keycloak-example-client.yaml
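---
# KeycloakClient custom resource that registers the confidential OpenID Connect
# client "aflow" in the realm selected by the label realm=dev.
# NOTE(review): nesting follows the keycloak.org/v1alpha1 KeycloakClient layout
# (spec.realmSelector, spec.client, spec.roles); confirm against the installed CRD.
apiVersion: keycloak.org/v1alpha1
kind: KeycloakClient
metadata:
  name: aflow
  labels:
    client: aflow
  annotations:
    # Argo CD sync option: skip the dry run while this resource's CRD is not
    # yet present in the cluster.
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
  realmSelector:
    matchLabels:
      realm: dev
  client:
    authorizationServicesEnabled: false
    bearerOnly: false
    name: aflow
    clientId: aflow
    # Confidential client: it authenticates to the token endpoint with a
    # client secret (see publicClient: false below).
    clientAuthenticatorType: "client-secret"
    consentRequired: false
    defaultClientScopes:
      - "profile"
      - "email"
      - "roles"
    enabled: true
    frontchannelLogout: false
    # NOTE(review): with full scope allowed, tokens for this client are not
    # limited to its own scope mappings and can carry every role mapped to
    # the user. Prefer false plus explicit scope mappings for the roles
    # this client actually needs.
    fullScopeAllowed: true
    protocol: openid-connect
    # Authorization code flow.
    standardFlowEnabled: true
    # Client-credentials grant via the client's service account.
    serviceAccountsEnabled: true
    # NOTE(review): enables the resource-owner password grant, where the
    # application handles user passwords itself. Disable unless a caller
    # that cannot use a browser redirect really depends on it.
    directAccessGrantsEnabled: true
    surrogateAuthRequired: false
    # Placeholder. Do not commit a real client secret to version control;
    # supply it from the cluster's secret management at deploy time.
    secret: <secret>
    implicitFlowEnabled: false
    publicClient: false
    # NOTE(review): a bare "*" accepts any redirect URI, so an authorization
    # response for this client can be sent to a site the deployment does
    # not control. Acceptable only in a throwaway sandbox; list the exact
    # callback URLs of the application everywhere else.
    redirectUris:
      - "*"
    # NOTE(review): "*" allows CORS requests from every origin. Restrict to
    # the application's origins (or "+" to derive them from redirectUris
    # once those are exact).
    webOrigins:
      - "*"
    nodeReRegistrationTimeout: -1
    protocolMappers:
      # Exposes the username as the preferred_username claim.
      - name: username
        protocol: openid-connect
        protocolMapper: oidc-usermodel-property-mapper
        consentRequired: false
        config:
          userinfo.token.claim: 'true'
          user.attribute: username
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: preferred_username
          jsonType.label: String
      # Exposes client roles under resource_access.<client_id>.roles.
      - name: 'client roles'
        protocol: openid-connect
        protocolMapper: oidc-usermodel-client-role-mapper
        consentRequired: false
        config:
          userinfo.token.claim: 'true'
          id.token.claim: 'true'
          user.attribute: username
          access.token.claim: 'true'
          claim.name: 'resource_access.${client_id}.roles'
          jsonType.label: String
          multivalued: 'true'
      # Adds the client "superset" to the access token's audience, so tokens
      # issued to aflow are also addressed to superset. Keep this only if
      # superset is meant to accept them.
      - name: audience
        protocol: openid-connect
        protocolMapper: oidc-audience-mapper
        consentRequired: false
        config:
          included.client.audience: superset
          id.token.claim: 'false'
          access.token.claim: 'true'
  # Client roles defined for aflow.
  roles:
    - name: Admin
      composite: false
      clientRole: true
    - name: Public
      composite: false
      clientRole: true
    - name: Viewer
      composite: false
      clientRole: true
    - name: User
      composite: false
      clientRole: true
    - name: Op
      composite: false
      clientRole: true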