v1beta1

type AuthenticationExecutionInfo struct {
	// Authentication Execution Info Alias.
	// +optional
	Alias string `json:"alias,omitempty"`
	// Authentication Execution Info Config.
	// +optional
	AuthenticationConfig string `json:"authenticationConfig,omitempty"`
	// True if Authentication Flow is enabled.
	// +optional
	AuthenticationFlow bool `json:"authenticationFlow,omitempty"`
	// True if Authentication Execution Info is configurable.
	// +optional
	Configurable bool `json:"configurable,omitempty"`
	// Authentication Execution Info Display Name.
	// +optional
	DisplayName string `json:"displayName,omitempty"`
	// Authentication Execution Info Flow ID.
	// +optional
	FlowID string `json:"flowId,omitempty"`
	// Authentication Execution Info ID.
	// +optional
	ID string `json:"id,omitempty"`
	// Authentication Execution Info Index.
	// +optional
	Index int32 `json:"index,omitempty"`
	// Authentication Execution Info Level.
	// +optional
	Level int32 `json:"level,omitempty"`
	// Authentication Execution Info Provider ID.
	// +optional
	ProviderID string `json:"providerId,omitempty"`
	// Authentication Execution Info Requirement.
	// +optional
	Requirement string `json:"requirement,omitempty"`
	// Authentication Execution Info Requirement Choices.
	// +optional
	RequirementChoices []string `json:"requirementChoices,omitempty"`
}

type AuthenticatorConfig struct {
	// Authenticator Config Alias.
	// +optional
	Alias string `json:"alias,omitempty"`
	// Authenticator config.
	// +optional
	Config map[string]string `json:"config,omitempty"`
	// Authenticator ID.
	// +optional
	ID string `json:"id,omitempty"`
}

type ClientMappingsRepresentation struct {
	// Client
	// +optional
	Client string `json:"client,omitempty"`

	// ID
	// +optional
	ID string `json:"id,omitempty"`

	// Mappings
	// +optional
	Mappings []RoleRepresentation `json:"mappings,omitempty"`
}

type FederatedIdentity struct {
	// Federated Identity Provider.
	// +optional
	IdentityProvider string `json:"identityProvider,omitempty"`
	// Federated Identity User ID.
	// +optional
	UserID string `json:"userId,omitempty"`
	// Federated Identity User Name.
	// +optional
	UserName string `json:"userName,omitempty"`
}

type KeycloakAPIAuthenticationExecution struct {
	// Authenticator
	Authenticator string `json:"authenticator,omitempty"`

	// Authenticator Config
	// +optional
	AuthenticatorConfig string `json:"authenticatorConfig,omitempty"`

	// Authenticator flow
	// +optional
	AuthenticatorFlow bool `json:"authenticatorFlow,omitempty"`

	// Flow Alias
	// +optional
	FlowAlias string `json:"flowAlias,omitempty"`

	// Priority
	// +optional
	Priority int32 `json:"priority,omitempty"`

	// Requirement [REQUIRED, OPTIONAL, ALTERNATIVE, DISABLED]
	Requirement string `json:"requirement,omitempty"`

	// User setup allowed
	// +optional
	UserSetupAllowed bool `json:"userSetupAllowed,omitempty"`
}

type KeycloakAPIAuthenticationFlow struct {
	// Alias
	Alias string `json:"alias"`

	// Authentication executions
	AuthenticationExecutions []KeycloakAPIAuthenticationExecution `json:"authenticationExecutions"`

	// Built in
	// +optional
	BuiltIn bool `json:"builtIn,omitempty"`

	// Description
	// +optional
	Description string `json:"description,omitempty"`

	// ID
	// +optional
	ID string `json:"id,omitempty"`

	// Provider ID
	// +optional
	ProviderID string `json:"providerId,omitempty"`

	// Top level
	// +optional
	TopLevel bool `json:"topLevel,omitempty"`
}

type KeycloakAPIAuthenticatorConfig struct {
	// Alias
	Alias string `json:"alias"`

