expose EnableStandardTokenExchange and allow refresh token in standard token exchange in keycloak_openid_client (#1229)

KyriosGN0 · sschu · web-flow · commit 186f7cf1bc14 · 2025-06-30T19:33:49.000Z
* support settings allow_refresh_token_in_standartd_token_exhange and expose standard_token_exchange_enabled in openid_client

Signed-off-by: AvivGuiser &lt;avivguiser@gmail.com&gt;

* update tests

Signed-off-by: AvivGuiser &lt;avivguiser@gmail.com&gt;

* fix tests

Signed-off-by: AvivGuiser &lt;avivguiser@gmail.com&gt;

* skip test unless keycloak is version 26.2

Signed-off-by: AvivGuiser &lt;avivguiser@gmail.com&gt;

* fix datasource

Signed-off-by: AvivGuiser &lt;avivguiser@gmail.com&gt;

* fix tests

Signed-off-by: AvivGuiser &lt;avivguiser@gmail.com&gt;

---------

Signed-off-by: AvivGuiser &lt;avivguiser@gmail.com&gt;
Co-authored-by: Sebastian Schuster &lt;sebastian.schuster@bosch.com&gt;
diff --git a/keycloak/openid_client.go b/keycloak/openid_client.go
@@ -61,29 +61,30 @@ type OpenidClient struct {
 }
 
 type OpenidClientAttributes struct {
-	PkceCodeChallengeMethod               string                           `json:"pkce.code.challenge.method"`
-	ExcludeSessionStateFromAuthResponse   types.KeycloakBoolQuoted         `json:"exclude.session.state.from.auth.response"`
-	ExcludeIssuerFromAuthResponse         types.KeycloakBoolQuoted         `json:"exclude.issuer.from.auth.response"`
-	AccessTokenLifespan                   string                           `json:"access.token.lifespan"`
-	LoginTheme                            string                           `json:"login_theme"`
-	ClientOfflineSessionIdleTimeout       string                           `json:"client.offline.session.idle.timeout,omitempty"`
-	DisplayOnConsentScreen                types.KeycloakBoolQuoted         `json:"display.on.consent.screen"`
-	ConsentScreenText                     string                           `json:"consent.screen.text"`
-	ClientOfflineSessionMaxLifespan       string                           `json:"client.offline.session.max.lifespan,omitempty"`
-	ClientSessionIdleTimeout              string                           `json:"client.session.idle.timeout,omitempty"`
-	ClientSessionMaxLifespan              string                           `json:"client.session.max.lifespan,omitempty"`
-	UseRefreshTokens                      types.KeycloakBoolQuoted         `json:"use.refresh.tokens"`
-	UseRefreshTokensClientCredentials     types.KeycloakBoolQuoted         `json:"client_credentials.use_refresh_token"`
-	BackchannelLogoutUrl                  string                           `json:"backchannel.logout.url"`
-	FrontchannelLogoutUrl                 string                           `json:"frontchannel.logout.url"`
-	BackchannelLogoutRevokeOfflineTokens  types.KeycloakBoolQuoted         `json:"backchannel.logout.revoke.offline.tokens"`
-	BackchannelLogoutSessionRequired      types.KeycloakBoolQuoted         `json:"backchannel.logout.session.required"`
-	ExtraConfig                           map[string]interface{}           `json:"-"`
-	Oauth2DeviceAuthorizationGrantEnabled types.KeycloakBoolQuoted         `json:"oauth2.device.authorization.grant.enabled"`
-	Oauth2DeviceCodeLifespan              string                           `json:"oauth2.device.code.lifespan,omitempty"`
-	Oauth2DevicePollingInterval           string                           `json:"oauth2.device.polling.interval,omitempty"`
-	PostLogoutRedirectUris                types.KeycloakSliceHashDelimited `json:"post.logout.redirect.uris,omitempty"`
-	StandardTokenExchangeEnabled          types.KeycloakBoolQuoted         `json:"standard.token.exchange.enabled,omitempty"`
+	PkceCodeChallengeMethod                  string                           `json:"pkce.code.challenge.method"`
+	ExcludeSessionStateFromAuthResponse      types.KeycloakBoolQuoted         `json:"exclude.session.state.from.auth.response"`
+	ExcludeIssuerFromAuthResponse            types.KeycloakBoolQuoted         `json:"exclude.issuer.from.auth.response"`
+	AccessTokenLifespan                      string                           `json:"access.token.lifespan"`
+	LoginTheme                               string                           `json:"login_theme"`
+	ClientOfflineSessionIdleTimeout          string                           `json:"client.offline.session.idle.timeout,omitempty"`
+	DisplayOnConsentScreen                   types.KeycloakBoolQuoted         `json:"display.on.consent.screen"`
+	ConsentScreenText                        string                           `json:"consent.screen.text"`
+	ClientOfflineSessionMaxLifespan          string                           `json:"client.offline.session.max.lifespan,omitempty"`
+	ClientSessionIdleTimeout                 string                           `json:"client.session.idle.timeout,omitempty"`
+	ClientSessionMaxLifespan                 string                           `json:"client.session.max.lifespan,omitempty"`
+	UseRefreshTokens                         types.KeycloakBoolQuoted         `json:"use.refresh.tokens"`
+	UseRefreshTokensClientCredentials        types.KeycloakBoolQuoted         `json:"client_credentials.use_refresh_token"`
+	BackchannelLogoutUrl                     string                           `json:"backchannel.logout.url"`
+	FrontchannelLogoutUrl                    string                           `json:"frontchannel.logout.url"`
+	BackchannelLogoutRevokeOfflineTokens     types.KeycloakBoolQuoted         `json:"backchannel.logout.revoke.offline.tokens"`
+	BackchannelLogoutSessionRequired         types.KeycloakBoolQuoted         `json:"backchannel.logout.session.required"`
+	ExtraConfig                              map[string]interface{}           `json:"-"`
+	Oauth2DeviceAuthorizationGrantEnabled    types.KeycloakBoolQuoted         `json:"oauth2.device.authorization.grant.enabled"`
+	Oauth2DeviceCodeLifespan                 string                           `json:"oauth2.device.code.lifespan,omitempty"`
+	Oauth2DevicePollingInterval              string                           `json:"oauth2.device.polling.interval,omitempty"`
+	PostLogoutRedirectUris                   types.KeycloakSliceHashDelimited `json:"post.logout.redirect.uris,omitempty"`
+	StandardTokenExchangeEnabled             types.KeycloakBoolQuoted         `json:"standard.token.exchange.enabled,omitempty"`
+	AllowRefreshTokenInStandardTokenExchange string                           `json:"standard.token.exchange.enableRefreshRequestedTokenType,omitempty"`
 }
 
