Add support for Standard Token Exchange configuration in OpenID Clients

Introduced StandardTokenExchangeEnabled field to OpenidClientAttributes struct.
Updated ValidateOpenidClient to enforce that standard token exchange cannot be enabled on public clients.

This enhancement enables managing the Standard Token Exchange setting for OpenID Clients through the Keycloak Terraform provider.

Signed-off-by: Sven-Torben Janus <[email protected]>

Author: sventorben

keycloak/openid_client.go

@@ -83,6 +83,7 @@ type OpenidClientAttributes struct {
 	Oauth2DeviceCodeLifespan              string                           `json:"oauth2.device.code.lifespan,omitempty"`
 	Oauth2DevicePollingInterval           string                           `json:"oauth2.device.polling.interval,omitempty"`
 	PostLogoutRedirectUris                types.KeycloakSliceHashDelimited `json:"post.logout.redirect.uris,omitempty"`
+	StandardTokenExchangeEnabled          types.KeycloakBoolQuoted         `json:"standard.token.exchange.enabled,omitempty"`
 }
 
 type OpenidAuthenticationFlowBindingOverrides struct {
@@ -125,6 +126,10 @@ func (keycloakClient *KeycloakClient) ValidateOpenidClient(ctx context.Context,
 		return fmt.Errorf("validation error: theme \"%s\" does not exist on the server", client.Attributes.LoginTheme)
 	}
 
+	if client.Attributes.StandardTokenExchangeEnabled == true && client.PublicClient {
+		return fmt.Errorf("validation error: standard token exchange cannot be enabled on public clients")
+	}
+
 	return nil
 }