provider expects a signed Assertion.", "type": "string", "enum": [ "true", "false", "" ] }, "wantAuthnRequestsSigned": { "title": "Want AuthnRequests signed", "description": "Indicates whether the identity provider expects a signed AuthnRequest.", "type": "string", "enum": [ "true", "false", "" ] }, "xmlSigKeyInfoKeyNameTransformer": { "title": "SAML signature key name", "description": "Signed SAML documents contain identification of signing key in KeyName element. For Keycloak / RH-SSO counter-party, use KEY_ID, for MS AD FS use CERT_SUBJECT, for others check and use NONE if no other option works.", "type": "string", "enum": [ "NONE", "KEY_ID", "CERT_SUBJECT" ] } }, "additionalProperties": { "type": "string" } }, "displayName": { "title": "Display name", "description": "Friendly name for Identity Providers.", "type": "string" }, "enabled": { "title": "Enabled", "type": "boolean" }, "firstBrokerLoginFlowAlias": { "title": "First login flow override", "description": "Alias of authentication flow, which is triggered after first login with this identity provider. 
Term 'First Login' means that no Keycloak account is currently linked to the authenticated identity provider account.", "type": "string" }, "hideOnLogin": { "title": "Hide on login page", "description": "If hidden, login with this provider is possible only if requested explicitly, for example using the 'kc_idp_hint' parameter.", "type": "boolean" }, "internalId": { "type": "string" }, "linkOnly": { "title": "Account linking only", "description": "If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider.", "type": "boolean" }, "organizationId": { "type": "string" }, "postBrokerLoginFlowAlias": { "title": "Post login flow", "description": "Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this to \"None\" if you need no any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.", "type": "string" }, "providerId": { "type": "string" }, "storeToken": { "title": "Store tokens", "description": "Enable/disable if tokens must be stored after authenticating users.", "type": "boolean" }, "trustEmail": { "title": "Trust Email", "description": "If enabled, email provided by this provider is not verified even if verification is enabled for the realm.", "type": "boolean" }, "updateProfileFirstLogin": { "type": "boolean" }, "updateProfileFirstLoginMode": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
addReadTokenRoleOnCreate:
description: Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
nullable: true
type: boolean
alias:
description: The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
nullable: true
type: string
authenticateByDefault:
nullable: true
type: boolean
config:
description: |-
IdentityProviderRepresentationConfig
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "allowCreate": { "title": "Allow create", "description": "Allow the external identity provider to create a new identifier to represent the principal.", "type": "string", "enum": [ "true", "false", "" ] }, "allowedClockSkew": { "title": "Allowed clock skew", "description": "Clock skew in seconds that is tolerated when validating identity provider tokens. Default value is zero.", "type": "string", "pattern": "^[0-9]*$" }, "attributeConsumingServiceIndex": { "title": "Attribute Consuming Service Index", "description": "Index of the Attribute Consuming Service profile to request during authentication.", "type": "string", "pattern": "^[0-9]*$" }, "authnContextClassRefs": { "title": "AuthnContext ClassRefs", "description": "Ordered list of requested AuthnContext ClassRefs.", "type": "string" }, "authnContextComparisonType": { "title": "Comparison", "description": "Specifies the comparison method used to evaluate the requested context classes or statements. The default is \"Exact\".", "type": "string", "enum": [ "exact", "minimum", "maximum", "better" ] }, "authnContextDeclRefs": { "title": "AuthnContext DeclRefs", "description": "Ordered list of requested AuthnContext DeclRefs.", "type": "string" }, "backchannelSupported": { "title": "Backchannel logout", "description": "Does the external IDP support backchannel logout?", "type": "string", "enum": [ "true", "false", "" ] }, "encryptionAlgorithm": { "title": "Encryption Algorithm", "description": "Encryption algorithm, which is used by SAML IDP for encryption of SAML documents, assertions or IDs. The corresponding decryption key for decrypt SAML document parts will be chosen based on this configured algorithm and should be available in realm keys for the encryption (ENC) usage. 
If algorithm is not configured, then any supported algorithm is allowed and decryption key will be chosen based on the algorithm configured in SAML document itself.", "type": "string" }, "entityId": { "title": "Service provider entity ID", "description": "The Entity ID that will be used to uniquely identify this SAML Service Provider.", "type": "string" }, "forceAuthn": { "title": "Force authentication", "description": "Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.", "type": "string", "enum": [ "true", "false", "" ] }, "hideOnLoginPage": { "title": "Hide on login page", "description": "If hidden, login with this provider is possible only if requested explicitly, for example using the 'kc_idp_hint' parameter.", "type": "string", "enum": [ "true", "false", "" ] }, "idpEntityId": { "title": "Identity provider entity ID", "description": "The Entity ID used to validate the Issuer for received SAML assertions. If empty, no Issuer validation is performed.", "type": "string" }, "loginHint": { "title": "Pass subject", "description": "During login phase, forward an optional login_hint query parameter to SAML AuthnRequest's Subject.", "type": "string", "enum": [ "true", "false", "" ] }, "nameIDPolicyFormat": { "title": "NameID policy format", "description": "Specifies the URI reference corresponding to a name identifier format.", "type": "string" }, "postBindingAuthnRequest": { "title": "HTTP-POST binding for AuthnRequest", "description": "Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.", "type": "string", "enum": [ "true", "false", "" ] }, "postBindingLogout": { "title": "HTTP-POST binding logout", "description": "Indicates whether to respond to requests using HTTP-POST binding. 
If false, HTTP-REDIRECT binding will be used.", "type": "string", "enum": [ "true", "false", "" ] }, "postBindingResponse": { "title": "HTTP-POST binding response", "description": "Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.", "type": "string", "enum": [ "true", "false", "" ] }, "principalAttribute": { "title": "Principal attribute", "description": "Name or Friendly Name of the attribute used to identify external users.", "type": "string" }, "principalType": { "title": "Principal type", "description": "Way to identify and track external users from the assertion. Default is using Subject NameID, alternatively you can set up identifying attribute.", "type": "string", "enum": [ "SUBJECT", "ATTRIBUTE", "FRIENDLY_ATTRIBUTE" ] }, "signSpMetadata": { "title": "Sign service provider metadata", "description": "Enable/disable signature of the provider SAML metadata.", "type": "string", "enum": [ "true", "false", "" ] }, "signatureAlgorithm": { "title": "Signature algorithm", "description": "The signature algorithm to use to sign documents. Note that 'SHA1' based algorithms are deprecated and can be removed in the future. It is recommended to stick to some more secure algorithm instead of '*_SHA1'.", "type": "string" }, "signingCertificate": { "title": "Validating X509 certificates", "description": "The public certificates Keycloak uses to validate the signatures of SAML requests and responses from the external IDP when Use metadata descriptor URL is OFF. Multiple certificates can be entered separated by comma (,). The certificates can be re-imported from the Metadata descriptor URL clicking the Import Keys action in the identity provider page. The action downloads the current certificates in the metadata endpoint and assigns them to the config in this same option. 
You need to click Save to definitely store the re-imported certificates.", "type": "string" }, "singleSignOnServiceUrl": { "title": "Single Sign-On service URL", "description": "The Url that must be used to send authentication requests (SAML AuthnRequest).", "type": "string" }, "syncMode": { "title": "Sync mode", "description": "Default sync mode for all mappers. The sync mode determines when user data will be synced using the mappers. Possible values are: 'legacy' to keep the behaviour before this option was introduced, 'import' to only import the user once during first login of the user with this identity provider, 'force' to always update the user during every login with this identity provider.", "type": "string", "enum": [ "IMPORT", "LEGACY", "FORCE" ] }, "validateSignature": { "title": "Validate Signatures", "description": "Enable/disable signature validation of external IDP signatures.", "type": "string", "enum": [ "true", "false", "" ] }, "wantAssertionsEncrypted": { "title": "Want Assertions encrypted", "description": "Indicates whether this service provider expects an encrypted Assertion.", "type": "string", "enum": [ "true", "false", "" ] }, "wantAssertionsSigned": { "title": "Want Assertions signed", "description": "Indicates whether this service provider expects a signed Assertion.", "type": "string", "enum": [ "true", "false", "" ] }, "wantAuthnRequestsSigned": { "title": "Want AuthnRequests signed", "description": "Indicates whether the identity provider expects a signed AuthnRequest.", "type": "string", "enum": [ "true", "false", "" ] }, "xmlSigKeyInfoKeyNameTransformer": { "title": "SAML signature key name", "description": "Signed SAML documents contain identification of signing key in KeyName element. 
For Keycloak / RH-SSO counter-party, use KEY_ID, for MS AD FS use CERT_SUBJECT, for others check and use NONE if no other option works.", "type": "string", "enum": [ "NONE", "KEY_ID", "CERT_SUBJECT" ] } }, "additionalProperties": { "type": "string" } } ``` </details>
nullable: true
properties:
allowCreate:
description: Allow the external identity provider to create a new identifier to represent the principal.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
allowedClockSkew:
description: Clock skew in seconds that is tolerated when validating identity provider tokens. Default value is zero.
nullable: true
type: string
attributeConsumingServiceIndex:
description: Index of the Attribute Consuming Service profile to request during authentication.
nullable: true
type: string
authnContextClassRefs:
description: Ordered list of requested AuthnContext ClassRefs.
nullable: true
type: string
authnContextComparisonType:
description: Specifies the comparison method used to evaluate the requested context classes or statements. The default is "Exact".
enum:
- exact
- minimum
- maximum
- better
nullable: true
type: string
authnContextDeclRefs:
description: Ordered list of requested AuthnContext DeclRefs.
nullable: true
type: string
backchannelSupported:
description: Does the external IDP support backchannel logout?
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
encryptionAlgorithm:
description: Encryption algorithm, which is used by SAML IDP for encryption of SAML documents, assertions or IDs. The corresponding decryption key for decrypting SAML document parts will be chosen based on this configured algorithm and should be available in realm keys for the encryption (ENC) usage. If no algorithm is configured, then any supported algorithm is allowed and the decryption key will be chosen based on the algorithm configured in the SAML document itself.
nullable: true
type: string
entityId:
description: The Entity ID that will be used to uniquely identify this SAML Service Provider.
nullable: true
type: string
forceAuthn:
description: Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
hideOnLoginPage:
description: If hidden, login with this provider is possible only if requested explicitly, for example using the 'kc_idp_hint' parameter.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
idpEntityId:
description: The Entity ID used to validate the Issuer for received SAML assertions. If empty, no Issuer validation is performed.
nullable: true
type: string
loginHint:
description: During login phase, forward an optional login_hint query parameter to SAML AuthnRequest's Subject.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
nameIDPolicyFormat:
description: Specifies the URI reference corresponding to a name identifier format.
nullable: true
type: string
postBindingAuthnRequest:
description: Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
postBindingLogout:
description: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
postBindingResponse:
description: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
principalAttribute:
description: Name or Friendly Name of the attribute used to identify external users.
nullable: true
type: string
principalType:
description: Way to identify and track external users from the assertion. Default is to use the Subject NameID; alternatively you can set up an identifying attribute.
enum:
- SUBJECT
- ATTRIBUTE
- FRIENDLY_ATTRIBUTE
nullable: true
type: string
signSpMetadata:
description: Enable/disable signature of the provider SAML metadata.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
signatureAlgorithm:
description: The signature algorithm to use to sign documents. Note that 'SHA1' based algorithms are deprecated and can be removed in the future. It is recommended to stick to some more secure algorithm instead of '*_SHA1'.
nullable: true
type: string
signingCertificate:
description: The public certificates Keycloak uses to validate the signatures of SAML requests and responses from the external IDP when Use metadata descriptor URL is OFF. Multiple certificates can be entered separated by comma (,). The certificates can be re-imported from the Metadata descriptor URL by clicking the Import Keys action in the identity provider page. The action downloads the current certificates from the metadata endpoint and assigns them to the config in this same option. You need to click Save to permanently store the re-imported certificates.
nullable: true
type: string
singleSignOnServiceUrl:
description: The URL that must be used to send authentication requests (SAML AuthnRequest).
nullable: true
type: string
syncMode:
description: 'Default sync mode for all mappers. The sync mode determines when user data will be synced using the mappers. Possible values are: ''legacy'' to keep the behaviour before this option was introduced, ''import'' to only import the user once during first login of the user with this identity provider, ''force'' to always update the user during every login with this identity provider.'
enum:
- IMPORT
- LEGACY
- FORCE
nullable: true
type: string
validateSignature:
description: Enable/disable signature validation of external IDP signatures.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
wantAssertionsEncrypted:
description: Indicates whether this service provider expects an encrypted Assertion.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
wantAssertionsSigned:
description: Indicates whether this service provider expects a signed Assertion.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
wantAuthnRequestsSigned:
description: Indicates whether the identity provider expects a signed AuthnRequest.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
xmlSigKeyInfoKeyNameTransformer:
description: Signed SAML documents contain identification of signing key in KeyName element. For Keycloak / RH-SSO counter-party, use KEY_ID, for MS AD FS use CERT_SUBJECT, for others check and use NONE if no other option works.
enum:
- NONE
- KEY_ID
- CERT_SUBJECT
nullable: true
type: string
type: object
displayName:
description: Friendly name for Identity Providers.
nullable: true
type: string
enabled:
nullable: true
type: boolean
firstBrokerLoginFlowAlias:
description: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that no Keycloak account is currently linked to the authenticated identity provider account.
nullable: true
type: string
hideOnLogin:
description: If hidden, login with this provider is possible only if requested explicitly, for example using the 'kc_idp_hint' parameter.
nullable: true
type: boolean
internalId:
nullable: true
type: string
linkOnly:
description: If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider.
nullable: true
type: boolean
organizationId:
nullable: true
type: string
postBrokerLoginFlowAlias:
description: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this as "None" if you do not need any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in ClientSession, as the identity provider has already set it.
nullable: true
type: string
providerId:
nullable: true
type: string
storeToken:
description: Enable/disable if tokens must be stored after authenticating users.
nullable: true
type: boolean
trustEmail:
description: If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
nullable: true
type: boolean
updateProfileFirstLogin:
nullable: true
type: boolean
updateProfileFirstLoginMode:
nullable: true
type: string
type: object
type: array
internationalizationEnabled:
description: If enabled, you can choose which locales you support for this realm and which locale is the default.
nullable: true
type: boolean
keycloakVersion:
nullable: true
type: string
localizationTexts:
additionalProperties:
additionalProperties:
type: string
type: object
type: object
loginTheme:
description: Select theme for login, OTP, grant, registration and forgot password pages.
nullable: true
type: string
loginWithEmailAllowed:
description: Allow users to log in with their email address.
nullable: true
type: boolean
maxDeltaTimeSeconds:
description: When will failure count be reset?
format: int32
nullable: true
type: integer
maxFailureWaitSeconds:
description: Max time a user will be locked out.
format: int32
nullable: true
type: integer
maxTemporaryLockouts:
description: The number of temporary lockouts permitted before the user is permanently locked out.
format: int32
nullable: true
type: integer
minimumQuickLoginWaitSeconds:
description: How long to wait after a quick login failure.
format: int32
nullable: true
type: integer
notBefore:
format: int32
nullable: true
type: integer
oAuth2DeviceCodeLifespan:
format: int32
nullable: true
type: integer
oAuth2DevicePollingInterval:
format: int32
nullable: true
type: integer
oauth2DeviceCodeLifespan:
description: Max time before the device code and user code are expired. This value needs to be a long enough lifetime to be usable (allowing the user to retrieve their secondary device, navigate to the verification URI, login, etc.), but should be sufficiently short to limit the usability of a code obtained for phishing.
format: int32
nullable: true
type: integer
oauth2DevicePollingInterval:
description: The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
format: int32
nullable: true
type: integer
offlineSessionIdleTimeout:
description: Time an offline session is allowed to be idle before it expires. You need to use the offline token to refresh at least once within this period; otherwise the offline session will expire.
format: int32
nullable: true
type: integer
offlineSessionMaxLifespan:
description: Max time before an offline session is expired regardless of activity.
format: int32
nullable: true
type: integer
offlineSessionMaxLifespanEnabled:
description: Enable offline session maximum lifetime
nullable: true
type: boolean
organizationsEnabled:
nullable: true
type: boolean
otpPolicyAlgorithm:
description: What hashing algorithm should be used to generate the OTP.
nullable: true
type: string
otpPolicyCodeReusable:
description: Possibility to use the same OTP code again after successful authentication.
nullable: true
type: boolean
otpPolicyDigits:
description: How many digits should the OTP have?
format: int32
nullable: true
type: integer
otpPolicyInitialCounter:
format: int32
nullable: true
type: integer
otpPolicyLookAheadWindow:
description: How far around (extra token periods or counts) should the server look just in case the token generator and server are out of time sync or counter sync?
format: int32
nullable: true
type: integer
otpPolicyPeriod:
description: How many seconds should an OTP token be valid? Defaults to 30 seconds.
format: int32
nullable: true
type: integer
otpPolicyType:
description: '''totp'' is a time-based one-time password. ''hotp'' is a counter-based one-time password in which the server keeps a counter to hash against.'
enum:
- totp
- hotp
nullable: true
type: string
otpSupportedApplications:
items:
type: string
type: array
passwordCredentialGrantAllowed:
nullable: true
type: boolean
passwordPolicy:
nullable: true
type: string
permanentLockout:
nullable: true
type: boolean
privateKey:
nullable: true
type: string
publicKey:
nullable: true
type: string
quickLoginCheckMilliSeconds:
description: If a failure happens concurrently too quickly, lock out the user.
format: int64
nullable: true
type: integer
realm:
nullable: true
type: string
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf
realmCacheEnabled:
nullable: true
type: boolean
refreshTokenMaxReuse:
description: Maximum number of times a refresh token can be reused. When a different token is used, revocation is immediate.
format: int32
nullable: true
type: integer
registrationAllowed:
description: Enable/disable the registration page. A link for registration will show on login page too.
nullable: true
type: boolean
registrationEmailAsUsername:
description: Allow users to set email as username.
nullable: true
type: boolean
registrationFlow:
nullable: true
type: string
rememberMe:
description: Show checkbox on login page to allow user to remain logged in between browser restarts until session expires.
nullable: true
type: boolean
requiredCredentials:
items:
type: string
nullable: true
type: array
resetCredentialsFlow:
nullable: true
type: string
resetPasswordAllowed:
description: Show a link on login page for user to click when they have forgotten their credentials.
nullable: true
type: boolean
revokeRefreshToken:
description: If enabled a refresh token can only be used up to 'Refresh Token Max Reuse' and is revoked when a different token is used. Otherwise refresh tokens are not revoked when used and can be used multiple times.
nullable: true
type: boolean
roles:
description: |-
RolesRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "application": { "type": "object", "additionalProperties": { "type": "array", "items": { "$ref": "#/$defs/RoleRepresentation" } } }, "client": { "type": "object", "additionalProperties": { "type": "array", "items": { "$ref": "#/$defs/RoleRepresentation" } } }, "realm": { "type": "array", "items": { "$ref": "#/$defs/RoleRepresentation" } } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
application:
additionalProperties:
items:
description: |-
RoleRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "attributes": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "clientRole": { "type": "boolean" }, "composite": { "type": "boolean" }, "composites": { "$ref": "#/$defs/Composites" }, "containerId": { "type": "string" }, "description": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "scopeParamRequired": { "type": "boolean" } }, "additionalProperties": false } ``` </details>
properties:
attributes:
additionalProperties:
items:
type: string
type: array
type: object
clientRole:
nullable: true
type: boolean
composite:
nullable: true
type: boolean
composites:
description: |-
Composites
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "application": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "client": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "realm": { "type": "array", "items": { "type": "string" }, "uniqueItems": true } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
application:
additionalProperties:
items:
type: string
type: array
type: object
client:
additionalProperties:
items:
type: string
type: array
type: object
realm:
items:
type: string
nullable: true
type: array
type: object
containerId:
nullable: true
type: string
description:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
scopeParamRequired:
nullable: true
type: boolean
type: object
type: array
type: object
client:
additionalProperties:
items:
description: |-
RoleRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "attributes": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "clientRole": { "type": "boolean" }, "composite": { "type": "boolean" }, "composites": { "$ref": "#/$defs/Composites" }, "containerId": { "type": "string" }, "description": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "scopeParamRequired": { "type": "boolean" } }, "additionalProperties": false } ``` </details>
properties:
attributes:
additionalProperties:
items:
type: string
type: array
type: object
clientRole:
nullable: true
type: boolean
composite:
nullable: true
type: boolean
composites:
description: |-
Composites
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "application": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "client": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "realm": { "type": "array", "items": { "type": "string" }, "uniqueItems": true } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
application:
additionalProperties:
items:
type: string
type: array
type: object
client:
additionalProperties:
items:
type: string
type: array
type: object
realm:
items:
type: string
nullable: true
type: array
type: object
containerId:
nullable: true
type: string
description:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
scopeParamRequired:
nullable: true
type: boolean
type: object
type: array
type: object
realm:
items:
description: |-
RoleRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "attributes": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "clientRole": { "type": "boolean" }, "composite": { "type": "boolean" }, "composites": { "$ref": "#/$defs/Composites" }, "containerId": { "type": "string" }, "description": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "scopeParamRequired": { "type": "boolean" } }, "additionalProperties": false } ``` </details>
properties:
attributes:
additionalProperties:
items:
type: string
type: array
type: object
clientRole:
nullable: true
type: boolean
composite:
nullable: true
type: boolean
composites:
description: |-
Composites
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "application": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "client": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "realm": { "type": "array", "items": { "type": "string" }, "uniqueItems": true } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
application:
additionalProperties:
items:
type: string
type: array
type: object
client:
additionalProperties:
items:
type: string
type: array
type: object
realm:
items:
type: string
nullable: true
type: array
type: object
containerId:
nullable: true
type: string
description:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
scopeParamRequired:
nullable: true
type: boolean
type: object
type: array
type: object
scopeMappings:
items:
description: |-
ScopeMappingRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "client": { "type": "string" }, "clientScope": { "type": "string" }, "clientTemplate": { "type": "string" }, "roles": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "self": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
client:
nullable: true
type: string
clientScope:
nullable: true
type: string
clientTemplate:
nullable: true
type: string
roles:
items:
type: string
nullable: true
type: array
self:
nullable: true
type: string
type: object
type: array
smtpServer:
description: |-
RealmRepresentationSmtpServer
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "auth": { "title": "Authentication", "type": "string", "enum": [ "true", "false", "" ] }, "envelopeFrom": { "title": "Envelope from", "description": "An email address used for bounces (optional).", "type": "string" }, "from": { "title": "From", "type": "string" }, "fromDisplayName": { "title": "From display name", "description": "A user-friendly name for the 'From' address (optional).", "type": "string" }, "host": { "title": "Host", "type": "string" }, "password": { "title": "Password", "description": "SMTP password. This field is able to obtain its value from vault, use ${vault.ID} format.", "type": "string" }, "port": { "title": "Port", "type": "string" }, "replyTo": { "title": "Reply to", "type": "string" }, "replyToDisplayName": { "title": "Reply to display name", "description": "A user-friendly name for the 'Reply-To' address (optional).", "type": "string" }, "ssl": { "title": "Enable SSL", "type": "string", "enum": [ "true", "false", "" ] }, "starttls": { "title": "Enable StartTLS", "type": "string", "enum": [ "true", "false", "" ] }, "user": { "title": "Username", "type": "string" } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
auth:
description: |-
Authentication
<details><summary>JSON schema</summary>
```json { "title": "Authentication", "type": "string", "enum": [ "true", "false", "" ] } ``` </details>
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
envelopeFrom:
description: An email address used for bounces (optional).