	// Config
	// +optional
	Config map[string]string `json:"config,omitempty"`

	// ID
	// +optional
	ID string `json:"id,omitempty"`
}

type KeycloakAPIClient struct {
	// Client ID. If not specified, automatically generated.
	// +optional
	ID string `json:"id,omitempty"`
	// Client ID.
	// +kubebuilder:validation:Required
	ClientID string `json:"clientId"`
	// Client name.
	// +optional
	Name string `json:"name,omitempty"`
	// Surrogate Authentication Required option.
	// +optional
	SurrogateAuthRequired bool `json:"surrogateAuthRequired,omitempty"`
	// Client enabled flag.
	// +optional
	Enabled bool `json:"enabled,omitempty"`
	// What Client authentication type to use.
	// +optional
	ClientAuthenticatorType string `json:"clientAuthenticatorType,omitempty"`
	// Client Secret. The Operator will automatically create a Secret based on this value.
	// +optional
	Secret string `json:"secret,omitempty"`
	// Application base URL.
	// +optional
	BaseURL string `json:"baseUrl,omitempty"`
	// Application Admin URL.
	// +optional
	AdminURL string `json:"adminUrl,omitempty"`
	// Application root URL.
	// +optional
	RootURL string `json:"rootUrl,omitempty"`
	// Client description.
	// +optional
	Description string `json:"description,omitempty"`
	// Default Client roles.
	// +optional
	DefaultRoles []string `json:"defaultRoles,omitempty"`
	// A list of valid Redirection URLs.
	// +optional
	RedirectUris []string `json:"redirectUris,omitempty"`
	// A list of valid Web Origins.
	// +optional
	WebOrigins []string `json:"webOrigins,omitempty"`
	// Not Before setting.
	// +optional
	NotBefore int `json:"notBefore,omitempty"`
	// True if a client supports only Bearer Tokens.
	// +optional
	BearerOnly bool `json:"bearerOnly,omitempty"`
	// True if Consent Screen is required.
	// +optional
	ConsentRequired bool `json:"consentRequired,omitempty"`
	// True if Standard flow is enabled.
	// +optional
	StandardFlowEnabled bool `json:"standardFlowEnabled"`
	// True if Implicit flow is enabled.
	// +optional
	ImplicitFlowEnabled bool `json:"implicitFlowEnabled"`
	// True if Direct Grant is enabled.
	// +optional
	DirectAccessGrantsEnabled bool `json:"directAccessGrantsEnabled"`
	// True if Service Accounts are enabled.
	// +optional
	ServiceAccountsEnabled bool `json:"serviceAccountsEnabled,omitempty"`
	// True if this is a public Client.
	// +optional
	PublicClient bool `json:"publicClient"`
	// True if this client supports Front Channel logout.
	// +optional
	FrontchannelLogout bool `json:"frontchannelLogout,omitempty"`
	// Protocol used for this Client.
	// +optional
	Protocol string `json:"protocol,omitempty"`
	// Client Attributes.
	// +optional
	Attributes map[string]string `json:"attributes,omitempty"`
	// True if Full Scope is allowed.
	// +optional
	FullScopeAllowed *bool `json:"fullScopeAllowed,omitempty"`
	// Node registration timeout.
	// +optional
	NodeReRegistrationTimeout int `json:"nodeReRegistrationTimeout,omitempty"`
	// Protocol Mappers.
	// +optional
	ProtocolMappers []KeycloakProtocolMapper `json:"protocolMappers,omitempty"`
	// True to use a Template Config.
	// +optional
	UseTemplateConfig bool `json:"useTemplateConfig,omitempty"`
	// True to use Template Scope.
	// +optional
	UseTemplateScope bool `json:"useTemplateScope,omitempty"`
	// True to use Template Mappers.
	// +optional
	UseTemplateMappers bool `json:"useTemplateMappers,omitempty"`
	// Access options.
	// +optional
	Access map[string]bool `json:"access,omitempty"`
	// A list of optional client scopes. Optional client scopes are
	// applied when issuing tokens for this client, but only when they
	// are requested by the scope parameter in the OpenID Connect
	// authorization request.
	// +optional
	OptionalClientScopes []string `json:"optionalClientScopes,omitempty"`
	// A list of default client scopes. Default client scopes are
	// always applied when issuing OpenID Connect tokens or SAML
	// assertions for this client.
	// +optional
	DefaultClientScopes []string `json:"defaultClientScopes,omitempty"`
	// True if fine-grained authorization support is enabled for this client.
	// +optional
	AuthorizationServicesEnabled bool `json:"authorizationServicesEnabled,omitempty"`
	// Authorization settings for this resource server.
	// +optional
	AuthorizationSettings *KeycloakResourceServer `json:"authorizationSettings,omitempty"`
	// Authentication Flow Binding Overrides.
	// +optional
	AuthenticationFlowBindingOverrides map[string]string `json:"authenticationFlowBindingOverrides,omitempty"`
	AlwaysDisplayInConsole             bool              `json:"alwaysDisplayInConsole,omitempty"`
}

type KeycloakAPIPasswordReset struct {
	// Password Reset Type.
	// +optional
	Type string `json:"type"`
	// Password Reset Value.
	// +optional
	Value string `json:"value"`
	// True if this Password Reset object is temporary.
	// +optional
	Temporary bool `json:"temporary"`
}

type KeycloakAPIRealm struct {
	// +kubebuilder:validation:Required
	// +optional
	ID string `json:"id,omitempty"`
	// Realm name.
	// +kubebuilder:validation:Required
	Realm string `json:"realm"`
	// Realm enabled flag.
	// +optional
	Enabled bool `json:"enabled"`
	// Realm display name.
	// +optional
	DisplayName string `json:"displayName"`
	// Realm HTML display name.
	// +optional
	DisplayNameHTML string `json:"displayNameHtml,omitempty"`
	// Realm Password Policy
	// +optional
	PasswordPolicy string `json:"passwordPolicy,omitempty"`
	// A set of Keycloak Users.
	// +optional
	Users []KeycloakAPIUser `json:"users,omitempty"`
	// A set of Keycloak Clients.
	// +optional
	Clients []KeycloakAPIClient `json:"clients,omitempty"`
	// A set of Identity Providers.
	// +optional
	IdentityProviders []KeycloakIdentityProvider `json:"identityProviders,omitempty"`
	// A set of Identity Provider Mappers.
	// +optional
	IdentityProviderMappers []KeycloakIdentityProviderMapper `json:"identityProviderMappers,omitempty"`
	// A set of Event Listeners.
	// +optional
	EventsListeners []string `json:"eventsListeners,omitempty"`
	// Enable events recording
	// TODO: change to values and use kubebuilder default annotation once supported
	// +optional
	EventsEnabled *bool `json:"eventsEnabled,omitempty"`

