keycloak.oidc.GoogleIdentityProvider
Explore with Pulumi AI
Allows for creating and managing OIDC Identity Providers within Keycloak.
OIDC (OpenID Connect) identity providers allows users to authenticate through a third party system using the OIDC standard.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const google = new keycloak.oidc.GoogleIdentityProvider("google", {
realm: realm.id,
clientId: googleIdentityProviderClientId,
clientSecret: googleIdentityProviderClientSecret,
trustEmail: true,
hostedDomain: "example.com",
syncMode: "IMPORT",
extraConfig: {
myCustomConfigKey: "myValue",
},
});
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
google = keycloak.oidc.GoogleIdentityProvider("google",
realm=realm.id,
client_id=google_identity_provider_client_id,
client_secret=google_identity_provider_client_secret,
trust_email=True,
hosted_domain="example.com",
sync_mode="IMPORT",
extra_config={
"myCustomConfigKey": "myValue",
})
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/oidc"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = oidc.NewGoogleIdentityProvider(ctx, "google", &oidc.GoogleIdentityProviderArgs{
Realm: realm.ID(),
ClientId: pulumi.Any(googleIdentityProviderClientId),
ClientSecret: pulumi.Any(googleIdentityProviderClientSecret),
TrustEmail: pulumi.Bool(true),
HostedDomain: pulumi.String("example.com"),
SyncMode: pulumi.String("IMPORT"),
ExtraConfig: pulumi.StringMap{
"myCustomConfigKey": pulumi.String("myValue"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var google = new Keycloak.Oidc.GoogleIdentityProvider("google", new()
{
Realm = realm.Id,
ClientId = googleIdentityProviderClientId,
ClientSecret = googleIdentityProviderClientSecret,
TrustEmail = true,
HostedDomain = "example.com",
SyncMode = "IMPORT",
ExtraConfig =
{
{ "myCustomConfigKey", "myValue" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.oidc.GoogleIdentityProvider;
import com.pulumi.keycloak.oidc.GoogleIdentityProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var google = new GoogleIdentityProvider("google", GoogleIdentityProviderArgs.builder()
.realm(realm.id())
.clientId(googleIdentityProviderClientId)
.clientSecret(googleIdentityProviderClientSecret)
.trustEmail(true)
.hostedDomain("example.com")
.syncMode("IMPORT")
.extraConfig(Map.of("myCustomConfigKey", "myValue"))
.build());
}
}
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
google:
type: keycloak:oidc:GoogleIdentityProvider
properties:
realm: ${realm.id}
clientId: ${googleIdentityProviderClientId}
clientSecret: ${googleIdentityProviderClientSecret}
trustEmail: true
hostedDomain: example.com
syncMode: IMPORT
extraConfig:
myCustomConfigKey: myValue
Create GoogleIdentityProvider Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new GoogleIdentityProvider(name: string, args: GoogleIdentityProviderArgs, opts?: CustomResourceOptions);
@overload
def GoogleIdentityProvider(resource_name: str,
args: GoogleIdentityProviderArgs,
opts: Optional[ResourceOptions] = None)
@overload
def GoogleIdentityProvider(resource_name: str,
opts: Optional[ResourceOptions] = None,
client_id: Optional[str] = None,
realm: Optional[str] = None,
client_secret: Optional[str] = None,
gui_order: Optional[str] = None,
hosted_domain: Optional[str] = None,
default_scopes: Optional[str] = None,
disable_user_info: Optional[bool] = None,
enabled: Optional[bool] = None,
extra_config: Optional[Mapping[str, str]] = None,
first_broker_login_flow_alias: Optional[str] = None,
accepts_prompt_none_forward_from_client: Optional[bool] = None,
hide_on_login_page: Optional[bool] = None,
authenticate_by_default: Optional[bool] = None,
link_only: Optional[bool] = None,
post_broker_login_flow_alias: Optional[str] = None,
provider_id: Optional[str] = None,
add_read_token_role_on_create: Optional[bool] = None,
request_refresh_token: Optional[bool] = None,
store_token: Optional[bool] = None,
sync_mode: Optional[str] = None,
trust_email: Optional[bool] = None,
use_user_ip_param: Optional[bool] = None)
func NewGoogleIdentityProvider(ctx *Context, name string, args GoogleIdentityProviderArgs, opts ...ResourceOption) (*GoogleIdentityProvider, error)