nullable: true
type: string
from:
nullable: true
type: string
fromDisplayName:
description: A user-friendly name for the 'From' address (optional).
nullable: true
type: string
host:
nullable: true
type: string
password:
description: SMTP password. This field can obtain its value from the vault; use the ${vault.ID} format.
nullable: true
type: string
port:
nullable: true
type: string
replyTo:
nullable: true
type: string
replyToDisplayName:
description: A user-friendly name for the 'Reply-To' address (optional).
nullable: true
type: string
ssl:
description: |-
EnableSsl
<details><summary>JSON schema</summary>
```json { "title": "Enable SSL", "type": "string", "enum": [ "true", "false", "" ] } ``` </details>
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
starttls:
description: |-
EnableStartTls
<details><summary>JSON schema</summary>
```json { "title": "Enable StartTLS", "type": "string", "enum": [ "true", "false", "" ] } ``` </details>
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
user:
nullable: true
type: string
type: object
social:
nullable: true
type: boolean
socialProviders:
additionalProperties:
type: string
type: object
sslRequired:
description: Is HTTPS required? 'None' means HTTPS is not required for any client IP address. 'External requests' means localhost and private IP addresses can access without HTTPS. 'All requests' means HTTPS is required for all IP addresses.
enum:
- all
- external
- none
nullable: true
type: string
ssoSessionIdleTimeout:
description: Time a session is allowed to be idle before it expires. Tokens and browser sessions are invalidated when a session is expired.
format: int32
nullable: true
type: integer
ssoSessionIdleTimeoutRememberMe:
description: Time a remember me session is allowed to be idle before it expires. Tokens and browser sessions are invalidated when a session is expired. If not set it uses the standard SSO Session Idle value.
format: int32
nullable: true
type: integer
ssoSessionMaxLifespan:
description: Max time before a session is expired. Tokens and browser sessions are invalidated when a session is expired.
format: int32
nullable: true
type: integer
ssoSessionMaxLifespanRememberMe:
description: Max time before a session is expired when a user has set the remember me option. Tokens and browser sessions are invalidated when a session is expired. If not set it uses the standard SSO Session Max value.
format: int32
nullable: true
type: integer
supportedLocales:
items:
type: string
nullable: true
type: array
updateProfileOnInitialSocialLogin:
nullable: true
type: boolean
userCacheEnabled:
nullable: true
type: boolean
userFederationMappers:
items:
description: |-
UserFederationMapperRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "config": { "type": "object", "additionalProperties": { "type": "string" } }, "federationMapperType": { "type": "string" }, "federationProviderDisplayName": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
config:
additionalProperties:
type: string
type: object
federationMapperType:
nullable: true
type: string
federationProviderDisplayName:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
type: object
type: array
userFederationProviders:
items:
description: |-
UserFederationProviderRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "changedSyncPeriod": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "config": { "type": "object", "additionalProperties": { "type": "string" } }, "displayName": { "type": "string" }, "fullSyncPeriod": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "id": { "type": "string" }, "lastSync": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "priority": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "providerName": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
changedSyncPeriod:
format: int32
nullable: true
type: integer
config:
additionalProperties:
type: string
type: object
displayName:
nullable: true
type: string
fullSyncPeriod:
format: int32
nullable: true
type: integer
id:
nullable: true
type: string
lastSync:
format: int32
nullable: true
type: integer
priority:
format: int32
nullable: true
type: integer
providerName:
nullable: true
type: string
type: object
type: array
userManagedAccessAllowed:
description: If enabled, users are allowed to manage their resources and permissions using the Account Management UI.
nullable: true
type: boolean
verifiableCredentialsEnabled:
nullable: true
type: boolean
verifyEmail:
description: Require user to verify their email address after initial login or after address changes are submitted.
nullable: true
type: boolean
waitIncrementSeconds:
description: When the failure threshold has been met, how long should the user be locked out?
format: int32
nullable: true
type: integer
webAuthnPolicyAcceptableAaguids:
description: The list of allowed AAGUIDs with which an authenticator can be registered. An AAGUID is a 128-bit identifier indicating the authenticator's type (e.g., make and model).
items:
type: string
type: array
webAuthnPolicyAttestationConveyancePreference:
description: Communicates to an authenticator the preference of how to generate an attestation statement.
enum:
- not specified
- none
- indirect
- direct
nullable: true
type: string
webAuthnPolicyAuthenticatorAttachment:
description: Communicates to an authenticator an acceptable attachment pattern.
enum:
- not specified
- platform
- cross-platform
nullable: true
type: string
webAuthnPolicyAvoidSameAuthenticatorRegister:
description: Avoid registering an authenticator that has already been registered.
nullable: true
type: boolean
webAuthnPolicyCreateTimeout:
description: The timeout, in seconds, for creating the user's public key credential. If set to 0, this timeout option is not applied.
format: int32
nullable: true
type: integer
webAuthnPolicyExtraOrigins:
items:
type: string
type: array
webAuthnPolicyPasswordlessAcceptableAaguids:
description: The list of allowed AAGUIDs with which an authenticator can be registered. An AAGUID is a 128-bit identifier indicating the authenticator's type (e.g., make and model).
items:
type: string
type: array
webAuthnPolicyPasswordlessAttestationConveyancePreference:
description: Communicates to an authenticator the preference of how to generate an attestation statement.
enum:
- not specified
- none
- indirect
- direct
nullable: true
type: string
webAuthnPolicyPasswordlessAuthenticatorAttachment:
description: Communicates to an authenticator an acceptable attachment pattern.
enum:
- not specified
- platform
- cross-platform
nullable: true
type: string
webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister:
description: Avoid registering an authenticator that has already been registered.
nullable: true
type: boolean
webAuthnPolicyPasswordlessCreateTimeout:
description: The timeout, in seconds, for creating the user's public key credential. If set to 0, this timeout option is not applied.
format: int32
nullable: true
type: integer
webAuthnPolicyPasswordlessExtraOrigins:
items:
type: string
type: array
webAuthnPolicyPasswordlessRequireResidentKey:
description: It tells an authenticator whether to create a public key credential as a Discoverable Credential.
enum:
- not specified
- 'Yes'
- 'No'
nullable: true
type: string
webAuthnPolicyPasswordlessRpEntityName:
description: Human-readable server name as WebAuthn Relying Party
nullable: true
type: string
webAuthnPolicyPasswordlessRpId:
description: The WebAuthn Relying Party ID (RpID). It must be the origin's effective domain, e.g. 'company.com' or 'auth.company.com'.
nullable: true
type: string
webAuthnPolicyPasswordlessSignatureAlgorithms:
description: The signature algorithms that should be used for the Authentication Assertion.
items:
description: |-
SignatureAlgorithmsItem
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "Ed25519", "ES256", "ES384", "ES512", "RS256", "RS384", "RS512", "RS1" ] } ``` </details>
enum:
- Ed25519
- ES256
- ES384
- ES512
- RS256
- RS384
- RS512
- RS1
type: string
type: array
webAuthnPolicyPasswordlessUserVerificationRequirement:
description: Communicates to an authenticator whether user verification is required.
enum:
- not specified
- required
- preferred
- discouraged
nullable: true
type: string
webAuthnPolicyRequireResidentKey:
description: It tells an authenticator whether to create a public key credential as a Discoverable Credential.
enum:
- not specified
- 'Yes'
- 'No'
nullable: true
type: string
webAuthnPolicyRpEntityName:
description: Human-readable server name as WebAuthn Relying Party
nullable: true
type: string
webAuthnPolicyRpId:
description: The WebAuthn Relying Party ID (RpID). It must be the origin's effective domain, e.g. 'company.com' or 'auth.company.com'.
nullable: true
type: string
webAuthnPolicySignatureAlgorithms:
description: The signature algorithms that should be used for the Authentication Assertion.
items:
description: |-
SignatureAlgorithmsItem
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "Ed25519", "ES256", "ES384", "ES512", "RS256", "RS384", "RS512", "RS1" ] } ``` </details>
enum:
- Ed25519
- ES256
- ES384
- ES512
- RS256
- RS384
- RS512
- RS1
type: string
type: array
webAuthnPolicyUserVerificationRequirement:
description: Communicates to an authenticator whether user verification is required.
enum:
- not specified
- required
- preferred
- discouraged
nullable: true
type: string
type: object
x-kubernetes-validations:
- message: Value is immutable
rule: has(self.realm) == has(oldSelf.realm)
instanceRef:
description: The name of the namespaced instance to which this object belongs.
type: string
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf
options:
description: Options for the request to the Keycloak Admin API.
nullable: true
type: object
patchFrom:
additionalProperties:
description: EnvVarSource represents a source for the value of an EnvVar.
properties:
configMapKeyRef:
description: Selects a key of a ConfigMap.
properties:
key:
description: The key to select.
type: string
name:
description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
optional:
description: Specify whether the ConfigMap or its key must be defined
type: boolean
required:
- key
- name
type: object
fieldRef:
description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels[''<KEY>'']`, `metadata.annotations[''<KEY>'']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.'
properties:
apiVersion:
description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
type: string
fieldPath:
description: Path of the field to select in the specified API version.
type: string
required:
- fieldPath
type: object
resourceFieldRef:
description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.'
properties:
containerName:
description: 'Container name: required for volumes, optional for env vars'
type: string
divisor:
description: Specifies the output format of the exposed resources, defaults to "1"
type: string
resource:
description: 'Required: resource to select'
type: string
required:
- resource
type: object
secretKeyRef:
description: Selects a key of a secret in the pod's namespace
properties:
key:
description: The key of the secret to select from. Must be a valid secret key.
type: string
name:
description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
optional:
description: Specify whether the Secret or its key must be defined
type: boolean
required:
- key
- name
type: object
valueAs:
enum:
- auto
- string
- number
- yaml
- json
- bool
nullable: true
type: string
type: object
description: Defines additional values that can be loaded from secrets or configmaps. Field selectors are not supported. For more information, see [the patches documentation](../configuration/patches.md).
type: object
patchFrom2:
items:
description: EnvVarSource represents a source for the value of an EnvVar.
properties:
configMapKeyRef:
description: Selects a key of a ConfigMap.
properties:
key:
description: The key to select.
type: string
name:
description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
optional:
description: Specify whether the ConfigMap or its key must be defined
type: boolean
required:
- key
- name
type: object
fieldRef:
description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels[''<KEY>'']`, `metadata.annotations[''<KEY>'']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.'
properties:
apiVersion:
description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
type: string
fieldPath:
description: Path of the field to select in the specified API version.
type: string
required:
- fieldPath
type: object
path:
type: string
resourceFieldRef:
description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.'
properties:
containerName:
description: 'Container name: required for volumes, optional for env vars'
type: string
divisor:
description: Specifies the output format of the exposed resources, defaults to "1"
type: string
resource:
description: 'Required: resource to select'
type: string
required:
- resource
type: object
secretKeyRef:
description: Selects a key of a secret in the pod's namespace
properties:
key:
description: The key of the secret to select from. Must be a valid secret key.
type: string
name:
description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
optional:
description: Specify whether the Secret or its key must be defined
type: boolean
required:
- key
- name
type: object
valueAs:
enum:
- auto
- string
- number
- yaml
- json
- bool
nullable: true
type: string
required:
- path
type: object
type: array
required:
- definition
type: object
status:
nullable: true
properties:
conditions:
items:
properties:
lastTransitionTime:
description: Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
format: date-time
nullable: true
type: string
message:
nullable: true
type: string
reason:
nullable: true
type: string
status:
type: string
type:
type: string
required:
- status
- type
type: object
type: array
instance:
anyOf:
- required:
- instanceRef
- required:
- clusterInstanceRef
properties:
clusterInstanceRef:
description: The name of the cluster instance to which this object belongs.
type: string
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf
instanceRef:
description: The name of the namespaced instance to which this object belongs.
type: string
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf
type: object
message:
type: string
ready:
type: boolean
resourcePath:
type: string
status:
type: string
required:
- ready
type: object
required:
- spec
title: ClusterKeycloakRealm
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: keycloakrealms.rustcloak.k8s.eboland.de
spec:
group: rustcloak.k8s.eboland.de
names:
categories:
- keycloak
- all
kind: KeycloakRealm
plural: keycloakrealms
shortNames:
- kcrm
singular: keycloakrealm
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: true if the realm is ready
jsonPath: .status.ready
name: Ready
type: boolean
- description: Status String of the resource
jsonPath: .status.status
name: Status
type: string
- description: time since the realm was created
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1beta1
schema:
openAPIV3Schema:
description: resource to define a Realm within a [KeycloakInstance](./keycloakinstance.md)
properties:
spec:
anyOf:
- required:
- instanceRef
- required:
- clusterInstanceRef
description: the KeycloakRealm resource
properties:
clusterInstanceRef:
description: The name of the cluster instance to which this object belongs.
type: string
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf
definition:
description: |-
RealmRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "accessCodeLifespan": { "title": "Client Login Timeout", "description": "Max time a client has to finish the access token protocol. This should normally be 1 minute.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "accessCodeLifespanLogin": { "title": "Login timeout", "description": "Max time a user has to complete a login. This is recommended to be relatively long, such as 30 minutes or more.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "accessCodeLifespanUserAction": { "title": "Login action timeout", "description": "Max time a user has to complete login related actions like update password or configure totp. This is recommended to be relatively long, such as 5 minutes or more.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "accessTokenLifespan": { "title": "Access Token Lifespan", "description": "Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "accessTokenLifespanForImplicitFlow": { "title": "Access Token Lifespan For Implicit Flow", "description": "Max time before an access token issued during OpenID Connect Implicit Flow is expired. This value is recommended to be shorter than the SSO timeout. 
There is no possibility to refresh token during implicit flow, that's why there is a separate timeout different to 'Access Token Lifespan'.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "accountTheme": { "title": "Account theme", "description": "Select theme for login, OTP, grant, registration and forgot password pages.", "type": "string" }, "actionTokenGeneratedByAdminLifespan": { "title": "Default Admin-Initiated Action Lifespan", "description": "Maximum time before an action permit sent to a user by administrator is expired. This value is recommended to be long to allow administrators to send e-mails for users that are currently offline. The default timeout can be overridden immediately before issuing the token.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "actionTokenGeneratedByUserLifespan": { "title": "User-Initiated Action Lifespan", "description": "Maximum time before an action permit sent by a user (such as a forgot password e-mail) is expired. 
This value is recommended to be short because it's expected that the user would react to self-created action quickly.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "adminEventsDetailsEnabled": { "title": "Include representation", "description": "Include JSON representation for create and update requests.", "type": "boolean" }, "adminEventsEnabled": { "title": "Save events", "description": "If enabled, admin events are saved to the database, which makes events available to the Admin UI.", "type": "boolean" }, "adminPermissionsClient": { "$ref": "#/$defs/ClientRepresentation" }, "adminPermissionsEnabled": { "type": "boolean" }, "adminTheme": { "title": "Admin theme", "type": "string" }, "applicationScopeMappings": { "type": "object", "additionalProperties": { "type": "array", "items": { "$ref": "#/$defs/ScopeMappingRepresentation" } } }, "applications": { "type": "array", "items": { "$ref": "#/$defs/ApplicationRepresentation" } }, "attributes": { "type": "object", "properties": { "adminEventsExpiration": { "title": "Expiration", "description": "Sets the expiration for events. Expired events are periodically deleted from the database.", "type": "string", "pattern": "^[0-9]*$" }, "cibaAuthRequestedUserHint": { "title": "Authentication Requested User Hint", "description": "The way of identifying the end-user for whom authentication is being requested. Currently only \"login_hint\" is supported.", "type": "string", "enum": [ "login_hint" ] }, "cibaBackchannelTokenDeliveryMode": { "title": "Backchannel Token Delivery Mode", "description": "Specifies how the CD (Consumption Device) gets the authentication result and related tokens. 
This mode will be used by default for the CIBA clients, which do not have other mode explicitly set.", "type": "string", "enum": [ "ping", "poll" ] }, "cibaExpiresIn": { "title": "Expires In", "description": "The expiration time of the \"auth_req_id\" in seconds since the authentication request was received.", "type": "string", "pattern": "^[0-9]*$" }, "cibaInterval": { "title": "Interval", "description": "The minimum amount of time in seconds that the CD (Consumption Device) must wait between polling requests to the token endpoint. If set to 0, the CD must use 5 as the default value according to the CIBA specification.", "type": "string", "pattern": "^[0-9]*$" }, "frontendUrl": { "title": "Frontend URL", "description": "Set the frontend URL for the realm. Use in combination with the default hostname provider to override the base URL for frontend requests for a specific realm.", "type": "string" } }, "additionalProperties": { "type": "string" } }, "authenticationFlows": { "type": "array", "items": { "$ref": "#/$defs/AuthenticationFlowRepresentation" } }, "authenticatorConfig": { "type": "array", "items": { "$ref": "#/$defs/AuthenticatorConfigRepresentation" } }, "browserFlow": { "type": "string" }, "browserSecurityHeaders": { "type": "object", "properties": { "contentSecurityPolicy": { "title": "Content-Security-Policy", "description": "Default value prevents pages from being included by non-origin iframes. <1>Learn more</1>", "type": "string" }, "contentSecurityPolicyReportOnly": { "title": "Content-Security-Policy-Report-Only", "description": "For testing Content Security Policies <1>Learn more</1>", "type": "string" }, "strictTransportSecurity": { "title": "HTTP Strict Transport Security (HSTS)", "description": "The Strict-Transport-Security HTTP header tells browsers to always use HTTPS. Once a browser sees this header, it will only visit the site over HTTPS for the time specified (1 year) at max-age, including the subdomains. 
<1>Learn more</1>", "type": "string" }, "xContentTypeOptions": { "title": "X-Content-Type-Options", "description": "The default value prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. <1>Learn more</1>", "type": "string" }, "xFrameOptions": { "title": "X-Frame-Options", "description": "Default value prevents pages from being included by non-origin iframes. <1>Learn more</1>", "type": "string" }, "xRobotsTag": { "title": "X-Robots-Tag", "description": "Prevent pages from appearing in search engines. <1>Learn more</1>", "type": "string" }, "xXSSProtection": { "title": "X-XSS-Protection", "description": "This header configures the Cross-site scripting (XSS) filter in your browser. Using the default behaviour, the browser will prevent rendering of the page when a XSS attack is detected. <1>Learn more</1>", "type": "string" } }, "additionalProperties": false }, "bruteForceDetection": { "title": "Brute force detection" }, "bruteForceProtected": { "type": "boolean" }, "bruteForceStrategy": { "title": "Strategy to increase wait time", "description": "Multiple means wait time will be increased only when number of failures are multiples of '{{failureFactor}}'. 
Linear means each new failure starting at '{{failureFactor}}' will increase wait time.", "$ref": "#/$defs/BruteForceStrategy" }, "certificate": { "type": "string" }, "clientAuthenticationFlow": { "type": "string" }, "clientOfflineSessionIdleTimeout": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "clientOfflineSessionMaxLifespan": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "clientPolicies": { "$ref": "#/$defs/ClientPoliciesRepresentation" }, "clientProfiles": { "$ref": "#/$defs/ClientProfilesRepresentation" }, "clientScopeMappings": { "type": "object", "additionalProperties": { "type": "array", "items": { "$ref": "#/$defs/ScopeMappingRepresentation" } } }, "clientScopes": { "type": "array", "items": { "$ref": "#/$defs/ClientScopeRepresentation" } }, "clientSessionIdleTimeout": { "title": "Client Session Idle", "description": "Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Idle value.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "clientSessionMaxLifespan": { "title": "Client Session Max", "description": "Max time before a client session is expired. Tokens are invalidated when a session is expired. The option does not affect the global user SSO session. 
