keycloak · missedone · Jun 1, 2024
diff --git a/provider/resource_keycloak_openid_client.go b/provider/resource_keycloak_openid_client.go
@@ -502,6 +502,15 @@ func setOpenidClientData(ctx context.Context, keycloakClient *keycloak.KeycloakC
 		data.Set("access_type", "CONFIDENTIAL")
 	}
 
+	if client.AuthorizationSettings != nil {
+		authorizationSettings := make(map[string]any)
+		authorizationSettings["policy_enforcement_mode"] = client.AuthorizationSettings.PolicyEnforcementMode
+		authorizationSettings["decision_strategy"] = client.AuthorizationSettings.DecisionStrategy
+		authorizationSettings["allow_remote_resource_management"] = client.AuthorizationSettings.AllowRemoteResourceManagement
+		authorizationSettings["keep_defaults"] = client.AuthorizationSettings.KeepDefaults
+		data.Set("authorization", []interface{}{authorizationSettings})
+	}
+
 	if (keycloak.OpenidAuthenticationFlowBindingOverrides{}) == client.AuthenticationFlowBindingOverrides {
 		data.Set("authentication_flow_binding_overrides", nil)
 	} else {

diff --git a/provider/resource_keycloak_openid_client_test.go b/provider/resource_keycloak_openid_client_test.go
@@ -61,6 +61,23 @@ func TestAccKeycloakOpenidClient_basic_with_consent(t *testing.T) {
 	})
 }
 
+func TestAccKeycloakOpenidClient_basic_with_authorization(t *testing.T) {
+	t.Parallel()
+	clientId := acctest.RandomWithPrefix("tf-acc")
+
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: testAccProviderFactories,
+		PreCheck:          func() { testAccPreCheck(t) },
+		CheckDestroy:      testAccCheckKeycloakOpenidClientDestroy(),
+		Steps: []resource.TestStep{
+			{
+				Config: testKeycloakOpenidClient_basic_with_authorization(clientId),
+				Check:  testAccCheckKeycloakOpenidClientExistsWithCorrectAuthorizationSettings("keycloak_openid_client.client"),
+			},
+		},
+	})
+}
+
 func TestAccKeycloakOpenidClient_createAfterManualDestroy(t *testing.T) {
 	t.Parallel()
 	var client = &keycloak.OpenidClient{}
@@ -814,6 +831,29 @@ func testAccCheckKeycloakOpenidClientExistsWithCorrectConsentSettings(resourceNa
 	}
 }
 
+func testAccCheckKeycloakOpenidClientExistsWithCorrectAuthorizationSettings(resourceName string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		client, err := getOpenidClientFromState(s, resourceName)
+		if err != nil {
+			return err
+		}
+
+		if client.AuthorizationSettings == nil {
+			return fmt.Errorf("expected openid client to have authorization settings")
+		}
+
+		if client.AuthorizationSettings.DecisionStrategy != "AFFIRMATIVE" {
+			return fmt.Errorf("expected openid client to have decision_strategy %v, but got %v", "AFFIRMATIVE", client.AuthorizationSettings.DecisionStrategy)
+		}
+
+		if client.AuthorizationSettings.PolicyEnforcementMode != "ENFORCING" {
+			return fmt.Errorf("expected openid client to have policy_enforcement_mode %v, but got %v", "ENFORCING", client.AuthorizationSettings.PolicyEnforcementMode)
+		}
+
+		return nil
+	}
+}
+
 func testAccCheckKeycloakOpenidClientHasBackchannelSettings(resourceName, backchannelLogoutUrl string, backchannelLogoutSessionRequired, backchannelLogoutRevokeOfflineSessions bool) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		client, err := getOpenidClientFromState(s, resourceName)
@@ -1284,6 +1324,31 @@ resource "keycloak_openid_client" "client" {
 	`, testAccRealm.Realm, clientId)
 }
 
+func testKeycloakOpenidClient_basic_with_authorization(clientId string) string {
+	return fmt.Sprintf(`
+data "keycloak_realm" "realm" {
+	realm = "%s"
+}
+
+resource "keycloak_openid_client" "client" {
+	client_id   				= "%s"
+	realm_id    				= data.keycloak_realm.realm.id
+	access_type 				= "CONFIDENTIAL"
+	client_authenticator_type    = "client-secret"
+	standard_flow_enabled        = false
+	implicit_flow_enabled        = false
+	direct_access_grants_enabled = false
+	service_accounts_enabled     = true
+
+	authorization {
+    	policy_enforcement_mode          = "ENFORCING"
+    	decision_strategy                = "AFFIRMATIVE"
+    	allow_remote_resource_management = "true"
+	}
+}
+	`, testAccRealm.Realm, clientId)
+}
+
 func testKeycloakOpenidClient_AccessToken_basic(clientId, accessTokenLifespan string) string {
 	return fmt.Sprintf(`
 data "keycloak_realm" "realm" {