public GoogleIdentityProvider(string name, GoogleIdentityProviderArgs args, CustomResourceOptions? opts = null)
public GoogleIdentityProvider(String name, GoogleIdentityProviderArgs args)
public GoogleIdentityProvider(String name, GoogleIdentityProviderArgs args, CustomResourceOptions options)
type: keycloak:oidc:GoogleIdentityProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args GoogleIdentityProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args GoogleIdentityProviderArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args GoogleIdentityProviderArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args GoogleIdentityProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args GoogleIdentityProviderArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var googleIdentityProviderResource = new Keycloak.Oidc.GoogleIdentityProvider("googleIdentityProviderResource", new()
{
ClientId = "string",
Realm = "string",
ClientSecret = "string",
GuiOrder = "string",
HostedDomain = "string",
DefaultScopes = "string",
DisableUserInfo = false,
Enabled = false,
ExtraConfig =
{
{ "string", "string" },
},
FirstBrokerLoginFlowAlias = "string",
AcceptsPromptNoneForwardFromClient = false,
HideOnLoginPage = false,
AuthenticateByDefault = false,
LinkOnly = false,
PostBrokerLoginFlowAlias = "string",
ProviderId = "string",
AddReadTokenRoleOnCreate = false,
RequestRefreshToken = false,
StoreToken = false,
SyncMode = "string",
TrustEmail = false,
UseUserIpParam = false,
});
example, err := oidc.NewGoogleIdentityProvider(ctx, "googleIdentityProviderResource", &oidc.GoogleIdentityProviderArgs{
ClientId: pulumi.String("string"),
Realm: pulumi.String("string"),
ClientSecret: pulumi.String("string"),
GuiOrder: pulumi.String("string"),
HostedDomain: pulumi.String("string"),
DefaultScopes: pulumi.String("string"),
DisableUserInfo: pulumi.Bool(false),
Enabled: pulumi.Bool(false),
ExtraConfig: pulumi.StringMap{
"string": pulumi.String("string"),
},
FirstBrokerLoginFlowAlias: pulumi.String("string"),
AcceptsPromptNoneForwardFromClient: pulumi.Bool(false),
HideOnLoginPage: pulumi.Bool(false),
AuthenticateByDefault: pulumi.Bool(false),
LinkOnly: pulumi.Bool(false),
PostBrokerLoginFlowAlias: pulumi.String("string"),
ProviderId: pulumi.String("string"),
AddReadTokenRoleOnCreate: pulumi.Bool(false),
RequestRefreshToken: pulumi.Bool(false),
StoreToken: pulumi.Bool(false),
SyncMode: pulumi.String("string"),
TrustEmail: pulumi.Bool(false),
UseUserIpParam: pulumi.Bool(false),
})
var googleIdentityProviderResource = new GoogleIdentityProvider("googleIdentityProviderResource", GoogleIdentityProviderArgs.builder()
.clientId("string")
.realm("string")
.clientSecret("string")
.guiOrder("string")
.hostedDomain("string")
.defaultScopes("string")
.disableUserInfo(false)
.enabled(false)
.extraConfig(Map.of("string", "string"))
.firstBrokerLoginFlowAlias("string")
.acceptsPromptNoneForwardFromClient(false)
.hideOnLoginPage(false)
.authenticateByDefault(false)
.linkOnly(false)
.postBrokerLoginFlowAlias("string")
.providerId("string")
.addReadTokenRoleOnCreate(false)
.requestRefreshToken(false)
.storeToken(false)
.syncMode("string")
.trustEmail(false)
.useUserIpParam(false)
.build());
google_identity_provider_resource = keycloak.oidc.GoogleIdentityProvider("googleIdentityProviderResource",
client_id="string",
realm="string",
client_secret="string",
gui_order="string",
hosted_domain="string",
default_scopes="string",
disable_user_info=False,
enabled=False,
extra_config={
"string": "string",
},
first_broker_login_flow_alias="string",
accepts_prompt_none_forward_from_client=False,
hide_on_login_page=False,
authenticate_by_default=False,
link_only=False,
post_broker_login_flow_alias="string",
provider_id="string",
add_read_token_role_on_create=False,
request_refresh_token=False,
store_token=False,
sync_mode="string",
trust_email=False,
use_user_ip_param=False)
const googleIdentityProviderResource = new keycloak.oidc.GoogleIdentityProvider("googleIdentityProviderResource", {
clientId: "string",
realm: "string",
clientSecret: "string",
guiOrder: "string",
hostedDomain: "string",
defaultScopes: "string",