If not set, it uses the standard SSO Session Max value.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "clientTemplates": { "type": "array", "items": { "$ref": "#/$defs/ClientTemplateRepresentation" } }, "clients": { "type": "array", "items": { "$ref": "#/$defs/ClientRepresentation" } }, "codeSecret": { "type": "string" }, "components": { "$ref": "#/$defs/MultivaluedHashMapStringComponentExportRepresentation" }, "defaultDefaultClientScopes": { "type": "array", "items": { "type": "string" } }, "defaultGroups": { "type": "array", "items": { "type": "string" } }, "defaultLocale": { "title": "Default locale", "type": "string" }, "defaultOptionalClientScopes": { "type": "array", "items": { "type": "string" } }, "defaultRole": { "$ref": "#/$defs/RoleRepresentation" }, "defaultRoles": { "type": "array", "items": { "type": "string" } }, "defaultSignatureAlgorithm": { "title": "Default Signature Algorithm", "description": "Default algorithm used to sign tokens for the realm", "type": "string", "enum": [ "EdDSA", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS384", "RS512" ] }, "directGrantFlow": { "type": "string" }, "displayName": { "title": "Display name", "type": "string" }, "displayNameHtml": { "title": "HTML Display name", "type": "string" }, "dockerAuthenticationFlow": { "type": "string" }, "duplicateEmailsAllowed": { "title": "Duplicate emails", "description": "Allow multiple users to have the same email address. Changing this setting will also clear the user's cache. 
It is recommended to manually update email constraints of existing users in the database after switching off support for duplicate email addresses.", "type": "boolean" }, "editUsernameAllowed": { "title": "Edit username", "description": "If enabled, the username field is editable, readonly otherwise.", "type": "boolean" }, "emailTheme": { "title": "Email theme", "description": "Select a theme for emails that are sent by the server.", "type": "string" }, "enabled": { "type": "boolean" }, "enabledEventTypes": { "type": "array", "items": { "type": "string" } }, "eventsEnabled": { "title": "Save events", "description": "If enabled, user events are saved to the database, which makes events available to the admin and account management UIs.", "type": "boolean" }, "eventsExpiration": { "title": "Expiration", "description": "Sets the expiration for events. Expired events are periodically deleted from the database.", "type": "integer", "format": "int64", "maximum": 9.223372036854776e18, "minimum": -9.223372036854776e18 }, "eventsListeners": { "title": "Event listeners", "description": "Configure what listeners receive events for the realm.", "type": "array", "items": { "type": "string" } }, "failureFactor": { "title": "Max login failures", "description": "Max login failures", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "federatedUsers": { "type": "array", "items": { "$ref": "#/$defs/UserRepresentation" } }, "firstBrokerLoginFlow": { "type": "string" }, "groups": { "type": "array", "items": { "$ref": "#/$defs/GroupRepresentation" } }, "id": { "type": "string" }, "identityProviderMappers": { "type": "array", "items": { "$ref": "#/$defs/IdentityProviderMapperRepresentation" } }, "identityProviders": { "type": "array", "items": { "$ref": "#/$defs/IdentityProviderRepresentation" } }, "internationalizationEnabled": { "title": "Internationalization", "description": "If enabled, you can choose which locales you support for this realm 
and which locale is the default.", "type": "boolean" }, "keycloakVersion": { "type": "string" }, "localizationTexts": { "type": "object", "additionalProperties": { "type": "object", "additionalProperties": { "type": "string" } } }, "loginTheme": { "title": "Login theme", "description": "Select theme for login, OTP, grant, registration and forgot password pages.", "type": "string" }, "loginWithEmailAllowed": { "title": "Login with email", "description": "Allow users to log in with their email address.", "type": "boolean" }, "maxDeltaTimeSeconds": { "title": "Failure reset time", "description": "When will failure count be reset?", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "maxFailureWaitSeconds": { "title": "Max wait", "description": "Max time a user will be locked out.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "maxTemporaryLockouts": { "title": "Maximum temporary lockouts", "description": "The number of temporary lockouts permitted before the user is permanently locked out.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "minimumQuickLoginWaitSeconds": { "title": "Minimum quick login wait", "description": "How long to wait after a quick login failure.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "notBefore": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "oAuth2DeviceCodeLifespan": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "oAuth2DevicePollingInterval": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "oauth2DeviceCodeLifespan": { "title": "OAuth 2.0 Device Code Lifespan", "description": "Max time before the device code and user code are expired. 
This value needs to be a long enough lifetime to be usable (allowing the user to retrieve their secondary device, navigate to the verification URI, login, etc.), but should be sufficiently short to limit the usability of a code obtained for phishing.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "oauth2DevicePollingInterval": { "title": "OAuth 2.0 Device Polling Interval", "description": "The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "oauthClients": { "type": "array", "items": { "$ref": "#/$defs/OAuthClientRepresentation" } }, "offlineSessionIdleTimeout": { "title": "Offline Session Idle", "description": "Time an offline session is allowed to be idle before it expires. You need to use offline token to refresh at least once within this period; otherwise offline session will expire.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "offlineSessionMaxLifespan": { "title": "Offline Session Max", "description": "Max time before an offline session is expired regardless of activity.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "offlineSessionMaxLifespanEnabled": { "title": "Offline Session Max Limited", "description": "Enable offline session maximum lifetime", "type": "boolean" }, "organizations": { "type": "array", "items": { "$ref": "#/$defs/OrganizationRepresentation" } }, "organizationsEnabled": { "type": "boolean" }, "otpPolicyAlgorithm": { "title": "OTP hash algorithm", "description": "What hashing algorithm should be used to generate the OTP.", "type": "string" }, "otpPolicyCodeReusable": { "title": "Reusable token", "description": "Possibility to use the same OTP code again after successful authentication.", "type": "boolean" }, "otpPolicyDigits": { "title": "Number of 
digits", "description": "How many digits should the OTP have?", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "otpPolicyInitialCounter": { "title": "Initial counter", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "otpPolicyLookAheadWindow": { "title": "Look around window", "description": "How far around (extra token periods or counts) should the server look just in case the token generator and server are out of time sync or counter sync?", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "otpPolicyPeriod": { "title": "OTP Token period", "description": "How many seconds should an OTP token be valid? Defaults to 30 seconds.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "otpPolicyType": { "title": "OTP type", "description": "totp is Time-Based One Time Password. 'hotp' is a counter base one time password in which the server keeps a counter to hash against.", "type": "string", "enum": [ "totp", "hotp" ] }, "otpSupportedApplications": { "type": "array", "items": { "type": "string" } }, "passwordCredentialGrantAllowed": { "type": "boolean" }, "passwordPolicy": { "type": "string" }, "permanentLockout": { "title": "Permanent lockout", "type": "boolean" }, "privateKey": { "type": "string" }, "protocolMappers": { "type": "array", "items": { "$ref": "#/$defs/ProtocolMapperRepresentation" } }, "publicKey": { "type": "string" }, "quickLoginCheckMilliSeconds": { "title": "Quick login check milliseconds", "description": "If a failure happens concurrently too quickly, lock out the user.", "type": "integer", "format": "int64", "maximum": 9.223372036854776e18, "minimum": -9.223372036854776e18 }, "realm": { "title": "Realm ID", "type": "string" }, "realmCacheEnabled": { "type": "boolean" }, "refreshTokenMaxReuse": { "title": "Refresh Token Max Reuse", "description": "Maximum number of times a refresh token 
can be reused. When a different token is used, revocation is immediate.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "registrationAllowed": { "title": "User registration", "description": "Enable/disable the registration page. A link for registration will show on login page too.", "type": "boolean" }, "registrationEmailAsUsername": { "title": "Email as username", "description": "Allow users to set email as username.", "type": "boolean" }, "registrationFlow": { "type": "string" }, "rememberMe": { "title": "Remember me", "description": "Show checkbox on login page to allow user to remain logged in between browser restarts until session expires.", "type": "boolean" }, "requiredActions": { "type": "array", "items": { "$ref": "#/$defs/RequiredActionProviderRepresentation" } }, "requiredCredentials": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "resetCredentialsFlow": { "type": "string" }, "resetPasswordAllowed": { "title": "Specifies independent timeout for forgot password.", "description": "Show a link on login page for user to click when they have forgotten their credentials.", "type": "boolean" }, "revokeRefreshToken": { "title": "Revoke Refresh Token", "description": "If enabled a refresh token can only be used up to 'Refresh Token Max Reuse' and is revoked when a different token is used. 
Otherwise refresh tokens are not revoked when used and can be used multiple times.", "type": "boolean" }, "roles": { "$ref": "#/$defs/RolesRepresentation" }, "scopeMappings": { "type": "array", "items": { "$ref": "#/$defs/ScopeMappingRepresentation" } }, "smtpServer": { "type": "object", "properties": { "auth": { "title": "Authentication", "type": "string", "enum": [ "true", "false", "" ] }, "envelopeFrom": { "title": "Envelope from", "description": "An email address used for bounces (optional).", "type": "string" }, "from": { "title": "From", "type": "string" }, "fromDisplayName": { "title": "From display name", "description": "A user-friendly name for the 'From' address (optional).", "type": "string" }, "host": { "title": "Host", "type": "string" }, "password": { "title": "Password", "description": "SMTP password. This field is able to obtain its value from vault, use ${vault.ID} format.", "type": "string" }, "port": { "title": "Port", "type": "string" }, "replyTo": { "title": "Reply to", "type": "string" }, "replyToDisplayName": { "title": "Reply to display name", "description": "A user-friendly name for the 'Reply-To' address (optional).", "type": "string" }, "ssl": { "title": "Enable SSL", "type": "string", "enum": [ "true", "false", "" ] }, "starttls": { "title": "Enable StartTLS", "type": "string", "enum": [ "true", "false", "" ] }, "user": { "title": "Username", "type": "string" } }, "additionalProperties": false }, "social": { "type": "boolean" }, "socialProviders": { "type": "object", "additionalProperties": { "type": "string" } }, "sslRequired": { "title": "Require SSL", "description": "Is HTTPS required? 'None' means HTTPS is not required for any client IP address. 'External requests' means localhost and private IP addresses can access without HTTPS. 
'All requests' means HTTPS is required for all IP addresses.", "type": "string", "enum": [ "all", "external", "none" ] }, "ssoSessionIdleTimeout": { "title": "SSO Session Idle", "description": "Time a session is allowed to be idle before it expires. Tokens and browser sessions are invalidated when a session is expired.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "ssoSessionIdleTimeoutRememberMe": { "title": "SSO Session Idle Remember Me", "description": "Time a remember me session is allowed to be idle before it expires. Tokens and browser sessions are invalidated when a session is expired. If not set it uses the standard SSO Session Idle value.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "ssoSessionMaxLifespan": { "title": "SSO Session Max", "description": "Max time before a session is expired. Tokens and browser sessions are invalidated when a session is expired.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "ssoSessionMaxLifespanRememberMe": { "title": "SSO Session Max Remember Me", "description": "Max time before a session is expired when a user has set the remember me option. Tokens and browser sessions are invalidated when a session is expired. 
If not set it uses the standard SSO Session Max value.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "supportedLocales": { "title": "Supported locales", "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "updateProfileOnInitialSocialLogin": { "type": "boolean" }, "userCacheEnabled": { "type": "boolean" }, "userFederationMappers": { "type": "array", "items": { "$ref": "#/$defs/UserFederationMapperRepresentation" } }, "userFederationProviders": { "type": "array", "items": { "$ref": "#/$defs/UserFederationProviderRepresentation" } }, "userManagedAccessAllowed": { "title": "User-managed access", "description": "If enabled, users are allowed to manage their resources and permissions using the Account Management UI.", "type": "boolean" }, "users": { "type": "array", "items": { "$ref": "#/$defs/UserRepresentation" } }, "verifiableCredentialsEnabled": { "type": "boolean" }, "verifyEmail": { "title": "Verify email", "description": "Require user to verify their email address after initial login or after address changes are submitted.", "type": "boolean" }, "waitIncrementSeconds": { "title": "Wait increment", "description": "When failure threshold has been met, how much time should the user be locked out?", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "webAuthnPolicyAcceptableAaguids": { "title": "Acceptable AAGUIDs", "description": "The list of allowed AAGUIDs of which an authenticator can be registered. 
An AAGUID is a 128-bit identifier indicating the authenticator's type (e.g., make and model).", "type": "array", "items": { "type": "string" } }, "webAuthnPolicyAttestationConveyancePreference": { "title": "Attestation conveyance preference", "description": "Communicates to an authenticator the preference of how to generate an attestation statement.", "type": "string", "enum": [ "not specified", "none", "indirect", "direct" ] }, "webAuthnPolicyAuthenticatorAttachment": { "title": "Authenticator Attachment", "description": "Communicates to an authenticator an acceptable attachment pattern.", "type": "string", "enum": [ "not specified", "platform", "cross-platform" ] }, "webAuthnPolicyAvoidSameAuthenticatorRegister": { "title": "Avoid same authenticator registration", "description": "Avoid registering an authenticator that has already been registered.", "type": "boolean" }, "webAuthnPolicyCreateTimeout": { "title": "Timeout", "description": "The timeout value for creating the user's public key credential in seconds. If set to 0, this timeout option is not adapted.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "webAuthnPolicyExtraOrigins": { "type": "array", "items": { "type": "string" } }, "webAuthnPolicyPasswordlessAcceptableAaguids": { "title": "Acceptable AAGUIDs", "description": "The list of allowed AAGUIDs of which an authenticator can be registered. 
An AAGUID is a 128-bit identifier indicating the authenticator's type (e.g., make and model).", "type": "array", "items": { "type": "string" } }, "webAuthnPolicyPasswordlessAttestationConveyancePreference": { "title": "Attestation conveyance preference", "description": "Communicates to an authenticator the preference of how to generate an attestation statement.", "type": "string", "enum": [ "not specified", "none", "indirect", "direct" ] }, "webAuthnPolicyPasswordlessAuthenticatorAttachment": { "title": "Authenticator Attachment", "description": "Communicates to an authenticator an acceptable attachment pattern.", "type": "string", "enum": [ "not specified", "platform", "cross-platform" ] }, "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": { "title": "Avoid same authenticator registration", "description": "Avoid registering an authenticator that has already been registered.", "type": "boolean" }, "webAuthnPolicyPasswordlessCreateTimeout": { "title": "Timeout", "description": "The timeout value for creating the user's public key credential in seconds. If set to 0, this timeout option is not adapted.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "webAuthnPolicyPasswordlessExtraOrigins": { "type": "array", "items": { "type": "string" } }, "webAuthnPolicyPasswordlessRequireResidentKey": { "title": "Require discoverable credential", "description": "It tells an authenticator whether to create a public key credential as a Discoverable Credential.", "type": "string", "enum": [ "not specified", "Yes", "No" ] }, "webAuthnPolicyPasswordlessRpEntityName": { "title": "Relying party entity name", "description": "Human-readable server name as WebAuthn Relying Party", "type": "string" }, "webAuthnPolicyPasswordlessRpId": { "title": "Relying party ID", "description": "The WebAuthn Relying Party ID (RpID). It must be the origin's effective domain, e.g. 
'company.com' or 'auth.company.com'.", "type": "string" }, "webAuthnPolicyPasswordlessSignatureAlgorithms": { "title": "Signature algorithms", "description": "The signature algorithms that should be used for the Authentication Assertion.", "type": "array", "items": { "type": "string", "enum": [ "Ed25519", "ES256", "ES384", "ES512", "RS256", "RS384", "RS512", "RS1" ] } }, "webAuthnPolicyPasswordlessUserVerificationRequirement": { "title": "User verification requirement", "description": "Communicates to an authenticator whether to require to verify a user.", "type": "string", "enum": [ "not specified", "required", "preferred", "discouraged" ] }, "webAuthnPolicyRequireResidentKey": { "title": "Require discoverable credential", "description": "It tells an authenticator whether to create a public key credential as a Discoverable Credential.", "type": "string", "enum": [ "not specified", "Yes", "No" ] }, "webAuthnPolicyRpEntityName": { "title": "Relying party entity name", "description": "Human-readable server name as WebAuthn Relying Party", "type": "string" }, "webAuthnPolicyRpId": { "title": "Relying party ID", "description": "The WebAuthn Relying Party ID (RpID). It must be the origin's effective domain, e.g. 'company.com' or 'auth.company.com'.", "type": "string" }, "webAuthnPolicySignatureAlgorithms": { "title": "Signature algorithms", "description": "The signature algorithms that should be used for the Authentication Assertion.", "type": "array", "items": { "type": "string", "enum": [ "Ed25519", "ES256", "ES384", "ES512", "RS256", "RS384", "RS512", "RS1" ] } }, "webAuthnPolicyUserVerificationRequirement": { "title": "User verification requirement", "description": "Communicates to an authenticator whether to require to verify a user.", "type": "string", "enum": [ "not specified", "required", "preferred", "discouraged" ] } }, "additionalProperties": false } ``` </details>
properties:
accessCodeLifespan:
description: Max time a client has to finish the access token protocol. This should normally be 1 minute.
format: int32
nullable: true
type: integer
accessCodeLifespanLogin:
description: Max time a user has to complete a login. This is recommended to be relatively long, such as 30 minutes or more.
format: int32
nullable: true
type: integer
accessCodeLifespanUserAction:
description: Max time a user has to complete login-related actions such as updating the password or configuring TOTP. This is recommended to be relatively long, such as 5 minutes or more.
format: int32
nullable: true
type: integer
accessTokenLifespan:
description: Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout.
format: int32
nullable: true
type: integer
accessTokenLifespanForImplicitFlow:
description: Max time before an access token issued during OpenID Connect Implicit Flow is expired. This value is recommended to be shorter than the SSO timeout. Tokens cannot be refreshed during the implicit flow, which is why this timeout is separate from 'Access Token Lifespan'.
format: int32
nullable: true
type: integer
accountTheme:
description: Select theme for login, OTP, grant, registration and forgot password pages.
nullable: true
type: string
actionTokenGeneratedByAdminLifespan:
description: Maximum time before an action permit sent to a user by an administrator expires. This value is recommended to be long so that administrators can send e-mails to users who are currently offline. The default timeout can be overridden immediately before issuing the token.
format: int32
nullable: true
type: integer
actionTokenGeneratedByUserLifespan:
description: Maximum time before an action permit sent by a user (such as a forgot-password e-mail) expires. This value is recommended to be short because the user is expected to react quickly to a self-created action.
format: int32
nullable: true
type: integer
adminEventsDetailsEnabled:
description: Include JSON representation for create and update requests.
nullable: true
type: boolean
adminEventsEnabled:
description: If enabled, admin events are saved to the database, which makes events available to the Admin UI.
nullable: true
type: boolean
adminPermissionsClient:
description: |-
ClientRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "access": { "type": "object", "additionalProperties": { "type": "boolean" } }, "adminUrl": { "title": "Admin URL", "description": "URL to the admin interface of the client. Set this if the client supports the adapter REST API. This REST API allows the auth server to push revocation policies and other administrative tasks. Usually this is set to the base URL of the client.", "type": "string" }, "alwaysDisplayInConsole": { "title": "Always display in UI", "description": "Always list this client in the Account UI, even if the user does not have an active session.", "type": "boolean" }, "attributes": { "type": "object", "properties": { "access.token.lifespan": { "title": "Access Token Lifespan", "description": "Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout.", "type": "string", "pattern": "^[0-9]*$" }, "access.token.signed.response.alg": { "title": "Access token signature algorithm", "description": "JWA algorithm used for signing access tokens.", "type": "string" }, "authorization.encrypted.response.alg": { "title": "Authorization response encryption key management algorithm", "description": "JWA Algorithm used for key management in encrypting the authorization response when the response mode is jwt. This option is needed if you want encrypted authorization response. If left empty, the authorization response is just signed, but not encrypted.", "type": "string" }, "authorization.encrypted.response.enc": { "title": "Authorization response encryption content encryption algorithm", "description": "JWA Algorithm used for content encryption in encrypting the authorization response when the response mode is jwt. This option is needed if you want encrypted authorization response. 
If left empty, the authorization response is just signed, but not encrypted.", "type": "string" }, "authorization.signed.response.alg": { "title": "Authorization response signature algorithm", "description": "JWA algorithm used for signing authorization response tokens when the response mode is jwt.", "type": "string" }, "client.offline.session.idle.timeout": { "title": "Client Offline Session Idle", "description": "Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. The option does not affect the global user SSO session. If not set, it uses the realm Offline Session Idle value.", "type": "string", "pattern": "^[0-9]*$" }, "client.offline.session.max.lifespan": { "title": "Client Offline Session Max", "description": "Max time before a client offline session is expired. If Offline Session Max Limited is enabled at realm level, offline tokens are invalidated when a client offline session is expired. The option does not affect the global user SSO session. If not set, it uses the realm Offline Session Max value.", "type": "string", "pattern": "^[0-9]*$" }, "client.session.idle.timeout": { "title": "Client Session Idle", "description": "Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Idle value.", "type": "string", "pattern": "^[0-9]*$" }, "client.session.max.lifespan": { "title": "Client Session Max", "description": "Max time before a client session is expired. Tokens are invalidated when a session is expired. The option does not affect the global user SSO session. 