 type OpenidAuthenticationFlowBindingOverrides struct {
diff --git a/provider/data_source_keycloak_openid_client.go b/provider/data_source_keycloak_openid_client.go
@@ -204,6 +204,14 @@ func dataSourceKeycloakOpenidClient() *schema.Resource {
 				Type:     schema.TypeBool,
 				Computed: true,
 			},
+			"standard_token_exchange_enabled": {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
+			"allow_refresh_token_in_standard_token_exchange": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 			"backchannel_logout_url": {
 				Type:     schema.TypeString,
 				Computed: true,
diff --git a/provider/resource_keycloak_openid_client.go b/provider/resource_keycloak_openid_client.go
@@ -4,10 +4,11 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"github.com/hashicorp/go-cty/cty"
 	"reflect"
 	"strings"
 
+	"github.com/hashicorp/go-cty/cty"
+
 	"dario.cat/mergo"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff"
@@ -283,6 +284,15 @@ func resourceKeycloakOpenidClient() *schema.Resource {
 				Optional: true,
 				Default:  false,
 			},
+			"standard_token_exchange_enabled": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
+			"allow_refresh_token_in_standard_token_exchange": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
 			"frontchannel_logout_url": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -382,28 +392,30 @@ func getOpenidClientFromData(data *schema.ResourceData) (*keycloak.OpenidClient,
 		FrontChannelLogoutEnabled: data.Get("frontchannel_logout_enabled").(bool),
 		FullScopeAllowed:          data.Get("full_scope_allowed").(bool),
 		Attributes: keycloak.OpenidClientAttributes{
-			PkceCodeChallengeMethod:               data.Get("pkce_code_challenge_method").(string),
-			ExcludeSessionStateFromAuthResponse:   types.KeycloakBoolQuoted(data.Get("exclude_session_state_from_auth_response").(bool)),
-			ExcludeIssuerFromAuthResponse:         types.KeycloakBoolQuoted(data.Get("exclude_issuer_from_auth_response").(bool)),
-			AccessTokenLifespan:                   data.Get("access_token_lifespan").(string),
-			LoginTheme:                            data.Get("login_theme").(string),
-			ClientOfflineSessionIdleTimeout:       data.Get("client_offline_session_idle_timeout").(string),
-			ClientOfflineSessionMaxLifespan:       data.Get("client_offline_session_max_lifespan").(string),
-			ClientSessionIdleTimeout:              data.Get("client_session_idle_timeout").(string),
-			ClientSessionMaxLifespan:              data.Get("client_session_max_lifespan").(string),
-			UseRefreshTokens:                      types.KeycloakBoolQuoted(data.Get("use_refresh_tokens").(bool)),
-			UseRefreshTokensClientCredentials:     types.KeycloakBoolQuoted(data.Get("use_refresh_tokens_client_credentials").(bool)),
-			FrontchannelLogoutUrl:                 data.Get("frontchannel_logout_url").(string),
-			BackchannelLogoutUrl:                  data.Get("backchannel_logout_url").(string),
-			BackchannelLogoutRevokeOfflineTokens:  types.KeycloakBoolQuoted(data.Get("backchannel_logout_revoke_offline_sessions").(bool)),
-			BackchannelLogoutSessionRequired:      types.KeycloakBoolQuoted(data.Get("backchannel_logout_session_required").(bool)),
-			ExtraConfig:                           getExtraConfigFromData(data),
-			Oauth2DeviceAuthorizationGrantEnabled: types.KeycloakBoolQuoted(data.Get("oauth2_device_authorization_grant_enabled").(bool)),
-			Oauth2DeviceCodeLifespan:              data.Get("oauth2_device_code_lifespan").(string),
-			Oauth2DevicePollingInterval:           data.Get("oauth2_device_polling_interval").(string),
-			ConsentScreenText:                     data.Get("consent_screen_text").(string),
-			DisplayOnConsentScreen:                types.KeycloakBoolQuoted(data.Get("display_on_consent_screen").(bool)),