disableUserInfo: false,
enabled: false,
extraConfig: {
string: "string",
},
firstBrokerLoginFlowAlias: "string",
acceptsPromptNoneForwardFromClient: false,
hideOnLoginPage: false,
authenticateByDefault: false,
linkOnly: false,
postBrokerLoginFlowAlias: "string",
providerId: "string",
addReadTokenRoleOnCreate: false,
requestRefreshToken: false,
storeToken: false,
syncMode: "string",
trustEmail: false,
useUserIpParam: false,
});
type: keycloak:oidc:GoogleIdentityProvider
properties:
acceptsPromptNoneForwardFromClient: false
addReadTokenRoleOnCreate: false
authenticateByDefault: false
clientId: string
clientSecret: string
defaultScopes: string
disableUserInfo: false
enabled: false
extraConfig:
string: string
firstBrokerLoginFlowAlias: string
guiOrder: string
hideOnLoginPage: false
hostedDomain: string
linkOnly: false
postBrokerLoginFlowAlias: string
providerId: string
realm: string
requestRefreshToken: false
storeToken: false
syncMode: string
trustEmail: false
useUserIpParam: false
GoogleIdentityProvider Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The GoogleIdentityProvider resource accepts the following input properties:
- Client
Id string - The client or client identifier registered within the identity provider.
- Client
Secret string - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- Realm string
- The name of the realm. This is unique across Keycloak.
- Accepts
Prompt boolNone Forward From Client - When
true
, unauthenticated requests withprompt=none
will be forwarded to Google instead of returning an error. Defaults tofalse
. - Add
Read boolToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - Authenticate
By boolDefault - Enable/disable authenticate users by default.
- Default
Scopes string - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid profile email
. - Disable
User boolInfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - Enabled bool
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - Extra
Config Dictionary<string, string> - First
Broker stringLogin Flow Alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - Gui
Order string - A number defining the order of this identity provider in the GUI.
- Hide
On boolLogin Page - When
true
, this identity provider will be hidden on the login page. Defaults tofalse
. - Hosted
Domain string - Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When
*
is entered, an account from any domain can be used. - Link
Only bool - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - Post
Broker stringLogin Flow Alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- Provider
Id string - The ID of the identity provider to use. Defaults to
google
, which should be used unless you have extended Keycloak and provided your own implementation. - Request
Refresh boolToken - Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
- Store
Token bool - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - Sync
Mode string - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - Trust
Email bool - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - Use
User boolIp Param - Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
- Client
Id string - The client or client identifier registered within the identity provider.
- Client
Secret string - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- Realm string
- The name of the realm. This is unique across Keycloak.
- Accepts
Prompt boolNone Forward From Client - When
true
, unauthenticated requests withprompt=none
will be forwarded to Google instead of returning an error. Defaults tofalse
. - Add
Read boolToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - Authenticate
By boolDefault - Enable/disable authenticate users by default.
- Default
Scopes string - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid profile email
. - Disable
User boolInfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - Enabled bool
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - Extra
Config map[string]string - First
Broker stringLogin Flow Alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - Gui
Order string - A number defining the order of this identity provider in the GUI.