If not set, it uses the standard SSO Session Max value.", "type": "string", "pattern": "^[0-9]*$" }, "client_credentials.use_refresh_token": { "title": "Use refresh tokens for client credentials grant", "description": "If this is on, a refresh_token will be created and added to the token response if the client_credentials grant is used. The OAuth 2.0 RFC6749 Section 4.4.3 states that a refresh_token should not be generated when client_credentials grant is used. If this is off then no refresh_token will be generated and the associated user session will be removed.", "type": "string", "enum": [ "true", "false", "" ] }, "exclude.session.state.from.auth.response": { "title": "Exclude Session State From Authentication Response", "description": "If this is on, the parameter 'session_state' will not be included in OpenID Connect Authentication Response. It is useful if the client uses an older OIDC / OAuth2 adapter, which does not support the 'session_state' parameter.", "type": "string", "enum": [ "true", "false", "" ] }, "id.token.encrypted.response.alg": { "title": "ID token encryption key management algorithm", "description": "JWA Algorithm used for key management in encrypting ID tokens. This option is needed if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted.", "type": "string" }, "id.token.encrypted.response.enc": { "title": "ID token encryption content encryption algorithm", "description": "JWA Algorithm used for content encryption in encrypting ID tokens. This option is needed just if you want encrypted ID tokens. 
If left empty, ID Tokens are just signed, but not encrypted.", "type": "string" }, "id.token.signed.response.alg": { "title": "ID token signature algorithm", "description": "JWA algorithm used for signing ID tokens.", "type": "string" }, "logoUri": { "title": "Logo URL", "description": "URL that references a logo for the Client application", "type": "string" }, "pkce.code.challenge.method": { "title": "Proof Key for Code Exchange Code Challenge Method", "description": "Choose which code challenge method for PKCE is used. If not specified, keycloak does not applies PKCE to a client unless the client sends an authorization request with appropriate code challenge and code exchange method.", "type": "string" }, "policyUri": { "title": "Policy URL", "description": "URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used", "type": "string" }, "post.logout.redirect.uris": { "title": "Valid post logout redirect URIs", "description": "Valid URI pattern a browser can redirect to after a successful login. Simple wildcards are allowed such as 'http://example.com/*'. Relative path can be specified too such as /my/relative/path/*. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request.", "type": "string" }, "request.object.encryption.alg": { "title": "Request object encryption algorithm", "description": "JWE algorithm, which client needs to use when sending OIDC request object specified by 'request' or 'request_uri' parameters. 
If set to 'any', encryption is optional and any algorithm is allowed.", "type": "string" }, "request.object.encryption.enc": { "title": "Request object content encryption algorithm", "description": "JWE algorithm, which client needs to use when encrypting the content of the OIDC request object specified by 'request' or 'request_uri' parameters. If set to 'any', any algorithm is allowed.", "type": "string" }, "request.object.required": { "title": "Request object required", "description": "Specifies if the client needs to provide a request object with their authorization requests, and what method they can use for this. If set to \"not required\", providing a request object is optional. In all other cases, providing a request object is mandatory. If set to \"request\", the request object must be provided by value. If set to \"request_uri\", the request object must be provided by reference. If set to \"request or request_uri\", either method can be used.", "type": "string" }, "request.object.signature.alg": { "title": "Request object signature algorithm", "description": "JWA algorithm, which client needs to use when sending OIDC request object specified by 'request' or 'request_uri' parameters. 
If set to 'any', Request object can be signed by any algorithm (including 'none' ).", "type": "string" }, "require.pushed.authorization.requests": { "title": "Pushed authorization request required", "description": "Boolean parameter indicating whether the authorization server accepts authorization request data only via the pushed authorization request method.", "type": "string", "enum": [ "true", "false", "" ] }, "tls.client.certificate.bound.access.tokens": { "title": "OAuth 2.0 Mutual TLS Certificate Bound Access Tokens Enabled", "description": "This enables support for OAuth 2.0 Mutual TLS Certificate Bound Access Tokens, which means that keycloak bind an access token and a refresh token with a X.509 certificate of a token requesting client exchanged in mutual TLS between keycloak's Token Endpoint and this client. These tokens can be treated as Holder-of-Key tokens instead of bearer tokens.", "type": "string", "enum": [ "true", "false", "" ] }, "token.endpoint.auth.signing.alg": { "title": "Signature algorithm", "description": "The signature algorithm to use to sign documents. Note that 'SHA1' based algorithms are deprecated and can be removed in the future. It is recommended to stick to some more secure algorithm instead of '*_SHA1'.", "type": "string" }, "token.response.type.bearer.lower-case": { "title": "Use lower-case bearer type in token responses", "description": "If this is on, token responses will be set the with the type \"bearer\" in lower-case. By default, the server sets the type as \"Bearer\" as defined by RFC6750.", "type": "string", "enum": [ "true", "false", "" ] }, "tosUri": { "title": "Terms of service URL", "description": "URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service", "type": "string" }, "use.refresh.tokens": { "title": "Use refresh tokens", "description": "If this is on, a refresh_token will be created and added to the token response. 
If this is off then no refresh_token will be generated.", "type": "string", "enum": [ "true", "false", "" ] }, "user.info.encrypted.response.alg": { "title": "User info response encryption key management algorithm", "description": "JWA Algorithm used for key management in encrypting User Info Endpoint responses. This option is needed if you want encrypted User Info Endpoint responses. If left empty, User Info Endpoint responses are not encrypted.", "type": "string" }, "user.info.encrypted.response.enc": { "title": "User info response encryption content encryption algorithm", "description": "JWA Algorithm used for content encryption in encrypting User Info Endpoint responses. If User Info response encryption key management algorithm is specified, the default for this value is A128CBC-HS256.", "type": "string" }, "user.info.response.signature.alg": { "title": "User info signed response algorithm", "description": "JWA algorithm used for signed User Info Endpoint response. If set to 'unsigned', User Info Response won't be signed and will be returned in application/json format.", "type": "string" }, "x509.allow.regex.pattern.comparison": { "title": "Allow regex pattern comparison", "description": "If OFF, then the Subject DN from given client certificate must exactly match the given DN from the 'Subject DN' property as described in the RFC8705 specification. The Subject DN can be in the RFC4514 or RFC1779 format. If ON, then the Subject DN from given client certificate should match regex specified by 'Subject DN' property.", "type": "string", "enum": [ "true", "false", "" ] }, "x509.subjectdn": { "title": "Subject DN", "description": "A regular expression for validating Subject DN in the Client Certificate. 
Use \"(.*?)(?:$)\" to match all kind of expressions.", "type": "string" } }, "additionalProperties": { "type": "string" } }, "authenticationFlowBindingOverrides": { "title": "Authentication flow overrides", "type": "object", "properties": { "browser": { "title": "Browser Flow", "description": "Select the flow you want to use for browser authentication.", "type": "string" }, "direct_grant": { "title": "Direct Grant Flow", "description": "Select the flow you want to use for direct grant authentication.", "type": "string" } }, "additionalProperties": { "type": "string" } }, "authorizationServicesEnabled": { "title": "Authorization", "description": "Enable/Disable fine-grained authorization support for a client.", "type": "boolean" }, "authorizationSettings": { "$ref": "#/$defs/ResourceServerRepresentation" }, "baseUrl": { "title": "Home URL", "description": "Default URL to use when the auth server needs to redirect or link back to the client.", "type": "string" }, "bearerOnly": { "description": "This is a special OIDC type. 
This client only allows bearer token requests and cannot participate in browser logins.", "type": "boolean" }, "clientAuthenticatorType": { "title": "Client Authenticator", "description": "Client Authenticator used for authentication of this client against Keycloak server", "type": "string", "enum": [ "client-jwt", "client-secret", "client-secret-jwt", "client-x509" ] }, "clientId": { "title": "Client ID", "description": "The client identifier registered with the identity provider.", "type": "string" }, "clientTemplate": { "type": "string" }, "consentRequired": { "title": "Consent required", "description": "If enabled, users have to consent to client access.", "type": "boolean" }, "defaultClientScopes": { "type": "array", "items": { "type": "string" } }, "defaultRoles": { "type": "array", "items": { "type": "string" } }, "description": { "title": "Description", "description": "Help text for the description of the new flow", "type": "string" }, "directAccessGrantsEnabled": { "title": "Direct access grants", "description": "This enables support for Direct Access Grants, which means that client has access to username/password of user and exchange it directly with Keycloak server for access token. In terms of OAuth2 specification, this enables support of 'Resource Owner Password Credentials Grant' for this client.", "type": "boolean" }, "directGrantsOnly": { "type": "boolean" }, "enabled": { "title": "Enabled", "description": "Disabled clients cannot initiate a login or have obtained access tokens.", "type": "boolean" }, "frontchannelLogout": { "title": "Front channel logout", "description": "When true, logout requires a browser redirect to client. 
When false, server performs a background invocation for logout.", "type": "boolean" }, "fullScopeAllowed": { "title": "Full scope allowed", "description": "Allows you to disable all restrictions.", "type": "boolean" }, "id": { "type": "string" }, "implicitFlowEnabled": { "title": "Implicit flow", "description": "This enables support for OpenID Connect redirect based authentication without authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Implicit Flow' for this client.", "type": "boolean" }, "name": { "title": "Name", "description": "Specifies display name of the client. For example 'My Client'. Supports keys for localized values as well. For example: ${my_client}.", "type": "string" }, "nodeReRegistrationTimeout": { "title": "Node Re-registration timeout", "description": "Interval to specify max time for registered clients cluster nodes to re-register. If cluster node will not send re-registration request to Keycloak within this time, it will be unregistered from Keycloak.", "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "notBefore": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "optionalClientScopes": { "type": "array", "items": { "type": "string" } }, "origin": { "type": "string" }, "protocol": { "title": "Protocol", "type": "string" }, "protocolMappers": { "type": "array", "items": { "$ref": "#/$defs/ProtocolMapperRepresentation" } }, "publicClient": { "title": "Client authentication", "description": "This defines the type of the OIDC client. When it's ON, the OIDC type is set to confidential access type. When it's OFF, it is set to public access type.", "type": "boolean" }, "redirectUris": { "title": "Valid redirect URIs", "description": "Valid URI pattern a browser can redirect to after a successful login. Simple wildcards are allowed such as 'http://example.com/*'. 
Relative path can be specified too such as /my/relative/path/*. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request.", "type": "array", "items": { "type": "string" } }, "registeredNodes": { "type": "object", "additionalProperties": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 } }, "registrationAccessToken": { "title": "Registration access token", "description": "The registration access token provides access for clients to the client registration service.", "type": "string" }, "rootUrl": { "title": "Root URL", "description": "Root URL appended to relative URLs", "type": "string" }, "secret": { "title": "Client Secret", "type": "string" }, "serviceAccountsEnabled": { "title": "Service accounts roles", "description": "Allows you to authenticate this client to Keycloak and retrieve access token dedicated to this client. In terms of OAuth2 specification, this enables support of 'Client Credentials Grant' for this client.", "type": "boolean" }, "standardFlowEnabled": { "title": "Standard flow", "description": "This enables standard OpenID Connect redirect based authentication with authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Authorization Code Flow' for this client.", "type": "boolean" }, "surrogateAuthRequired": { "type": "boolean" }, "type": { "type": "string" }, "useTemplateConfig": { "type": "boolean" }, "useTemplateMappers": { "type": "boolean" }, "useTemplateScope": { "type": "boolean" }, "webOrigins": { "title": "Web origins", "description": "Allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does not include the '*' wildcard though. 
To permit all origins, explicitly add '*'.", "type": "array", "items": { "type": "string" } } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
access:
additionalProperties:
type: boolean
type: object
adminUrl:
description: URL to the admin interface of the client. Set this if the client supports the adapter REST API. This REST API allows the auth server to push revocation policies and other administrative tasks. Usually this is set to the base URL of the client.
nullable: true
type: string
alwaysDisplayInConsole:
description: Always list this client in the Account UI, even if the user does not have an active session.
nullable: true
type: boolean
attributes:
description: |-
ClientRepresentationAttributes
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "access.token.lifespan": { "title": "Access Token Lifespan", "description": "Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout.", "type": "string", "pattern": "^[0-9]*$" }, "access.token.signed.response.alg": { "title": "Access token signature algorithm", "description": "JWA algorithm used for signing access tokens.", "type": "string" }, "authorization.encrypted.response.alg": { "title": "Authorization response encryption key management algorithm", "description": "JWA Algorithm used for key management in encrypting the authorization response when the response mode is jwt. This option is needed if you want encrypted authorization response. If left empty, the authorization response is just signed, but not encrypted.", "type": "string" }, "authorization.encrypted.response.enc": { "title": "Authorization response encryption content encryption algorithm", "description": "JWA Algorithm used for content encryption in encrypting the authorization response when the response mode is jwt. This option is needed if you want encrypted authorization response. If left empty, the authorization response is just signed, but not encrypted.", "type": "string" }, "authorization.signed.response.alg": { "title": "Authorization response signature algorithm", "description": "JWA algorithm used for signing authorization response tokens when the response mode is jwt.", "type": "string" }, "client.offline.session.idle.timeout": { "title": "Client Offline Session Idle", "description": "Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. The option does not affect the global user SSO session. 
If not set, it uses the realm Offline Session Idle value.", "type": "string", "pattern": "^[0-9]*$" }, "client.offline.session.max.lifespan": { "title": "Client Offline Session Max", "description": "Max time before a client offline session is expired. If Offline Session Max Limited is enabled at realm level, offline tokens are invalidated when a client offline session is expired. The option does not affect the global user SSO session. If not set, it uses the realm Offline Session Max value.", "type": "string", "pattern": "^[0-9]*$" }, "client.session.idle.timeout": { "title": "Client Session Idle", "description": "Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Idle value.", "type": "string", "pattern": "^[0-9]*$" }, "client.session.max.lifespan": { "title": "Client Session Max", "description": "Max time before a client session is expired. Tokens are invalidated when a session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Max value.", "type": "string", "pattern": "^[0-9]*$" }, "client_credentials.use_refresh_token": { "title": "Use refresh tokens for client credentials grant", "description": "If this is on, a refresh_token will be created and added to the token response if the client_credentials grant is used. The OAuth 2.0 RFC6749 Section 4.4.3 states that a refresh_token should not be generated when client_credentials grant is used. If this is off then no refresh_token will be generated and the associated user session will be removed.", "type": "string", "enum": [ "true", "false", "" ] }, "exclude.session.state.from.auth.response": { "title": "Exclude Session State From Authentication Response", "description": "If this is on, the parameter 'session_state' will not be included in OpenID Connect Authentication Response. 
It is useful if the client uses an older OIDC / OAuth2 adapter, which does not support the 'session_state' parameter.", "type": "string", "enum": [ "true", "false", "" ] }, "id.token.encrypted.response.alg": { "title": "ID token encryption key management algorithm", "description": "JWA Algorithm used for key management in encrypting ID tokens. This option is needed if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted.", "type": "string" }, "id.token.encrypted.response.enc": { "title": "ID token encryption content encryption algorithm", "description": "JWA Algorithm used for content encryption in encrypting ID tokens. This option is needed just if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted.", "type": "string" }, "id.token.signed.response.alg": { "title": "ID token signature algorithm", "description": "JWA algorithm used for signing ID tokens.", "type": "string" }, "logoUri": { "title": "Logo URL", "description": "URL that references a logo for the Client application", "type": "string" }, "pkce.code.challenge.method": { "title": "Proof Key for Code Exchange Code Challenge Method", "description": "Choose which code challenge method for PKCE is used. If not specified, keycloak does not applies PKCE to a client unless the client sends an authorization request with appropriate code challenge and code exchange method.", "type": "string" }, "policyUri": { "title": "Policy URL", "description": "URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used", "type": "string" }, "post.logout.redirect.uris": { "title": "Valid post logout redirect URIs", "description": "Valid URI pattern a browser can redirect to after a successful login. Simple wildcards are allowed such as 'http://example.com/*'. Relative path can be specified too such as /my/relative/path/*. 
Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request.", "type": "string" }, "request.object.encryption.alg": { "title": "Request object encryption algorithm", "description": "JWE algorithm, which client needs to use when sending OIDC request object specified by 'request' or 'request_uri' parameters. If set to 'any', encryption is optional and any algorithm is allowed.", "type": "string" }, "request.object.encryption.enc": { "title": "Request object content encryption algorithm", "description": "JWE algorithm, which client needs to use when encrypting the content of the OIDC request object specified by 'request' or 'request_uri' parameters. If set to 'any', any algorithm is allowed.", "type": "string" }, "request.object.required": { "title": "Request object required", "description": "Specifies if the client needs to provide a request object with their authorization requests, and what method they can use for this. If set to \"not required\", providing a request object is optional. In all other cases, providing a request object is mandatory. If set to \"request\", the request object must be provided by value. If set to \"request_uri\", the request object must be provided by reference. If set to \"request or request_uri\", either method can be used.", "type": "string" }, "request.object.signature.alg": { "title": "Request object signature algorithm", "description": "JWA algorithm, which client needs to use when sending OIDC request object specified by 'request' or 'request_uri' parameters. 
If set to 'any', Request object can be signed by any algorithm (including 'none' ).", "type": "string" }, "require.pushed.authorization.requests": { "title": "Pushed authorization request required", "description": "Boolean parameter indicating whether the authorization server accepts authorization request data only via the pushed authorization request method.", "type": "string", "enum": [ "true", "false", "" ] }, "tls.client.certificate.bound.access.tokens": { "title": "OAuth 2.0 Mutual TLS Certificate Bound Access Tokens Enabled", "description": "This enables support for OAuth 2.0 Mutual TLS Certificate Bound Access Tokens, which means that keycloak bind an access token and a refresh token with a X.509 certificate of a token requesting client exchanged in mutual TLS between keycloak's Token Endpoint and this client. These tokens can be treated as Holder-of-Key tokens instead of bearer tokens.", "type": "string", "enum": [ "true", "false", "" ] }, "token.endpoint.auth.signing.alg": { "title": "Signature algorithm", "description": "The signature algorithm to use to sign documents. Note that 'SHA1' based algorithms are deprecated and can be removed in the future. It is recommended to stick to some more secure algorithm instead of '*_SHA1'.", "type": "string" }, "token.response.type.bearer.lower-case": { "title": "Use lower-case bearer type in token responses", "description": "If this is on, token responses will be set the with the type \"bearer\" in lower-case. By default, the server sets the type as \"Bearer\" as defined by RFC6750.", "type": "string", "enum": [ "true", "false", "" ] }, "tosUri": { "title": "Terms of service URL", "description": "URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service", "type": "string" }, "use.refresh.tokens": { "title": "Use refresh tokens", "description": "If this is on, a refresh_token will be created and added to the token response. 
If this is off then no refresh_token will be generated.", "type": "string", "enum": [ "true", "false", "" ] }, "user.info.encrypted.response.alg": { "title": "User info response encryption key management algorithm", "description": "JWA Algorithm used for key management in encrypting User Info Endpoint responses. This option is needed if you want encrypted User Info Endpoint responses. If left empty, User Info Endpoint responses are not encrypted.", "type": "string" }, "user.info.encrypted.response.enc": { "title": "User info response encryption content encryption algorithm", "description": "JWA Algorithm used for content encryption in encrypting User Info Endpoint responses. If User Info response encryption key management algorithm is specified, the default for this value is A128CBC-HS256.", "type": "string" }, "user.info.response.signature.alg": { "title": "User info signed response algorithm", "description": "JWA algorithm used for signed User Info Endpoint response. If set to 'unsigned', User Info Response won't be signed and will be returned in application/json format.", "type": "string" }, "x509.allow.regex.pattern.comparison": { "title": "Allow regex pattern comparison", "description": "If OFF, then the Subject DN from given client certificate must exactly match the given DN from the 'Subject DN' property as described in the RFC8705 specification. The Subject DN can be in the RFC4514 or RFC1779 format. If ON, then the Subject DN from given client certificate should match regex specified by 'Subject DN' property.", "type": "string", "enum": [ "true", "false", "" ] }, "x509.subjectdn": { "title": "Subject DN", "description": "A regular expression for validating Subject DN in the Client Certificate. Use \"(.*?)(?:$)\" to match all kind of expressions.", "type": "string" } }, "additionalProperties": { "type": "string" } } ``` </details>
nullable: true
properties:
access.token.lifespan:
description: Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout.
nullable: true
type: string
access.token.signed.response.alg:
description: JWA algorithm used for signing access tokens.
nullable: true
type: string
authorization.encrypted.response.alg:
description: JWA Algorithm used for key management in encrypting the authorization response when the response mode is jwt. This option is needed if you want encrypted authorization response. If left empty, the authorization response is just signed, but not encrypted.
nullable: true
type: string
authorization.encrypted.response.enc:
description: JWA Algorithm used for content encryption in encrypting the authorization response when the response mode is jwt. This option is needed if you want encrypted authorization response. If left empty, the authorization response is just signed, but not encrypted.
nullable: true
type: string
authorization.signed.response.alg:
description: JWA algorithm used for signing authorization response tokens when the response mode is jwt.
nullable: true
type: string
client.offline.session.idle.timeout:
description: Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. The option does not affect the global user SSO session. If not set, it uses the realm Offline Session Idle value.
nullable: true
type: string
client.offline.session.max.lifespan:
description: Max time before a client offline session is expired. If Offline Session Max Limited is enabled at realm level, offline tokens are invalidated when a client offline session is expired. The option does not affect the global user SSO session. If not set, it uses the realm Offline Session Max value.
nullable: true
type: string
client.session.idle.timeout:
description: Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Idle value.
nullable: true
type: string
client.session.max.lifespan:
description: Max time before a client session is expired. Tokens are invalidated when a session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Max value.
