Keycloak Operator API
Packages:
v1.edp.epam.com/v1alpha1
Resource Types:
ClusterKeycloakRealm
ClusterKeycloakRealm is the Schema for the clusterkeycloakrealms API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1alpha1 | true |
kind | string | ClusterKeycloakRealm | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | ClusterKeycloakRealmSpec defines the desired state of ClusterKeycloakRealm. | false |
status | object | ClusterKeycloakRealmStatus defines the observed state of ClusterKeycloakRealm. | false |
ClusterKeycloakRealm.spec
ClusterKeycloakRealmSpec defines the desired state of ClusterKeycloakRealm.
Name | Type | Description | Required |
---|---|---|---|
clusterKeycloakRef | string | ClusterKeycloakRef is a name of the ClusterKeycloak instance that owns the realm. | true |
realmName | string | RealmName specifies the name of the realm. | true |
authenticationFlows | object | AuthenticationFlow is the configuration for authentication flows in the realm. | false |
browserSecurityHeaders | map[string]string | BrowserSecurityHeaders is a map of security headers to apply to HTTP responses from the realm's browser clients. | false |
displayHtmlName | string | DisplayHTMLName name to render in the UI. | false |
displayName | string | DisplayName is the display name of the realm. | false |
frontendUrl | string | FrontendURL sets the frontend URL for the realm. Use in combination with the default hostname provider to override the base URL for frontend requests for a specific realm. | false |
localization | object | Localization is the configuration for localization in the realm. | false |
passwordPolicy | []object | PasswordPolicies is a list of password policies to apply to the realm. | false |
realmEventConfig | object | RealmEventConfig is the configuration for events in the realm. | false |
themes | object | Themes is a map of themes to apply to the realm. | false |
tokenSettings | object | TokenSettings is the configuration for tokens in the realm. | false |
userProfileConfig | object | UserProfileConfig is the configuration for user profiles in the realm. | false |
ClusterKeycloakRealm.spec.authenticationFlows
AuthenticationFlow is the configuration for authentication flows in the realm.
Name | Type | Description | Required |
---|---|---|---|
browserFlow | string | BrowserFlow specifies the authentication flow to use for the realm's browser clients. | false |
ClusterKeycloakRealm.spec.localization
Localization is the configuration for localization in the realm.
Name | Type | Description | Required |
---|---|---|---|
internationalizationEnabled | boolean | InternationalizationEnabled indicates whether to enable internationalization. | false |
ClusterKeycloakRealm.spec.passwordPolicy[index]
Name | Type | Description | Required |
---|---|---|---|
type | string | Type of password policy. | true |
value | string | Value of password policy. | true |
ClusterKeycloakRealm.spec.realmEventConfig
RealmEventConfig is the configuration for events in the realm.
Name | Type | Description | Required |
---|---|---|---|
adminEventsDetailsEnabled | boolean | AdminEventsDetailsEnabled indicates whether to enable detailed admin events. | false |
adminEventsEnabled | boolean | AdminEventsEnabled indicates whether to enable admin events. | false |
enabledEventTypes | []string | EnabledEventTypes is a list of event types to enable. | false |
eventsEnabled | boolean | EventsEnabled indicates whether to enable events. | false |
eventsExpiration | integer | EventsExpiration is the number of seconds after which events expire. | false |
eventsListeners | []string | EventsListeners is a list of event listeners to enable. | false |
ClusterKeycloakRealm.spec.themes
Themes is a map of themes to apply to the realm.
Name | Type | Description | Required |
---|---|---|---|
accountTheme | string | AccountTheme specifies the account theme to use for the realm. | false |
adminConsoleTheme | string | AdminConsoleTheme specifies the admin console theme to use for the realm. | false |
emailTheme | string | EmailTheme specifies the email theme to use for the realm. | false |
loginTheme | string | LoginTheme specifies the login theme to use for the realm. | false |
ClusterKeycloakRealm.spec.tokenSettings
TokenSettings is the configuration for tokens in the realm.
Name | Type | Description | Required |
---|---|---|---|
accessCodeLifespan | integer | AccessCodeLifespan specifies the max time (in seconds) a client has to finish the access token protocol. This should normally be 1 minute. Default: 60 | false |
accessToken | integer | AccessTokenLifespanForImplicitFlow specifies the max time (in seconds) before an access token is expired for the implicit flow. Default: 900 | false |
accessTokenLifespan | integer | AccessTokenLifespan specifies the max time (in seconds) before an access token is expired. This value is recommended to be short relative to the SSO timeout. Default: 300 | false |
actionTokenGeneratedByAdminLifespan | integer | ActionTokenGeneratedByAdminLifespan specifies the max time (in seconds) before an action permit sent to a user by an administrator is expired. This value is recommended to be long, to allow administrators to send e-mails to users that are currently offline. The default timeout can be overridden immediately before issuing the token. Default: 43200 | false |
actionTokenGeneratedByUserLifespan | integer | AccessCodeLifespanUserAction specifies the max time (in seconds) before an action permit sent by a user (such as a forgot-password e-mail) is expired. This value is recommended to be short, because the user is expected to react to a self-created action quickly. Default: 300 | false |
defaultSignatureAlgorithm | enum | DefaultSignatureAlgorithm specifies the default algorithm used to sign tokens for the realm. Enum: ES256, ES384, ES512, EdDSA, HS256, HS384, HS512, PS256, PS384, PS512, RS256, RS384, RS512 | false |
refreshTokenMaxReuse | integer | RefreshTokenMaxReuse specifies the maximum number of times a refresh token can be reused. When a different token is used, revocation is immediate. Default: 0 | false |
revokeRefreshToken | boolean | RevokeRefreshToken: if enabled, a refresh token can only be used up to 'refreshTokenMaxReuse' times and is revoked when a different token is used. Otherwise, refresh tokens are not revoked when used and can be used multiple times. Default: false | false |
ClusterKeycloakRealm.spec.userProfileConfig
UserProfileConfig is the configuration for user profiles in the realm.
Name | Type | Description | Required |
---|---|---|---|
attributes | []object | Attributes specifies the list of user profile attributes. | false |
groups | []object | Groups specifies the list of user profile groups. | false |
unmanagedAttributePolicy | string | UnmanagedAttributePolicy controls how user attributes that are not explicitly defined in the user profile configuration are handled. An empty value means that unmanaged attributes are disabled. Possible values: ENABLED - unmanaged attributes are allowed; ADMIN_VIEW - unmanaged attributes are read-only and only available through the administration console and API; ADMIN_EDIT - unmanaged attributes can be managed only through the administration console and API. | false |
ClusterKeycloakRealm.spec.userProfileConfig.attributes[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of the user attribute, used to uniquely identify an attribute. | true |
annotations | map[string]string | Annotations specifies the annotations for the attribute. | false |
displayName | string | Display name for the attribute. | false |
group | string | Group to which the attribute belongs. | false |
multivalued | boolean | Multivalued specifies if this attribute supports multiple values. This setting is an indicator and does not enable any validation. | false |
permissions | object | Permissions specifies the permissions for the attribute. | false |
required | object | Required indicates that the attribute must be set by users and administrators. | false |
selector | object | Selector specifies the scopes for which the attribute is available. | false |
validations | map[string]map[string]object | Validations specifies the validations for the attribute. | false |
ClusterKeycloakRealm.spec.userProfileConfig.attributes[index].permissions
Permissions specifies the permissions for the attribute.
Name | Type | Description | Required |
---|---|---|---|
edit | []string | Edit specifies who can edit the attribute. | false |
view | []string | View specifies who can view the attribute. | false |
ClusterKeycloakRealm.spec.userProfileConfig.attributes[index].required
Required indicates that the attribute must be set by users and administrators.
Name | Type | Description | Required |
---|---|---|---|
roles | []string | Roles specifies the roles for whom the attribute is required. | false |
scopes | []string | Scopes specifies the scopes when the attribute is required. | false |
ClusterKeycloakRealm.spec.userProfileConfig.attributes[index].selector
Selector specifies the scopes for which the attribute is available.
Name | Type | Description | Required |
---|---|---|---|
scopes | []string | Scopes specifies the scopes for which the attribute is available. | false |
ClusterKeycloakRealm.spec.userProfileConfig.attributes[index].validations[key][key]
Name | Type | Description | Required |
---|---|---|---|
intVal | integer | | false |
mapVal | map[string]string | | false |
sliceVal | []string | | false |
stringVal | string | | false |
ClusterKeycloakRealm.spec.userProfileConfig.groups[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Name is unique name of the group. | true |
annotations | map[string]string | Annotations specifies the annotations for the group. Nullable. | false |
displayDescription | string | DisplayDescription specifies a user-friendly name for the group that should be used when rendering a group of attributes in user-facing forms. | false |
displayHeader | string | DisplayHeader specifies a text that should be used as a header when rendering user-facing forms. | false |
ClusterKeycloakRealm.status
ClusterKeycloakRealmStatus defines the observed state of ClusterKeycloakRealm.
Name | Type | Description | Required |
---|---|---|---|
available | boolean | | false |
failureCount | integer | Format: int64 | false |
value | string | | false |
ClusterKeycloak
ClusterKeycloak is the Schema for the clusterkeycloaks API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1alpha1 | true |
kind | string | ClusterKeycloak | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | ClusterKeycloakSpec defines the desired state of ClusterKeycloak. | false |
status | object | ClusterKeycloakStatus defines the observed state of ClusterKeycloak. Default: map[connected:false] | false |
ClusterKeycloak.spec
ClusterKeycloakSpec defines the desired state of ClusterKeycloak.
Name | Type | Description | Required |
---|---|---|---|
secret | string | Secret is a secret name which contains admin credentials. | true |
url | string | URL of keycloak service. | true |
adminType | enum | AdminType can be user or serviceAccount; if serviceAccount is specified, then the client_credentials grant type should be used for getting the admin realm token. Enum: serviceAccount, user | false |
caCert | object | CACert defines the root certificate authority that API clients use when verifying server certificates. Resources should be in the namespace defined in the operator's OPERATOR_NAMESPACE env. | false |
insecureSkipVerify | boolean | InsecureSkipVerify controls whether the API client verifies the server's certificate chain and host name. If InsecureSkipVerify is true, the API client accepts any certificate presented by the server and any host name in that certificate. | false |
ClusterKeycloak.spec.caCert
CACert defines the root certificate authority that API clients use when verifying server certificates. Resources should be in the namespace defined in the operator's OPERATOR_NAMESPACE env.
Name | Type | Description | Required |
---|---|---|---|
configMapKeyRef | object | Selects a key of a ConfigMap. | false |
secretKeyRef | object | Selects a key of a secret. | false |
ClusterKeycloak.spec.caCert.configMapKeyRef
Selects a key of a ConfigMap.
Name | Type | Description | Required |
---|---|---|---|
key | string | The key to select. | true |
name | string | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names | false |
ClusterKeycloak.spec.caCert.secretKeyRef
Selects a key of a secret.
Name | Type | Description | Required |
---|---|---|---|
key | string | The key of the secret to select from. | true |
name | string | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names | false |
ClusterKeycloak.status
ClusterKeycloakStatus defines the observed state of ClusterKeycloak.
Name | Type | Description | Required |
---|---|---|---|
connected | boolean | Connected shows if keycloak service is up and running. | true |
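The manifests below are an added example, not part of the operator's own documentation, showing how the ClusterKeycloak.spec and ClusterKeycloakRealm.spec fields above fit together: the operator's TLS connection to Keycloak is pinned to a CA from a Secret instead of disabling verification with insecureSkipVerify, the realm has login and admin events switched on, and refresh tokens are single-use. All names, the URL and the CA placeholder are constructed values.

```yaml
# Weak setting (shown for contrast): the operator accepts any certificate and
# any host name the Keycloak endpoint presents, so a forged endpoint can
# collect the admin credentials the operator authenticates with.
#
#   apiVersion: v1.edp.epam.com/v1alpha1
#   kind: ClusterKeycloak
#   spec:
#     insecureSkipVerify: true
---
# Corrected setting: ship the issuing CA in a Secret in the operator's
# OPERATOR_NAMESPACE and reference it from spec.caCert.secretKeyRef.
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-ca                  # constructed name
type: Opaque
stringData:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    <constructed placeholder: PEM of the CA that issued the Keycloak server certificate>
    -----END CERTIFICATE-----
---
apiVersion: v1.edp.epam.com/v1alpha1
kind: ClusterKeycloak
metadata:
  name: main-keycloak                # constructed name
spec:
  url: https://keycloak.example.internal   # constructed URL
  secret: keycloak-admin             # constructed name of the Secret holding admin credentials
  adminType: serviceAccount          # client_credentials grant rather than a human admin user
  insecureSkipVerify: false
  caCert:
    secretKeyRef:
      name: keycloak-ca
      key: ca.crt
---
apiVersion: v1.edp.epam.com/v1alpha1
kind: ClusterKeycloakRealm
metadata:
  name: team-realm                   # constructed name
spec:
  clusterKeycloakRef: main-keycloak
  realmName: team
  realmEventConfig:
    eventsEnabled: true              # user events (logins, failures) are recorded
    adminEventsEnabled: true         # admin console / API changes are recorded
    adminEventsDetailsEnabled: true  # include the representation that was changed
    eventsExpiration: 2592000        # 30 days, in seconds
    eventsListeners: ["jboss-logging"]
    enabledEventTypes: ["LOGIN", "LOGIN_ERROR", "LOGOUT"]
  tokenSettings:
    accessTokenLifespan: 300         # keep access tokens short-lived (seconds)
    revokeRefreshToken: true
    refreshTokenMaxReuse: 0          # a replayed refresh token is rejected and the session revoked
    defaultSignatureAlgorithm: RS256
```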
v1.edp.epam.com/v1
Resource Types:
KeycloakAuthFlow
KeycloakAuthFlow is the Schema for the keycloak authentication flow API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1 | true |
kind | string | KeycloakAuthFlow | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | KeycloakAuthFlowSpec defines the desired state of KeycloakAuthFlow. | false |
status | object | KeycloakAuthFlowStatus defines the observed state of KeycloakAuthFlow. | false |
KeycloakAuthFlow.spec
KeycloakAuthFlowSpec defines the desired state of KeycloakAuthFlow.
Name | Type | Description | Required |
---|---|---|---|
alias | string | Alias is display name for authentication flow. | true |
builtIn | boolean | BuiltIn is true if this is built-in auth flow. | true |
providerId | string | ProviderID for root auth flow and provider for child auth flows. | true |
topLevel | boolean | TopLevel is true if this is root auth flow. | true |
authenticationExecutions | []object | AuthenticationExecutions is list of authentication executions for this auth flow. | false |
childRequirement | string | ChildRequirement is requirement for child execution. Available options: REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL. | false |
childType | string | ChildType is the type of the auth flow if it has a parent. Available options: basic-flow, form-flow. | false |
description | string | Description is description for authentication flow. | false |
parentName | string | ParentName is name of parent auth flow. | false |
realm | string | Deprecated: use RealmRef instead. Realm is name of KeycloakRealm custom resource. | false |
realmRef | object | RealmRef is reference to Realm custom resource. | false |
KeycloakAuthFlow.spec.authenticationExecutions[index]
AuthenticationExecution defines keycloak authentication execution.
Name | Type | Description | Required |
---|---|---|---|
alias | string | Alias is display name for this execution. | false |
authenticator | string | Authenticator is name of authenticator. | false |
authenticatorConfig | object | AuthenticatorConfig is configuration for authenticator. | false |
authenticatorFlow | boolean | AuthenticatorFlow is true if this is auth flow. | false |
priority | integer | Priority is priority for this execution. Lower values have higher priority. | false |
requirement | string | Requirement is requirement for this execution. Available options: REQUIRED, ALTERNATIVE, DISABLED, CONDITIONAL. | false |
KeycloakAuthFlow.spec.authenticationExecutions[index].authenticatorConfig
AuthenticatorConfig is configuration for authenticator.
Name | Type | Description | Required |
---|---|---|---|
alias | string | Alias is display name for authenticator config. | false |
config | map[string]string | Config is configuration for authenticator. | false |
KeycloakAuthFlow.spec.realmRef
RealmRef is reference to Realm custom resource.
Name | Type | Description | Required |
---|---|---|---|
kind | enum | Kind specifies the kind of the Keycloak resource. Enum: KeycloakRealm, ClusterKeycloakRealm | false |
name | string | Name specifies the name of the Keycloak resource. | false |
KeycloakAuthFlow.status
KeycloakAuthFlowStatus defines the observed state of KeycloakAuthFlow.
Name | Type | Description | Required |
---|---|---|---|
failureCount | integer | Format: int64 | false |
value | string | | false |
KeycloakClient
KeycloakClient is the Schema for the keycloak clients API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | v1.edp.epam.com/v1 | true |
kind | string | KeycloakClient | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | KeycloakClientSpec defines the desired state of KeycloakClient. | false |
status | object | KeycloakClientStatus defines the observed state of KeycloakClient. | false |
KeycloakClient.spec
KeycloakClientSpec defines the desired state of KeycloakClient.
Name | Type | Description | Required |
---|---|---|---|
clientId | string | ClientId is a unique keycloak client ID referenced in URI and tokens. | true |
adminUrl | string | AdminUrl | false |
advancedProtocolMappers | boolean | AdvancedProtocolMappers is a flag to enable advanced protocol mappers. | false |
attributes | map[string]string | Attributes is a map of client attributes. Default: map[post.logout.redirect.uris:+] | false |
authorization | object | Authorization is a client authorization configuration. | false |
authorizationServicesEnabled | boolean | AuthorizationServicesEnabled enables or disables fine-grained authorization support for a client. | false |
bearerOnly | boolean | BearerOnly is a flag to enable bearer-only. | false |
clientAuthenticatorType | string | ClientAuthenticatorType is a client authenticator type. Default: client-secret | false |
clientRoles | []string | ClientRoles is a list of client roles names assigned to client. | false |
consentRequired | boolean | ConsentRequired is a flag to enable consent. | false |
defaultClientScopes | []string | DefaultClientScopes is a list of default client scopes assigned to client. | false |
description | string | Description is a client description. | false |
directAccess | boolean | DirectAccess is a flag to set client as direct access. | false |
enabled | boolean | Enabled is a flag to enable client. Default: true | false |
frontChannelLogout | boolean | FrontChannelLogout is a flag to enable front channel logout. | false |
fullScopeAllowed | boolean | FullScopeAllowed is a flag to enable full scope. Default: true | false |
homeUrl | string | | false |
implicitFlowEnabled | boolean | ImplicitFlowEnabled is a flag to enable support for OpenID Connect redirect based authentication without authorization code. | false |
name | string | Name is a client name. | false |
optionalClientScopes | []string | OptionalClientScopes is a list of optional client scopes assigned to client. | false |
protocol | string | Protocol is a client protocol. | false |
protocolMappers | []object | ProtocolMappers is a list of protocol mappers assigned to client. | false |
public | boolean | Public is a flag to set client as public. | false |
realmRef | object | RealmRef is reference to Realm custom resource. | false |
realmRoles | []object | RealmRoles is a list of realm roles assigned to client. | false |
reconciliationStrategy | enum | ReconciliationStrategy is a strategy to reconcile client. Enum: full, addOnly | false |
redirectUris | []string | RedirectUris is a list of valid URI patterns a browser can redirect to after a successful login. Simple wildcards are allowed, such as 'https://example.com/*'. A relative path can be specified too, such as /my/relative/path/*. Relative paths are relative to the client root URL. If not specified, spec.webUrl + "/*" will be used. | false |
secret | string | Secret is the kubernetes secret name where the client's secret will be stored. Secret should have the following format: $secretName:secretKey. If not specified, a client secret will be generated and stored in a secret with the name | false |
serviceAccount | object | ServiceAccount is a service account configuration. | false |
standardFlowEnabled | boolean | StandardFlowEnabled is a flag to enable standard flow. Default: true | false |
surrogateAuthRequired | boolean | SurrogateAuthRequired is a flag to enable surrogate auth. | false |
targetRealm | string | Deprecated: use RealmRef instead. TargetRealm is a realm name where client will be created. It has higher priority than RealmRef for backward compatibility. If both TargetRealm and RealmRef are specified, TargetRealm will be used for client creation. | false |
webOrigins | []string | WebOrigins is a list of allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does not include the '*' wildcard though. To permit all origins, explicitly add '*'. If not specified, the value from | false |
webUrl | string | WebUrl is a client web url. | false |
KeycloakClient.spec.authorization
Authorization is a client authorization configuration.
Name | Type | Description | Required |
---|---|---|---|
permissions | []object | | false |
policies | []object | | false |
resources | []object | | false |
scopes | []string | | false |
KeycloakClient.spec.authorization.permissions[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Name is a permission name. | true |
type | enum | Type is a permission type. Enum: resource, scope | true |
decisionStrategy | enum | DecisionStrategy is a permission decision strategy. Enum: UNANIMOUS, AFFIRMATIVE, CONSENSUS | false |
description | string | Description is a permission description. | false |
logic | enum | Logic is a permission logic. Enum: POSITIVE, NEGATIVE | false |
policies | []string | Policies is a list of policy names. Specifies all the policies that must be applied to the scopes defined by this policy or permission. | false |
resources | []string | Resources is a list of resource names. Specifies that this permission must be applied to all resource instances of a given type. | false |
scopes | []string | Scopes is a list of authorization scope names. Specifies that this permission must be applied to one or more scopes. | false |
KeycloakClient.spec.authorization.policies[index]
Policy represents a client authorization policy.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name is a policy name. | true |
type | enum | Type is a policy type. Enum: aggregate, client, group, role, time, user | true |
aggregatedPolicy | object | AggregatedPolicy is an aggregated policy settings. | false |
clientPolicy | object | ClientPolicy is a client policy settings. | false |
decisionStrategy | enum | DecisionStrategy is a policy decision strategy. Enum: UNANIMOUS, AFFIRMATIVE, CONSENSUS | false |
description | string | Description is a policy description. | false |
groupPolicy | object | GroupPolicy is a group policy settings. | false |
logic | enum | Logic is a policy logic. Enum: POSITIVE, NEGATIVE | false |
rolePolicy | object | RolePolicy is a role policy settings. | false |
timePolicy | object | TimePolicy is a time policy settings. | false |
userPolicy | object | UserPolicy is a user policy settings. | false |
KeycloakClient.spec.authorization.policies[index].aggregatedPolicy
AggregatedPolicy is an aggregated policy settings.
Name | Type | Description | Required |
---|---|---|---|
policies | []string | Policies is a list of aggregated policy names. Specifies all the policies that must be applied to the scopes defined by this policy or permission. | true |
KeycloakClient.spec.authorization.policies[index].clientPolicy
ClientPolicy is a client policy settings.
Name | Type | Description | Required |
---|---|---|---|
clients | []string | Clients is a list of client names. Specifies which client(s) are allowed by this policy. | true |
KeycloakClient.spec.authorization.policies[index].groupPolicy
GroupPolicy is a group policy settings.
Name | Type | Description | Required |
---|---|---|---|
groups | []object | Groups is a list of group names. Specifies which group(s) are allowed by this policy. | false |
groupsClaim | string | GroupsClaim is a group claim. If defined, the policy will fetch the user's groups from the given claim within an access token or ID token representing the identity asking for permissions. If not defined, the user's groups are obtained from your realm configuration. | false |
KeycloakClient.spec.authorization.policies[index].groupPolicy.groups[index]
GroupDefinition represents a group in a GroupPolicyData.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name is a group name. | true |
extendChildren | boolean | ExtendChildren is a flag that specifies whether to extend children. | false |
KeycloakClient.spec.authorization.policies[index].rolePolicy
RolePolicy is a role policy settings.
Name | Type | Description | Required |
---|---|---|---|
roles | []object | Roles is a list of roles. | true |
KeycloakClient.spec.authorization.policies[index].rolePolicy.roles[index]
RoleDefinition represents a role in a RolePolicyData.
Name | Type | Description | Required |
---|---|---|---|
name | string | Name is a role name. | true |
required | boolean | Required is a flag that specifies whether the role is required. | false |
KeycloakClient.spec.authorization.policies[index].timePolicy
TimePolicy is a time policy settings.
Name | Type | Description | Required |
---|---|---|---|
notBefore | string | NotBefore defines the time before which the policy MUST NOT be granted. Only granted if the current date/time is after or equal to this value. | true |
notOnOrAfter | string | NotOnOrAfter defines the time after which the policy MUST NOT be granted. Only granted if the current date/time is before or equal to this value. | true |
dayMonth | string | DayMonth defines the day of the month on which the policy MUST be granted. You can also provide a range by filling the dayMonthEnd field. In this case, permission is granted only if the current day of the month is between or equal to the two values you provided. | false |
dayMonthEnd | string | | false |
hour | string | Hour defines the hour when the policy MUST be granted. You can also provide a range by filling the hourEnd field. In this case, permission is granted only if the current hour is between or equal to the two values you provided. | false |
hourEnd | string | | false |
minute | string | Minute defines the minute when the policy MUST be granted. You can also provide a range by filling the minuteEnd field. In this case, permission is granted only if the current minute is between or equal to the two values you provided. | false |
minuteEnd | string | | false |
month | string | Month defines the month in which the policy MUST be granted. You can also provide a range by filling the monthEnd field. In this case, permission is granted only if the current month is between or equal to the two values you provided. | false |
monthEnd | string | | false |
KeycloakClient.spec.authorization.policies[index].userPolicy
UserPolicy is a user policy settings.
Name | Type | Description | Required |
---|---|---|---|
users | []string | Users is a list of usernames. Specifies which user(s) are allowed by this policy. | true |
KeycloakClient.spec.authorization.resources[index]
Name | Type | Description | Required |
---|---|---|---|
displayName | string | DisplayName is a user-friendly name for the resource. | true |
name | string | Name is unique resource name. | true |
attributes | map[string][]string | Attributes is a map of resource attributes. | false |
iconUri | string | IconURI pointing to an icon. | false |
ownerManagedAccess | boolean | OwnerManagedAccess if enabled, the access to this resource can be managed by the resource owner. | false |
scopes | []string | Scopes requested or assigned in advance to the client to determine whether the policy is applied to this client. The condition is evaluated during the OpenID Connect authorization request and/or token request. | false |
type | string | Type of this resource. It can be used to group different resource instances with the same type. | false |
uris | []string | URIs which are protected by resource. | false |