XRDs
API Reference
Packages:
k8saas.io/v1alpha1
Resource Types:
KeycloakClient
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | k8saas.io/v1alpha1 | true |
| kind | string | KeycloakClient | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | | false |
KeycloakClient.spec
| Name | Type | Description | Required |
|---|---|---|---|
| clientConfiguration | object | The complete Keycloak client configuration. Set values from the spec.forProvider object documented at https://marketplace.upbound.io/providers/crossplane-contrib/provider-keycloak/v1.9.2/resources/openidclient.keycloak.crossplane.io/Client/v1alpha1. | false |
| clientId | string | The Client ID for this client, referenced in the URI during authentication and in issued tokens. | false |
| groupMembershipClaim | string | Default: groups | false |
| optionalScopes | []string | Default: [address phone offline_access microprofile-jwt groups] | false |
| realmId | string | The realm this client is attached to. | false |
KeycloakClient.spec.clientConfiguration
The complete Keycloak client configuration. Set values from the spec.forProvider object documented at https://marketplace.upbound.io/providers/crossplane-contrib/provider-keycloak/v1.9.2/resources/openidclient.keycloak.crossplane.io/Client/v1alpha1.
| Name | Type | Description | Required |
|---|---|---|---|
| accessTokenLifespan | string | The amount of time in seconds before an access token expires. This will override the default for the realm. | false |
| accessType | string | Specifies the type of client, which can be one of the following: | false |
| adminUrl | string | URL to the admin interface of the client. | false |
| authenticationFlowBindingOverrides | []object | Override realm authentication flow bindings | false |
| authorization | []object | When this block is present, fine-grained authorization will be enabled for this client. The client’s access_type must be CONFIDENTIAL, and service_accounts_enabled must be true. This block has the following arguments: | false |
| backchannelLogoutRevokeOfflineSessions | boolean | Specifying whether a “revoke_offline_access” event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. | false |
| backchannelLogoutSessionRequired | boolean | When true, a sid (session ID) claim will be included in the logout token when the backchannel logout URL is used. Defaults to true. | false |
| backchannelLogoutUrl | string | The URL that will cause the client to log itself out when a logout request is sent to this realm. If omitted, no logout request will be sent to the client in this case. | false |
| baseUrl | string | Default URL to use when the auth server needs to redirect or link back to the client. | false |
| clientAuthenticatorType | string | Defaults to client-secret. The authenticator type for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. A default Keycloak installation will have the following available types: | false |
| clientOfflineSessionIdleTimeout | string | Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value. | false |
| clientOfflineSessionMaxLifespan | string | Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value. | false |
| clientSecretSecretRef | object | The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak. | false |
| clientSessionIdleTimeout | string | Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value. | false |
| clientSessionMaxLifespan | string | Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value. | false |
| consentRequired | boolean | When true, users have to consent to client access. Defaults to false. | false |
| consentScreenText | string | The text to display on the consent screen about permissions specific to this client. This is applicable only when display_on_consent_screen is true. | false |
| description | string | The description of this client in the GUI. | false |
| directAccessGrantsEnabled | boolean | When true, the OAuth2 Resource Owner Password Grant will be enabled for this client. Defaults to false. | false |
| displayOnConsentScreen | boolean | When true, the consent screen will display information about the client itself. Defaults to false. This is applicable only when consent_required is true. | false |
| enabled | boolean | When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true. | false |
| excludeSessionStateFromAuthResponse | boolean | When true, the parameter session_state will not be included in OpenID Connect Authentication Response. | false |
| extraConfig | map[string]string | A map of key/value pairs to add extra configuration attributes to this client. Use this attribute at your own risk, as it may conflict with top-level configuration attributes in future provider updates. For example, the extra_config map can be used to set the Authentication Context Class Reference (ACR) to Level of Authentication (LoA) mapping. | false |
| frontchannelLogoutEnabled | boolean | When true, frontchannel logout will be enabled for this client. Specify the url with frontchannel_logout_url. Defaults to false. | false |
| frontchannelLogoutUrl | string | The frontchannel logout url. This is applicable only when frontchannel_logout_enabled is true. | false |
| fullScopeAllowed | boolean | Allow to include all roles mappings in the access token. | false |
| implicitFlowEnabled | boolean | When true, the OAuth2 Implicit Grant will be enabled for this client. Defaults to false. | false |
| import | boolean | When true, the client with the specified client_id is assumed to already exist, and it will be imported into state instead of being created. This attribute is useful when dealing with clients that Keycloak creates automatically during realm creation, such as account and admin-cli. Note, that the client will not be removed during destruction if import is true. | false |
| loginTheme | string | The client login theme. This will override the default theme for the realm. | false |
| name | string | The display name of this client in the GUI. | false |
| oauth2DeviceAuthorizationGrantEnabled | boolean | Enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. | false |
| oauth2DeviceCodeLifespan | string | The maximum amount of time a client has to finish the device code flow before it expires. | false |
| oauth2DevicePollingInterval | string | The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. | false |
| pkceCodeChallengeMethod | string | The challenge method to use for Proof Key for Code Exchange. Can be either plain or S256, or set to an empty value (""). | false |
| rootUrl | string | When specified, this URL is prepended to any relative URLs found within valid_redirect_uris, web_origins, and admin_url. NOTE: Due to limitations in the Keycloak API, when the root_url attribute is used, the valid_redirect_uris, web_origins, and admin_url attributes will be required. | false |
| serviceAccountsEnabled | boolean | When true, the OAuth2 Client Credentials grant will be enabled for this client. Defaults to false. | false |
| standardFlowEnabled | boolean | When true, the OAuth2 Authorization Code Grant will be enabled for this client. Defaults to false. | false |
| useRefreshTokens | boolean | If this is true, a refresh_token will be created and added to the token response. If this is false then no refresh_token will be generated. Defaults to true. | false |
| useRefreshTokensClientCredentials | boolean | If this is true, a refresh_token will be created and added to the token response if the client_credentials grant is used and a user session will be created. If this is false then no refresh_token will be generated and the associated user session will be removed, in accordance with OAuth 2.0 RFC6749 Section 4.4.3. Defaults to false. | false |
| validPostLogoutRedirectUris | []string | A list of valid URIs a browser is permitted to redirect to after a successful logout. | false |
| validRedirectUris | []string | A list of valid URIs a browser is permitted to redirect to after a successful login or logout. Simple wildcards in the form of an asterisk can be used here. This attribute must be set if either standard_flow_enabled or implicit_flow_enabled is set to true. | false |
| webOrigins | []string | A list of allowed CORS origins. To permit all valid redirect URIs, add +. Note that this will not include the * wildcard. To permit all origins, explicitly add *. | false |
KeycloakClient.spec.clientConfiguration.authenticationFlowBindingOverrides[index]
| Name | Type | Description | Required |
|---|---|---|---|
| browserId | string | Browser flow id (flow needs to exist) | false |
| browserIdRef | object | Reference to a Flow in authenticationflow to populate browserId. | false |
| browserIdSelector | object | Selector for a Flow in authenticationflow to populate browserId. | false |
| directGrantId | string | Direct grant flow id (flow needs to exist) | false |
| directGrantIdRef | object | Reference to a Flow in authenticationflow to populate directGrantId. | false |
| directGrantIdSelector | object | Selector for a Flow in authenticationflow to populate directGrantId. | false |
KeycloakClient.spec.clientConfiguration.authenticationFlowBindingOverrides[index].browserIdRef
Reference to a Flow in authenticationflow to populate browserId.
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the referenced object. | true |
| policy | object | Policies for referencing. | false |
KeycloakClient.spec.clientConfiguration.authenticationFlowBindingOverrides[index].browserIdRef.policy
Policies for referencing.
| Name | Type | Description | Required |
|---|---|---|---|
| resolution | enum | Resolution specifies whether resolution of this reference is required. The default is ‘Required’, which means the reconcile will fail if the reference cannot be resolved. ‘Optional’ means this reference will be a no-op if it cannot be resolved. Enum: Required, Optional | false |
| resolve | enum | Resolve specifies when this reference should be resolved. The default is ‘IfNotPresent’, which will attempt to resolve the reference only when the corresponding field is not present. Use ‘Always’ to resolve the reference on every reconcile. Enum: Always, IfNotPresent | false |
KeycloakClient.spec.clientConfiguration.authenticationFlowBindingOverrides[index].browserIdSelector
Selector for a Flow in authenticationflow to populate browserId.
| Name | Type | Description | Required |
|---|---|---|---|
| matchControllerRef | boolean | MatchControllerRef ensures an object with the same controller reference as the selecting object is selected. | false |
| matchLabels | map[string]string | MatchLabels ensures an object with matching labels is selected. | false |
| policy | object | Policies for selection. | false |
KeycloakClient.spec.clientConfiguration.authenticationFlowBindingOverrides[index].browserIdSelector.policy
Policies for selection.
| Name | Type | Description | Required |
|---|---|---|---|
| resolution | enum | Resolution specifies whether resolution of this reference is required. The default is ‘Required’, which means the reconcile will fail if the reference cannot be resolved. ‘Optional’ means this reference will be a no-op if it cannot be resolved. Enum: Required, Optional | false |
| resolve | enum | Resolve specifies when this reference should be resolved. The default is ‘IfNotPresent’, which will attempt to resolve the reference only when the corresponding field is not present. Use ‘Always’ to resolve the reference on every reconcile. Enum: Always, IfNotPresent | false |
KeycloakClient.spec.clientConfiguration.authenticationFlowBindingOverrides[index].directGrantIdRef
Reference to a Flow in authenticationflow to populate directGrantId.
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the referenced object. | true |
| policy | object | Policies for referencing. | false |
KeycloakClient.spec.clientConfiguration.authenticationFlowBindingOverrides[index].directGrantIdRef.policy
Policies for referencing.
| Name | Type | Description | Required |
|---|---|---|---|
| resolution | enum | Resolution specifies whether resolution of this reference is required. The default is ‘Required’, which means the reconcile will fail if the reference cannot be resolved. ‘Optional’ means this reference will be a no-op if it cannot be resolved. Enum: Required, Optional | false |
| resolve | enum | Resolve specifies when this reference should be resolved. The default is ‘IfNotPresent’, which will attempt to resolve the reference only when the corresponding field is not present. Use ‘Always’ to resolve the reference on every reconcile. Enum: Always, IfNotPresent | false |
KeycloakClient.spec.clientConfiguration.authenticationFlowBindingOverrides[index].directGrantIdSelector
Selector for a Flow in authenticationflow to populate directGrantId.
| Name | Type | Description | Required |
|---|---|---|---|
| matchControllerRef | boolean | MatchControllerRef ensures an object with the same controller reference as the selecting object is selected. | false |
| matchLabels | map[string]string | MatchLabels ensures an object with matching labels is selected. | false |
| policy | object | Policies for selection. | false |
KeycloakClient.spec.clientConfiguration.authenticationFlowBindingOverrides[index].directGrantIdSelector.policy
Policies for selection.
| Name | Type | Description | Required |
|---|---|---|---|
| resolution | enum | Resolution specifies whether resolution of this reference is required. The default is ‘Required’, which means the reconcile will fail if the reference cannot be resolved. ‘Optional’ means this reference will be a no-op if it cannot be resolved. Enum: Required, Optional | false |
| resolve | enum | Resolve specifies when this reference should be resolved. The default is ‘IfNotPresent’, which will attempt to resolve the reference only when the corresponding field is not present. Use ‘Always’ to resolve the reference on every reconcile. Enum: Always, IfNotPresent | false |
KeycloakClient.spec.clientConfiguration.authorization[index]
| Name | Type | Description | Required |
|---|---|---|---|
| allowRemoteResourceManagement | boolean | When true, resources can be managed remotely by the resource server. Defaults to false. | false |
| decisionStrategy | string | Dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. Could be one of AFFIRMATIVE, CONSENSUS, or UNANIMOUS. Applies to permissions. | false |
| keepDefaults | boolean | When true, defaults set by Keycloak will be respected. Defaults to false. | false |
| policyEnforcementMode | string | Dictates how policies are enforced when evaluating authorization requests. Can be one of ENFORCING, PERMISSIVE, or DISABLED. | false |
KeycloakClient.spec.clientConfiguration.clientSecretSecretRef
The secret for clients with an access_type of CONFIDENTIAL or BEARER-ONLY. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | The key to select. | true |
| name | string | Name of the secret. | true |
| namespace | string | Namespace of the secret. | true |
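A complete KeycloakClient manifest using the fields above, added here as an illustration (it is not from the page or the project). It shows a confidential, Authorization-Code-only client with PKCE, exact redirect URIs and a secret read from a Kubernetes Secret; the realm name, client name, URLs and Secret name/key are assumed values.

```yaml
apiVersion: k8saas.io/v1alpha1
kind: KeycloakClient
metadata:
  name: orders-web            # constructed example name
  namespace: team-orders      # constructed example namespace
spec:
  realmId: example-realm      # assumed: name of the KeycloakRealm this client belongs to
  clientId: orders-web
  # groupMembershipClaim and optionalScopes are left at their documented defaults
  clientConfiguration:
    name: Orders web frontend
    enabled: true
    accessType: CONFIDENTIAL              # token endpoint requires client authentication
    clientAuthenticatorType: client-secret
    # Secret lives in a Kubernetes Secret, never in this manifest; if the ref is
    # omitted Keycloak generates one, which is still preferable to a hard-coded value.
    clientSecretSecretRef:
      name: orders-web-oidc               # assumed Secret name
      namespace: team-orders
      key: client-secret                  # assumed key inside that Secret
    # Grant types: only the Authorization Code flow is enabled.
    standardFlowEnabled: true
    implicitFlowEnabled: false            # implicit grant puts tokens in the URL fragment
    directAccessGrantsEnabled: false      # no password grant; the app never handles user passwords
    serviceAccountsEnabled: false         # no client-credentials grant for a browser-facing app
    oauth2DeviceAuthorizationGrantEnabled: false
    pkceCodeChallengeMethod: S256         # require PKCE on every authorization request
    # rootUrl is set, so validRedirectUris, webOrigins and adminUrl are mandatory
    # and relative values below are resolved against it.
    rootUrl: https://orders.example.com   # assumed application origin
    adminUrl: /admin
    validRedirectUris:
      - /callback                         # exact path; no trailing "*" wildcard
    validPostLogoutRedirectUris:
      - /logged-out
    webOrigins:
      - "+"                               # CORS only for the valid redirect URI origins, never "*"
    # Token and session hygiene
    accessTokenLifespan: "300"            # seconds; overrides the realm default
    useRefreshTokens: true
    useRefreshTokensClientCredentials: false
    fullScopeAllowed: false               # only explicitly mapped roles end up in tokens
    # Back-channel logout so realm-wide logouts reach this client
    backchannelLogoutUrl: https://orders.example.com/backchannel-logout
    backchannelLogoutSessionRequired: true
    backchannelLogoutRevokeOfflineSessions: true
    frontchannelLogoutEnabled: false
```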
KeycloakGroup
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | k8saas.io/v1alpha1 | true |
| kind | string | KeycloakGroup | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | | false |
KeycloakGroup.spec
| Name | Type | Description | Required |
|---|---|---|---|
| groupConfiguration | object | The complete Keycloak group configuration. Set values from the spec.forProvider object documented at https://github.com/crossplane-contrib/provider-keycloak/blob/v1.9.2/package/crds/group.keycloak.crossplane.io_groups.yaml. | false |
| members | []string | A list of usernames that belong to this group. | false |
| name | string | The name of the group. | false |
| realmId | string | The realm this group is attached to. | false |
| roleIdsRefs | []object | References to Role in roles to populate roleIds. | false |
KeycloakGroup.spec.groupConfiguration
The complete Keycloak group configuration. Set values from the spec.forProvider object documented at https://github.com/crossplane-contrib/provider-keycloak/blob/v1.9.2/package/crds/group.keycloak.crossplane.io_groups.yaml.
| Name | Type | Description | Required |
|---|---|---|---|
| attributes | map[string]string | A map representing attributes for the group. In order to add multivalue attributes, use ## to separate the values. Max length for each value is 255 characters. | false |
| parentIdRef | object | Reference to a Group in group to populate parentId. | false |
KeycloakGroup.spec.groupConfiguration.parentIdRef
Reference to a Group in group to populate parentId.
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the referenced object. | true |
| policy | object | Policies for referencing. | false |
KeycloakGroup.spec.groupConfiguration.parentIdRef.policy
Policies for referencing.
| Name | Type | Description | Required |
|---|---|---|---|
| resolution | enum | Resolution specifies whether resolution of this reference is required. The default is ‘Required’, which means the reconcile will fail if the reference cannot be resolved. ‘Optional’ means this reference will be a no-op if it cannot be resolved. Enum: Required, Optional | false |
| resolve | enum | Resolve specifies when this reference should be resolved. The default is ‘IfNotPresent’, which will attempt to resolve the reference only when the corresponding field is not present. Use ‘Always’ to resolve the reference on every reconcile. Enum: Always, IfNotPresent | false |
KeycloakGroup.spec.roleIdsRefs[index]
A reference to a named object.
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the referenced object. | true |
| policy | object | Policies for referencing. | false |
KeycloakGroup.spec.roleIdsRefs[index].policy
Policies for referencing.
| Name | Type | Description | Required |
|---|---|---|---|
| resolution | enum | Resolution specifies whether resolution of this reference is required. The default is ‘Required’, which means the reconcile will fail if the reference cannot be resolved. ‘Optional’ means this reference will be a no-op if it cannot be resolved. Enum: Required, Optional | false |
| resolve | enum | Resolve specifies when this reference should be resolved. The default is ‘IfNotPresent’, which will attempt to resolve the reference only when the corresponding field is not present. Use ‘Always’ to resolve the reference on every reconcile. Enum: Always, IfNotPresent | false |
KeycloakRealm
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | k8saas.io/v1alpha1 | true |
| kind | string | KeycloakRealm | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | | false |
KeycloakRealm.spec
| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Default: true | false |
| enabledEventTypes | []string | The event types that will be saved to the database. Omitting this field enables all event types. Defaults to [] or all event types. Default: [] | false |
| eventsExpiration | number | The amount of time in seconds events will be saved in the database. Defaults to 0 or never. Default: 604800 | false |
| eventsListeners | []string | The event listeners that events should be sent to. Note that new realms enable the jboss-logging listener by default, and this resource will remove that unless it is specified. Default: [jboss-logging] | false |
| name | string | The name of the realm. This is unique across Keycloak. This will also be used as the realm’s internal ID within Keycloak. | false |
| realmConfiguration | object | The complete Keycloak realm configuration. Set values from the spec.forProvider object documented at https://github.com/crossplane-contrib/provider-keycloak/blob/v1.9.2/package/crds/realm.keycloak.crossplane.io_realms.yaml. | false |
KeycloakRealm.spec.realmConfiguration
The complete Keycloak realm configuration. Set values from the spec.forProvider object documented at https://github.com/crossplane-contrib/provider-keycloak/blob/v1.9.2/package/crds/realm.keycloak.crossplane.io_realms.yaml.
| Name | Type | Description | Required |
|---|---|---|---|
| accessCodeLifespan | string | The maximum amount of time a client has to finish the authorization code flow. | false |
| accessCodeLifespanLogin | string | The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted. | false |
| accessCodeLifespanUserAction | string | The maximum amount of time a user has to complete login related actions, such as updating a password. | false |
| accessTokenLifespan | string | The amount of time an access token can be used before it expires. | false |
| accessTokenLifespanForImplicitFlow | string | The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires. | false |
| accountTheme | string | Used for account management pages. | false |
| actionTokenGeneratedByAdminLifespan | string | The maximum time a user has to use an admin-generated permit before it expires. | false |
| actionTokenGeneratedByUserLifespan | string | The maximum time a user has to use a user-generated permit before it expires. | false |
| adminTheme | string | Used for the admin console. | false |
| attributes | map[string]string | A map of custom attributes to add to the realm. | false |
| browserFlow | string | The desired flow for browser authentication. Defaults to browser. Which flow should be used for BrowserFlow. | false |
| clientAuthenticationFlow | string | The desired flow for client authentication. Defaults to clients. Which flow should be used for ClientAuthenticationFlow. | false |
| clientSessionIdleTimeout | string | The amount of time a session can be idle before it expires. Users can override it for individual clients. | false |
| clientSessionMaxLifespan | string | The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients. | false |
| defaultDefaultClientScopes | []string | A list of default default client scopes to be used for client definitions. Defaults to [] or keycloak’s built-in default default client-scopes. | false |
| defaultOptionalClientScopes | []string | A list of default optional client scopes to be used for client definitions. Defaults to [] or keycloak’s built-in default optional client-scopes. | false |
| defaultSignatureAlgorithm | string | Default algorithm used to sign tokens for the realm. | false |
| directGrantFlow | string | The desired flow for direct access authentication. Defaults to direct grant. Which flow should be used for DirectGrantFlow. | false |
| displayName | string | The display name for the realm that is shown when logging in to the admin console. | false |
| displayNameHtml | string | The display name for the realm that is rendered as HTML on the screen when logging in to the admin console. | false |
| dockerAuthenticationFlow | string | The desired flow for Docker authentication. Defaults to docker auth. Which flow should be used for DockerAuthenticationFlow. | false |
| duplicateEmailsAllowed | boolean | When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true. | false |
| editUsernameAllowed | boolean | When true, the username field is editable. | false |
| emailTheme | string | Used for emails that are sent by Keycloak. | false |
| internationalization | []object | | false |
| loginTheme | string | Used for the login, forgot password, and registration pages. | false |
| loginWithEmailAllowed | boolean | When true, users may log in with their email address. | false |
| oauth2DeviceCodeLifespan | string | The maximum amount of time a client has to finish the device code flow before it expires. | false |
| oauth2DevicePollingInterval | number | The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. | false |
| offlineSessionIdleTimeout | string | The amount of time an offline session can be idle before it expires. | false |
| offlineSessionMaxLifespan | string | The maximum amount of time before an offline session expires regardless of activity. | false |
| offlineSessionMaxLifespanEnabled | boolean | Enable offline_session_max_lifespan. | false |
| otpPolicy | []object | | false |
| passwordPolicy | string | The password policy for users within the realm. A string that represents the password policies that are in place. Each policy is separated with " and ". Supported policies can be found in the server-info providers page. Example: "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername(undefined)" | false |
| refreshTokenMaxReuse | number | Maximum number of times a refresh token can be reused before they are revoked. If unspecified and ‘revoke_refresh_token’ is enabled the default value is 0 and refresh tokens can not be reused. | false |
| registrationAllowed | boolean | When true, user registration will be enabled, and a link for registration will be displayed on the login page. | false |
| registrationEmailAsUsername | boolean | When true, the user’s email will be used as their username during registration. | false |
| registrationFlow | string | The desired flow for user registration. Defaults to registration. Which flow should be used for RegistrationFlow. | false |
| rememberMe | boolean | When true, a “remember me” checkbox will be displayed on the login page, and the user’s session will not expire between browser restarts. | false |
| resetCredentialsFlow | string | The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials. Which flow should be used for ResetCredentialsFlow. | false |
| resetPasswordAllowed | boolean | When true, a “forgot password” link will be displayed on the login page. | false |
| revokeRefreshToken | boolean | If enabled, a refresh token can only be used the number of times specified in ‘refresh_token_max_reuse’ before it is revoked. If unspecified, refresh tokens can be reused. | false |
| securityDefenses | []object | | false |
| smtpServer | []object | | false |
| sslRequired | string | Can be one of the following values: ‘none’, ‘external’ or ‘all’. SSL Required: Values can be ‘none’, ‘external’ or ‘all’. | false |
| ssoSessionIdleTimeout | string | The amount of time a session can be idle before it expires. | false |
| ssoSessionIdleTimeoutRememberMe | string | Similar to sso_session_idle_timeout, but used when a user clicks “Remember Me”. If not set, Keycloak will default to the value of sso_session_idle_timeout. | false |
| ssoSessionMaxLifespan | string | The maximum amount of time before a session expires regardless of activity. | false |
| ssoSessionMaxLifespanRememberMe | string | Similar to sso_session_max_lifespan, but used when a user clicks “Remember Me”. If not set, Keycloak will default to the value of sso_session_max_lifespan. | false |
| userManagedAccess | boolean | When true, users are allowed to manage their own resources. Defaults to false. | false |
| verifyEmail | boolean | When true, users are required to verify their email address after registration and after email address changes. | false |
| webAuthnPasswordlessPolicy | []object | Configuration for WebAuthn Passwordless Policy authentication. | false |
| webAuthnPolicy | []object | Configuration for WebAuthn Policy authentication. | false |
KeycloakRealm.spec.realmConfiguration.internationalization[index]
| Name | Type | Description | Required |
|---|---|---|---|
| defaultLocale | string | The locale to use by default. This locale code must be present within the supported_locales list. | false |
| supportedLocales | []string | A list of ISO 639-1 locale codes that the realm should support. | false |
KeycloakRealm.spec.realmConfiguration.otpPolicy[index]
| Name | Type | Description | Required |
|---|---|---|---|
| algorithm | string | What hashing algorithm should be used to generate the OTP. Valid options are HmacSHA1, HmacSHA256 and HmacSHA512. Defaults to HmacSHA1. | false |
| digits | number | How many digits the OTP has. Defaults to 6. | false |
| initialCounter | number | What should the initial counter value be. Defaults to 2. | false |
| lookAheadWindow | number | How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to 1. | false |
| period | number | How many seconds should an OTP token be valid. Defaults to 30. | false |
| type | string | One Time Password Type, supported Values are totp for Time-Based One Time Password and hotp for Counter Based. Defaults to totp.
OTP Type, totp for Time-Based One Time Password or hotp for counter base one time password | false |
KeycloakRealm.spec.realmConfiguration.securityDefenses[index]
| Name | Type | Description | Required |
|---|---|---|---|
| bruteForceDetection | []object | | false |
| headers | []object | | false |
KeycloakRealm.spec.realmConfiguration.securityDefenses[index].bruteForceDetection[index]
| Name | Type | Description | Required |
|---|---|---|---|
| failureResetTimeSeconds | number | When the failure count is reset, in seconds. | false |
| maxFailureWaitSeconds | number | | false |
| maxLoginFailures | number | How many failures are allowed before the wait is triggered. | false |
| minimumQuickLoginWaitSeconds | number | How long to wait after a quick login failure. | false |
| permanentLockout | boolean | When true, this will lock the user permanently when the user exceeds the maximum login failures. | false |
| quickLoginCheckMilliSeconds | number | Configures the amount of time, in milliseconds, for consecutive failures to lock a user out. | false |
| waitIncrementSeconds | number | This represents the amount of time a user should be locked out when the login failure threshold has been met. | false |
KeycloakRealm.spec.realmConfiguration.securityDefenses[index].headers[index]
| Name | Type | Description | Required |
|---|---|---|---|
| contentSecurityPolicy | string | Sets the Content-Security-Policy header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C CSP specification. | false |
| contentSecurityPolicyReportOnly | string | Used for testing Content Security Policies without enforcing them. | false |
| referrerPolicy | string | The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. | false |
| strictTransportSecurity | string | The Strict-Transport-Security HTTP header tells browsers to always use HTTPS. | false |
| xContentTypeOptions | string | Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content type. | false |
| xFrameOptions | string | Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC 7034. | false |
| xRobotsTag | string | Prevent pages from appearing in search engines. | false |
| xXssProtection | string | This header configures the Cross-site scripting (XSS) filter in your browser. | false |
KeycloakRealm.spec.realmConfiguration.smtpServer[index]
| Name | Type | Description | Required |
|---|---|---|---|
| auth | []object | Enables authentication to the SMTP server. | false |
| envelopeFrom | string | The email address used for bounces. | false |
| from | string | The email address for the sender. | false |
| fromDisplayName | string | The display name of the sender email address. | false |
| host | string | The host of the SMTP server. | false |
| port | string | The port of the SMTP server (defaults to 25). | false |
| replyTo | string | The “reply to” email address. | false |
| replyToDisplayName | string | The display name of the “reply to” email address. | false |
| ssl | boolean | When true, enables SSL. Defaults to false. | false |
| starttls | boolean | When true, enables StartTLS. Defaults to false. | false |
KeycloakRealm.spec.realmConfiguration.smtpServer[index].auth[index]
| Name | Type | Description | Required |
|---|---|---|---|
| passwordSecretRef | object | The SMTP server password. | false |
| username | string | The SMTP server username. | false |
KeycloakRealm.spec.realmConfiguration.smtpServer[index].auth[index].passwordSecretRef
The SMTP server password.
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | The key to select. | true |
| name | string | Name of the secret. | true |
| namespace | string | Namespace of the secret. | true |
KeycloakRealm.spec.realmConfiguration.webAuthnPasswordlessPolicy[index]
| Name | Type | Description | Required |
|---|---|---|---|
| acceptableAaguids | []string | A set of AAGUIDs for which an authenticator can be registered. | false |
| attestationConveyancePreference | string | The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified. | false |
| authenticatorAttachment | string | The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified. | false |
| avoidSameAuthenticatorRegister | boolean | When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false. | false |
| createTimeout | number | The timeout value for creating a user’s public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0. | false |
| relyingPartyEntityName | string | A human readable server name for the WebAuthn Relying Party. Defaults to keycloak. | false |
| relyingPartyId | string | The WebAuthn relying party ID. | false |
| requireResidentKey | string | Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified. | false |
| signatureAlgorithms | []string | A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. | false |
| userVerificationRequirement | string | Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified. | false |
KeycloakRealm.spec.realmConfiguration.webAuthnPolicy[index]
| Name | Type | Description | Required |
|---|---|---|---|
| acceptableAaguids | []string | A set of AAGUIDs for which an authenticator can be registered. | false |
| attestationConveyancePreference | string | The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified. | false |
| authenticatorAttachment | string | The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified. | false |
| avoidSameAuthenticatorRegister | boolean | When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false. | false |
| createTimeout | number | The timeout value for creating a user’s public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0. | false |
| relyingPartyEntityName | string | A human readable server name for the WebAuthn Relying Party. Defaults to keycloak. | false |
| relyingPartyId | string | The WebAuthn relying party ID. | false |
| requireResidentKey | string | Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified. | false |
| signatureAlgorithms | []string | A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. | false |
| userVerificationRequirement | string | Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified. | false |
KeycloakUser
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | k8saas.io/v1alpha1 | true |
| kind | string | KeycloakUser | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | | false |
KeycloakUser.spec
| Name | Type | Description | Required |
|---|---|---|---|
| groupIdsRefs | []object | References to Group in group to populate groupIds. | false |
| realmId | string | The realm this user is attached to. | false |
| roleIdsRefs | []object | References to Role in roles to populate roleIds. | false |
| userConfiguration | object | The complete Keycloak client configuration. Setup values from the spec.forProvider object https://marketplace.upbound.io/providers/crossplane-contrib/provider-keycloak/v1.9.2/resources/openidclient.keycloak.crossplane.io/Client/v1alpha1. | false |
| username | string | The unique username of this user. | false |
KeycloakUser.spec.groupIdsRefs[index]
A Reference to a named object.
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the referenced object. | true |
| policy | object | Policies for referencing. | false |
KeycloakUser.spec.groupIdsRefs[index].policy
Policies for referencing.
| Name | Type | Description | Required |
|---|---|---|---|
| resolution | enum | Resolution specifies whether resolution of this reference is required. The default is ‘Required’, which means the reconcile will fail if the reference cannot be resolved. ‘Optional’ means this reference will be a no-op if it cannot be resolved. Enum: Required, Optional | false |
| resolve | enum | Resolve specifies when this reference should be resolved. The default is ‘IfNotPresent’, which will attempt to resolve the reference only when the corresponding field is not present. Use ‘Always’ to resolve the reference on every reconcile. Enum: Always, IfNotPresent | false |
KeycloakUser.spec.roleIdsRefs[index]
A Reference to a named object.
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the referenced object. | true |
| policy | object | Policies for referencing. | false |
KeycloakUser.spec.roleIdsRefs[index].policy
Policies for referencing.
| Name | Type | Description | Required |
|---|---|---|---|
| resolution | enum | Resolution specifies whether resolution of this reference is required. The default is ‘Required’, which means the reconcile will fail if the reference cannot be resolved. ‘Optional’ means this reference will be a no-op if it cannot be resolved. Enum: Required, Optional | false |
| resolve | enum | Resolve specifies when this reference should be resolved. The default is ‘IfNotPresent’, which will attempt to resolve the reference only when the corresponding field is not present. Use ‘Always’ to resolve the reference on every reconcile. Enum: Always, IfNotPresent | false |
KeycloakUser.spec.userConfiguration
The complete Keycloak client configuration. Setup values from the spec.forProvider object https://marketplace.upbound.io/providers/crossplane-contrib/provider-keycloak/v1.9.2/resources/openidclient.keycloak.crossplane.io/Client/v1alpha1.
| Name | Type | Description | Required |
|---|---|---|---|
| attributes | map[string]string | A map representing attributes for the user. In order to add multivalue attributes, use ## to separate the values. Max length for each value is 255 chars. | false |
| email | string | The user’s email. | false |
| emailVerified | boolean | Whether the email address was validated or not. Defaults to false. | false |
| enabled | boolean | When false, this user cannot log in. Defaults to true. | false |
| federatedIdentity | []object | When specified, the user will be linked to a federated identity provider. Refer to the federated user example for more details. | false |
| firstName | string | The user’s first name. | false |
| initialPassword | []object | When given, the user’s initial password will be set. This attribute is only respected during initial user creation. | false |
| lastName | string | The user’s last name. | false |
| requiredActions | []string | A list of required user actions. | false |
KeycloakUser.spec.userConfiguration.federatedIdentity[index]
| Name | Type | Description | Required |
|---|---|---|---|
| identityProvider | string | The name of the identity provider | false |
| userId | string | The ID of the user defined in the identity provider | false |
| userName | string | The user name of the user defined in the identity provider | false |
KeycloakUser.spec.userConfiguration.initialPassword[index]
| Name | Type | Description | Required |
|---|---|---|---|
| temporary | boolean | If set to true, the initial password must be changed on first use. Defaults to false. | false |
| valueSecretRef | object | The initial password. | false |
KeycloakUser.spec.userConfiguration.initialPassword[index].valueSecretRef
The initial password.
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | The key to select. | true |
| name | string | Name of the secret. | true |
| namespace | string | Namespace of the secret. | true |