nullable: true
type: string
client_credentials.use_refresh_token:
description: If this is on, a refresh_token will be created and added to the token response if the client_credentials grant is used. The OAuth 2.0 RFC6749 Section 4.4.3 states that a refresh_token should not be generated when client_credentials grant is used. If this is off then no refresh_token will be generated and the associated user session will be removed.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
exclude.session.state.from.auth.response:
description: If this is on, the parameter 'session_state' will not be included in OpenID Connect Authentication Response. It is useful if the client uses an older OIDC / OAuth2 adapter, which does not support the 'session_state' parameter.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
id.token.encrypted.response.alg:
description: JWA Algorithm used for key management in encrypting ID tokens. This option is needed if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted.
nullable: true
type: string
id.token.encrypted.response.enc:
description: JWA Algorithm used for content encryption in encrypting ID tokens. This option is needed just if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted.
nullable: true
type: string
id.token.signed.response.alg:
description: JWA algorithm used for signing ID tokens.
nullable: true
type: string
logoUri:
description: URL that references a logo for the Client application
nullable: true
type: string
pkce.code.challenge.method:
description: Choose which code challenge method for PKCE is used. If not specified, Keycloak does not apply PKCE to a client unless the client sends an authorization request with an appropriate code challenge and code exchange method.
nullable: true
type: string
policyUri:
description: URL that the Relying Party Client provides to the End-User to read about how the profile data will be used
nullable: true
type: string
post.logout.redirect.uris:
description: Valid URI pattern a browser can redirect to after a successful login. Simple wildcards are allowed such as 'http://example.com/*'. Relative path can be specified too such as /my/relative/path/*. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request.
nullable: true
type: string
request.object.encryption.alg:
description: JWE algorithm which the client needs to use when sending an OIDC request object specified by the 'request' or 'request_uri' parameters. If set to 'any', encryption is optional and any algorithm is allowed.
nullable: true
type: string
request.object.encryption.enc:
description: JWE algorithm which the client needs to use when encrypting the content of the OIDC request object specified by the 'request' or 'request_uri' parameters. If set to 'any', any algorithm is allowed.
nullable: true
type: string
request.object.required:
description: Specifies if the client needs to provide a request object with their authorization requests, and what method they can use for this. If set to "not required", providing a request object is optional. In all other cases, providing a request object is mandatory. If set to "request", the request object must be provided by value. If set to "request_uri", the request object must be provided by reference. If set to "request or request_uri", either method can be used.
nullable: true
type: string
request.object.signature.alg:
description: JWA algorithm which the client needs to use when sending an OIDC request object specified by the 'request' or 'request_uri' parameters. If set to 'any', the request object can be signed by any algorithm (including 'none').
nullable: true
type: string
require.pushed.authorization.requests:
description: Boolean parameter indicating whether the authorization server accepts authorization request data only via the pushed authorization request method.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
tls.client.certificate.bound.access.tokens:
description: This enables support for OAuth 2.0 Mutual TLS Certificate Bound Access Tokens, which means that Keycloak binds an access token and a refresh token to the X.509 certificate of the token-requesting client, exchanged in mutual TLS between Keycloak's Token Endpoint and this client. These tokens can be treated as Holder-of-Key tokens instead of bearer tokens.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
token.endpoint.auth.signing.alg:
description: The signature algorithm to use to sign documents. Note that 'SHA1'-based algorithms are deprecated and may be removed in the future. It is recommended to use a more secure algorithm instead of '*_SHA1'.
nullable: true
type: string
token.response.type.bearer.lower-case:
description: If this is on, token responses will be set with the type "bearer" in lower-case. By default, the server sets the type as "Bearer" as defined by RFC6750.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
tosUri:
description: URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service
nullable: true
type: string
use.refresh.tokens:
description: If this is on, a refresh_token will be created and added to the token response. If this is off then no refresh_token will be generated.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
user.info.encrypted.response.alg:
description: JWA Algorithm used for key management in encrypting User Info Endpoint responses. This option is needed if you want encrypted User Info Endpoint responses. If left empty, User Info Endpoint responses are not encrypted.
nullable: true
type: string
user.info.encrypted.response.enc:
description: JWA Algorithm used for content encryption in encrypting User Info Endpoint responses. If User Info response encryption key management algorithm is specified, the default for this value is A128CBC-HS256.
nullable: true
type: string
user.info.response.signature.alg:
description: JWA algorithm used for signed User Info Endpoint response. If set to 'unsigned', User Info Response won't be signed and will be returned in application/json format.
nullable: true
type: string
x509.allow.regex.pattern.comparison:
description: If OFF, the Subject DN from the given client certificate must exactly match the DN given in the 'Subject DN' property, as described in the RFC8705 specification. The Subject DN can be in the RFC4514 or RFC1779 format. If ON, the Subject DN from the given client certificate must match the regex specified by the 'Subject DN' property.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
x509.subjectdn:
description: A regular expression for validating the Subject DN in the Client Certificate. Use "(.*?)(?:$)" to match all kinds of expressions.
nullable: true
type: string
type: object
authenticationFlowBindingOverrides:
description: |-
AuthenticationFlowOverrides
<details><summary>JSON schema</summary>
```json { "title": "Authentication flow overrides", "type": "object", "properties": { "browser": { "title": "Browser Flow", "description": "Select the flow you want to use for browser authentication.", "type": "string" }, "direct_grant": { "title": "Direct Grant Flow", "description": "Select the flow you want to use for direct grant authentication.", "type": "string" } }, "additionalProperties": { "type": "string" } } ``` </details>
nullable: true
properties:
browser:
description: Select the flow you want to use for browser authentication.
nullable: true
type: string
direct_grant:
description: Select the flow you want to use for direct grant authentication.
nullable: true
type: string
type: object
authorizationServicesEnabled:
description: Enable/Disable fine-grained authorization support for a client.
nullable: true
type: boolean
authorizationSettings:
description: |-
ResourceServerRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "allowRemoteResourceManagement": { "type": "boolean" }, "authorizationSchema": { "$ref": "#/$defs/AuthorizationSchema" }, "clientId": { "type": "string" }, "decisionStrategy": { "$ref": "#/$defs/DecisionStrategy" }, "id": { "type": "string" }, "name": { "type": "string" }, "policies": { "type": "array", "items": { "$ref": "#/$defs/PolicyRepresentation" } }, "policyEnforcementMode": { "$ref": "#/$defs/PolicyEnforcementMode" }, "resources": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" } }, "scopes": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" } } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
allowRemoteResourceManagement:
nullable: true
type: boolean
authorizationSchema:
description: |-
AuthorizationSchema
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "resourceTypes": { "type": "object", "additionalProperties": { "$ref": "#/$defs/ResourceType" } } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
resourceTypes:
additionalProperties:
description: |-
ResourceType
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "scopes": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "type": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
scopes:
items:
type: string
nullable: true
type: array
type:
nullable: true
type: string
type: object
type: object
type: object
clientId:
nullable: true
type: string
decisionStrategy:
description: |-
DecisionStrategy
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "AFFIRMATIVE", "UNANIMOUS", "CONSENSUS" ] } ``` </details>
enum:
- AFFIRMATIVE
- UNANIMOUS
- CONSENSUS
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
policies:
items:
description: |-
PolicyRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "config": { "type": "object", "additionalProperties": { "type": "string" } }, "decisionStrategy": { "$ref": "#/$defs/DecisionStrategy" }, "description": { "type": "string" }, "id": { "type": "string" }, "logic": { "$ref": "#/$defs/Logic" }, "name": { "type": "string" }, "owner": { "type": "string" }, "policies": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "resourceType": { "type": "string" }, "resources": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "resourcesData": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" }, "uniqueItems": true }, "scopes": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "scopesData": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "type": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
config:
additionalProperties:
type: string
type: object
decisionStrategy:
description: |-
DecisionStrategy
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "AFFIRMATIVE", "UNANIMOUS", "CONSENSUS" ] } ``` </details>
enum:
- AFFIRMATIVE
- UNANIMOUS
- CONSENSUS
nullable: true
type: string
description:
nullable: true
type: string
id:
nullable: true
type: string
logic:
description: |-
Logic
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "POSITIVE", "NEGATIVE" ] } ``` </details>
enum:
- POSITIVE
- NEGATIVE
nullable: true
type: string
name:
nullable: true
type: string
owner:
nullable: true
type: string
policies:
items:
type: string
nullable: true
type: array
resourceType:
nullable: true
type: string
resources:
items:
type: string
nullable: true
type: array
resourcesData:
items:
description: |-
ResourceRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "_id": { "type": "string" }, "attributes": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "displayName": { "type": "string" }, "icon_uri": { "type": "string" }, "name": { "type": "string" }, "owner": { "type": "object", "allOf": [ { "$ref": "#/$defs/ResourceOwnerRepresentation" } ] }, "ownerManagedAccess": { "type": "boolean" }, "scopes": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "scopesUma": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "type": { "type": "string" }, "uri": { "type": "string" }, "uris": { "type": "array", "items": { "type": "string" }, "uniqueItems": true } }, "additionalProperties": false } ``` </details>
properties:
_id:
nullable: true
type: string
attributes:
additionalProperties:
items:
type: string
type: array
type: object
displayName:
nullable: true
type: string
icon_uri:
nullable: true
type: string
name:
nullable: true
type: string
owner:
description: |-
ResourceOwnerRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "id": { "type": "string" }, "name": { "type": "string" } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
id:
nullable: true
type: string
name:
nullable: true
type: string
type: object
ownerManagedAccess:
nullable: true
type: boolean
scopes:
items:
description: |-
ScopeRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "displayName": { "type": "string" }, "iconUri": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "policies": { "type": "array", "items": { "$ref": "#/$defs/PolicyRepresentation" } }, "resources": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" } } }, "additionalProperties": false } ``` </details>
properties:
displayName:
nullable: true
type: string
iconUri:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
type: object
x-kubernetes-preserve-unknown-fields: true
nullable: true
type: array
scopesUma:
items:
description: |-
ScopeRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "displayName": { "type": "string" }, "iconUri": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "policies": { "type": "array", "items": { "$ref": "#/$defs/PolicyRepresentation" } }, "resources": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" } } }, "additionalProperties": false } ``` </details>
properties:
displayName:
nullable: true
type: string
iconUri:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
type: object
x-kubernetes-preserve-unknown-fields: true
nullable: true
type: array
type:
nullable: true
type: string
uri:
nullable: true
type: string
uris:
items:
type: string
nullable: true
type: array
type: object
nullable: true
type: array
scopes:
items:
type: string
nullable: true
type: array
scopesData:
items:
description: |-
ScopeRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "displayName": { "type": "string" }, "iconUri": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "policies": { "type": "array", "items": { "$ref": "#/$defs/PolicyRepresentation" } }, "resources": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" } } }, "additionalProperties": false } ``` </details>
properties:
displayName:
nullable: true
type: string
iconUri:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
resources:
items:
description: |-
ResourceRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "_id": { "type": "string" }, "attributes": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "displayName": { "type": "string" }, "icon_uri": { "type": "string" }, "name": { "type": "string" }, "owner": { "type": "object", "allOf": [ { "$ref": "#/$defs/ResourceOwnerRepresentation" } ] }, "ownerManagedAccess": { "type": "boolean" }, "scopes": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "scopesUma": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "type": { "type": "string" }, "uri": { "type": "string" }, "uris": { "type": "array", "items": { "type": "string" }, "uniqueItems": true } }, "additionalProperties": false } ``` </details>
properties:
_id:
nullable: true
type: string
attributes:
additionalProperties:
items:
type: string
type: array
type: object
displayName:
nullable: true
type: string
icon_uri:
nullable: true
type: string
name:
nullable: true
type: string
owner:
description: |-
ResourceOwnerRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "id": { "type": "string" }, "name": { "type": "string" } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
id:
nullable: true
type: string
name:
nullable: true
type: string
type: object
ownerManagedAccess:
nullable: true
type: boolean
type:
nullable: true
type: string
uri:
nullable: true
type: string
uris:
items:
type: string
nullable: true
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
nullable: true
type: array
type:
nullable: true
type: string
type: object
type: array
policyEnforcementMode:
description: |-
PolicyEnforcementMode
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "ENFORCING", "PERMISSIVE", "DISABLED" ] } ``` </details>
enum:
- ENFORCING
- PERMISSIVE
- DISABLED
nullable: true
type: string
resources:
items:
description: |-
ResourceRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "_id": { "type": "string" }, "attributes": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "displayName": { "type": "string" }, "icon_uri": { "type": "string" }, "name": { "type": "string" }, "owner": { "type": "object", "allOf": [ { "$ref": "#/$defs/ResourceOwnerRepresentation" } ] }, "ownerManagedAccess": { "type": "boolean" }, "scopes": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "scopesUma": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "type": { "type": "string" }, "uri": { "type": "string" }, "uris": { "type": "array", "items": { "type": "string" }, "uniqueItems": true } }, "additionalProperties": false } ``` </details>
properties:
_id:
nullable: true
type: string
attributes:
additionalProperties:
items:
type: string
type: array
type: object
displayName:
nullable: true
type: string
icon_uri:
nullable: true
type: string
name:
nullable: true
type: string
owner:
description: |-
ResourceOwnerRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "id": { "type": "string" }, "name": { "type": "string" } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
id:
nullable: true
type: string
name:
nullable: true
type: string
type: object
ownerManagedAccess:
nullable: true
type: boolean
scopes:
items:
description: |-
ScopeRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "displayName": { "type": "string" }, "iconUri": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "policies": { "type": "array", "items": { "$ref": "#/$defs/PolicyRepresentation" } }, "resources": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" } } }, "additionalProperties": false } ``` </details>
properties:
displayName:
nullable: true
type: string
iconUri:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
policies:
items:
description: |-
PolicyRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "config": { "type": "object", "additionalProperties": { "type": "string" } }, "decisionStrategy": { "$ref": "#/$defs/DecisionStrategy" }, "description": { "type": "string" }, "id": { "type": "string" }, "logic": { "$ref": "#/$defs/Logic" }, "name": { "type": "string" }, "owner": { "type": "string" }, "policies": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "resourceType": { "type": "string" }, "resources": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "resourcesData": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" }, "uniqueItems": true }, "scopes": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "scopesData": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "type": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
config:
additionalProperties:
type: string
type: object
decisionStrategy:
description: |-
DecisionStrategy
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "AFFIRMATIVE", "UNANIMOUS", "CONSENSUS" ] } ``` </details>
enum:
- AFFIRMATIVE
- UNANIMOUS
- CONSENSUS
nullable: true
type: string
description:
nullable: true
type: string
id:
nullable: true
type: string
logic:
description: |-
Logic
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "POSITIVE", "NEGATIVE" ] } ``` </details>
enum:
- POSITIVE
- NEGATIVE
nullable: true
type: string
name:
nullable: true
type: string
owner:
nullable: true
type: string
policies:
items:
type: string
nullable: true
type: array
resourceType:
nullable: true
type: string
resources:
items:
type: string
nullable: true
type: array
scopes:
items:
type: string
nullable: true
type: array
type:
nullable: true
type: string
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
nullable: true
type: array
scopesUma:
items:
description: |-
ScopeRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "displayName": { "type": "string" }, "iconUri": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "policies": { "type": "array", "items": { "$ref": "#/$defs/PolicyRepresentation" } }, "resources": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" } } }, "additionalProperties": false } ``` </details>
properties:
displayName:
nullable: true
type: string
iconUri:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
policies:
items:
description: |-
PolicyRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "config": { "type": "object", "additionalProperties": { "type": "string" } }, "decisionStrategy": { "$ref": "#/$defs/DecisionStrategy" }, "description": { "type": "string" }, "id": { "type": "string" }, "logic": { "$ref": "#/$defs/Logic" }, "name": { "type": "string" }, "owner": { "type": "string" }, "policies": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "resourceType": { "type": "string" }, "resources": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "resourcesData": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" }, "uniqueItems": true }, "scopes": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "scopesData": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "type": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
config:
additionalProperties:
type: string
type: object
decisionStrategy:
description: |-
DecisionStrategy
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "AFFIRMATIVE", "UNANIMOUS", "CONSENSUS" ] } ``` </details>
enum:
- AFFIRMATIVE
- UNANIMOUS
- CONSENSUS
nullable: true
type: string
description:
nullable: true
type: string
id:
nullable: true
type: string
logic:
description: |-
Logic
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "POSITIVE", "NEGATIVE" ] } ``` </details>
enum:
- POSITIVE
- NEGATIVE
nullable: true
type: string
name:
nullable: true
type: string
owner:
nullable: true
type: string
policies:
items:
type: string
nullable: true
type: array
resourceType:
nullable: true
type: string
resources:
items:
type: string
nullable: true
type: array
scopes:
items:
type: string
nullable: true
type: array
type:
nullable: true
type: string
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
nullable: true
type: array
type:
nullable: true
type: string
uri:
nullable: true
type: string
uris:
items:
type: string
nullable: true
type: array
type: object
type: array
scopes:
items:
description: |-
ScopeRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "displayName": { "type": "string" }, "iconUri": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "policies": { "type": "array", "items": { "$ref": "#/$defs/PolicyRepresentation" } }, "resources": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" } } }, "additionalProperties": false } ``` </details>
properties:
displayName:
nullable: true
type: string
iconUri:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
policies:
items:
description: |-
PolicyRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "config": { "type": "object", "additionalProperties": { "type": "string" } }, "decisionStrategy": { "$ref": "#/$defs/DecisionStrategy" }, "description": { "type": "string" }, "id": { "type": "string" }, "logic": { "$ref": "#/$defs/Logic" }, "name": { "type": "string" }, "owner": { "type": "string" }, "policies": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "resourceType": { "type": "string" }, "resources": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "resourcesData": { "type": "array", "items": { "$ref": "#/$defs/ResourceRepresentation" }, "uniqueItems": true }, "scopes": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "scopesData": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "type": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
config:
additionalProperties:
type: string
type: object
decisionStrategy:
description: |-
DecisionStrategy
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "AFFIRMATIVE", "UNANIMOUS", "CONSENSUS" ] } ``` </details>
enum:
- AFFIRMATIVE
- UNANIMOUS
- CONSENSUS
nullable: true
type: string
description:
nullable: true
type: string
id:
nullable: true
type: string
logic:
description: |-
Logic
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "POSITIVE", "NEGATIVE" ] } ``` </details>
enum:
- POSITIVE
- NEGATIVE
nullable: true
type: string
name:
nullable: true
type: string
owner:
nullable: true
type: string
policies:
items:
type: string
nullable: true
type: array
resourceType:
nullable: true
type: string
resources:
items:
type: string
nullable: true
type: array
resourcesData:
items:
description: |-
ResourceRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "_id": { "type": "string" }, "attributes": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "displayName": { "type": "string" }, "icon_uri": { "type": "string" }, "name": { "type": "string" }, "owner": { "type": "object", "allOf": [ { "$ref": "#/$defs/ResourceOwnerRepresentation" } ] }, "ownerManagedAccess": { "type": "boolean" }, "scopes": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "scopesUma": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "type": { "type": "string" }, "uri": { "type": "string" }, "uris": { "type": "array", "items": { "type": "string" }, "uniqueItems": true } }, "additionalProperties": false } ``` </details>
properties:
_id:
nullable: true
type: string
attributes:
additionalProperties:
items:
type: string
type: array
type: object
displayName:
nullable: true
type: string
icon_uri:
nullable: true
type: string
name:
nullable: true
type: string
owner:
description: |-
ResourceOwnerRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "id": { "type": "string" }, "name": { "type": "string" } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
id:
nullable: true
type: string
name:
nullable: true
type: string
type: object
ownerManagedAccess:
nullable: true
type: boolean
type:
nullable: true
type: string
uri:
nullable: true
type: string
uris:
items:
type: string
nullable: true
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
nullable: true
type: array
scopes:
items:
type: string
nullable: true
type: array
type:
nullable: true
type: string
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
resources:
items:
description: |-
ResourceRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "_id": { "type": "string" }, "attributes": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "displayName": { "type": "string" }, "icon_uri": { "type": "string" }, "name": { "type": "string" }, "owner": { "type": "object", "allOf": [ { "$ref": "#/$defs/ResourceOwnerRepresentation" } ] }, "ownerManagedAccess": { "type": "boolean" }, "scopes": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "scopesUma": { "type": "array", "items": { "$ref": "#/$defs/ScopeRepresentation" }, "uniqueItems": true }, "type": { "type": "string" }, "uri": { "type": "string" }, "uris": { "type": "array", "items": { "type": "string" }, "uniqueItems": true } }, "additionalProperties": false } ``` </details>
properties:
_id:
nullable: true
type: string
attributes:
additionalProperties:
items:
type: string
type: array
type: object
displayName:
nullable: true
type: string
icon_uri:
nullable: true
type: string
name:
nullable: true
type: string
owner:
description: |-
ResourceOwnerRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "id": { "type": "string" }, "name": { "type": "string" } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
id:
nullable: true
type: string
name:
nullable: true
type: string
type: object
ownerManagedAccess:
nullable: true
type: boolean
type:
nullable: true
type: string
uri:
nullable: true
type: string
uris:
items:
type: string
nullable: true
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
type: array
type: object
baseUrl:
description: Default URL to use when the auth server needs to redirect or link back to the client.
nullable: true
type: string
bearerOnly:
description: This is a special OIDC type. This client only allows bearer token requests and cannot participate in browser logins.
nullable: true
type: boolean
clientAuthenticatorType:
description: Client Authenticator used for authentication of this client against Keycloak server
enum:
- client-jwt
- client-secret
- client-secret-jwt
- client-x509
nullable: true
type: string
clientId:
description: The client identifier registered with the identity provider.
nullable: true
type: string
clientTemplate:
nullable: true
type: string
consentRequired:
description: If enabled, users have to consent to client access.