- Hide
On boolLogin Page - When
true
, this identity provider will be hidden on the login page. Defaults tofalse
. - Hosted
Domain string - Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When
*
is entered, an account from any domain can be used. - Link
Only bool - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - Post
Broker stringLogin Flow Alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- Provider
Id string - The ID of the identity provider to use. Defaults to
google
, which should be used unless you have extended Keycloak and provided your own implementation. - Request
Refresh boolToken - Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
- Store
Token bool - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - Sync
Mode string - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - Trust
Email bool - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - Use
User boolIp Param - Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
- client
Id String - The client or client identifier registered within the identity provider.
- client
Secret String - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- realm String
- The name of the realm. This is unique across Keycloak.
- accepts
Prompt BooleanNone Forward From Client - When
true
, unauthenticated requests withprompt=none
will be forwarded to Google instead of returning an error. Defaults tofalse
. - add
Read BooleanToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - authenticate
By BooleanDefault - Enable/disable authenticate users by default.
- default
Scopes String - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid profile email
. - disable
User BooleanInfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - enabled Boolean
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - extra
Config Map<String,String> - first
Broker StringLogin Flow Alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - gui
Order String - A number defining the order of this identity provider in the GUI.
- hide
On BooleanLogin Page - When
true
, this identity provider will be hidden on the login page. Defaults tofalse
. - hosted
Domain String - Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When
*
is entered, an account from any domain can be used. - link
Only Boolean - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - post
Broker StringLogin Flow Alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider
Id String - The ID of the identity provider to use. Defaults to
google
, which should be used unless you have extended Keycloak and provided your own implementation. - request
Refresh BooleanToken - Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
- store
Token Boolean - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - sync
Mode String - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - trust
Email Boolean - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - use
User BooleanIp Param - Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
- client
Id string - The client or client identifier registered within the identity provider.
- client
Secret string - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- realm string
- The name of the realm. This is unique across Keycloak.
- accepts
Prompt booleanNone Forward From Client - When
true
, unauthenticated requests withprompt=none
will be forwarded to Google instead of returning an error. Defaults tofalse
. - add
Read booleanToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - authenticate
By booleanDefault - Enable/disable authenticate users by default.
- default
Scopes string - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid profile email
. - disable
User booleanInfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - enabled boolean
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - extra
Config {[key: string]: string} - first
Broker stringLogin Flow Alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - gui
Order string - A number defining the order of this identity provider in the GUI.
- hide
On booleanLogin Page - When
true
, this identity provider will be hidden on the login page. Defaults tofalse
. - hosted
Domain string - Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When
*
is entered, an account from any domain can be used. - link
Only boolean - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - post
Broker stringLogin Flow Alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider
Id string - The ID of the identity provider to use. Defaults to
google
, which should be used unless you have extended Keycloak and provided your own implementation. - request
Refresh booleanToken - Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
- store
Token boolean - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - sync
Mode string - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - trust
Email boolean - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - use
User booleanIp Param - Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
- client_
id str - The client or client identifier registered within the identity provider.
- client_
secret str - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- realm str
- The name of the realm. This is unique across Keycloak.
- accepts_
prompt_ boolnone_ forward_ from_ client - When
true
, unauthenticated requests withprompt=none
will be forwarded to Google instead of returning an error. Defaults tofalse
. - add_
read_ booltoken_ role_ on_ create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - authenticate_
by_ booldefault - Enable/disable authenticate users by default.
- default_
scopes str - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid profile email
. - disable_
user_ boolinfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - enabled bool
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - extra_
config Mapping[str, str] - first_
broker_ strlogin_ flow_ alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - gui_
order str - A number defining the order of this identity provider in the GUI.
- hide_
on_ boollogin_ page - When
true
, this identity provider will be hidden on the login page. Defaults tofalse
. - hosted_
domain str - Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When
*
is entered, an account from any domain can be used. - link_
only bool - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - post_
broker_ strlogin_ flow_ alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider_
id str - The ID of the identity provider to use. Defaults to
google
, which should be used unless you have extended Keycloak and provided your own implementation. - request_
refresh_ booltoken - Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
- store_
token bool - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - sync_
mode str - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - trust_
email bool - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - use_
user_ boolip_ param - Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
- client
Id String - The client or client identifier registered within the identity provider.