	Groups []string `json:"groups,omitempty"`

	EnabledEventTypes []string `json:"enabledEventTypes,omitempty"`
	// Enable events recording
	// TODO: change to values and use kubebuilder default annotation once supported
	// +optional
	AdminEventsEnabled *bool `json:"adminEventsEnabled,omitempty"`
	// Enable admin events details
	// TODO: change to values and use kubebuilder default annotation once supported
	// +optional
	AdminEventsDetailsEnabled *bool `json:"adminEventsDetailsEnabled,omitempty"`

	// Client scopes
	// +optional
	ClientScopes []KeycloakClientScope `json:"clientScopes,omitempty"`

	// Default client scopes to add to all new clients
	// +optional
	DefaultDefaultClientScopes []string `json:"defaultDefaultClientScopes,omitempty"`

	// Authentication flows
	// +optional
	AuthenticationFlows []KeycloakAPIAuthenticationFlow `json:"authenticationFlows,omitempty"`

	// Authenticator config
	// +optional
	AuthenticatorConfig []KeycloakAPIAuthenticatorConfig `json:"authenticatorConfig,omitempty"`

	// Point keycloak to an external user provider to validate
	// credentials or pull in identity information.
	// +optional
	UserFederationProviders []KeycloakAPIUserFederationProvider `json:"userFederationProviders,omitempty"`

	// User federation mappers are extension points triggered by the
	// user federation at various points.
	// +optional
	UserFederationMappers []KeycloakAPIUserFederationMapper `json:"userFederationMappers,omitempty"`

	// User registration
	// +optional
	RegistrationAllowed *bool `json:"registrationAllowed,omitempty"`
	// Email as username
	// +optional
	RegistrationEmailAsUsername *bool `json:"registrationEmailAsUsername,omitempty"`
	// Edit username
	// +optional
	EditUsernameAllowed *bool `json:"editUsernameAllowed,omitempty"`
	// Forgot password
	// +optional
	ResetPasswordAllowed *bool `json:"resetPasswordAllowed,omitempty"`
	// Remember me
	// +optional
	RememberMe *bool `json:"rememberMe,omitempty"`
	// Verify email
	// +optional
	VerifyEmail *bool `json:"verifyEmail,omitempty"`
	// Login with email
	// +optional
	LoginWithEmailAllowed *bool `json:"loginWithEmailAllowed,omitempty"`
	// Duplicate emails
	// +optional
	DuplicateEmailsAllowed *bool `json:"duplicateEmailsAllowed,omitempty"`
	// Require SSL
	// +optional
	SslRequired string `json:"sslRequired,omitempty"`

	// Brute Force Detection
	// +optional
	BruteForceProtected *bool `json:"bruteForceProtected,omitempty"`
	// Permanent Lockout
	// +optional
	PermanentLockout *bool `json:"permanentLockout,omitempty"`
	// Max Login Failures
	// +optional
	FailureFactor *int32 `json:"failureFactor,omitempty"`
	// Wait Increment
	// +optional
	WaitIncrementSeconds *int32 `json:"waitIncrementSeconds,omitempty"`
	// Quick Login Check Milli Seconds
	// +optional
	QuickLoginCheckMilliSeconds *int64 `json:"quickLoginCheckMilliSeconds,omitempty"`
	// Minimum Quick Login Wait
	// +optional
	MinimumQuickLoginWaitSeconds *int32 `json:"minimumQuickLoginWaitSeconds,omitempty"`
	// Max Wait
	// +optional
	MaxFailureWaitSeconds *int32 `json:"maxFailureWaitSeconds,omitempty"`
	// Failure Reset Time
	// +optional
	MaxDeltaTimeSeconds *int32 `json:"maxDeltaTimeSeconds,omitempty"`

	// Email
	// +optional
	SMTPServer map[string]string `json:"smtpServer,omitempty"`

	// Login Theme
	// +optional
	LoginTheme string `json:"loginTheme,omitempty"`
	// Account Theme
	// +optional
	AccountTheme string `json:"accountTheme,omitempty"`
	// Admin Console Theme
	// +optional
	AdminTheme string `json:"adminTheme,omitempty"`
	// Email Theme
	// +optional
	EmailTheme string `json:"emailTheme,omitempty"`
	// Internationalization Enabled
	// +optional
	InternationalizationEnabled *bool `json:"internationalizationEnabled,omitempty"`
	// Supported Locales
	// +optional
	SupportedLocales []string `json:"supportedLocales,omitempty"`
	// Default Locale
	// +optional
	DefaultLocale string `json:"defaultLocale,omitempty"`

	// Roles
	// +optional
	Roles *RolesRepresentation `json:"roles,omitempty"`

	// Default role
	// +optional
	DefaultRole *RoleRepresentation `json:"defaultRole,omitempty"`

	// Scope Mappings
	// +optional
	ScopeMappings []ScopeMappingRepresentation `json:"scopeMappings,omitempty"`
	// Client Scope Mappings
	// +optional
	ClientScopeMappings map[string]ScopeMappingRepresentationArray `json:"clientScopeMappings,omitempty"`

	// Access Token Lifespan For Implicit Flow
	// +optional
	AccessTokenLifespanForImplicitFlow *int32 `json:"accessTokenLifespanForImplicitFlow,omitempty"`
	// Access Token Lifespan
	// +optional
	AccessTokenLifespan *int32 `json:"accessTokenLifespan,omitempty"`