nullable: true
type: boolean
defaultClientScopes:
items:
type: string
type: array
defaultRoles:
items:
type: string
type: array
description:
description: Help text for the description of the new flow
nullable: true
type: string
directAccessGrantsEnabled:
description: This enables support for Direct Access Grants, which means that the client has access to the username/password of the user and exchanges them directly with the Keycloak server for an access token. In terms of the OAuth2 specification, this enables support of 'Resource Owner Password Credentials Grant' for this client.
nullable: true
type: boolean
directGrantsOnly:
nullable: true
type: boolean
enabled:
description: Disabled clients cannot initiate a login or have obtained access tokens.
nullable: true
type: boolean
frontchannelLogout:
description: When true, logout requires a browser redirect to client. When false, server performs a background invocation for logout.
nullable: true
type: boolean
fullScopeAllowed:
description: Allows you to disable all restrictions.
nullable: true
type: boolean
id:
nullable: true
type: string
implicitFlowEnabled:
description: This enables support for OpenID Connect redirect based authentication without authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Implicit Flow' for this client.
nullable: true
type: boolean
name:
description: 'Specifies display name of the client. For example ''My Client''. Supports keys for localized values as well. For example: ${my_client}.'
nullable: true
type: string
nodeReRegistrationTimeout:
description: Interval specifying the max time for registered client cluster nodes to re-register. If a cluster node does not send a re-registration request to Keycloak within this time, it is unregistered from Keycloak.
format: int32
nullable: true
type: integer
notBefore:
format: int32
nullable: true
type: integer
optionalClientScopes:
items:
type: string
type: array
origin:
nullable: true
type: string
protocol:
nullable: true
type: string
protocolMappers:
items:
description: |-
ProtocolMapperRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "config": { "type": "object", "additionalProperties": { "type": "string" } }, "consentRequired": { "type": "boolean" }, "consentText": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "protocol": { "type": "string", "enum": [ "openid-connect", "saml" ] }, "protocolMapper": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
config:
additionalProperties:
type: string
type: object
consentRequired:
nullable: true
type: boolean
consentText:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
protocol:
description: |-
ProtocolMapperRepresentationProtocol
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "openid-connect", "saml" ] } ``` </details>
enum:
- openid-connect
- saml
nullable: true
type: string
protocolMapper:
nullable: true
type: string
type: object
type: array
publicClient:
description: This defines the type of the OIDC client. When client authentication is ON (publicClient false), the OIDC type is set to confidential access type. When client authentication is OFF (publicClient true), it is set to public access type.
nullable: true
type: boolean
redirectUris:
description: Valid URI pattern a browser can redirect to after a successful login. Simple wildcards are allowed such as 'http://example.com/*'. Relative path can be specified too such as /my/relative/path/*. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request.
items:
type: string
type: array
registeredNodes:
additionalProperties:
format: int32
type: integer
type: object
registrationAccessToken:
description: The registration access token provides access for clients to the client registration service.
nullable: true
type: string
rootUrl:
description: Root URL appended to relative URLs
nullable: true
type: string
secret:
nullable: true
type: string
serviceAccountsEnabled:
description: Allows you to authenticate this client to Keycloak and retrieve an access token dedicated to this client. In terms of the OAuth2 specification, this enables support of 'Client Credentials Grant' for this client.
nullable: true
type: boolean
standardFlowEnabled:
description: This enables standard OpenID Connect redirect based authentication with authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Authorization Code Flow' for this client.
nullable: true
type: boolean
surrogateAuthRequired:
nullable: true
type: boolean
type:
nullable: true
type: string
useTemplateConfig:
nullable: true
type: boolean
useTemplateMappers:
nullable: true
type: boolean
useTemplateScope:
nullable: true
type: boolean
webOrigins:
description: Allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does not include the '*' wildcard though. To permit all origins, explicitly add '*'.
items:
type: string
type: array
type: object
adminPermissionsEnabled:
nullable: true
type: boolean
adminTheme:
nullable: true
type: string
applicationScopeMappings:
additionalProperties:
items:
description: |-
ScopeMappingRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "client": { "type": "string" }, "clientScope": { "type": "string" }, "clientTemplate": { "type": "string" }, "roles": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "self": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
client:
nullable: true
type: string
clientScope:
nullable: true
type: string
clientTemplate:
nullable: true
type: string
roles:
items:
type: string
nullable: true
type: array
self:
nullable: true
type: string
type: object
type: array
type: object
attributes:
description: |-
RealmRepresentationAttributes
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "adminEventsExpiration": { "title": "Expiration", "description": "Sets the expiration for events. Expired events are periodically deleted from the database.", "type": "string", "pattern": "^[0-9]*$" }, "cibaAuthRequestedUserHint": { "title": "Authentication Requested User Hint", "description": "The way of identifying the end-user for whom authentication is being requested. Currently only \"login_hint\" is supported.", "type": "string", "enum": [ "login_hint" ] }, "cibaBackchannelTokenDeliveryMode": { "title": "Backchannel Token Delivery Mode", "description": "Specifies how the CD (Consumption Device) gets the authentication result and related tokens. This mode will be used by default for the CIBA clients, which do not have other mode explicitly set.", "type": "string", "enum": [ "ping", "poll" ] }, "cibaExpiresIn": { "title": "Expires In", "description": "The expiration time of the \"auth_req_id\" in seconds since the authentication request was received.", "type": "string", "pattern": "^[0-9]*$" }, "cibaInterval": { "title": "Interval", "description": "The minimum amount of time in seconds that the CD (Consumption Device) must wait between polling requests to the token endpoint. If set to 0, the CD must use 5 as the default value according to the CIBA specification.", "type": "string", "pattern": "^[0-9]*$" }, "frontendUrl": { "title": "Frontend URL", "description": "Set the frontend URL for the realm. Use in combination with the default hostname provider to override the base URL for frontend requests for a specific realm.", "type": "string" } }, "additionalProperties": { "type": "string" } } ``` </details>
nullable: true
properties:
adminEventsExpiration:
description: Sets the expiration for events. Expired events are periodically deleted from the database.
nullable: true
type: string
cibaAuthRequestedUserHint:
description: The way of identifying the end-user for whom authentication is being requested. Currently only "login_hint" is supported.
enum:
- login_hint
nullable: true
type: string
cibaBackchannelTokenDeliveryMode:
description: Specifies how the CD (Consumption Device) gets the authentication result and related tokens. This mode will be used by default for the CIBA clients, which do not have other mode explicitly set.
enum:
- ping
- poll
nullable: true
type: string
cibaExpiresIn:
description: The expiration time of the "auth_req_id" in seconds since the authentication request was received.
nullable: true
type: string
cibaInterval:
description: The minimum amount of time in seconds that the CD (Consumption Device) must wait between polling requests to the token endpoint. If set to 0, the CD must use 5 as the default value according to the CIBA specification.
nullable: true
type: string
frontendUrl:
description: Set the frontend URL for the realm. Use in combination with the default hostname provider to override the base URL for frontend requests for a specific realm.
nullable: true
type: string
type: object
browserFlow:
nullable: true
type: string
browserSecurityHeaders:
description: |-
RealmRepresentationBrowserSecurityHeaders
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "contentSecurityPolicy": { "title": "Content-Security-Policy", "description": "Default value prevents pages from being included by non-origin iframes. <1>Learn more</1>", "type": "string" }, "contentSecurityPolicyReportOnly": { "title": "Content-Security-Policy-Report-Only", "description": "For testing Content Security Policies <1>Learn more</1>", "type": "string" }, "strictTransportSecurity": { "title": "HTTP Strict Transport Security (HSTS)", "description": "The Strict-Transport-Security HTTP header tells browsers to always use HTTPS. Once a browser sees this header, it will only visit the site over HTTPS for the time specified (1 year) at max-age, including the subdomains. <1>Learn more</1>", "type": "string" }, "xContentTypeOptions": { "title": "X-Content-Type-Options", "description": "The default value prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. <1>Learn more</1>", "type": "string" }, "xFrameOptions": { "title": "X-Frame-Options", "description": "Default value prevents pages from being included by non-origin iframes. <1>Learn more</1>", "type": "string" }, "xRobotsTag": { "title": "X-Robots-Tag", "description": "Prevent pages from appearing in search engines. <1>Learn more</1>", "type": "string" }, "xXSSProtection": { "title": "X-XSS-Protection", "description": "This header configures the Cross-site scripting (XSS) filter in your browser. Using the default behaviour, the browser will prevent rendering of the page when a XSS attack is detected. <1>Learn more</1>", "type": "string" } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
contentSecurityPolicy:
description: The default value prevents pages from being included by non-origin iframes.
nullable: true
type: string
contentSecurityPolicyReportOnly:
description: For testing Content Security Policies without enforcing them.
nullable: true
type: string
strictTransportSecurity:
description: The Strict-Transport-Security HTTP header tells browsers to always use HTTPS. Once a browser has seen this header, it only visits the site over HTTPS for the duration given by max-age (1 year), including subdomains.
nullable: true
type: string
xContentTypeOptions:
description: The default value prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type.
nullable: true
type: string
xFrameOptions:
description: The default value prevents pages from being included by non-origin iframes.
nullable: true
type: string
xRobotsTag:
description: Prevents pages from appearing in search engines.
nullable: true
type: string
xXSSProtection:
description: This header configures the cross-site scripting (XSS) filter in the browser. With the default behaviour, the browser prevents rendering of the page when an XSS attack is detected.
nullable: true
type: string
type: object
bruteForceProtected:
nullable: true
type: boolean
bruteForceStrategy:
description: MULTIPLE means the wait time is increased only when the number of failures is a multiple of the failureFactor value. LINEAR means each new failure starting at failureFactor increases the wait time.
enum:
- LINEAR
- MULTIPLE
nullable: true
type: string
certificate:
nullable: true
type: string
clientAuthenticationFlow:
nullable: true
type: string
clientOfflineSessionIdleTimeout:
format: int32
nullable: true
type: integer
clientOfflineSessionMaxLifespan:
format: int32
nullable: true
type: integer
clientPolicies:
description: |-
ClientPoliciesRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "globalPolicies": { "type": "array", "items": { "$ref": "#/$defs/ClientPolicyRepresentation" } }, "policies": { "type": "array", "items": { "$ref": "#/$defs/ClientPolicyRepresentation" } } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
globalPolicies:
items:
description: |-
ClientPolicyRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "conditions": { "type": "array", "items": { "$ref": "#/$defs/ClientPolicyConditionRepresentation" } }, "description": { "type": "string" }, "enabled": { "type": "boolean" }, "name": { "type": "string" }, "profiles": { "type": "array", "items": { "type": "string" } } }, "additionalProperties": false } ``` </details>
properties:
conditions:
items:
description: |-
ClientPolicyConditionRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "condition": { "type": "string" }, "configuration": { "type": "object" } }, "additionalProperties": false } ``` </details>
properties:
condition:
nullable: true
type: string
configuration:
additionalProperties: true
type: object
type: object
type: array
description:
nullable: true
type: string
enabled:
nullable: true
type: boolean
name:
nullable: true
type: string
profiles:
items:
type: string
type: array
type: object
type: array
policies:
items:
description: |-
ClientPolicyRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "conditions": { "type": "array", "items": { "$ref": "#/$defs/ClientPolicyConditionRepresentation" } }, "description": { "type": "string" }, "enabled": { "type": "boolean" }, "name": { "type": "string" }, "profiles": { "type": "array", "items": { "type": "string" } } }, "additionalProperties": false } ``` </details>
properties:
conditions:
items:
description: |-
ClientPolicyConditionRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "condition": { "type": "string" }, "configuration": { "type": "object" } }, "additionalProperties": false } ``` </details>
properties:
condition:
nullable: true
type: string
configuration:
additionalProperties: true
type: object
type: object
type: array
description:
nullable: true
type: string
enabled:
nullable: true
type: boolean
name:
nullable: true
type: string
profiles:
items:
type: string
type: array
type: object
type: array
type: object
clientProfiles:
description: |-
ClientProfilesRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "globalProfiles": { "type": "array", "items": { "$ref": "#/$defs/ClientProfileRepresentation" } }, "profiles": { "type": "array", "items": { "$ref": "#/$defs/ClientProfileRepresentation" } } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
globalProfiles:
items:
description: |-
ClientProfileRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "description": { "type": "string" }, "executors": { "type": "array", "items": { "$ref": "#/$defs/ClientPolicyExecutorRepresentation" } }, "name": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
description:
nullable: true
type: string
executors:
items:
description: |-
ClientPolicyExecutorRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "configuration": { "type": "object" }, "executor": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
configuration:
additionalProperties: true
type: object
executor:
nullable: true
type: string
type: object
type: array
name:
nullable: true
type: string
type: object
type: array
profiles:
items:
description: |-
ClientProfileRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "description": { "type": "string" }, "executors": { "type": "array", "items": { "$ref": "#/$defs/ClientPolicyExecutorRepresentation" } }, "name": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
description:
nullable: true
type: string
executors:
items:
description: |-
ClientPolicyExecutorRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "configuration": { "type": "object" }, "executor": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
configuration:
additionalProperties: true
type: object
executor:
nullable: true
type: string
type: object
type: array
name:
nullable: true
type: string
type: object
type: array
type: object
clientScopeMappings:
additionalProperties:
items:
description: |-
ScopeMappingRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "client": { "type": "string" }, "clientScope": { "type": "string" }, "clientTemplate": { "type": "string" }, "roles": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "self": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
client:
nullable: true
type: string
clientScope:
nullable: true
type: string
clientTemplate:
nullable: true
type: string
roles:
items:
type: string
nullable: true
type: array
self:
nullable: true
type: string
type: object
type: array
type: object
clientSessionIdleTimeout:
description: Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Idle value.
format: int32
nullable: true
type: integer
clientSessionMaxLifespan:
description: Max time before a client session is expired. Tokens are invalidated when a session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Max value.
format: int32
nullable: true
type: integer
clientTemplates:
items:
description: |-
ClientTemplateRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "attributes": { "type": "object", "additionalProperties": { "type": "string" } }, "bearerOnly": { "type": "boolean" }, "consentRequired": { "type": "boolean" }, "description": { "type": "string" }, "directAccessGrantsEnabled": { "type": "boolean" }, "frontchannelLogout": { "type": "boolean" }, "fullScopeAllowed": { "type": "boolean" }, "id": { "type": "string" }, "implicitFlowEnabled": { "type": "boolean" }, "name": { "type": "string" }, "protocol": { "type": "string" }, "protocolMappers": { "type": "array", "items": { "$ref": "#/$defs/ProtocolMapperRepresentation" } }, "publicClient": { "type": "boolean" }, "serviceAccountsEnabled": { "type": "boolean" }, "standardFlowEnabled": { "type": "boolean" } }, "additionalProperties": false } ``` </details>
properties:
attributes:
additionalProperties:
type: string
type: object
bearerOnly:
nullable: true
type: boolean
consentRequired:
nullable: true
type: boolean
description:
nullable: true
type: string
directAccessGrantsEnabled:
nullable: true
type: boolean
frontchannelLogout:
nullable: true
type: boolean
fullScopeAllowed:
nullable: true
type: boolean
id:
nullable: true
type: string
implicitFlowEnabled:
nullable: true
type: boolean
name:
nullable: true
type: string
protocol:
nullable: true
type: string
protocolMappers:
items:
description: |-
ProtocolMapperRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "config": { "type": "object", "additionalProperties": { "type": "string" } }, "consentRequired": { "type": "boolean" }, "consentText": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "protocol": { "type": "string", "enum": [ "openid-connect", "saml" ] }, "protocolMapper": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
config:
additionalProperties:
type: string
type: object
consentRequired:
nullable: true
type: boolean
consentText:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
protocol:
description: |-
ProtocolMapperRepresentationProtocol
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "openid-connect", "saml" ] } ``` </details>
enum:
- openid-connect
- saml
nullable: true
type: string
protocolMapper:
nullable: true
type: string
type: object
type: array
publicClient:
nullable: true
type: boolean
serviceAccountsEnabled:
nullable: true
type: boolean
standardFlowEnabled:
nullable: true
type: boolean
type: object
type: array
codeSecret:
nullable: true
type: string
defaultDefaultClientScopes:
items:
type: string
type: array
defaultGroups:
items:
type: string
type: array
defaultLocale:
nullable: true
type: string
defaultOptionalClientScopes:
items:
type: string
type: array
defaultRole:
description: |-
RoleRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "attributes": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "clientRole": { "type": "boolean" }, "composite": { "type": "boolean" }, "composites": { "$ref": "#/$defs/Composites" }, "containerId": { "type": "string" }, "description": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "scopeParamRequired": { "type": "boolean" } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
attributes:
additionalProperties:
items:
type: string
type: array
type: object
clientRole:
nullable: true
type: boolean
composite:
nullable: true
type: boolean
composites:
description: |-
Composites
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "application": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "client": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "realm": { "type": "array", "items": { "type": "string" }, "uniqueItems": true } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
application:
additionalProperties:
items:
type: string
type: array
type: object
client:
additionalProperties:
items:
type: string
type: array
type: object
realm:
items:
type: string
nullable: true
type: array
type: object
containerId:
nullable: true
type: string
description:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
scopeParamRequired:
nullable: true
type: boolean
type: object
defaultRoles:
items:
type: string
type: array
defaultSignatureAlgorithm:
description: Default algorithm used to sign tokens for the realm
enum:
- EdDSA
- ES256
- ES384
- ES512
- HS256
- HS384
- HS512
- PS256
- PS384
- PS512
- RS256
- RS384
- RS512
nullable: true
type: string
directGrantFlow:
nullable: true
type: string
displayName:
nullable: true
type: string
displayNameHtml:
nullable: true
type: string
dockerAuthenticationFlow:
nullable: true
type: string
duplicateEmailsAllowed:
description: Allow multiple users to have the same email address. Changing this setting also clears the user cache. It is recommended to manually update the email constraints of existing users in the database after switching off support for duplicate email addresses.
nullable: true
type: boolean
editUsernameAllowed:
description: If enabled, the username field is editable; otherwise it is read-only.
nullable: true
type: boolean
emailTheme:
description: Select a theme for emails that are sent by the server.
nullable: true
type: string
enabled:
nullable: true
type: boolean
enabledEventTypes:
items:
type: string
type: array
eventsEnabled:
description: If enabled, user events are saved to the database, which makes events available to the admin and account management UIs.
nullable: true
type: boolean
eventsExpiration:
description: Sets the expiration for events. Expired events are periodically deleted from the database.
format: int64
nullable: true
type: integer
eventsListeners:
description: Configure what listeners receive events for the realm.
items:
type: string
type: array
failureFactor:
description: Maximum number of login failures; used by bruteForceStrategy to determine when the wait time increases.
format: int32
nullable: true
type: integer
firstBrokerLoginFlow:
nullable: true
type: string
id:
nullable: true
type: string
identityProviderMappers:
items:
description: |-
IdentityProviderMapperRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "config": { "type": "object", "properties": { "attribute.friendly.name": { "title": "Friendly name", "description": "Friendly name of attribute to search for in assertion. You can leave this blank and specify a name instead.", "type": "string" }, "attribute.name.format": { "type": "string", "enum": [ "ATTRIBUTE_FORMAT_BASIC", "ATTRIBUTE_FORMAT_URI", "ATTRIBUTE_FORMAT_UNSPECIFIED" ] }, "syncMode": { "title": "Sync mode override", "description": "Overrides the default sync mode of the IDP for this mapper. Values are: 'legacy' to keep the behaviour before this option was introduced, 'import' to only import the user once during first login of the user with this identity provider, 'force' to always update the user during every login with this identity provider and 'inherit' to use the sync mode defined in the identity provider for this mapper.", "type": "string", "enum": [ "INHERIT", "IMPORT", "LEGACY", "FORCE" ] }, "user.attribute": { "title": "User Attribute Name", "description": "Name of user attribute you want to hardcode", "type": "string" } }, "additionalProperties": { "type": "string" } }, "id": { "type": "string" }, "identityProviderAlias": { "type": "string" }, "identityProviderMapper": { "type": "string" }, "name": { "title": "Name", "description": "Name of the mapper.", "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
config:
description: |-
IdentityProviderMapperRepresentationConfig
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "attribute.friendly.name": { "title": "Friendly name", "description": "Friendly name of attribute to search for in assertion. You can leave this blank and specify a name instead.", "type": "string" }, "attribute.name.format": { "type": "string", "enum": [ "ATTRIBUTE_FORMAT_BASIC", "ATTRIBUTE_FORMAT_URI", "ATTRIBUTE_FORMAT_UNSPECIFIED" ] }, "syncMode": { "title": "Sync mode override", "description": "Overrides the default sync mode of the IDP for this mapper. Values are: 'legacy' to keep the behaviour before this option was introduced, 'import' to only import the user once during first login of the user with this identity provider, 'force' to always update the user during every login with this identity provider and 'inherit' to use the sync mode defined in the identity provider for this mapper.", "type": "string", "enum": [ "INHERIT", "IMPORT", "LEGACY", "FORCE" ] }, "user.attribute": { "title": "User Attribute Name", "description": "Name of user attribute you want to hardcode", "type": "string" } }, "additionalProperties": { "type": "string" } } ``` </details>
nullable: true
properties:
attribute.friendly.name:
description: Friendly name of attribute to search for in assertion. You can leave this blank and specify a name instead.
nullable: true
type: string
attribute.name.format:
description: |-
IdentityProviderMapperRepresentationConfigAttributeNameFormat
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "ATTRIBUTE_FORMAT_BASIC", "ATTRIBUTE_FORMAT_URI", "ATTRIBUTE_FORMAT_UNSPECIFIED" ] } ``` </details>
enum:
- ATTRIBUTE_FORMAT_BASIC
- ATTRIBUTE_FORMAT_URI
- ATTRIBUTE_FORMAT_UNSPECIFIED
nullable: true
type: string
syncMode:
description: 'Overrides the default sync mode of the IDP for this mapper. Values are: ''legacy'' to keep the behaviour before this option was introduced, ''import'' to only import the user once during first login of the user with this identity provider, ''force'' to always update the user during every login with this identity provider and ''inherit'' to use the sync mode defined in the identity provider for this mapper.'
enum:
- INHERIT
- IMPORT
- LEGACY
- FORCE
nullable: true
type: string
user.attribute:
description: Name of user attribute you want to hardcode
nullable: true
type: string
type: object
id:
nullable: true
type: string
identityProviderAlias:
nullable: true
type: string
identityProviderMapper:
nullable: true
type: string
name:
description: Name of the mapper.
nullable: true
type: string
type: object
type: array
identityProviders:
items:
description: |-
IdentityProviderRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "addReadTokenRoleOnCreate": { "title": "Stored tokens readable", "description": "Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.", "type": "boolean" }, "alias": { "title": "Alias", "description": "The alias uniquely identifies an identity provider and it is also used to build the redirect uri.", "type": "string" }, "authenticateByDefault": { "type": "boolean" }, "config": { "type": "object", "properties": { "allowCreate": { "title": "Allow create", "description": "Allow the external identity provider to create a new identifier to represent the principal.", "type": "string", "enum": [ "true", "false", "" ] }, "allowedClockSkew": { "title": "Allowed clock skew", "description": "Clock skew in seconds that is tolerated when validating identity provider tokens. Default value is zero.", "type": "string", "pattern": "^[0-9]*$" }, "attributeConsumingServiceIndex": { "title": "Attribute Consuming Service Index", "description": "Index of the Attribute Consuming Service profile to request during authentication.", "type": "string", "pattern": "^[0-9]*$" }, "authnContextClassRefs": { "title": "AuthnContext ClassRefs", "description": "Ordered list of requested AuthnContext ClassRefs.", "type": "string" }, "authnContextComparisonType": { "title": "Comparison", "description": "Specifies the comparison method used to evaluate the requested context classes or statements. 