-			PostLogoutRedirectUris:                types.KeycloakSliceHashDelimited(validPostLogoutRedirectUris),
+			PkceCodeChallengeMethod:                  data.Get("pkce_code_challenge_method").(string),
+			ExcludeSessionStateFromAuthResponse:      types.KeycloakBoolQuoted(data.Get("exclude_session_state_from_auth_response").(bool)),
+			ExcludeIssuerFromAuthResponse:            types.KeycloakBoolQuoted(data.Get("exclude_issuer_from_auth_response").(bool)),
+			AccessTokenLifespan:                      data.Get("access_token_lifespan").(string),
+			LoginTheme:                               data.Get("login_theme").(string),
+			ClientOfflineSessionIdleTimeout:          data.Get("client_offline_session_idle_timeout").(string),
+			ClientOfflineSessionMaxLifespan:          data.Get("client_offline_session_max_lifespan").(string),
+			ClientSessionIdleTimeout:                 data.Get("client_session_idle_timeout").(string),
+			ClientSessionMaxLifespan:                 data.Get("client_session_max_lifespan").(string),
+			UseRefreshTokens:                         types.KeycloakBoolQuoted(data.Get("use_refresh_tokens").(bool)),
+			UseRefreshTokensClientCredentials:        types.KeycloakBoolQuoted(data.Get("use_refresh_tokens_client_credentials").(bool)),
+			StandardTokenExchangeEnabled:             types.KeycloakBoolQuoted(data.Get("standard_token_exchange_enabled").(bool)),
+			AllowRefreshTokenInStandardTokenExchange: data.Get("allow_refresh_token_in_standard_token_exchange").(string),
+			FrontchannelLogoutUrl:                    data.Get("frontchannel_logout_url").(string),
+			BackchannelLogoutUrl:                     data.Get("backchannel_logout_url").(string),
+			BackchannelLogoutRevokeOfflineTokens:     types.KeycloakBoolQuoted(data.Get("backchannel_logout_revoke_offline_sessions").(bool)),
+			BackchannelLogoutSessionRequired:         types.KeycloakBoolQuoted(data.Get("backchannel_logout_session_required").(bool)),
+			ExtraConfig:                              getExtraConfigFromData(data),
+			Oauth2DeviceAuthorizationGrantEnabled:    types.KeycloakBoolQuoted(data.Get("oauth2_device_authorization_grant_enabled").(bool)),
+			Oauth2DeviceCodeLifespan:                 data.Get("oauth2_device_code_lifespan").(string),
+			Oauth2DevicePollingInterval:              data.Get("oauth2_device_polling_interval").(string),
+			ConsentScreenText:                        data.Get("consent_screen_text").(string),
+			DisplayOnConsentScreen:                   types.KeycloakBoolQuoted(data.Get("display_on_consent_screen").(bool)),
+			PostLogoutRedirectUris:                   types.KeycloakSliceHashDelimited(validPostLogoutRedirectUris),
 		},
 		ValidRedirectUris:      validRedirectUris,
 		WebOrigins:             webOrigins,
@@ -506,6 +518,8 @@ func setOpenidClientData(ctx context.Context, keycloakClient *keycloak.KeycloakC
 	data.Set("login_theme", client.Attributes.LoginTheme)
 	data.Set("use_refresh_tokens", client.Attributes.UseRefreshTokens)
 	data.Set("use_refresh_tokens_client_credentials", client.Attributes.UseRefreshTokensClientCredentials)
+	data.Set("standard_token_exchange_enabled", client.Attributes.StandardTokenExchangeEnabled)
+	data.Set("allow_refresh_token_in_standard_token_exchange", client.Attributes.AllowRefreshTokenInStandardTokenExchange)
 	data.Set("oauth2_device_authorization_grant_enabled", client.Attributes.Oauth2DeviceAuthorizationGrantEnabled)
 	data.Set("oauth2_device_code_lifespan", client.Attributes.Oauth2DeviceCodeLifespan)
 	data.Set("oauth2_device_polling_interval", client.Attributes.Oauth2DevicePollingInterval)
diff --git a/provider/resource_keycloak_openid_client_test.go b/provider/resource_keycloak_openid_client_test.go
@@ -2,12 +2,13 @@ package provider
 
