Add support for Standard Token Exchange configuration in OpenID Clients

- Introduced `StandardTokenExchangeEnabled` field to `OpenidClientAttributes` struct.
- Updated `ValidateOpenidClient` to enforce that standard token exchange cannot be enabled on public clients.

This enhancement enables managing the Standard Token Exchange setting for OpenID Clients through the Keycloak Terraform provider.

Signed-off-by: Sven-Torben Janus <[email protected]>

Author: sventorben

keycloak/openid_client.go

@@ -83,6 +83,7 @@ type OpenidClientAttributes struct {
 	Oauth2DeviceCodeLifespan              string                           `json:"oauth2.device.code.lifespan,omitempty"`
 	Oauth2DevicePollingInterval           string                           `json:"oauth2.device.polling.interval,omitempty"`
 	PostLogoutRedirectUris                types.KeycloakSliceHashDelimited `json:"post.logout.redirect.uris,omitempty"`
+	StandardTokenExchangeEnabled          types.KeycloakBoolQuoted         `json:"standard.token.exchange.enabled,omitempty"`
 }
 
 type OpenidAuthenticationFlowBindingOverrides struct {
@@ -125,6 +126,10 @@ func (keycloakClient *KeycloakClient) ValidateOpenidClient(ctx context.Context,
 		return fmt.Errorf("validation error: theme \"%s\" does not exist on the server", client.Attributes.LoginTheme)
 	}
 
+    if (client.Attributes.StandardTokenExchangeEnabled && client.PublicClient) {
+		return fmt.Errorf("validation error: standard token exchange cannot be enabled on public clients")
+	}
+	
 	return nil
 }