The default is \"Exact\".", "type": "string", "enum": [ "exact", "minimum", "maximum", "better" ] }, "authnContextDeclRefs": { "title": "AuthnContext DeclRefs", "description": "Ordered list of requested AuthnContext DeclRefs.", "type": "string" }, "backchannelSupported": { "title": "Backchannel logout", "description": "Does the external IDP support backchannel logout?", "type": "string", "enum": [ "true", "false", "" ] }, "encryptionAlgorithm": { "title": "Encryption Algorithm", "description": "Encryption algorithm, which is used by SAML IDP for encryption of SAML documents, assertions or IDs. The corresponding decryption key for decrypt SAML document parts will be chosen based on this configured algorithm and should be available in realm keys for the encryption (ENC) usage. If algorithm is not configured, then any supported algorithm is allowed and decryption key will be chosen based on the algorithm configured in SAML document itself.", "type": "string" }, "entityId": { "title": "Service provider entity ID", "description": "The Entity ID that will be used to uniquely identify this SAML Service Provider.", "type": "string" }, "forceAuthn": { "title": "Force authentication", "description": "Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.", "type": "string", "enum": [ "true", "false", "" ] }, "hideOnLoginPage": { "title": "Hide on login page", "description": "If hidden, login with this provider is possible only if requested explicitly, for example using the 'kc_idp_hint' parameter.", "type": "string", "enum": [ "true", "false", "" ] }, "idpEntityId": { "title": "Identity provider entity ID", "description": "The Entity ID used to validate the Issuer for received SAML assertions. 
If empty, no Issuer validation is performed.", "type": "string" }, "loginHint": { "title": "Pass subject", "description": "During login phase, forward an optional login_hint query parameter to SAML AuthnRequest's Subject.", "type": "string", "enum": [ "true", "false", "" ] }, "nameIDPolicyFormat": { "title": "NameID policy format", "description": "Specifies the URI reference corresponding to a name identifier format.", "type": "string" }, "postBindingAuthnRequest": { "title": "HTTP-POST binding for AuthnRequest", "description": "Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.", "type": "string", "enum": [ "true", "false", "" ] }, "postBindingLogout": { "title": "HTTP-POST binding logout", "description": "Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.", "type": "string", "enum": [ "true", "false", "" ] }, "postBindingResponse": { "title": "HTTP-POST binding response", "description": "Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.", "type": "string", "enum": [ "true", "false", "" ] }, "principalAttribute": { "title": "Principal attribute", "description": "Name or Friendly Name of the attribute used to identify external users.", "type": "string" }, "principalType": { "title": "Principal type", "description": "Way to identify and track external users from the assertion. Default is using Subject NameID, alternatively you can set up identifying attribute.", "type": "string", "enum": [ "SUBJECT", "ATTRIBUTE", "FRIENDLY_ATTRIBUTE" ] }, "signSpMetadata": { "title": "Sign service provider metadata", "description": "Enable/disable signature of the provider SAML metadata.", "type": "string", "enum": [ "true", "false", "" ] }, "signatureAlgorithm": { "title": "Signature algorithm", "description": "The signature algorithm to use to sign documents. 
Note that 'SHA1' based algorithms are deprecated and can be removed in the future. It is recommended to stick to some more secure algorithm instead of '*_SHA1'.", "type": "string" }, "signingCertificate": { "title": "Validating X509 certificates", "description": "The public certificates Keycloak uses to validate the signatures of SAML requests and responses from the external IDP when Use metadata descriptor URL is OFF. Multiple certificates can be entered separated by comma (,). The certificates can be re-imported from the Metadata descriptor URL clicking the Import Keys action in the identity provider page. The action downloads the current certificates in the metadata endpoint and assigns them to the config in this same option. You need to click Save to definitely store the re-imported certificates.", "type": "string" }, "singleSignOnServiceUrl": { "title": "Single Sign-On service URL", "description": "The Url that must be used to send authentication requests (SAML AuthnRequest).", "type": "string" }, "syncMode": { "title": "Sync mode", "description": "Default sync mode for all mappers. The sync mode determines when user data will be synced using the mappers. 
Possible values are: 'legacy' to keep the behaviour before this option was introduced, 'import' to only import the user once during first login of the user with this identity provider, 'force' to always update the user during every login with this identity provider.", "type": "string", "enum": [ "IMPORT", "LEGACY", "FORCE" ] }, "validateSignature": { "title": "Validate Signatures", "description": "Enable/disable signature validation of external IDP signatures.", "type": "string", "enum": [ "true", "false", "" ] }, "wantAssertionsEncrypted": { "title": "Want Assertions encrypted", "description": "Indicates whether this service provider expects an encrypted Assertion.", "type": "string", "enum": [ "true", "false", "" ] }, "wantAssertionsSigned": { "title": "Want Assertions signed", "description": "Indicates whether this service provider expects a signed Assertion.", "type": "string", "enum": [ "true", "false", "" ] }, "wantAuthnRequestsSigned": { "title": "Want AuthnRequests signed", "description": "Indicates whether the identity provider expects a signed AuthnRequest.", "type": "string", "enum": [ "true", "false", "" ] }, "xmlSigKeyInfoKeyNameTransformer": { "title": "SAML signature key name", "description": "Signed SAML documents contain identification of signing key in KeyName element. For Keycloak / RH-SSO counter-party, use KEY_ID, for MS AD FS use CERT_SUBJECT, for others check and use NONE if no other option works.", "type": "string", "enum": [ "NONE", "KEY_ID", "CERT_SUBJECT" ] } }, "additionalProperties": { "type": "string" } }, "displayName": { "title": "Display name", "description": "Friendly name for Identity Providers.", "type": "string" }, "enabled": { "title": "Enabled", "type": "boolean" }, "firstBrokerLoginFlowAlias": { "title": "First login flow override", "description": "Alias of authentication flow, which is triggered after first login with this identity provider. 
Term 'First Login' means that no Keycloak account is currently linked to the authenticated identity provider account.", "type": "string" }, "hideOnLogin": { "title": "Hide on login page", "description": "If hidden, login with this provider is possible only if requested explicitly, for example using the 'kc_idp_hint' parameter.", "type": "boolean" }, "internalId": { "type": "string" }, "linkOnly": { "title": "Account linking only", "description": "If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider.", "type": "boolean" }, "organizationId": { "type": "string" }, "postBrokerLoginFlowAlias": { "title": "Post login flow", "description": "Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this to \"None\" if you need no any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.", "type": "string" }, "providerId": { "type": "string" }, "storeToken": { "title": "Store tokens", "description": "Enable/disable if tokens must be stored after authenticating users.", "type": "boolean" }, "trustEmail": { "title": "Trust Email", "description": "If enabled, email provided by this provider is not verified even if verification is enabled for the realm.", "type": "boolean" }, "updateProfileFirstLogin": { "type": "boolean" }, "updateProfileFirstLoginMode": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
addReadTokenRoleOnCreate:
description: Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role.
nullable: true
type: boolean
alias:
description: The alias uniquely identifies an identity provider and is also used to build the redirect URI.
nullable: true
type: string
authenticateByDefault:
nullable: true
type: boolean
config:
description: |-
IdentityProviderRepresentationConfig
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "allowCreate": { "title": "Allow create", "description": "Allow the external identity provider to create a new identifier to represent the principal.", "type": "string", "enum": [ "true", "false", "" ] }, "allowedClockSkew": { "title": "Allowed clock skew", "description": "Clock skew in seconds that is tolerated when validating identity provider tokens. Default value is zero.", "type": "string", "pattern": "^[0-9]*$" }, "attributeConsumingServiceIndex": { "title": "Attribute Consuming Service Index", "description": "Index of the Attribute Consuming Service profile to request during authentication.", "type": "string", "pattern": "^[0-9]*$" }, "authnContextClassRefs": { "title": "AuthnContext ClassRefs", "description": "Ordered list of requested AuthnContext ClassRefs.", "type": "string" }, "authnContextComparisonType": { "title": "Comparison", "description": "Specifies the comparison method used to evaluate the requested context classes or statements. The default is \"Exact\".", "type": "string", "enum": [ "exact", "minimum", "maximum", "better" ] }, "authnContextDeclRefs": { "title": "AuthnContext DeclRefs", "description": "Ordered list of requested AuthnContext DeclRefs.", "type": "string" }, "backchannelSupported": { "title": "Backchannel logout", "description": "Does the external IDP support backchannel logout?", "type": "string", "enum": [ "true", "false", "" ] }, "encryptionAlgorithm": { "title": "Encryption Algorithm", "description": "Encryption algorithm, which is used by SAML IDP for encryption of SAML documents, assertions or IDs. The corresponding decryption key for decrypt SAML document parts will be chosen based on this configured algorithm and should be available in realm keys for the encryption (ENC) usage. 
If algorithm is not configured, then any supported algorithm is allowed and decryption key will be chosen based on the algorithm configured in SAML document itself.", "type": "string" }, "entityId": { "title": "Service provider entity ID", "description": "The Entity ID that will be used to uniquely identify this SAML Service Provider.", "type": "string" }, "forceAuthn": { "title": "Force authentication", "description": "Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.", "type": "string", "enum": [ "true", "false", "" ] }, "hideOnLoginPage": { "title": "Hide on login page", "description": "If hidden, login with this provider is possible only if requested explicitly, for example using the 'kc_idp_hint' parameter.", "type": "string", "enum": [ "true", "false", "" ] }, "idpEntityId": { "title": "Identity provider entity ID", "description": "The Entity ID used to validate the Issuer for received SAML assertions. If empty, no Issuer validation is performed.", "type": "string" }, "loginHint": { "title": "Pass subject", "description": "During login phase, forward an optional login_hint query parameter to SAML AuthnRequest's Subject.", "type": "string", "enum": [ "true", "false", "" ] }, "nameIDPolicyFormat": { "title": "NameID policy format", "description": "Specifies the URI reference corresponding to a name identifier format.", "type": "string" }, "postBindingAuthnRequest": { "title": "HTTP-POST binding for AuthnRequest", "description": "Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.", "type": "string", "enum": [ "true", "false", "" ] }, "postBindingLogout": { "title": "HTTP-POST binding logout", "description": "Indicates whether to respond to requests using HTTP-POST binding. 
If false, HTTP-REDIRECT binding will be used.", "type": "string", "enum": [ "true", "false", "" ] }, "postBindingResponse": { "title": "HTTP-POST binding response", "description": "Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.", "type": "string", "enum": [ "true", "false", "" ] }, "principalAttribute": { "title": "Principal attribute", "description": "Name or Friendly Name of the attribute used to identify external users.", "type": "string" }, "principalType": { "title": "Principal type", "description": "Way to identify and track external users from the assertion. Default is using Subject NameID, alternatively you can set up identifying attribute.", "type": "string", "enum": [ "SUBJECT", "ATTRIBUTE", "FRIENDLY_ATTRIBUTE" ] }, "signSpMetadata": { "title": "Sign service provider metadata", "description": "Enable/disable signature of the provider SAML metadata.", "type": "string", "enum": [ "true", "false", "" ] }, "signatureAlgorithm": { "title": "Signature algorithm", "description": "The signature algorithm to use to sign documents. Note that 'SHA1' based algorithms are deprecated and can be removed in the future. It is recommended to stick to some more secure algorithm instead of '*_SHA1'.", "type": "string" }, "signingCertificate": { "title": "Validating X509 certificates", "description": "The public certificates Keycloak uses to validate the signatures of SAML requests and responses from the external IDP when Use metadata descriptor URL is OFF. Multiple certificates can be entered separated by comma (,). The certificates can be re-imported from the Metadata descriptor URL clicking the Import Keys action in the identity provider page. The action downloads the current certificates in the metadata endpoint and assigns them to the config in this same option. 
You need to click Save to definitely store the re-imported certificates.", "type": "string" }, "singleSignOnServiceUrl": { "title": "Single Sign-On service URL", "description": "The Url that must be used to send authentication requests (SAML AuthnRequest).", "type": "string" }, "syncMode": { "title": "Sync mode", "description": "Default sync mode for all mappers. The sync mode determines when user data will be synced using the mappers. Possible values are: 'legacy' to keep the behaviour before this option was introduced, 'import' to only import the user once during first login of the user with this identity provider, 'force' to always update the user during every login with this identity provider.", "type": "string", "enum": [ "IMPORT", "LEGACY", "FORCE" ] }, "validateSignature": { "title": "Validate Signatures", "description": "Enable/disable signature validation of external IDP signatures.", "type": "string", "enum": [ "true", "false", "" ] }, "wantAssertionsEncrypted": { "title": "Want Assertions encrypted", "description": "Indicates whether this service provider expects an encrypted Assertion.", "type": "string", "enum": [ "true", "false", "" ] }, "wantAssertionsSigned": { "title": "Want Assertions signed", "description": "Indicates whether this service provider expects a signed Assertion.", "type": "string", "enum": [ "true", "false", "" ] }, "wantAuthnRequestsSigned": { "title": "Want AuthnRequests signed", "description": "Indicates whether the identity provider expects a signed AuthnRequest.", "type": "string", "enum": [ "true", "false", "" ] }, "xmlSigKeyInfoKeyNameTransformer": { "title": "SAML signature key name", "description": "Signed SAML documents contain identification of signing key in KeyName element. 
For Keycloak / RH-SSO counter-party, use KEY_ID, for MS AD FS use CERT_SUBJECT, for others check and use NONE if no other option works.", "type": "string", "enum": [ "NONE", "KEY_ID", "CERT_SUBJECT" ] } }, "additionalProperties": { "type": "string" } } ``` </details>
nullable: true
properties:
allowCreate:
description: Allow the external identity provider to create a new identifier to represent the principal.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
allowedClockSkew:
description: Clock skew in seconds that is tolerated when validating identity provider tokens. Default value is zero.
nullable: true
type: string
attributeConsumingServiceIndex:
description: Index of the Attribute Consuming Service profile to request during authentication.
nullable: true
type: string
authnContextClassRefs:
description: Ordered list of requested AuthnContext ClassRefs.
nullable: true
type: string
authnContextComparisonType:
description: Specifies the comparison method used to evaluate the requested context classes or statements. The default is "Exact".
enum:
- exact
- minimum
- maximum
- better
nullable: true
type: string
authnContextDeclRefs:
description: Ordered list of requested AuthnContext DeclRefs.
nullable: true
type: string
backchannelSupported:
description: Does the external IDP support backchannel logout?
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
encryptionAlgorithm:
description: Encryption algorithm, which is used by SAML IDP for encryption of SAML documents, assertions or IDs. The corresponding decryption key for decrypt SAML document parts will be chosen based on this configured algorithm and should be available in realm keys for the encryption (ENC) usage. If algorithm is not configured, then any supported algorithm is allowed and decryption key will be chosen based on the algorithm configured in SAML document itself.
nullable: true
type: string
entityId:
description: The Entity ID that will be used to uniquely identify this SAML Service Provider.
nullable: true
type: string
forceAuthn:
description: Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
hideOnLoginPage:
description: If hidden, login with this provider is possible only if requested explicitly, for example using the 'kc_idp_hint' parameter.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
idpEntityId:
description: The Entity ID used to validate the Issuer for received SAML assertions. If empty, no Issuer validation is performed.
nullable: true
type: string
loginHint:
description: During login phase, forward an optional login_hint query parameter to SAML AuthnRequest's Subject.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
nameIDPolicyFormat:
description: Specifies the URI reference corresponding to a name identifier format.
nullable: true
type: string
postBindingAuthnRequest:
description: Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
postBindingLogout:
description: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
postBindingResponse:
description: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
principalAttribute:
description: Name or Friendly Name of the attribute used to identify external users.
nullable: true
type: string
principalType:
description: Way to identify and track external users from the assertion. Default is using Subject NameID; alternatively you can set up an identifying attribute.
enum:
- SUBJECT
- ATTRIBUTE
- FRIENDLY_ATTRIBUTE
nullable: true
type: string
signSpMetadata:
description: Enable/disable signature of the provider SAML metadata.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
signatureAlgorithm:
description: The signature algorithm to use to sign documents. Note that 'SHA1'-based algorithms are deprecated and may be removed in the future. It is recommended to use a more secure algorithm instead of '*_SHA1'.
nullable: true
type: string
signingCertificate:
description: The public certificates Keycloak uses to validate the signatures of SAML requests and responses from the external IDP when Use metadata descriptor URL is OFF. Multiple certificates can be entered separated by a comma (,). The certificates can be re-imported from the Metadata descriptor URL by clicking the Import Keys action in the identity provider page. The action downloads the current certificates from the metadata endpoint and assigns them to the config in this same option. You need to click Save to definitively store the re-imported certificates.
nullable: true
type: string
singleSignOnServiceUrl:
description: The URL that must be used to send authentication requests (SAML AuthnRequest).
nullable: true
type: string
syncMode:
description: 'Default sync mode for all mappers. The sync mode determines when user data will be synced using the mappers. Possible values are: ''legacy'' to keep the behaviour before this option was introduced, ''import'' to only import the user once during first login of the user with this identity provider, ''force'' to always update the user during every login with this identity provider.'
enum:
- IMPORT
- LEGACY
- FORCE
nullable: true
type: string
validateSignature:
description: Enable/disable signature validation of external IDP signatures.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
wantAssertionsEncrypted:
description: Indicates whether this service provider expects an encrypted Assertion.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
wantAssertionsSigned:
description: Indicates whether this service provider expects a signed Assertion.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
wantAuthnRequestsSigned:
description: Indicates whether the identity provider expects a signed AuthnRequest.