- client
Secret String - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- realm String
- The name of the realm. This is unique across Keycloak.
- accepts
Prompt BooleanNone Forward From Client - When
true
, unauthenticated requests withprompt=none
will be forwarded to Google instead of returning an error. Defaults tofalse
. - add
Read BooleanToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - authenticate
By BooleanDefault - Enable/disable authenticate users by default.
- default
Scopes String - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid profile email
. - disable
User BooleanInfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - enabled Boolean
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - extra
Config Map<String> - first
Broker StringLogin Flow Alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - gui
Order String - A number defining the order of this identity provider in the GUI.
- hide
On BooleanLogin Page - When
true
, this identity provider will be hidden on the login page. Defaults tofalse
. - hosted
Domain String - Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When
*
is entered, an account from any domain can be used. - link
Only Boolean - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - post
Broker StringLogin Flow Alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider
Id String - The ID of the identity provider to use. Defaults to
google
, which should be used unless you have extended Keycloak and provided your own implementation. - request
Refresh BooleanToken - Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
- store
Token Boolean - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - sync
Mode String - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - trust
Email Boolean - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - use
User BooleanIp Param - Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
Outputs
All input properties are implicitly available as output properties. Additionally, the GoogleIdentityProvider resource produces the following output properties:
- Alias string
- (Computed) The alias for the Google identity provider.
- Display
Name string - (Computed) Display name for the Google identity provider in the GUI.
- Id string
- The provider-assigned unique ID for this managed resource.
- Internal
Id string - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- Alias string
- (Computed) The alias for the Google identity provider.
- Display
Name string - (Computed) Display name for the Google identity provider in the GUI.
- Id string
- The provider-assigned unique ID for this managed resource.
- Internal
Id string - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- alias String
- (Computed) The alias for the Google identity provider.
- display
Name String - (Computed) Display name for the Google identity provider in the GUI.
- id String
- The provider-assigned unique ID for this managed resource.
- internal
Id String - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- alias string
- (Computed) The alias for the Google identity provider.
- display
Name string - (Computed) Display name for the Google identity provider in the GUI.
- id string
- The provider-assigned unique ID for this managed resource.
- internal
Id string - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- alias str
- (Computed) The alias for the Google identity provider.
- display_
name str - (Computed) Display name for the Google identity provider in the GUI.
- id str
- The provider-assigned unique ID for this managed resource.
- internal_
id str - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- alias String
- (Computed) The alias for the Google identity provider.
- display
Name String - (Computed) Display name for the Google identity provider in the GUI.
- id String
- The provider-assigned unique ID for this managed resource.
- internal
Id String - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
Look up Existing GoogleIdentityProvider Resource
Get an existing GoogleIdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: GoogleIdentityProviderState, opts?: CustomResourceOptions): GoogleIdentityProvider
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
accepts_prompt_none_forward_from_client: Optional[bool] = None,
add_read_token_role_on_create: Optional[bool] = None,
alias: Optional[str] = None,
authenticate_by_default: Optional[bool] = None,
client_id: Optional[str] = None,
client_secret: Optional[str] = None,
default_scopes: Optional[str] = None,
disable_user_info: Optional[bool] = None,
display_name: Optional[str] = None,
enabled: Optional[bool] = None,
extra_config: Optional[Mapping[str, str]] = None,
first_broker_login_flow_alias: Optional[str] = None,
gui_order: Optional[str] = None,
hide_on_login_page: Optional[bool] = None,
hosted_domain: Optional[str] = None,
internal_id: Optional[str] = None,
link_only: Optional[bool] = None,
post_broker_login_flow_alias: Optional[str] = None,
provider_id: Optional[str] = None,
realm: Optional[str] = None,
request_refresh_token: Optional[bool] = None,
store_token: Optional[bool] = None,
sync_mode: Optional[str] = None,
trust_email: Optional[bool] = None,
use_user_ip_param: Optional[bool] = None) -> GoogleIdentityProvider
func GetGoogleIdentityProvider(ctx *Context, name string, id IDInput, state *GoogleIdentityProviderState, opts ...ResourceOption) (*GoogleIdentityProvider, error)
public static GoogleIdentityProvider Get(string name, Input<string> id, GoogleIdentityProviderState? state, CustomResourceOptions? opts = null)
public static GoogleIdentityProvider get(String name, Output<String> id, GoogleIdentityProviderState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Accepts
Prompt boolNone Forward From Client - When
true
, unauthenticated requests withprompt=none
will be forwarded to Google instead of returning an error. Defaults tofalse
. - Add
Read boolToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - Alias string
- (Computed) The alias for the Google identity provider.