	// User Managed Access Allowed
	// +optional
	UserManagedAccessAllowed *bool `json:"userManagedAccessAllowed,omitempty"`

	// OTP Policy Algorithm
	// +optional
	OtpPolicyAlgorithm string `json:"otpPolicyAlgorithm,omitempty"`

	// OTP Policy Digits
	// +optional
	OtpPolicyDigits *int32 `json:"otpPolicyDigits,omitempty"`

	// OTP Policy Initial Counter
	// +optional
	OtpPolicyInitialCounter *int32 `json:"otpPolicyInitialCounter,omitempty"`

	// OTP Policy Look Ahead Window
	// +optional
	OtpPolicyLookAheadWindow *int32 `json:"otpPolicyLookAheadWindow,omitempty"`

	// OTP Policy Period
	// +optional
	OtpPolicyPeriod *int32 `json:"otpPolicyPeriod,omitempty"`

	// OTP Policy Type
	// +optional
	OtpPolicyType string `json:"otpPolicyType,omitempty"`

	// OTP Supported Applications
	// +optional
	OtpSupportedApplications []string `json:"otpSupportedApplications,omitempty"`

	// Browser authentication flow
	// +optional
	BrowserFlow string `json:"browserFlow,omitempty"`

	// Direct Grant authentication flow
	// +optional
	DirectGrantFlow string `json:"directGrantFlow,omitempty"`

	// Client authentication flow
	// +optional
	ClientAuthenticationFlow string `json:"clientAuthenticationFlow,omitempty"`

	// Reset Credentials authentication flow
	// +optional
	ResetCredentialsFlow string `json:"resetCredentialsFlow,omitempty"`

	// Registration flow
	// +optional
	RegistrationFlow string `json:"registrationFlow,omitempty"`

	// Docker Authentication flow
	// +optional
	DockerAuthenticationFlow string `json:"dockerAuthenticationFlow,omitempty"`

	AccessCodeLifespan                  int32             `json:"accessCodeLifespan,omitempty"`
	AccessCodeLifespanLogin             int32             `json:"accessCodeLifespanLogin,omitempty"`
	AccessCodeLifespanUserAction        int32             `json:"accessCodeLifespanUserAction,omitempty"`
	ActionTokenGeneratedByAdminLifespan int32             `json:"actionTokenGeneratedByAdminLifespan,omitempty"`
	ActionTokenGeneratedByUserLifespan  int32             `json:"actionTokenGeneratedByUserLifespan,omitempty"`
	Attributes                          map[string]string `json:"attributes,omitempty"`
	BrowserSecurityHeaders              map[string]string `json:"browserSecurityHeaders,omitempty"`
	ClientOfflineSessionIdleTimeout     int32             `json:"clientOfflineSessionIdleTimeout,omitempty"`
	ClientOfflineSessionMaxLifespan     int32             `json:"clientOfflineSessionMaxLifespan,omitempty"`
	ClientSessionIdleTimeout            int32             `json:"clientSessionIdleTimeout,omitempty"`
	ClientSessionMaxLifespan            int32             `json:"clientSessionMaxLifespan,omitempty"`
	Components                          extv1.JSON        `json:"components,omitempty"`
	DefaultOptionalClientScopes         []string          `json:"defaultOptionalClientScopes,omitempty"`
	EventsExpiration                    int64             `json:"eventsExpiration,omitempty"`
	OfflineSessionIdleTimeout           int32             `json:"offlineSessionIdleTimeout,omitempty"`
	OfflineSessionMaxLifespan           int32             `json:"offlineSessionMaxLifespan,omitempty"`
	OfflineSessionMaxLifespanEnabled    bool              `json:"offlineSessionMaxLifespanEnabled,omitempty"`
	RefreshTokenMaxReuse                int32             `json:"refreshTokenMaxReuse,omitempty"`
	RequiredActions                     extv1.JSON        `json:"requiredActions,omitempty"`
	RevokeRefreshToken                  bool              `json:"revokeRefreshToken,omitempty"`

	SSOSessionIdleTimeout           int32 `json:"ssoSessionIdleTimeout,omitempty"`
	SSOSessionIdleTimeoutRememberMe int32 `json:"ssoSessionIdleTimeoutRememberMe,omitempty"`
	SSOSessionMaxLifespan           int32 `json:"ssoSessionMaxLifespan,omitempty"`
	SSOSessionMaxLifespanRememberMe int32 `json:"ssoSessionMaxLifespanRememberMe,omitempty"`

