# PAR policy - applies PAR profile to clients 
resource "keycloak_realm_client_policy_profile_policy" "par_policy" {
  realm_id    = keycloak_realm.myrealm.id
  name        = "PAR policy"
  description = "Enforces PAR for clients with device-in-pool scope"
  enabled     = true
  profiles    = [keycloak_realm_client_policy_profile.par_profile.name]

  condition {
    name = "client-roles"
    configuration = {
      "is-negative-logic" = "false"
      "roles"             = "requires-par-role"  #<-- THIS IS A BUG. SHOULD BE ARRAY
    }
  }

}

╷
│ Error: error sending GET request to //admin/realms/somerealm/clients/41234533-34ee-4ed3-8b6e-7359aec02599: 500 Internal Server Error. Response body: {"error":"unknown_error","error_description":"Cannot parse the JSON"}

[org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-288) Uncaught server error: java.lang.IllegalArgumentException: Cannot construct instance of `java.util.ArrayList` (although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('requires-par-role')
keycloak-1  |  at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: org.keycloak.services.clientpolicy.condition.ClientRolesCondition$Configuration["roles"])