fix: allow use of custom client authenticator types (#845)
JackHartley authored Nov 10, 2023
1 parent a7e53aa commit 11b8a66
Showing 2 changed files with 5 additions and 6 deletions.
2 changes: 1 addition & 1 deletion docs/resources/openid_client.md
@@ -53,7 +53,7 @@ resource "keycloak_openid_client" "openid_client" {
URIs for security. This client should be used for applications using the Implicit grant flow.
- `BEARER-ONLY` - Used for services that never initiate a login. This client will only allow bearer token requests.
- `client_secret` - (Optional) The secret for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. This value is sensitive and should be treated with the same care as a password. If omitted, this will be generated by Keycloak.
- `client_authenticator_type` - (Optional) Defaults to `client-secret` The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. Can be one of the following:
- `client_authenticator_type` - (Optional) Defaults to `client-secret`. The authenticator type for clients with an `access_type` of `CONFIDENTIAL` or `BEARER-ONLY`. A default Keycloak installation will have the following available types:
- `client-secret` (Default) Use client id and client secret to authenticate client.
- `client-jwt` Use signed JWT to authenticate client. Set signing algorithm in `extra_config` with `attributes.token.endpoint.auth.signing.alg = <alg>`
- `client-x509` Use x509 certificate to authenticate client. Set Subject DN in `extra_config` with `attributes.x509.subjectdn = <subjectDn>`
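Review bot: the new wording on the `client_authenticator_type` line ("A default Keycloak installation will have the following available types") correctly stops presenting the list as exhaustive, but it should also tell users what happens when a value outside that list is supplied: the provider no longer rejects it at plan time, so a typo or a custom authenticator that is not actually registered in the realm will only fail when Keycloak rejects the client at apply time. One sentence such as "Custom authenticator types registered by Keycloak extensions may also be used; the provider does not validate this value, so unknown types are rejected by Keycloak on apply" would close that gap.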
9 changes: 4 additions & 5 deletions provider/resource_keycloak_openid_client.go
@@ -22,7 +22,6 @@ var (
keycloakOpenidClientAuthorizationPolicyEnforcementMode = []string{"ENFORCING", "PERMISSIVE", "DISABLED"}
keycloakOpenidClientResourcePermissionDecisionStrategies = []string{"UNANIMOUS", "AFFIRMATIVE", "CONSENSUS"}
keycloakOpenidClientPkceCodeChallengeMethod = []string{"", "plain", "S256"}
keycloakOpenidClientAuthenticatorTypes = []string{"client-secret", "client-jwt", "client-x509", "client-secret-jwt"}
)
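Review bot: deleting `keycloakOpenidClientAuthenticatorTypes` outright discards the list of built-in types rather than just the hard rejection; please confirm nothing else in the package (tests or other resources) still references the variable, since the diff only shows its removal from this file. If the intent is only to stop blocking custom authenticators, an alternative is to keep the slice and switch the attribute to a `ValidateDiagFunc` that returns a warning-severity diagnostic for values outside the built-in set, which preserves typo detection for the common case while still allowing plugin-registered types.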

func resourceKeycloakOpenidClient() *schema.Resource {
@@ -72,10 +71,10 @@ func resourceKeycloakOpenidClient() *schema.Resource {
Sensitive: true,
},
"client_authenticator_type": {
Type: schema.TypeString,
Optional: true,
ValidateFunc: validation.StringInSlice(keycloakOpenidClientAuthenticatorTypes, false),
Default: "client-secret",
Type: schema.TypeString,
Optional: true,
// No validation is performed since Keycloak plugins can register custom client authenticators
Default: "client-secret",
},
"standard_flow_enabled": {
Type: schema.TypeBool,
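Review bot: with `ValidateFunc` removed entirely, `client_authenticator_type = ""` is now accepted by the schema, and `Default: "client-secret"` does not help there because a default only applies when the attribute is unset, not when it is explicitly empty; an empty authenticator type then reaches the Keycloak API unchecked. Consider keeping a minimal check such as `ValidateFunc: validation.StringIsNotEmpty,` next to the explanatory comment so the schema still rejects the one value that can never be a valid authenticator id while leaving custom types unrestricted.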