	NotBefore int32 `json:"notBefore,omitempty"`

	WebAuthnPolicyAcceptableAaguids                           []string `json:"webAuthnPolicyAcceptableAaguids,omitempty"`
	WebAuthnPolicyAttestationConveyancePreference             string   `json:"webAuthnPolicyAttestationConveyancePreference,omitempty"`
	WebAuthnPolicyAuthenticatorAttachment                     string   `json:"webAuthnPolicyAuthenticatorAttachment,omitempty"`
	WebAuthnPolicyAvoidSameAuthenticatorRegister              bool     `json:"webAuthnPolicyAvoidSameAuthenticatorRegister,omitempty"`
	WebAuthnPolicyCreateTimeout                               int32    `json:"webAuthnPolicyCreateTimeout,omitempty"`
	WebAuthnPolicyPasswordlessAcceptableAaguids               []string `json:"webAuthnPolicyPasswordlessAcceptableAaguids,omitempty"`
	WebAuthnPolicyPasswordlessAttestationConveyancePreference string   `json:"webAuthnPolicyPasswordlessAttestationConveyancePreference,omitempty"`
	WebAuthnPolicyPasswordlessAuthenticatorAttachment         string   `json:"webAuthnPolicyPasswordlessAuthenticatorAttachment,omitempty"`
	WebAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister  bool     `json:"webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister,omitempty"`
	WebAuthnPolicyPasswordlessCreateTimeout                   int32    `json:"webAuthnPolicyPasswordlessCreateTimeout,omitempty"`
	WebAuthnPolicyPasswordlessRequireResidentKey              string   `json:"webAuthnPolicyPasswordlessRequireResidentKey,omitempty"`
	WebAuthnPolicyPasswordlessRpEntityName                    string   `json:"webAuthnPolicyPasswordlessRpEntityName,omitempty"`
	WebAuthnPolicyPasswordlessRpId                            string   `json:"webAuthnPolicyPasswordlessRpId,omitempty"`
	WebAuthnPolicyPasswordlessSignatureAlgorithms             []string `json:"webAuthnPolicyPasswordlessSignatureAlgorithms,omitempty"`
	WebAuthnPolicyPasswordlessUserVerificationRequirement     string   `json:"webAuthnPolicyPasswordlessUserVerificationRequirement,omitempty"`
	WebAuthnPolicyRequireResidentKey                          string   `json:"webAuthnPolicyRequireResidentKey,omitempty"`
	WebAuthnPolicyRpEntityName                                string   `json:"webAuthnPolicyRpEntityName,omitempty"`
	WebAuthnPolicyRpId                                        string   `json:"webAuthnPolicyRpId,omitempty"`
	WebAuthnPolicySignatureAlgorithms                         []string `json:"webAuthnPolicySignatureAlgorithms,omitempty"`
	WebAuthnPolicyUserVerificationRequirement                 string   `json:"webAuthnPolicyUserVerificationRequirement,omitempty"`
}

type KeycloakAPIUser struct {
	// User ID.
	// +optional
	ID string `json:"id,omitempty"`
	// User Name.
	// +optional
	UserName string `json:"username,omitempty"`
	// First Name.
	// +optional
	FirstName string `json:"firstName,omitempty"`
	// Last Name.
	// +optional
	LastName string `json:"lastName,omitempty"`
	// Email.
	// +optional
	Email string `json:"email,omitempty"`
	// True if email has already been verified.
	// +optional
	EmailVerified bool `json:"emailVerified,omitempty"`
	// User enabled flag.
	// +optional
	Enabled bool `json:"enabled,omitempty"`
	// A set of Realm Roles.
	// +optional
	RealmRoles []string `json:"realmRoles,omitempty"`
	// A set of Client Roles.
	// +optional
	ClientRoles map[string][]string `json:"clientRoles,omitempty"`
	// A set of Required Actions.
	// +optional
	RequiredActions []string `json:"requiredActions,omitempty"`
	// A set of Groups.
	// +optional
	Groups []string `json:"groups,omitempty"`
	// A set of Federated Identities.
	// +optional
	FederatedIdentities []FederatedIdentity `json:"federatedIdentities,omitempty"`
	// A set of Credentials.
	// +optional
	Credentials []KeycloakCredential `json:"credentials,omitempty"`
	// A set of Attributes.
	// +optional
	Attributes map[string][]string `json:"attributes,omitempty"`
	NotBefore  int32               `json:"notBefore,omitempty"`

	DisableableCredentialTypes []string `json:"disableableCredentialTypes,omitempty"`
	ServiceAccountClientId     string   `json:"serviceAccountClientId,omitempty"`
	TOTP                       bool     `json:"totp,omitempty"`
}

type KeycloakAPIUserFederationMapper struct {
	// User federation mapper config.
	// +optional
	Config map[string]string `json:"config,omitempty"`

	// +optional
	Name string `json:"name,omitempty"`

	// +optional
	ID string `json:"id,omitempty"`

	// +optional
	FederationMapperType string `json:"federationMapperType,omitempty"`

	// The displayName for the user federation provider this mapper applies to.
	FederationProviderDisplayName string `json:"federationProviderDisplayName,omitempty"`
}

type KeycloakAPIUserFederationProvider struct {

	// +optional
	ChangedSyncPeriod *int32 `json:"changedSyncPeriod,omitempty"`

	// User federation provider config.
	// +optional
	Config map[string]string `json:"config,omitempty"`

	// The display name of this provider instance.
	// +optional
	DisplayName string `json:"displayName,omitempty"`

	// +optional
	FullSyncPeriod *int32 `json:"fullSyncPeriod,omitempty"`

	// The ID of this provider
	// +optional
	ID string `json:"id,omitempty"`

	// The priority of this provider when looking up users or adding a user.
	// +optional
	Priority *int32 `json:"priority,omitempty"`