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
xmlSigKeyInfoKeyNameTransformer:
description: Signed SAML documents contain identification of signing key in KeyName element. For Keycloak / RH-SSO counter-party, use KEY_ID, for MS AD FS use CERT_SUBJECT, for others check and use NONE if no other option works.
enum:
- NONE
- KEY_ID
- CERT_SUBJECT
nullable: true
type: string
type: object
displayName:
description: Friendly name for Identity Providers.
nullable: true
type: string
enabled:
nullable: true
type: boolean
firstBrokerLoginFlowAlias:
description: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that no Keycloak account is currently linked to the authenticated identity provider account.
nullable: true
type: string
hideOnLogin:
description: If hidden, login with this provider is possible only if requested explicitly, for example using the 'kc_idp_hint' parameter.
nullable: true
type: boolean
internalId:
nullable: true
type: string
linkOnly:
description: If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but still want to integrate with the provider.
nullable: true
type: boolean
organizationId:
nullable: true
type: string
postBrokerLoginFlowAlias:
description: Alias of the authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this at "None" if you do not need any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in ClientSession, because the identity provider has already set it.
nullable: true
type: string
providerId:
nullable: true
type: string
storeToken:
description: Enable/disable whether tokens must be stored after authenticating users.
nullable: true
type: boolean
trustEmail:
description: If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
nullable: true
type: boolean
updateProfileFirstLogin:
nullable: true
type: boolean
updateProfileFirstLoginMode:
nullable: true
type: string
type: object
type: array
internationalizationEnabled:
description: If enabled, you can choose which locales you support for this realm and which locale is the default.
nullable: true
type: boolean
keycloakVersion:
nullable: true
type: string
localizationTexts:
additionalProperties:
additionalProperties:
type: string
type: object
type: object
loginTheme:
description: Select theme for login, OTP, grant, registration and forgot password pages.
nullable: true
type: string
loginWithEmailAllowed:
description: Allow users to log in with their email address.
nullable: true
type: boolean
maxDeltaTimeSeconds:
description: When will the failure count be reset?
format: int32
nullable: true
type: integer
maxFailureWaitSeconds:
description: Max time a user will be locked out.
format: int32
nullable: true
type: integer
maxTemporaryLockouts:
description: The number of temporary lockouts permitted before the user is permanently locked out.
format: int32
nullable: true
type: integer
minimumQuickLoginWaitSeconds:
description: How long to wait after a quick login failure.
format: int32
nullable: true
type: integer
notBefore:
format: int32
nullable: true
type: integer
oAuth2DeviceCodeLifespan:
format: int32
nullable: true
type: integer
oAuth2DevicePollingInterval:
format: int32
nullable: true
type: integer
oauth2DeviceCodeLifespan:
description: Max time before the device code and user code are expired. This value needs to be a long enough lifetime to be usable (allowing the user to retrieve their secondary device, navigate to the verification URI, login, etc.), but should be sufficiently short to limit the usability of a code obtained for phishing.
format: int32
nullable: true
type: integer
oauth2DevicePollingInterval:
description: The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
format: int32
nullable: true
type: integer
offlineSessionIdleTimeout:
description: Time an offline session is allowed to be idle before it expires. You need to use the offline token to refresh at least once within this period; otherwise the offline session will expire.
format: int32
nullable: true
type: integer
offlineSessionMaxLifespan:
description: Max time before an offline session is expired regardless of activity.
format: int32
nullable: true
type: integer
offlineSessionMaxLifespanEnabled:
description: Enable offline session maximum lifetime
nullable: true
type: boolean
organizationsEnabled:
nullable: true
type: boolean
otpPolicyAlgorithm:
description: What hashing algorithm should be used to generate the OTP.
nullable: true
type: string
otpPolicyCodeReusable:
description: Possibility to use the same OTP code again after successful authentication.
nullable: true
type: boolean
otpPolicyDigits:
description: How many digits should the OTP have?
format: int32
nullable: true
type: integer
otpPolicyInitialCounter:
format: int32
nullable: true
type: integer
otpPolicyLookAheadWindow:
description: How far around (extra token periods or counts) should the server look just in case the token generator and server are out of time sync or counter sync?
format: int32
nullable: true
type: integer
otpPolicyPeriod:
description: How many seconds should an OTP token be valid? Defaults to 30 seconds.
format: int32
nullable: true
type: integer
otpPolicyType:
description: totp is Time-Based One-Time Password. 'hotp' is a counter-based one-time password in which the server keeps a counter to hash against.
enum:
- totp
- hotp
nullable: true
type: string
otpSupportedApplications:
items:
type: string
type: array
passwordCredentialGrantAllowed:
nullable: true
type: boolean
passwordPolicy:
nullable: true
type: string
permanentLockout:
nullable: true
type: boolean
privateKey:
nullable: true
type: string
publicKey:
nullable: true
type: string
quickLoginCheckMilliSeconds:
description: If a failure happens concurrently too quickly, lock out the user.
format: int64
nullable: true
type: integer
realm:
nullable: true
type: string
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf
realmCacheEnabled:
nullable: true
type: boolean
refreshTokenMaxReuse:
description: Maximum number of times a refresh token can be reused. When a different token is used, revocation is immediate.
format: int32
nullable: true
type: integer
registrationAllowed:
description: Enable/disable the registration page. A link for registration will show on login page too.
nullable: true
type: boolean
registrationEmailAsUsername:
description: Allow users to set email as username.
nullable: true
type: boolean
registrationFlow:
nullable: true
type: string
rememberMe:
description: Show checkbox on login page to allow user to remain logged in between browser restarts until session expires.
nullable: true
type: boolean
requiredCredentials:
items:
type: string
nullable: true
type: array
resetCredentialsFlow:
nullable: true
type: string
resetPasswordAllowed:
description: Show a link on login page for user to click when they have forgotten their credentials.
nullable: true
type: boolean
revokeRefreshToken:
description: If enabled, a refresh token can only be used up to 'Refresh Token Max Reuse' times and is revoked when a different token is used. Otherwise refresh tokens are not revoked when used and can be used multiple times.
nullable: true
type: boolean
roles:
description: |-
RolesRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "application": { "type": "object", "additionalProperties": { "type": "array", "items": { "$ref": "#/$defs/RoleRepresentation" } } }, "client": { "type": "object", "additionalProperties": { "type": "array", "items": { "$ref": "#/$defs/RoleRepresentation" } } }, "realm": { "type": "array", "items": { "$ref": "#/$defs/RoleRepresentation" } } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
application:
additionalProperties:
items:
description: |-
RoleRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "attributes": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "clientRole": { "type": "boolean" }, "composite": { "type": "boolean" }, "composites": { "$ref": "#/$defs/Composites" }, "containerId": { "type": "string" }, "description": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "scopeParamRequired": { "type": "boolean" } }, "additionalProperties": false } ``` </details>
properties:
attributes:
additionalProperties:
items:
type: string
type: array
type: object
clientRole:
nullable: true
type: boolean
composite:
nullable: true
type: boolean
composites:
description: |-
Composites
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "application": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "client": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "realm": { "type": "array", "items": { "type": "string" }, "uniqueItems": true } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
application:
additionalProperties:
items:
type: string
type: array
type: object
client:
additionalProperties:
items:
type: string
type: array
type: object
realm:
items:
type: string
nullable: true
type: array
type: object
containerId:
nullable: true
type: string
description:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
scopeParamRequired:
nullable: true
type: boolean
type: object
type: array
type: object
client:
additionalProperties:
items:
description: |-
RoleRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "attributes": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "clientRole": { "type": "boolean" }, "composite": { "type": "boolean" }, "composites": { "$ref": "#/$defs/Composites" }, "containerId": { "type": "string" }, "description": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "scopeParamRequired": { "type": "boolean" } }, "additionalProperties": false } ``` </details>
properties:
attributes:
additionalProperties:
items:
type: string
type: array
type: object
clientRole:
nullable: true
type: boolean
composite:
nullable: true
type: boolean
composites:
description: |-
Composites
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "application": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "client": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "realm": { "type": "array", "items": { "type": "string" }, "uniqueItems": true } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
application:
additionalProperties:
items:
type: string
type: array
type: object
client:
additionalProperties:
items:
type: string
type: array
type: object
realm:
items:
type: string
nullable: true
type: array
type: object
containerId:
nullable: true
type: string
description:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
scopeParamRequired:
nullable: true
type: boolean
type: object
type: array
type: object
realm:
items:
description: |-
RoleRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "attributes": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "clientRole": { "type": "boolean" }, "composite": { "type": "boolean" }, "composites": { "$ref": "#/$defs/Composites" }, "containerId": { "type": "string" }, "description": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" }, "scopeParamRequired": { "type": "boolean" } }, "additionalProperties": false } ``` </details>
properties:
attributes:
additionalProperties:
items:
type: string
type: array
type: object
clientRole:
nullable: true
type: boolean
composite:
nullable: true
type: boolean
composites:
description: |-
Composites
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "application": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "client": { "type": "object", "additionalProperties": { "type": "array", "items": { "type": "string" } } }, "realm": { "type": "array", "items": { "type": "string" }, "uniqueItems": true } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
application:
additionalProperties:
items:
type: string
type: array
type: object
client:
additionalProperties:
items:
type: string
type: array
type: object
realm:
items:
type: string
nullable: true
type: array
type: object
containerId:
nullable: true
type: string
description:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
scopeParamRequired:
nullable: true
type: boolean
type: object
type: array
type: object
scopeMappings:
items:
description: |-
ScopeMappingRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "client": { "type": "string" }, "clientScope": { "type": "string" }, "clientTemplate": { "type": "string" }, "roles": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }, "self": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
client:
nullable: true
type: string
clientScope:
nullable: true
type: string
clientTemplate:
nullable: true
type: string
roles:
items:
type: string
nullable: true
type: array
self:
nullable: true
type: string
type: object
type: array
smtpServer:
description: |-
RealmRepresentationSmtpServer
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "auth": { "title": "Authentication", "type": "string", "enum": [ "true", "false", "" ] }, "envelopeFrom": { "title": "Envelope from", "description": "An email address used for bounces (optional).", "type": "string" }, "from": { "title": "From", "type": "string" }, "fromDisplayName": { "title": "From display name", "description": "A user-friendly name for the 'From' address (optional).", "type": "string" }, "host": { "title": "Host", "type": "string" }, "password": { "title": "Password", "description": "SMTP password. This field is able to obtain its value from vault, use ${vault.ID} format.", "type": "string" }, "port": { "title": "Port", "type": "string" }, "replyTo": { "title": "Reply to", "type": "string" }, "replyToDisplayName": { "title": "Reply to display name", "description": "A user-friendly name for the 'Reply-To' address (optional).", "type": "string" }, "ssl": { "title": "Enable SSL", "type": "string", "enum": [ "true", "false", "" ] }, "starttls": { "title": "Enable StartTLS", "type": "string", "enum": [ "true", "false", "" ] }, "user": { "title": "Username", "type": "string" } }, "additionalProperties": false } ``` </details>
nullable: true
properties:
auth:
description: |-
Authentication
<details><summary>JSON schema</summary>
```json { "title": "Authentication", "type": "string", "enum": [ "true", "false", "" ] } ``` </details>
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
envelopeFrom:
description: An email address used for bounces (optional).
nullable: true
type: string
from:
nullable: true
type: string
fromDisplayName:
description: A user-friendly name for the 'From' address (optional).
nullable: true
type: string
host:
nullable: true
type: string
password:
description: SMTP password. This field can obtain its value from the vault; use the ${vault.ID} format.
nullable: true
type: string
port:
nullable: true
type: string
replyTo:
nullable: true
type: string
replyToDisplayName:
description: A user-friendly name for the 'Reply-To' address (optional).
nullable: true
type: string
ssl:
description: |-
EnableSsl
<details><summary>JSON schema</summary>
```json { "title": "Enable SSL", "type": "string", "enum": [ "true", "false", "" ] } ``` </details>
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
starttls:
description: |-
EnableStartTls
<details><summary>JSON schema</summary>
```json { "title": "Enable StartTLS", "type": "string", "enum": [ "true", "false", "" ] } ``` </details>
enum:
- 'true'
- 'false'
- ''
nullable: true
type: string
user:
nullable: true
type: string
type: object
social:
nullable: true
type: boolean
socialProviders:
additionalProperties:
type: string
type: object
sslRequired:
description: Is HTTPS required? 'None' means HTTPS is not required for any client IP address. 'External requests' means localhost and private IP addresses can access without HTTPS. 'All requests' means HTTPS is required for all IP addresses.
enum:
- all
- external
- none
nullable: true
type: string
ssoSessionIdleTimeout:
description: Time a session is allowed to be idle before it expires. Tokens and browser sessions are invalidated when a session is expired.
format: int32
nullable: true
type: integer
ssoSessionIdleTimeoutRememberMe:
description: Time a remember me session is allowed to be idle before it expires. Tokens and browser sessions are invalidated when a session is expired. If not set it uses the standard SSO Session Idle value.
format: int32
nullable: true
type: integer
ssoSessionMaxLifespan:
description: Max time before a session is expired. Tokens and browser sessions are invalidated when a session is expired.
format: int32
nullable: true
type: integer
ssoSessionMaxLifespanRememberMe:
description: Max time before a session is expired when a user has set the remember me option. Tokens and browser sessions are invalidated when a session is expired. If not set it uses the standard SSO Session Max value.
format: int32
nullable: true
type: integer
supportedLocales:
items:
type: string
nullable: true
type: array
updateProfileOnInitialSocialLogin:
nullable: true
type: boolean
userCacheEnabled:
nullable: true
type: boolean
userFederationMappers:
items:
description: |-
UserFederationMapperRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "config": { "type": "object", "additionalProperties": { "type": "string" } }, "federationMapperType": { "type": "string" }, "federationProviderDisplayName": { "type": "string" }, "id": { "type": "string" }, "name": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
config:
additionalProperties:
type: string
type: object
federationMapperType:
nullable: true
type: string
federationProviderDisplayName:
nullable: true
type: string
id:
nullable: true
type: string
name:
nullable: true
type: string
type: object
type: array
userFederationProviders:
items:
description: |-
UserFederationProviderRepresentation
<details><summary>JSON schema</summary>
```json { "type": "object", "properties": { "changedSyncPeriod": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "config": { "type": "object", "additionalProperties": { "type": "string" } }, "displayName": { "type": "string" }, "fullSyncPeriod": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "id": { "type": "string" }, "lastSync": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "priority": { "type": "integer", "format": "int32", "maximum": 2147483647.0, "minimum": -2147483648.0 }, "providerName": { "type": "string" } }, "additionalProperties": false } ``` </details>
properties:
changedSyncPeriod:
format: int32
nullable: true
type: integer
config:
additionalProperties:
type: string
type: object
displayName:
nullable: true
type: string
fullSyncPeriod:
format: int32
nullable: true
type: integer
id:
nullable: true
type: string
lastSync:
format: int32
nullable: true
type: integer
priority:
format: int32
nullable: true
type: integer
providerName:
nullable: true
type: string
type: object
type: array
userManagedAccessAllowed:
description: If enabled, users are allowed to manage their resources and permissions using the Account Management UI.
nullable: true
type: boolean
verifiableCredentialsEnabled:
nullable: true
type: boolean
verifyEmail:
description: Require user to verify their email address after initial login or after address changes are submitted.
nullable: true
type: boolean
waitIncrementSeconds:
description: When failure threshold has been met, how much time should the user be locked out?
format: int32
nullable: true
type: integer
webAuthnPolicyAcceptableAaguids:
description: The list of allowed AAGUIDs for which an authenticator can be registered. An AAGUID is a 128-bit identifier indicating the authenticator's type (e.g., make and model).
items:
type: string
type: array
webAuthnPolicyAttestationConveyancePreference:
description: Communicates to an authenticator the preference of how to generate an attestation statement.
enum:
- not specified
- none
- indirect
- direct
nullable: true
type: string
webAuthnPolicyAuthenticatorAttachment:
description: Communicates to an authenticator an acceptable attachment pattern.
enum:
- not specified
- platform
- cross-platform
nullable: true
type: string
webAuthnPolicyAvoidSameAuthenticatorRegister:
description: Avoid registering an authenticator that has already been registered.
nullable: true
type: boolean
webAuthnPolicyCreateTimeout:
description: The timeout value for creating the user's public key credential in seconds. If set to 0, this timeout option is not applied.
format: int32
nullable: true
type: integer
webAuthnPolicyExtraOrigins:
items:
type: string
type: array
webAuthnPolicyPasswordlessAcceptableAaguids:
description: The list of allowed AAGUIDs for which an authenticator can be registered. An AAGUID is a 128-bit identifier indicating the authenticator's type (e.g., make and model).
items:
type: string
type: array
webAuthnPolicyPasswordlessAttestationConveyancePreference:
description: Communicates to an authenticator the preference of how to generate an attestation statement.
enum:
- not specified
- none
- indirect
- direct
nullable: true
type: string
webAuthnPolicyPasswordlessAuthenticatorAttachment:
description: Communicates to an authenticator an acceptable attachment pattern.
enum:
- not specified
- platform
- cross-platform
nullable: true
type: string
webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister:
description: Avoid registering an authenticator that has already been registered.
nullable: true
type: boolean
webAuthnPolicyPasswordlessCreateTimeout:
description: The timeout value for creating the user's public key credential in seconds. If set to 0, this timeout option is not adapted.
format: int32
nullable: true
type: integer
webAuthnPolicyPasswordlessExtraOrigins:
items:
type: string
type: array
webAuthnPolicyPasswordlessRequireResidentKey:
description: It tells an authenticator whether to create a public key credential as a Discoverable Credential.
enum:
- not specified
- "Yes"
- "No"
nullable: true
type: string
webAuthnPolicyPasswordlessRpEntityName:
description: Human-readable server name as WebAuthn Relying Party
nullable: true
type: string
webAuthnPolicyPasswordlessRpId:
description: The WebAuthn Relying Party ID (RpID). It must be the origin's effective domain, e.g. 'company.com' or 'auth.company.com'.
nullable: true
type: string
webAuthnPolicyPasswordlessSignatureAlgorithms:
description: The signature algorithms that should be used for the Authentication Assertion.
items:
description: |-
SignatureAlgorithmsItem
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "Ed25519", "ES256", "ES384", "ES512", "RS256", "RS384", "RS512", "RS1" ] } ``` </details>
enum:
- Ed25519
- ES256
- ES384
- ES512
- RS256
- RS384
- RS512
- RS1
type: string
type: array
webAuthnPolicyPasswordlessUserVerificationRequirement:
description: Communicates to an authenticator whether user verification is required.
enum:
- not specified
- required
- preferred
- discouraged
nullable: true
type: string
webAuthnPolicyRequireResidentKey:
description: It tells an authenticator whether to create a public key credential as a Discoverable Credential.
enum:
- not specified
- "Yes"
- "No"
nullable: true
type: string
webAuthnPolicyRpEntityName:
description: Human-readable server name as WebAuthn Relying Party
nullable: true
type: string
webAuthnPolicyRpId:
description: The WebAuthn Relying Party ID (RpID). It must be the origin's effective domain, e.g. 'company.com' or 'auth.company.com'.
nullable: true
type: string
webAuthnPolicySignatureAlgorithms:
description: The signature algorithms that should be used for the Authentication Assertion.
items:
description: |-
SignatureAlgorithmsItem
<details><summary>JSON schema</summary>
```json { "type": "string", "enum": [ "Ed25519", "ES256", "ES384", "ES512", "RS256", "RS384", "RS512", "RS1" ] } ``` </details>
enum:
- Ed25519
- ES256
- ES384
- ES512
- RS256
- RS384
- RS512
- RS1
type: string
type: array
webAuthnPolicyUserVerificationRequirement:
description: Communicates to an authenticator whether user verification is required.
enum:
- not specified
- required
- preferred
- discouraged
nullable: true
type: string
type: object
x-kubernetes-validations:
- message: Value is immutable
rule: has(self.realm) == has(oldSelf.realm)
instanceRef:
description: The name of the namespaced instance to which this object belongs.
type: string
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf
options:
description: Options for the request to the Keycloak Admin API.
nullable: true
type: object
patchFrom:
additionalProperties:
description: EnvVarSource represents a source for the value of an EnvVar.
properties:
configMapKeyRef:
description: Selects a key of a ConfigMap.
properties:
key:
description: The key to select.
type: string
name:
description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
optional:
description: Specify whether the ConfigMap or its key must be defined
type: boolean
required:
- key
- name
type: object
fieldRef:
description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels[''<KEY>'']`, `metadata.annotations[''<KEY>'']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.'
properties:
apiVersion:
description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
type: string
fieldPath:
description: Path of the field to select in the specified API version.
type: string
required:
- fieldPath
type: object
resourceFieldRef:
description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.'
properties:
containerName:
description: 'Container name: required for volumes, optional for env vars'
type: string
divisor:
description: Specifies the output format of the exposed resources, defaults to "1"
type: string
resource:
description: 'Required: resource to select'
type: string
required:
- resource
type: object
secretKeyRef:
description: Selects a key of a secret in the pod's namespace
properties:
key:
description: The key of the secret to select from. Must be a valid secret key.
type: string
name:
description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
optional:
description: Specify whether the Secret or its key must be defined
type: boolean
required:
- key
- name
type: object
valueAs:
enum:
- auto
- string
- number
- yaml
- json
- bool
nullable: true
type: string
type: object
description: Defines additional values that can be loaded from secrets or configmaps. Field selectors are not supported. For more information, see [the patches documentation](../configuration/patches.md).
type: object
patchFrom2:
items:
description: EnvVarSource represents a source for the value of an EnvVar.
properties:
configMapKeyRef:
description: Selects a key of a ConfigMap.
properties:
key:
description: The key to select.
type: string
name:
description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
optional:
description: Specify whether the ConfigMap or its key must be defined
type: boolean
required:
- key
- name
type: object
fieldRef:
description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels[''<KEY>'']`, `metadata.annotations[''<KEY>'']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.'
properties:
apiVersion:
description: Version of the schema the FieldPath is written in terms of, defaults to "v1".
type: string
fieldPath:
description: Path of the field to select in the specified API version.
type: string
required:
- fieldPath
type: object
path:
type: string
resourceFieldRef:
description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.'
properties:
containerName:
description: 'Container name: required for volumes, optional for env vars'
type: string
divisor:
description: Specifies the output format of the exposed resources, defaults to "1"
type: string
resource:
description: 'Required: resource to select'
type: string
required:
- resource
type: object
secretKeyRef:
description: Selects a key of a secret in the pod's namespace
properties:
key:
description: The key of the secret to select from. Must be a valid secret key.
type: string
name:
description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
optional:
description: Specify whether the Secret or its key must be defined
type: boolean
required:
- key
- name
type: object
valueAs:
enum:
- auto
- string
- number
- yaml
- json
- bool
nullable: true
type: string
required:
- path
type: object
type: array
required:
- definition
type: object
status:
nullable: true
properties:
conditions:
items:
properties:
lastTransitionTime:
description: Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
format: date-time
nullable: true
type: string
message:
nullable: true
type: string
reason:
nullable: true
type: string
status:
type: string
type:
type: string
required:
- status
- type
type: object
type: array
instance:
anyOf:
- required:
- instanceRef
- required:
- clusterInstanceRef
properties:
clusterInstanceRef:
description: The name of the cluster instance to which this object belongs.
type: string
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf
instanceRef:
description: The name of the namespaced instance to which this object belongs.
type: string
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf
type: object
message:
type: string
ready:
type: boolean
resourcePath:
type: string
status:
type: string
required:
- ready
type: object
required:
- spec
title: KeycloakRealm
type: object
served: true
storage: true
subresources:
status: {}