diff --git a/.pulumi-java-gen.version b/.pulumi-java-gen.version
index 1cc5f657..589268e6 100644
--- a/.pulumi-java-gen.version
+++ b/.pulumi-java-gen.version
@@ -1 +1 @@
-1.1.0
\ No newline at end of file
+1.3.0
\ No newline at end of file
diff --git a/examples/go.mod b/examples/go.mod
index 77332413..aae3a48b 100644
--- a/examples/go.mod
+++ b/examples/go.mod
@@ -4,7 +4,7 @@ go 1.22
 toolchain go1.22.11
-require github.com/pulumi/pulumi/pkg/v3 v3.147.0
+require github.com/pulumi/pulumi/pkg/v3 v3.148.0
 require (
 cloud.google.com/go v0.112.1 // indirect
@@ -125,7 +125,7 @@ require (
 github.com/pmezard/go-difflib v1.0.0 // indirect
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
 github.com/pulumi/esc v0.10.0 // indirect
- github.com/pulumi/pulumi/sdk/v3 v3.147.0 // indirect
+ github.com/pulumi/pulumi/sdk/v3 v3.148.0 // indirect
 github.com/rivo/uniseg v0.4.4 // indirect
 github.com/rogpeppe/go-internal v1.12.0 // indirect
 github.com/ryanuber/go-glob v1.0.0 // indirect
diff --git a/examples/go.sum b/examples/go.sum
index d9d04598..107f0144 100644
--- a/examples/go.sum
+++ b/examples/go.sum
@@ -337,10 +337,10 @@ github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 h1:vkHw5I/plNdTr435
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231/go.mod h1:murToZ2N9hNJzewjHBgfFdXhZKjY3z5cYC1VXk+lbFE=
 github.com/pulumi/esc v0.10.0 h1:jzBKzkLVW0mePeanDRfqSQoCJ5yrkux0jIwAkUxpRKE=
 github.com/pulumi/esc v0.10.0/go.mod h1:2Bfa+FWj/xl8CKqRTWbWgDX0SOD4opdQgvYSURTGK2c=
-github.com/pulumi/pulumi/pkg/v3 v3.147.0 h1:aFzP2kXBL/nPPDao625xIkjAhqT5GKe3XfPXbG07oFA=
-github.com/pulumi/pulumi/pkg/v3 v3.147.0/go.mod h1:WqLJy8lfzbGTEqz5Rukd+GrqBYNBf8Y3dJ+Wde+G6g4=
-github.com/pulumi/pulumi/sdk/v3 v3.147.0 h1:8ZDZnEsCZa6shw1dwIDUssbYMooYyebhpmx5feuZCqM=
-github.com/pulumi/pulumi/sdk/v3 v3.147.0/go.mod h1:+WC9aIDo8fMgd2g0jCHuZU2S/VYNLRAZ3QXt6YVgwaA=
+github.com/pulumi/pulumi/pkg/v3 v3.148.0 h1:7FuRpw1ysvt5400x+5Ukbj14ue5W8b9fI+FZ8YMD7o4=
+github.com/pulumi/pulumi/pkg/v3 v3.148.0/go.mod h1:xxL0LnlNmjotV8Kz3sKITKCQf+U72prabgt4NAlJfRk=
+github.com/pulumi/pulumi/sdk/v3 v3.148.0 h1:tEw1FQOKoQVP7HfZWI9DJQl4ZvGaL1z2ixZdN2wGV/o=
+github.com/pulumi/pulumi/sdk/v3 v3.148.0/go.mod h1:+WC9aIDo8fMgd2g0jCHuZU2S/VYNLRAZ3QXt6YVgwaA=
 github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
diff --git a/provider/cmd/pulumi-resource-keycloak/schema.json b/provider/cmd/pulumi-resource-keycloak/schema.json
index 171e9405..c24f317b 100644
--- a/provider/cmd/pulumi-resource-keycloak/schema.json
+++ b/provider/cmd/pulumi-resource-keycloak/schema.json
@@ -3821,7 +3821,7 @@ } }, "keycloak:index/identityProviderTokenExchangeScopePermission:IdentityProviderTokenExchangeScopePermission": { - "description": "## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst tokenExchangeRealm = new keycloak.Realm(\"token_exchange_realm\", {\n realm: \"token-exchange_destination_realm\",\n enabled: true,\n});\nconst tokenExchangeMyOidcIdp = new keycloak.oidc.IdentityProvider(\"token_exchange_my_oidc_idp\", {\n realm: tokenExchangeRealm.id,\n alias: \"myIdp\",\n authorizationUrl: \"http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth\",\n tokenUrl: \"http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token\",\n clientId: \"clientId\",\n clientSecret: \"secret\",\n defaultScopes: \"openid\",\n});\nconst token_exchangeWebappClient = new keycloak.openid.Client(\"token-exchange_webapp_client\", {\n realmId: tokenExchangeRealm.id,\n name: \"webapp_client\",\n clientId: \"webapp_client\",\n clientSecret: \"secret\",\n description: \"a webapp client on the destination realm\",\n accessType: \"CONFIDENTIAL\",\n standardFlowEnabled: true,\n validRedirectUris: [\"http://localhost:8080/*\"],\n});\n//relevant part\nconst oidcIdpPermission = new keycloak.IdentityProviderTokenExchangeScopePermission(\"oidc_idp_permission\", {\n realmId: tokenExchangeRealm.id,\n providerAlias: tokenExchangeMyOidcIdp.alias,\n policyType: \"client\",\n clients: [token_exchangeWebappClient.id],\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\ntoken_exchange_realm = keycloak.Realm(\"token_exchange_realm\",\n realm=\"token-exchange_destination_realm\",\n enabled=True)\ntoken_exchange_my_oidc_idp = keycloak.oidc.IdentityProvider(\"token_exchange_my_oidc_idp\",\n realm=token_exchange_realm.id,\n alias=\"myIdp\",\n 
authorization_url=\"http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth\",\n token_url=\"http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token\",\n client_id=\"clientId\",\n client_secret=\"secret\",\n default_scopes=\"openid\")\ntoken_exchange_webapp_client = keycloak.openid.Client(\"token-exchange_webapp_client\",\n realm_id=token_exchange_realm.id,\n name=\"webapp_client\",\n client_id=\"webapp_client\",\n client_secret=\"secret\",\n description=\"a webapp client on the destination realm\",\n access_type=\"CONFIDENTIAL\",\n standard_flow_enabled=True,\n valid_redirect_uris=[\"http://localhost:8080/*\"])\n#relevant part\noidc_idp_permission = keycloak.IdentityProviderTokenExchangeScopePermission(\"oidc_idp_permission\",\n realm_id=token_exchange_realm.id,\n provider_alias=token_exchange_my_oidc_idp.alias,\n policy_type=\"client\",\n clients=[token_exchange_webapp_client.id])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var tokenExchangeRealm = new Keycloak.Realm(\"token_exchange_realm\", new()\n {\n RealmName = \"token-exchange_destination_realm\",\n Enabled = true,\n });\n\n var tokenExchangeMyOidcIdp = new Keycloak.Oidc.IdentityProvider(\"token_exchange_my_oidc_idp\", new()\n {\n Realm = tokenExchangeRealm.Id,\n Alias = \"myIdp\",\n AuthorizationUrl = \"http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth\",\n TokenUrl = \"http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token\",\n ClientId = \"clientId\",\n ClientSecret = \"secret\",\n DefaultScopes = \"openid\",\n });\n\n var token_exchangeWebappClient = new Keycloak.OpenId.Client(\"token-exchange_webapp_client\", new()\n {\n RealmId = tokenExchangeRealm.Id,\n Name = \"webapp_client\",\n ClientId = \"webapp_client\",\n ClientSecret = \"secret\",\n Description = \"a webapp client on the destination 
realm\",\n AccessType = \"CONFIDENTIAL\",\n StandardFlowEnabled = true,\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/*\",\n },\n });\n\n //relevant part\n var oidcIdpPermission = new Keycloak.IdentityProviderTokenExchangeScopePermission(\"oidc_idp_permission\", new()\n {\n RealmId = tokenExchangeRealm.Id,\n ProviderAlias = tokenExchangeMyOidcIdp.Alias,\n PolicyType = \"client\",\n Clients = new[]\n {\n token_exchangeWebappClient.Id,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/oidc\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\ttokenExchangeRealm, err := keycloak.NewRealm(ctx, \"token_exchange_realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"token-exchange_destination_realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttokenExchangeMyOidcIdp, err := oidc.NewIdentityProvider(ctx, \"token_exchange_my_oidc_idp\", \u0026oidc.IdentityProviderArgs{\n\t\t\tRealm: tokenExchangeRealm.ID(),\n\t\t\tAlias: pulumi.String(\"myIdp\"),\n\t\t\tAuthorizationUrl: pulumi.String(\"http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth\"),\n\t\t\tTokenUrl: pulumi.String(\"http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token\"),\n\t\t\tClientId: pulumi.String(\"clientId\"),\n\t\t\tClientSecret: pulumi.String(\"secret\"),\n\t\t\tDefaultScopes: pulumi.String(\"openid\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = openid.NewClient(ctx, \"token-exchange_webapp_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: tokenExchangeRealm.ID(),\n\t\t\tName: pulumi.String(\"webapp_client\"),\n\t\t\tClientId: pulumi.String(\"webapp_client\"),\n\t\t\tClientSecret: 
pulumi.String(\"secret\"),\n\t\t\tDescription: pulumi.String(\"a webapp client on the destination realm\"),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tStandardFlowEnabled: pulumi.Bool(true),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/*\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// relevant part\n\t\t_, err = keycloak.NewIdentityProviderTokenExchangeScopePermission(ctx, \"oidc_idp_permission\", \u0026keycloak.IdentityProviderTokenExchangeScopePermissionArgs{\n\t\t\tRealmId: tokenExchangeRealm.ID(),\n\t\t\tProviderAlias: tokenExchangeMyOidcIdp.Alias,\n\t\t\tPolicyType: pulumi.String(\"client\"),\n\t\t\tClients: pulumi.StringArray{\n\t\t\t\ttoken_exchangeWebappClient.ID(),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.oidc.IdentityProvider;\nimport com.pulumi.keycloak.oidc.IdentityProviderArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport com.pulumi.keycloak.IdentityProviderTokenExchangeScopePermission;\nimport com.pulumi.keycloak.IdentityProviderTokenExchangeScopePermissionArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var tokenExchangeRealm = new Realm(\"tokenExchangeRealm\", RealmArgs.builder()\n .realm(\"token-exchange_destination_realm\")\n .enabled(true)\n .build());\n\n var tokenExchangeMyOidcIdp = new IdentityProvider(\"tokenExchangeMyOidcIdp\", IdentityProviderArgs.builder()\n 
.realm(tokenExchangeRealm.id())\n .alias(\"myIdp\")\n .authorizationUrl(\"http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth\")\n .tokenUrl(\"http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token\")\n .clientId(\"clientId\")\n .clientSecret(\"secret\")\n .defaultScopes(\"openid\")\n .build());\n\n var token_exchangeWebappClient = new Client(\"token-exchangeWebappClient\", ClientArgs.builder()\n .realmId(tokenExchangeRealm.id())\n .name(\"webapp_client\")\n .clientId(\"webapp_client\")\n .clientSecret(\"secret\")\n .description(\"a webapp client on the destination realm\")\n .accessType(\"CONFIDENTIAL\")\n .standardFlowEnabled(true)\n .validRedirectUris(\"http://localhost:8080/*\")\n .build());\n\n //relevant part\n var oidcIdpPermission = new IdentityProviderTokenExchangeScopePermission(\"oidcIdpPermission\", IdentityProviderTokenExchangeScopePermissionArgs.builder()\n .realmId(tokenExchangeRealm.id())\n .providerAlias(tokenExchangeMyOidcIdp.alias())\n .policyType(\"client\")\n .clients(token_exchangeWebappClient.id())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n tokenExchangeRealm:\n type: keycloak:Realm\n name: token_exchange_realm\n properties:\n realm: token-exchange_destination_realm\n enabled: true\n tokenExchangeMyOidcIdp:\n type: keycloak:oidc:IdentityProvider\n name: token_exchange_my_oidc_idp\n properties:\n realm: ${tokenExchangeRealm.id}\n alias: myIdp\n authorizationUrl: http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth\n tokenUrl: http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token\n clientId: clientId\n clientSecret: secret\n defaultScopes: openid\n token-exchangeWebappClient:\n type: keycloak:openid:Client\n name: token-exchange_webapp_client\n properties:\n realmId: ${tokenExchangeRealm.id}\n name: webapp_client\n clientId: webapp_client\n clientSecret: secret\n description: a webapp client on the destination realm\n accessType: CONFIDENTIAL\n 
standardFlowEnabled: true\n validRedirectUris:\n - http://localhost:8080/*\n # relevant part\n oidcIdpPermission:\n type: keycloak:IdentityProviderTokenExchangeScopePermission\n name: oidc_idp_permission\n properties:\n realmId: ${tokenExchangeRealm.id}\n providerAlias: ${tokenExchangeMyOidcIdp.alias}\n policyType: client\n clients:\n - ${[\"token-exchangeWebappClient\"].id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nThis resource can be imported using the format `{{realm_id}}/{{provider_alias}}`, where `provider_alias` is the alias that\n\nyou assign to the identity provider upon creation.\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:index/identityProviderTokenExchangeScopePermission:IdentityProviderTokenExchangeScopePermission oidc_idp_permission my-realm/myIdp\n```\n\n", + "description": "## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as keycloak from \"@pulumi/keycloak\";\n\nconst tokenExchangeRealm = new keycloak.Realm(\"token_exchange_realm\", {\n realm: \"token-exchange_destination_realm\",\n enabled: true,\n});\nconst tokenExchangeMyOidcIdp = new keycloak.oidc.IdentityProvider(\"token_exchange_my_oidc_idp\", {\n realm: tokenExchangeRealm.id,\n alias: \"myIdp\",\n authorizationUrl: \"http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth\",\n tokenUrl: \"http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token\",\n clientId: \"clientId\",\n clientSecret: \"secret\",\n defaultScopes: \"openid\",\n});\nconst token_exchangeWebappClient = new keycloak.openid.Client(\"token-exchange_webapp_client\", {\n realmId: tokenExchangeRealm.id,\n name: \"webapp_client\",\n clientId: \"webapp_client\",\n clientSecret: \"secret\",\n description: \"a webapp client on the destination realm\",\n accessType: \"CONFIDENTIAL\",\n standardFlowEnabled: true,\n validRedirectUris: [\"http://localhost:8080/*\"],\n});\n//relevant 
part\nconst oidcIdpPermission = new keycloak.IdentityProviderTokenExchangeScopePermission(\"oidc_idp_permission\", {\n realmId: tokenExchangeRealm.id,\n providerAlias: tokenExchangeMyOidcIdp.alias,\n policyType: \"client\",\n clients: [token_exchangeWebappClient.id],\n});\n```\n```python\nimport pulumi\nimport pulumi_keycloak as keycloak\n\ntoken_exchange_realm = keycloak.Realm(\"token_exchange_realm\",\n realm=\"token-exchange_destination_realm\",\n enabled=True)\ntoken_exchange_my_oidc_idp = keycloak.oidc.IdentityProvider(\"token_exchange_my_oidc_idp\",\n realm=token_exchange_realm.id,\n alias=\"myIdp\",\n authorization_url=\"http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth\",\n token_url=\"http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token\",\n client_id=\"clientId\",\n client_secret=\"secret\",\n default_scopes=\"openid\")\ntoken_exchange_webapp_client = keycloak.openid.Client(\"token-exchange_webapp_client\",\n realm_id=token_exchange_realm.id,\n name=\"webapp_client\",\n client_id=\"webapp_client\",\n client_secret=\"secret\",\n description=\"a webapp client on the destination realm\",\n access_type=\"CONFIDENTIAL\",\n standard_flow_enabled=True,\n valid_redirect_uris=[\"http://localhost:8080/*\"])\n#relevant part\noidc_idp_permission = keycloak.IdentityProviderTokenExchangeScopePermission(\"oidc_idp_permission\",\n realm_id=token_exchange_realm.id,\n provider_alias=token_exchange_my_oidc_idp.alias,\n policy_type=\"client\",\n clients=[token_exchange_webapp_client.id])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Keycloak = Pulumi.Keycloak;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var tokenExchangeRealm = new Keycloak.Realm(\"token_exchange_realm\", new()\n {\n RealmName = \"token-exchange_destination_realm\",\n Enabled = true,\n });\n\n var tokenExchangeMyOidcIdp = new Keycloak.Oidc.IdentityProvider(\"token_exchange_my_oidc_idp\", new()\n {\n Realm = 
tokenExchangeRealm.Id,\n Alias = \"myIdp\",\n AuthorizationUrl = \"http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth\",\n TokenUrl = \"http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token\",\n ClientId = \"clientId\",\n ClientSecret = \"secret\",\n DefaultScopes = \"openid\",\n });\n\n var token_exchangeWebappClient = new Keycloak.OpenId.Client(\"token-exchange_webapp_client\", new()\n {\n RealmId = tokenExchangeRealm.Id,\n Name = \"webapp_client\",\n ClientId = \"webapp_client\",\n ClientSecret = \"secret\",\n Description = \"a webapp client on the destination realm\",\n AccessType = \"CONFIDENTIAL\",\n StandardFlowEnabled = true,\n ValidRedirectUris = new[]\n {\n \"http://localhost:8080/*\",\n },\n });\n\n //relevant part\n var oidcIdpPermission = new Keycloak.IdentityProviderTokenExchangeScopePermission(\"oidc_idp_permission\", new()\n {\n RealmId = tokenExchangeRealm.Id,\n ProviderAlias = tokenExchangeMyOidcIdp.Alias,\n PolicyType = \"client\",\n Clients = new[]\n {\n token_exchangeWebappClient.Id,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/oidc\"\n\t\"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/openid\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\ttokenExchangeRealm, err := keycloak.NewRealm(ctx, \"token_exchange_realm\", \u0026keycloak.RealmArgs{\n\t\t\tRealm: pulumi.String(\"token-exchange_destination_realm\"),\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttokenExchangeMyOidcIdp, err := oidc.NewIdentityProvider(ctx, \"token_exchange_my_oidc_idp\", \u0026oidc.IdentityProviderArgs{\n\t\t\tRealm: tokenExchangeRealm.ID(),\n\t\t\tAlias: pulumi.String(\"myIdp\"),\n\t\t\tAuthorizationUrl: 
pulumi.String(\"http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth\"),\n\t\t\tTokenUrl: pulumi.String(\"http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token\"),\n\t\t\tClientId: pulumi.String(\"clientId\"),\n\t\t\tClientSecret: pulumi.String(\"secret\"),\n\t\t\tDefaultScopes: pulumi.String(\"openid\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttoken_exchangeWebappClient, err := openid.NewClient(ctx, \"token-exchange_webapp_client\", \u0026openid.ClientArgs{\n\t\t\tRealmId: tokenExchangeRealm.ID(),\n\t\t\tName: pulumi.String(\"webapp_client\"),\n\t\t\tClientId: pulumi.String(\"webapp_client\"),\n\t\t\tClientSecret: pulumi.String(\"secret\"),\n\t\t\tDescription: pulumi.String(\"a webapp client on the destination realm\"),\n\t\t\tAccessType: pulumi.String(\"CONFIDENTIAL\"),\n\t\t\tStandardFlowEnabled: pulumi.Bool(true),\n\t\t\tValidRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8080/*\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// relevant part\n\t\t_, err = keycloak.NewIdentityProviderTokenExchangeScopePermission(ctx, \"oidc_idp_permission\", \u0026keycloak.IdentityProviderTokenExchangeScopePermissionArgs{\n\t\t\tRealmId: tokenExchangeRealm.ID(),\n\t\t\tProviderAlias: tokenExchangeMyOidcIdp.Alias,\n\t\t\tPolicyType: pulumi.String(\"client\"),\n\t\t\tClients: pulumi.StringArray{\n\t\t\t\ttoken_exchangeWebappClient.ID(),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.keycloak.Realm;\nimport com.pulumi.keycloak.RealmArgs;\nimport com.pulumi.keycloak.oidc.IdentityProvider;\nimport com.pulumi.keycloak.oidc.IdentityProviderArgs;\nimport com.pulumi.keycloak.openid.Client;\nimport com.pulumi.keycloak.openid.ClientArgs;\nimport 
com.pulumi.keycloak.IdentityProviderTokenExchangeScopePermission;\nimport com.pulumi.keycloak.IdentityProviderTokenExchangeScopePermissionArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var tokenExchangeRealm = new Realm(\"tokenExchangeRealm\", RealmArgs.builder()\n .realm(\"token-exchange_destination_realm\")\n .enabled(true)\n .build());\n\n var tokenExchangeMyOidcIdp = new IdentityProvider(\"tokenExchangeMyOidcIdp\", IdentityProviderArgs.builder()\n .realm(tokenExchangeRealm.id())\n .alias(\"myIdp\")\n .authorizationUrl(\"http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth\")\n .tokenUrl(\"http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token\")\n .clientId(\"clientId\")\n .clientSecret(\"secret\")\n .defaultScopes(\"openid\")\n .build());\n\n var token_exchangeWebappClient = new Client(\"token-exchangeWebappClient\", ClientArgs.builder()\n .realmId(tokenExchangeRealm.id())\n .name(\"webapp_client\")\n .clientId(\"webapp_client\")\n .clientSecret(\"secret\")\n .description(\"a webapp client on the destination realm\")\n .accessType(\"CONFIDENTIAL\")\n .standardFlowEnabled(true)\n .validRedirectUris(\"http://localhost:8080/*\")\n .build());\n\n //relevant part\n var oidcIdpPermission = new IdentityProviderTokenExchangeScopePermission(\"oidcIdpPermission\", IdentityProviderTokenExchangeScopePermissionArgs.builder()\n .realmId(tokenExchangeRealm.id())\n .providerAlias(tokenExchangeMyOidcIdp.alias())\n .policyType(\"client\")\n .clients(token_exchangeWebappClient.id())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n tokenExchangeRealm:\n type: keycloak:Realm\n name: token_exchange_realm\n properties:\n realm: token-exchange_destination_realm\n enabled: true\n 
tokenExchangeMyOidcIdp:\n type: keycloak:oidc:IdentityProvider\n name: token_exchange_my_oidc_idp\n properties:\n realm: ${tokenExchangeRealm.id}\n alias: myIdp\n authorizationUrl: http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth\n tokenUrl: http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token\n clientId: clientId\n clientSecret: secret\n defaultScopes: openid\n token-exchangeWebappClient:\n type: keycloak:openid:Client\n name: token-exchange_webapp_client\n properties:\n realmId: ${tokenExchangeRealm.id}\n name: webapp_client\n clientId: webapp_client\n clientSecret: secret\n description: a webapp client on the destination realm\n accessType: CONFIDENTIAL\n standardFlowEnabled: true\n validRedirectUris:\n - http://localhost:8080/*\n # relevant part\n oidcIdpPermission:\n type: keycloak:IdentityProviderTokenExchangeScopePermission\n name: oidc_idp_permission\n properties:\n realmId: ${tokenExchangeRealm.id}\n providerAlias: ${tokenExchangeMyOidcIdp.alias}\n policyType: client\n clients:\n - ${[\"token-exchangeWebappClient\"].id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nThis resource can be imported using the format `{{realm_id}}/{{provider_alias}}`, where `provider_alias` is the alias that\n\nyou assign to the identity provider upon creation.\n\nExample:\n\nbash\n\n```sh\n$ pulumi import keycloak:index/identityProviderTokenExchangeScopePermission:IdentityProviderTokenExchangeScopePermission oidc_idp_permission my-realm/myIdp\n```\n\n", "properties": { "authorizationIdpResourceId": { "type": "string", diff --git a/provider/go.mod b/provider/go.mod index ee3742cd..e74f9710 100644 --- a/provider/go.mod +++ b/provider/go.mod 
@@ -13,8 +13,8 @@ replace (
 require (
 github.com/keycloak/terraform-provider-keycloak v0.0.0-20241206084240-f87470c95855
 github.com/pulumi/providertest v0.1.3
- github.com/pulumi/pulumi-terraform-bridge/v3 v3.102.0
- github.com/pulumi/pulumi/sdk/v3 v3.147.0
+ github.com/pulumi/pulumi-terraform-bridge/v3 v3.103.0
+ github.com/pulumi/pulumi/sdk/v3 v3.148.0
 github.com/stretchr/testify v1.10.0
 )
@@ -184,7 +184,7 @@ require (
 github.com/pulumi/inflector v0.1.1 // indirect
 github.com/pulumi/pulumi-java/pkg v0.19.0 // indirect
 github.com/pulumi/pulumi-yaml v1.12.0 // indirect
- github.com/pulumi/pulumi/pkg/v3 v3.147.0 // indirect
+ github.com/pulumi/pulumi/pkg/v3 v3.148.0 // indirect
 github.com/pulumi/schema-tools v0.1.2 // indirect
 github.com/pulumi/terraform-diff-reader v0.0.2 // indirect
 github.com/rivo/uniseg v0.4.4 // indirect
diff --git a/provider/go.sum b/provider/go.sum
index bfaa225a..e8644d17 100644
--- a/provider/go.sum
+++ b/provider/go.sum
@@ -2159,14 +2159,14 @@ github.com/pulumi/providertest v0.1.3 h1:GpNKRy/haNjRHiUA9bi4diU4Op2zf3axYXbga5A
 github.com/pulumi/providertest v0.1.3/go.mod h1:GcsqEGgSngwaNOD+kICJPIUQlnA911fGBU8HDlJvVL0=
 github.com/pulumi/pulumi-java/pkg v0.19.0 h1:T9kkGUQJV7UTxenw08m3txsgQkNVnZZxvn1zCcNjaE8=
 github.com/pulumi/pulumi-java/pkg v0.19.0/go.mod h1:YKYYFEb3Jvzf/dDJo0xOeEkIfBAMkkkdhXulauvEjmc=
-github.com/pulumi/pulumi-terraform-bridge/v3 v3.102.0 h1:shzw3WluUr/TcK92njRDFxpdUMP1brbGVsgBFCzlQl0=
-github.com/pulumi/pulumi-terraform-bridge/v3 v3.102.0/go.mod h1:LwhiXOl9rpoRImUuDTfQQH2vTjL1JACnIFm/kWp1znU=
+github.com/pulumi/pulumi-terraform-bridge/v3 v3.103.0 h1:kHY3wnVOutj1G3XcjA4ZNSlHbrUKHfMTZsJRykTYc48=
+github.com/pulumi/pulumi-terraform-bridge/v3 v3.103.0/go.mod h1:2+e4IIfbop+OBZYcMvlgx9KPZ9J6VrweKHadjnYyI6M=
 github.com/pulumi/pulumi-yaml v1.12.0 h1:ThJP+EBqeJyCnS6w6/PwcEFOT5o112qv0lObhefmFCk=
 github.com/pulumi/pulumi-yaml v1.12.0/go.mod h1:EhZd1XDfuLa15O51qVVE16U6r8ldK9mLIBclqWCX27Y=
-github.com/pulumi/pulumi/pkg/v3 v3.147.0 h1:aFzP2kXBL/nPPDao625xIkjAhqT5GKe3XfPXbG07oFA=
-github.com/pulumi/pulumi/pkg/v3 v3.147.0/go.mod h1:WqLJy8lfzbGTEqz5Rukd+GrqBYNBf8Y3dJ+Wde+G6g4=
-github.com/pulumi/pulumi/sdk/v3 v3.147.0 h1:8ZDZnEsCZa6shw1dwIDUssbYMooYyebhpmx5feuZCqM=
-github.com/pulumi/pulumi/sdk/v3 v3.147.0/go.mod h1:+WC9aIDo8fMgd2g0jCHuZU2S/VYNLRAZ3QXt6YVgwaA=
+github.com/pulumi/pulumi/pkg/v3 v3.148.0 h1:7FuRpw1ysvt5400x+5Ukbj14ue5W8b9fI+FZ8YMD7o4=
+github.com/pulumi/pulumi/pkg/v3 v3.148.0/go.mod h1:xxL0LnlNmjotV8Kz3sKITKCQf+U72prabgt4NAlJfRk=
+github.com/pulumi/pulumi/sdk/v3 v3.148.0 h1:tEw1FQOKoQVP7HfZWI9DJQl4ZvGaL1z2ixZdN2wGV/o=
+github.com/pulumi/pulumi/sdk/v3 v3.148.0/go.mod h1:+WC9aIDo8fMgd2g0jCHuZU2S/VYNLRAZ3QXt6YVgwaA=
 github.com/pulumi/schema-tools v0.1.2 h1:Fd9xvUjgck4NA+7/jSk7InqCUT4Kj940+EcnbQKpfZo=
 github.com/pulumi/schema-tools v0.1.2/go.mod h1:62lgj52Tzq11eqWTIaKd+EVyYAu5dEcDJxMhTjvMO/k=
 github.com/pulumi/terraform-diff-reader v0.0.2 h1:kTE4nEXU3/SYXESvAIem+wyHMI3abqkI3OhJ0G04LLI=
diff --git a/sdk/go.mod b/sdk/go.mod
index 12be7bd6..213d68cb 100644
--- a/sdk/go.mod
+++ b/sdk/go.mod
@@ -6,7 +6,7 @@ toolchain go1.22.11
 require (
 github.com/blang/semver v3.5.1+incompatible
- github.com/pulumi/pulumi/sdk/v3 v3.147.0
+ github.com/pulumi/pulumi/sdk/v3 v3.148.0
 )
 require (
diff --git a/sdk/go.sum b/sdk/go.sum
index ca1b54e6..7aed7195 100644
--- a/sdk/go.sum
+++ b/sdk/go.sum
@@ -148,8 +148,8 @@ github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 h1:vkHw5I/plNdTr435
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231/go.mod h1:murToZ2N9hNJzewjHBgfFdXhZKjY3z5cYC1VXk+lbFE=
 github.com/pulumi/esc v0.9.1 h1:HH5eEv8sgyxSpY5a8yePyqFXzA8cvBvapfH8457+mIs=
 github.com/pulumi/esc v0.9.1/go.mod h1:oEJ6bOsjYlQUpjf70GiX+CXn3VBmpwFDxUTlmtUN84c=
-github.com/pulumi/pulumi/sdk/v3 v3.147.0 h1:8ZDZnEsCZa6shw1dwIDUssbYMooYyebhpmx5feuZCqM=
-github.com/pulumi/pulumi/sdk/v3 v3.147.0/go.mod h1:+WC9aIDo8fMgd2g0jCHuZU2S/VYNLRAZ3QXt6YVgwaA=
+github.com/pulumi/pulumi/sdk/v3 v3.148.0 h1:tEw1FQOKoQVP7HfZWI9DJQl4ZvGaL1z2ixZdN2wGV/o=
+github.com/pulumi/pulumi/sdk/v3 v3.148.0/go.mod h1:+WC9aIDo8fMgd2g0jCHuZU2S/VYNLRAZ3QXt6YVgwaA=
 github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
diff --git a/sdk/go/keycloak/identityProviderTokenExchangeScopePermission.go b/sdk/go/keycloak/identityProviderTokenExchangeScopePermission.go
index accd3f8d..b4b4f9cb 100644
--- a/sdk/go/keycloak/identityProviderTokenExchangeScopePermission.go
+++ b/sdk/go/keycloak/identityProviderTokenExchangeScopePermission.go
@@ -47,7 +47,7 @@ import (
 // if err != nil {
 // return err
 // }
-// _, err = openid.NewClient(ctx, "token-exchange_webapp_client", &openid.ClientArgs{
+// token_exchangeWebappClient, err := openid.NewClient(ctx, "token-exchange_webapp_client", &openid.ClientArgs{
 // RealmId: tokenExchangeRealm.ID(),
 // Name: pulumi.String("webapp_client"),
 // ClientId: pulumi.String("webapp_client"),
diff --git a/sdk/java/build.gradle b/sdk/java/build.gradle
index 09719115..616de301 100644
--- a/sdk/java/build.gradle
+++ b/sdk/java/build.gradle
@@ -44,7 +44,7 @@ repositories {
 dependencies {
 implementation("com.google.code.findbugs:jsr305:3.0.2")
 implementation("com.google.code.gson:gson:2.8.9")
- implementation("com.pulumi:pulumi:1.1.0")
+ implementation("com.pulumi:pulumi:1.3.0")
 }
 task sourcesJar(type: Jar) {
diff --git a/sdk/python/pulumi_keycloak/_utilities.py b/sdk/python/pulumi_keycloak/_utilities.py
index 3ce408d5..56d3cfb8 100644
--- a/sdk/python/pulumi_keycloak/_utilities.py
+++ b/sdk/python/pulumi_keycloak/_utilities.py
@@ -89,12 +89,16 @@ def _get_semver_version():
 elif pep440_version.pre_tag == 'rc':
 prerelease = f"rc.{pep440_version.pre}"
 elif pep440_version.dev is not None:
+ # PEP440 has explicit support for dev builds, while semver encodes them as "prerelease" versions. To bridge
+ # between the two, we convert our dev build version into a prerelease tag. This matches what all of our other
+ # packages do when constructing their own semver string.
 prerelease = f"dev.{pep440_version.dev}"
+ elif pep440_version.local is not None:
+ # PEP440 only allows a small set of prerelease tags, so when converting an arbitrary prerelease,
+ # PypiVersion in /pkg/codegen/python/utilities.go converts it to a local version. Therefore, we need to
+ # do the reverse conversion here and set the local version as the prerelease tag.
+ prerelease = pep440_version.local
- # The only significant difference between PEP440 and semver as it pertains to us is that PEP440 has explicit support
- # for dev builds, while semver encodes them as "prerelease" versions. In order to bridge between the two, we convert
- # our dev build version into a prerelease tag. This matches what all of our other packages do when constructing
- # their own semver string.
 return SemverVersion(major=major, minor=minor, patch=patch, prerelease=prerelease)
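Review bot: The new `elif pep440_version.local is not None:` branch is the last arm of the chain, so it only runs when the version has neither a pre-release tag nor a dev number; a version carrying both a dev number and a local segment (constructed example: `1.2.3.dev4+build.7`) still loses the local part without any signal. If that precedence is intended, state it in the branch comment, e.g. `# Only consulted when no pre-release or dev tag is set; a local segment next to one of those is ignored.` The value is also copied through unchanged, and PEP 440 normalises local labels (`-` and `_` become `.`), so the reverse conversion may not reproduce the original semver prerelease exactly — worth confirming if the resulting string is later matched against a published provider version. `_get_semver_version` begins above the hunk, so the earlier branches of the chain are not visible here.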