	// The name of the user provider, such as "ldap", "kerberos" or a custom SPI.
	// +optional
	ProviderName string `json:"providerName,omitempty"`
}

type KeycloakClient struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec KeycloakClientSpec `json:"spec,omitempty"`
}

type KeycloakClientList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakClient `json:"items"`
}

type KeycloakClientScope struct {
	// +optional
	Attributes map[string]string `json:"attributes,omitempty"`
	// +optional
	Description string `json:"description,omitempty"`
	// +optional
	ID string `json:"id,omitempty"`
	// +optional
	Name string `json:"name,omitempty"`
	// +optional
	Protocol string `json:"protocol,omitempty"`
	// Protocol Mappers.
	// +optional
	ProtocolMappers []KeycloakProtocolMapper `json:"protocolMappers,omitempty"`
}

type KeycloakClientSpec struct {
	// Selector for looking up KeycloakRealm Custom Resources.
	// +kubebuilder:validation:Required
	// This field is deprecated
	RealmSelector *metav1.LabelSelector `json:"realmSelector"`
	// Keycloak Client REST object.
	// +kubebuilder:validation:Required
	Client KeycloakAPIClient `json:"client"`
}

type KeycloakCredential struct {
	// Credential Type.
	// +optional
	Type string `json:"type,omitempty"`
	// Credential Value.
	// +optional
	Value string `json:"value,omitempty"`
	// True if this credential object is temporary.
	// +optional
	Temporary bool `json:"temporary,omitempty"`
}

type KeycloakIdentityProvider struct {
	// Identity Provider Alias.
	// +optional
	Alias string `json:"alias,omitempty"`
	// Identity Provider Display Name.
	// +optional
	DisplayName string `json:"displayName,omitempty"`
	// Identity Provider Internal ID.
	// +optional
	InternalID string `json:"internalId,omitempty"`
	// Identity Provider ID.
	// +optional
	ProviderID string `json:"providerId,omitempty"`
	// Identity Provider enabled flag.
	// +optional
	Enabled bool `json:"enabled,omitempty"`
	// Identity Provider Trust Email.
	// +optional
	TrustEmail bool `json:"trustEmail,omitempty"`
	// Identity Provider Store to Token.
	// +optional
	StoreToken bool `json:"storeToken,omitempty"`
	// Adds Read Token role when creating this Identity Provider.
	// +optional
	AddReadTokenRoleOnCreate bool `json:"addReadTokenRoleOnCreate,omitempty"`
	// Identity Provider First Broker Login Flow Alias.
	// +optional
	FirstBrokerLoginFlowAlias string `json:"firstBrokerLoginFlowAlias,omitempty"`
	// Identity Provider Post Broker Login Flow Alias.
	// +optional
	PostBrokerLoginFlowAlias string `json:"postBrokerLoginFlowAlias,omitempty"`
	// Identity Provider Link Only setting.
	// +optional
	LinkOnly bool `json:"linkOnly,omitempty"`
	// Identity Provider config.
	// +optional
	Config map[string]string `json:"config,omitempty"`
}

type KeycloakIdentityProviderMapper struct {
	ID   string `json:"id,omitempty"`
	Name string `json:"name,omitempty"`
	// Identity Provider Alias.
	// +optional
	IdentityProviderAlias string `json:"identityProviderAlias,omitempty"`
	// Identity Provider Mapper.
	// +optional
	IdentityProviderMapper string `json:"identityProviderMapper,omitempty"`
	// Identity Provider Mapper config.
	// +optional
	Config map[string]string `json:"config,omitempty"`
}

type KeycloakPolicy struct {
	// Config.
	// +optional
	Config map[string]string `json:"config,omitempty"`
	// The decision strategy dictates how the policies associated with a given permission are evaluated and how
	// a final decision is obtained. 'Affirmative' means that at least one policy must evaluate to a positive
	// decision in order for the final decision to be also positive. 'Unanimous' means that all policies must
	// evaluate to a positive decision in order for the final decision to be also positive. 'Consensus' means
	// that the number of positive decisions must be greater than the number of negative decisions. If the number
	// of positive and negative is the same, the final decision will be negative.
	// +optional
	DecisionStrategy string `json:"decisionStrategy,omitempty"`
	// A description for this policy.
	// +optional
	Description string `json:"description,omitempty"`
	// ID.
	// +optional
	ID string `json:"id,omitempty"`
	// The logic dictates how the policy decision should be made. If 'Positive', the resulting effect
	// (permit or deny) obtained during the evaluation of this policy will be used to perform a decision.
	// If 'Negative', the resulting effect will be negated, in other words, a permit becomes a deny and vice-versa.
	// +optional
	Logic string `json:"logic,omitempty"`
	// The name of this policy.
	// +optional
	Name string `json:"name,omitempty"`
	// Owner.
	// +optional
	Owner string `json:"owner,omitempty"`
	// Policies.
	// +optional
	Policies []string `json:"policies,omitempty"`
	// Resources.
	// +optional
	Resources []string `json:"resources,omitempty"`
	// Resources Data.
	// +optional
	ResourcesData []KeycloakResource `json:"resourcesData,omitempty"`
	// Scopes.
	// +optional
	Scopes []string `json:"scopes,omitempty"`
	// Type.
	// +optional
	Type string `json:"type,omitempty"`
	// Scopes Data.
	// +optional
	ScopesData []apiextensionsv1.JSON `json:"scopesData,omitempty"`
}

type KeycloakProtocolMapper struct {
	// Protocol Mapper ID.
	// +optional
	ID string `json:"id,omitempty"`
	// Protocol Mapper Name.
	// +optional
	Name string `json:"name,omitempty"`
	// Protocol to use.
	// +optional
	Protocol string `json:"protocol,omitempty"`
	// Protocol Mapper to use
	// +optional
	ProtocolMapper string `json:"protocolMapper,omitempty"`
	// True if Consent Screen is required.
	// +optional
	ConsentRequired bool `json:"consentRequired,omitempty"`
	// Text to use for displaying Consent Screen.
	// +optional
	ConsentText string `json:"consentText,omitempty"`
	// Config options.
	// +optional
	Config map[string]string `json:"config,omitempty"`
}

type KeycloakRealm struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KeycloakRealmSpec   `json:"spec,omitempty"`
	Status KeycloakRealmStatus `json:"status,omitempty"`
}

type KeycloakRealmList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakRealm `json:"items"`
}

type KeycloakRealmSpec struct {
	// +required
	Address string `json:"address,omitempty"`