 import (
 	"fmt"
-	"github.com/keycloak/terraform-provider-keycloak/keycloak/types"
 	"regexp"
 	"strconv"
 	"strings"
 	"testing"
 
+	"github.com/keycloak/terraform-provider-keycloak/keycloak/types"
+
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
@@ -792,6 +793,54 @@ func TestAccKeycloakOpenidClient_useRefreshTokens(t *testing.T) {
 	})
 }
 
+func TestAccKeycloakOpenidClient_enableStandardTokenExchange(t *testing.T) {
+	if ok, _ := keycloakClient.VersionIsGreaterThanOrEqualTo(testCtx, keycloak.Version_26_2); !ok {
+		t.Skip()
+	}
+	t.Parallel()
+	clientId := acctest.RandomWithPrefix("tf-acc")
+
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: testAccProviderFactories,
+		PreCheck:          func() { testAccPreCheck(t) },
+		CheckDestroy:      testAccCheckKeycloakOpenidClientDestroy(),
+		Steps: []resource.TestStep{
+			{
+				Config: testKeycloakOpenidClient_enableStandardTokenExchange(clientId, true),
+				Check:  testAccCheckKeycloakOpenidClientEnableStandardTokenExchange("keycloak_openid_client.client", true),
+			},
+			{
+				Config: testKeycloakOpenidClient_enableStandardTokenExchange(clientId, false),
+				Check:  testAccCheckKeycloakOpenidClientEnableStandardTokenExchange("keycloak_openid_client.client", false),
+			},
+		},
+	})
+}
+
+func TestAccKeycloakOpenidClient_allowRefreshTokenInStandardExchange(t *testing.T) {
+	if ok, _ := keycloakClient.VersionIsGreaterThanOrEqualTo(testCtx, keycloak.Version_26_2); !ok {
+		t.Skip()
+	}
+	t.Parallel()
+	clientId := acctest.RandomWithPrefix("tf-acc")
+
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: testAccProviderFactories,
+		PreCheck:          func() { testAccPreCheck(t) },
+		CheckDestroy:      testAccCheckKeycloakOpenidClientDestroy(),
+		Steps: []resource.TestStep{
+			{
+				Config: testKeycloakOpenidClient_allowRefreshTokenInStandardExchange(clientId, "SAME_SESSION"),
+				Check:  testAccCheckKeycloakOpenidClientAllowRefreshTokenInStandardExchange("keycloak_openid_client.client", "SAME_SESSION"),
+			},
+			{
+				Config: testKeycloakOpenidClient_allowRefreshTokenInStandardExchange(clientId, ""),
+				Check:  testAccCheckKeycloakOpenidClientAllowRefreshTokenInStandardExchange("keycloak_openid_client.client", ""),
+			},
+		},
+	})
+}
+
 func TestAccKeycloakOpenidClient_useRefreshTokensClientCredentials(t *testing.T) {
 	t.Parallel()
 	clientId := acctest.RandomWithPrefix("tf-acc")
@@ -1277,6 +1326,36 @@ func testAccCheckKeycloakOpenidClientUseRefreshTokens(resourceName string, useRe
 	}
 }
 