- Authenticate
By boolDefault - Enable/disable authenticate users by default.
- Client
Id string - The client or client identifier registered within the identity provider.
- Client
Secret string - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- Default
Scopes string - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid profile email
. - Disable
User boolInfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - Display
Name string - (Computed) Display name for the Google identity provider in the GUI.
- Enabled bool
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - Extra
Config Dictionary<string, string> - First
Broker stringLogin Flow Alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - Gui
Order string - A number defining the order of this identity provider in the GUI.
- Hide
On boolLogin Page - When
true
, this identity provider will be hidden on the login page. Defaults tofalse
. - Hosted
Domain string - Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When
*
is entered, an account from any domain can be used. - Internal
Id string - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- Link
Only bool - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - Post
Broker stringLogin Flow Alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- Provider
Id string - The ID of the identity provider to use. Defaults to
google
, which should be used unless you have extended Keycloak and provided your own implementation. - Realm string
- The name of the realm. This is unique across Keycloak.
- Request
Refresh boolToken - Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
- Store
Token bool - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - Sync
Mode string - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - Trust
Email bool - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - Use
User boolIp Param - Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
- Accepts
Prompt boolNone Forward From Client - When
true
, unauthenticated requests withprompt=none
will be forwarded to Google instead of returning an error. Defaults tofalse
. - Add
Read boolToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - Alias string
- (Computed) The alias for the Google identity provider.
- Authenticate
By boolDefault - Enable/disable authenticate users by default.
- Client
Id string - The client or client identifier registered within the identity provider.
- Client
Secret string - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- Default
Scopes string - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid profile email
. - Disable
User boolInfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - Display
Name string - (Computed) Display name for the Google identity provider in the GUI.
- Enabled bool
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - Extra
Config map[string]string - First
Broker stringLogin Flow Alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - Gui
Order string - A number defining the order of this identity provider in the GUI.
- Hide
On boolLogin Page - When
true
, this identity provider will be hidden on the login page. Defaults tofalse
. - Hosted
Domain string - Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When
*
is entered, an account from any domain can be used. - Internal
Id string - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- Link
Only bool - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - Post
Broker stringLogin Flow Alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- Provider
Id string - The ID of the identity provider to use. Defaults to
google
, which should be used unless you have extended Keycloak and provided your own implementation. - Realm string
- The name of the realm. This is unique across Keycloak.
- Request
Refresh boolToken - Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
- Store
Token bool - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - Sync
Mode string - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - Trust
Email bool - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - Use
User boolIp Param - Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
- accepts
Prompt BooleanNone Forward From Client - When
true
, unauthenticated requests withprompt=none
will be forwarded to Google instead of returning an error. Defaults tofalse
. - add
Read BooleanToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - alias String
- (Computed) The alias for the Google identity provider.
- authenticate
By BooleanDefault - Enable/disable authenticate users by default.
- client
Id String - The client or client identifier registered within the identity provider.
- client
Secret String - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- default
Scopes String - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid profile email
. - disable
User BooleanInfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - display
Name String - (Computed) Display name for the Google identity provider in the GUI.
- enabled Boolean
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - extra
Config Map<String,String> - first
Broker StringLogin Flow Alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - gui
Order String - A number defining the order of this identity provider in the GUI.
- hide
On BooleanLogin Page - When
true
, this identity provider will be hidden on the login page. Defaults tofalse
. - hosted
Domain String - Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When
*
is entered, an account from any domain can be used. - internal
Id String - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- link
Only Boolean - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - post
Broker StringLogin Flow Alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider
Id String - The ID of the identity provider to use. Defaults to
google
, which should be used unless you have extended Keycloak and provided your own implementation. - realm String
- The name of the realm. This is unique across Keycloak.