	// Contains a credentials set of a user with enough permission to manage keycloak
	// +optional
	AuthSecret *SecretReference `json:"authSecret,omitempty"`

	// Interval reconciliation
	// +optional
	Interval *metav1.Duration `json:"interval,omitempty"`

	// Suspend reconciliation
	// +optional
	Suspend bool `json:"suspend,omitempty"`

	// Version is the keycloak version
	// +required
	Version string `json:"version"`

	// Realm is the unstructured keycloak realm representation
	// +required
	Realm KeycloakAPIRealm `json:"realm"`

	// ResourceSelector defines a selector to select keycloak resources associated with this realm
	ResourceSelector *metav1.LabelSelector `json:"resourceSelector,omitempty"`
}

type KeycloakRealmStatus struct {
	// Conditions holds the conditions for the KeycloakRealm.
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`

	// ObservedGeneration is the last generation reconciled by the controller
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// LastExececutionOutput failed requests
	// +optional
	LastExececutionOutput string `json:"lastExececutionOutput,omitempty"`

	// LastReconcileDuration is the total time the reconcile of the realm took
	LastReconcileDuration metav1.Duration `json:"lastReconcileDuration,omitempty"`

	// LastFailedRequests failed requests
	// +optional
	LastFailedRequests []RequestStatus `json:"lastFailedRequests,omitempty"`

	// SubResourceCatalog holds references to all sub resources including KeycloakClient and KeycloakUser associated with this realm
	SubResourceCatalog []ResourceReference `json:"subResourceCatalog,omitempty"`
}

type KeycloakResource struct {
	// ID.
	// +optional
	ID string `json:"_id,omitempty"`
	// The attributes associated with the resource.
	// +optional
	Attributes map[string]string `json:"attributes,omitempty"`
	// A unique name for this resource. The name can be used to uniquely identify a resource, useful when
	// querying for a specific resource.
	// +optional
	DisplayName string `json:"displayName,omitempty"`
	// An URI pointing to an icon.
	// +optional
	IconURI string `json:"icon_uri,omitempty"`
	// A unique name for this resource. The name can be used to uniquely identify a resource, useful when
	// querying for a specific resource.
	// +optional
	Name string `json:"name,omitempty"`
	// True if the access to this resource can be managed by the resource owner.
	// +optional
	OwnerManagedAccess bool `json:"ownerManagedAccess,omitempty"`
	// The type of this resource. It can be used to group different resource instances with the same type.
	// +optional
	Type string `json:"type,omitempty"`
	// Set of URIs which are protected by resource.
	// +optional
	Uris []string `json:"uris,omitempty"`
	// The scopes associated with this resource.
	// +optional
	Scopes []apiextensionsv1.JSON `json:"scopes,omitempty"`
}

type KeycloakResourceServer struct {
	// True if resources should be managed remotely by the resource server.
	// +optional
	AllowRemoteResourceManagement bool `json:"allowRemoteResourceManagement,omitempty"`
	// Client ID.
	// +optional
	ClientID string `json:"clientId,omitempty"`
	// The decision strategy dictates how permissions are evaluated and how a
	// final decision is obtained. 'Affirmative' means that at least one
	// permission must evaluate to a positive decision in order to grant access
	// to a resource and its scopes. 'Unanimous' means that all permissions must
	// evaluate to a positive decision in order for the final decision to be also positive.
	// +optional
	DecisionStrategy string `json:"decisionStrategy,omitempty"`
	// ID.
	// +optional
	ID string `json:"id,omitempty"`
	// Name.
	// +optional
	Name string `json:"name,omitempty"`
	// Policies.
	// +optional
	Policies []KeycloakPolicy `json:"policies,omitempty"`
	// The policy enforcement mode dictates how policies are enforced when evaluating authorization requests.
	// 'Enforcing' means requests are denied by default even when there is no policy associated with a given resource.
	// 'Permissive' means requests are allowed even when there is no policy associated with a given resource.
	// 'Disabled' completely disables the evaluation of policies and allows access to any resource.
	// +optional
	PolicyEnforcementMode string `json:"policyEnforcementMode,omitempty"`
	// Resources.
	// +optional
	Resources []KeycloakResource `json:"resources,omitempty"`
	// Authorization Scopes.
	// +optional
	Scopes []KeycloakScope `json:"scopes,omitempty"`
}