+func testAccCheckKeycloakOpenidClientEnableStandardTokenExchange(resourceName string, enableStandardTokenExchange bool) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		client, err := getOpenidClientFromState(s, resourceName)
+		if err != nil {
+			return err
+		}
+
+		if client.Attributes.StandardTokenExchangeEnabled != types.KeycloakBoolQuoted(enableStandardTokenExchange) {
+			return fmt.Errorf("expected openid client to have enable standard token exchange set to %t, but got %v", enableStandardTokenExchange, client.Attributes.StandardTokenExchangeEnabled)
+		}
+
+		return nil
+	}
+}
+
+func testAccCheckKeycloakOpenidClientAllowRefreshTokenInStandardExchange(resourceName string, AllowRefreshTokenInStandardTokenExchange string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		client, err := getOpenidClientFromState(s, resourceName)
+		if err != nil {
+			return err
+		}
+
+		if client.Attributes.AllowRefreshTokenInStandardTokenExchange != AllowRefreshTokenInStandardTokenExchange {
+			return fmt.Errorf("expected openid client to have enable standard token exchange set to %s, but got %v", AllowRefreshTokenInStandardTokenExchange, client.Attributes.AllowRefreshTokenInStandardTokenExchange)
+		}
+
+		return nil
+	}
+}
+
 func testAccCheckKeycloakOpenidClientUseRefreshTokensClientCredentials(resourceName string, useRefreshTokensClientCredentials bool) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		client, err := getOpenidClientFromState(s, resourceName)
@@ -1834,6 +1913,39 @@ resource "keycloak_openid_client" "client" {
 	`, testAccRealm.Realm, clientId, useRefreshTokens)
 }
 
+func testKeycloakOpenidClient_enableStandardTokenExchange(clientId string, enableStandardTokenExchange bool) string {
+
+	return fmt.Sprintf(`
+data "keycloak_realm" "realm" {
+	realm = "%s"
+}
+
+resource "keycloak_openid_client" "client" {
+	client_id   = "%s"
+	realm_id    = data.keycloak_realm.realm.id
+	access_type = "CONFIDENTIAL"
+	standard_token_exchange_enabled = %t
+}
+	`, testAccRealm.Realm, clientId, enableStandardTokenExchange)
+}
+
+func testKeycloakOpenidClient_allowRefreshTokenInStandardExchange(clientId string, allowRefreshTokenInStandardTokenExchange string) string {
+
+	return fmt.Sprintf(`
+data "keycloak_realm" "realm" {
+	realm = "%s"
+}
+
+resource "keycloak_openid_client" "client" {
+	client_id   = "%s"
+	realm_id    = data.keycloak_realm.realm.id
+	access_type = "CONFIDENTIAL"
+	standard_token_exchange_enabled = true
+	allow_refresh_token_in_standard_token_exchange = "%s"
+}
+	`, testAccRealm.Realm, clientId, allowRefreshTokenInStandardTokenExchange)
+}
+
 func testKeycloakOpenidClient_useRefreshTokensClientCredentials(clientId string, useRefreshTokensClientCredentials bool) string {
 
 	return fmt.Sprintf(`
