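---
# KeycloakClient custom resource registering the OIDC client "rhacs" in the
# realm selected by the label app=sso. The redirect URIs point at the
# central-rhacs route, so this is the client RHACS Central logs users in with.
apiVersion: keycloak.org/v1alpha1
kind: KeycloakClient
metadata:
  name: rhacs-client
  namespace: openshift-sso
  labels:
    app: sso
spec:
  realmSelector:
    matchLabels:
      app: sso
  client:
    clientId: rhacs
    # NOTE(review): the client secret is stored in clear text in this
    # manifest, so anyone who can read the file or this CR can authenticate
    # as the client. Treat the value as a sample: supply a unique,
    # high-entropy secret from a secret store at deploy time, and rotate it
    # if this value was ever applied to a cluster. The operator is understood
    # to publish the client credentials in a Secret named
    # keycloak-client-secret-<CR name> - confirm for your operator version.
    secret: averysecretsecret
    defaultClientScopes:
      - email
      - web-origins
      - acr
      - profile
      - roles
    optionalClientScopes:
      - address
      - phone
      # offline_access lets the client request long-lived offline tokens;
      # drop it if the consumer only needs interactive login - TODO confirm.
      - offline_access
      - microprofile-jwt
    protocolMappers:
      # Emits the user's realm roles as realm_access.roles in the access
      # token and in the userinfo response.
      - name: "realm roles"
        protocol: openid-connect
        protocolMapper: oidc-usermodel-realm-role-mapper
        consentRequired: false
        config:
          "multivalued": "true"
          "userinfo.token.claim": "true"
          "access.token.claim": "true"
          "claim.name": "realm_access.roles"
          "jsonType.label": "String"
      # NOTE(review): this is also a realm-role mapper, so the "groups" claim
      # carries realm role names, not Keycloak group membership. Any
      # authorization rule keyed on "groups" therefore grants access by realm
      # role; restrict who can assign those roles accordingly.
      - name: groups
        protocol: openid-connect
        protocolMapper: oidc-usermodel-realm-role-mapper
        consentRequired: false
        config:
          "multivalued": "true"
          "userinfo.token.claim": "true"
          "access.token.claim": "true"
          "claim.name": "groups"
          "jsonType.label": "JSON"
    # Authorization code flow.
    standardFlowEnabled: true
    # NOTE(review): enables the password grant, where the client handles user
    # passwords directly and interactive MFA is bypassed. A browser redirect
    # login does not need it; set to false unless a caller depends on it.
    directAccessGrantsEnabled: true
    frontChannelLogout: true
    # NOTE(review): with full scope every role mapped to the user is put into
    # tokens for this client, not only the roles the client needs. Prefer
    # false with explicit scope mappings - confirm the role claims above are
    # still populated afterwards.
    fullScopeAllowed: true
    # NOTE(review): the implicit flow returns tokens in the URL fragment,
    # where they can leak via browser history and logs. Because a client
    # secret is configured the code flow is available; set to false unless
    # the consumer is configured for a fragment-style callback.
    implicitFlowEnabled: true
    # Exact-match redirect URIs (no wildcards); keep them that way so the
    # authorization response can only be delivered to these two endpoints.
    redirectUris:
      - https://central-rhacs.apps.ocp4.example.com/sso/providers/oidc/callback
      - https://central-rhacs.apps.ocp4.example.com/auth/response/oidc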