type KeycloakScope struct {
	// A unique name for this scope. The name can be used to uniquely identify a scope, useful when querying
	// for a specific scope.
	// +optional
	DisplayName string `json:"displayName,omitempty"`
	// An URI pointing to an icon.
	// +optional
	IconURI string `json:"iconUri,omitempty"`
	// ID.
	// +optional
	ID string `json:"id,omitempty"`
	// A unique name for this scope. The name can be used to uniquely identify a scope, useful when querying
	// for a specific scope.
	// +optional
	Name string `json:"name,omitempty"`
	// Policies.
	// +optional
	Policies []KeycloakPolicy `json:"policies,omitempty"`
	// Resources.
	// +optional
	Resources []KeycloakResource `json:"resources,omitempty"`
}

type KeycloakUser struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec KeycloakUserSpec `json:"spec,omitempty"`
}

type KeycloakUserList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KeycloakUser `json:"items"`
}

type KeycloakUserRole struct {
	ID          string `json:"id,omitempty"`
	Name        string `json:"name,omitempty"`
	Description string `json:"description,omitempty"`
	Composite   bool   `json:"composite,omitempty"`
	ClientRole  bool   `json:"clientRole,omitempty"`
	ContainerID string `json:"containerId,omitempty"`
}

type KeycloakUserSpec struct {
	// Selector for looking up KeycloakUser Custom Resources.
	// +kubebuilder:validation:Required
	// This field is deprecated
	RealmSelector *metav1.LabelSelector `json:"realmSelector,omitempty"`
	// Keycloak User REST object.
	// +kubebuilder:validation:Required
	User KeycloakAPIUser `json:"user"`
}

type MappingsRepresentation struct {
	// Client Mappings
	// +optional
	ClientMappings map[string]ClientMappingsRepresentation `json:"clientMappings,omitempty"`

	// Realm Mappings
	// +optional
	RealmMappings []RoleRepresentation `json:"realmMappings,omitempty"`
}

type RedirectorIdentityProviderOverride struct {
	// Identity Provider to be overridden.
	IdentityProvider string `json:"identityProvider"`
	// Flow to be overridden.
	// +optional
	ForFlow string `json:"forFlow,omitempty"`
}

type RequestStatus struct {
	URL          string `json:"url,omitempty"`
	Verb         string `json:"verb,omitempty"`
	ResponseCode int    `json:"responseCode,omitempty"`
	ResponseBody string `json:"responseBody,omitempty"`
	Error        string `json:"error,omitempty"`
}

type ResourceReference struct {
	Kind       string `json:"kind,omitempty"`
	Name       string `json:"name,omitempty"`
	APIVersion string `json:"apiVersion,omitempty"`
}

type RoleRepresentation struct {
	// Role Attributes
	// +optional
	Attributes map[string][]string `json:"attributes,omitempty"`

	// Client Role
	// +optional
	ClientRole *bool `json:"clientRole,omitempty"`

	// Composite
	// +optional
	Composite *bool `json:"composite,omitempty"`

	// Composites
	// +optional
	Composites *RoleRepresentationComposites `json:"composites,omitempty"`

	// Container Id
	// +optional
	ContainerID string `json:"containerId,omitempty"`

	// Description
	// +optional
	Description string `json:"description,omitempty"`

	// Id
	// +optional
	ID string `json:"id,omitempty"`

	// Name
	Name string `json:"name"`
}

type RoleRepresentationArray []RoleRepresentation

type RoleRepresentationComposites struct {
	// Map client => []role
	// +optional
	Client map[string][]string `json:"client,omitempty"`

	// Realm roles
	// +optional
	Realm []string `json:"realm,omitempty"`
}

type RolesRepresentation struct {
	// Client Roles
	// +optional
	Client map[string]RoleRepresentationArray `json:"client,omitempty"`

	// Realm Roles
	// +optional
	Realm []RoleRepresentation `json:"realm,omitempty"`
}

type ScopeMappingRepresentation struct {
	// Client
	// +optional
	Client string `json:"client,omitempty"`

	// Client Scope
	// +optional
	ClientScope string `json:"clientScope,omitempty"`

	// Roles
	// +optional
	Roles []string `json:"roles,omitempty"`

	// Self
	// +optional
	Self string `json:"self,omitempty"`
}

type ScopeMappingRepresentationArray []ScopeMappingRepresentation

type SecretReference struct {
	// Name referrs to the name of the secret, must be located whithin the same namespace
	// +required
	Name string `json:"name"`

	// Namespace, by default the same namespace is used.
	// +optional
	Namespace string `json:"namespace,omitempty"`

	// +optional
	// +kubebuilder:default:=username
	UserField string `json:"userField"`

	// +optional
	// +kubebuilder:default:=password
	PasswordField string `json:"passwordField"`
}

type TokenResponse struct {
	// Token Response Access Token.
	// +optional
	AccessToken string `json:"access_token"`
	// Token Response Expired In setting.
	// +optional
	ExpiresIn int `json:"expires_in"`
	// Token Response Refresh Expires In setting.
	// +optional
	RefreshExpiresIn int `json:"refresh_expires_in"`
	// Token Response Refresh Token.
	// +optional
	RefreshToken string `json:"refresh_token"`
	// Token Response Token Type.
	// +optional
	TokenType string `json:"token_type"`
	// Token Response Not Before Policy setting.
	// +optional
	NotBeforePolicy int `json:"not-before-policy"`
	// Token Response Session State.
	// +optional
	SessionState string `json:"session_state"`
	// Token Response Error.
	// +optional
	Error string `json:"error"`
	// Token Response Error Description.
	// +optional
	ErrorDescription string `json:"error_description"`
}