- request
Refresh BooleanToken - Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
- store
Token Boolean - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - sync
Mode String - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - trust
Email Boolean - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - use
User BooleanIp Param - Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
- accepts
Prompt booleanNone Forward From Client - When
true
, unauthenticated requests withprompt=none
will be forwarded to Google instead of returning an error. Defaults tofalse
. - add
Read booleanToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - alias string
- (Computed) The alias for the Google identity provider.
- authenticate
By booleanDefault - Enable/disable authenticate users by default.
- client
Id string - The client or client identifier registered within the identity provider.
- client
Secret string - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- default
Scopes string - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid profile email
. - disable
User booleanInfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - display
Name string - (Computed) Display name for the Google identity provider in the GUI.
- enabled boolean
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - extra
Config {[key: string]: string} - first
Broker stringLogin Flow Alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - gui
Order string - A number defining the order of this identity provider in the GUI.
- hide
On booleanLogin Page - When
true
, this identity provider will be hidden on the login page. Defaults tofalse
. - hosted
Domain string - Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When
*
is entered, an account from any domain can be used. - internal
Id string - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- link
Only boolean - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - post
Broker stringLogin Flow Alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider
Id string - The ID of the identity provider to use. Defaults to
google
, which should be used unless you have extended Keycloak and provided your own implementation. - realm string
- The name of the realm. This is unique across Keycloak.
- request
Refresh booleanToken - Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
- store
Token boolean - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - sync
Mode string - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - trust
Email boolean - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - use
User booleanIp Param - Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
- accepts_
prompt_ boolnone_ forward_ from_ client - When
true
, unauthenticated requests withprompt=none
will be forwarded to Google instead of returning an error. Defaults tofalse
. - add_
read_ booltoken_ role_ on_ create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - alias str
- (Computed) The alias for the Google identity provider.
- authenticate_
by_ booldefault - Enable/disable authenticate users by default.
- client_
id str - The client or client identifier registered within the identity provider.
- client_
secret str - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- default_
scopes str - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid profile email
. - disable_
user_ boolinfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - display_
name str - (Computed) Display name for the Google identity provider in the GUI.
- enabled bool
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - extra_
config Mapping[str, str] - first_
broker_ strlogin_ flow_ alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - gui_
order str - A number defining the order of this identity provider in the GUI.
- hide_
on_ boollogin_ page - When
true
, this identity provider will be hidden on the login page. Defaults tofalse
. - hosted_
domain str - Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When
*
is entered, an account from any domain can be used. - internal_
id str - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- link_
only bool - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - post_
broker_ strlogin_ flow_ alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider_
id str - The ID of the identity provider to use. Defaults to
google
, which should be used unless you have extended Keycloak and provided your own implementation. - realm str
- The name of the realm. This is unique across Keycloak.
- request_
refresh_ booltoken - Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
- store_
token bool - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - sync_
mode str - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - trust_
email bool - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - use_
user_ boolip_ param - Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
- accepts
Prompt BooleanNone Forward From Client - When
true
, unauthenticated requests withprompt=none
will be forwarded to Google instead of returning an error. Defaults tofalse
. - add
Read BooleanToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - alias String
- (Computed) The alias for the Google identity provider.
- authenticate
By BooleanDefault - Enable/disable authenticate users by default.
- client
Id String - The client or client identifier registered within the identity provider.
- client
Secret String - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- default
Scopes String - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid profile email
. - disable
User BooleanInfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - display
Name String - (Computed) Display name for the Google identity provider in the GUI.
- enabled Boolean
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - extra
Config Map<String> - first
Broker StringLogin Flow Alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - gui
Order String - A number defining the order of this identity provider in the GUI.
- hide
On BooleanLogin Page - When
true
, this identity provider will be hidden on the login page. Defaults tofalse
. - hosted
Domain String - Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When
*
is entered, an account from any domain can be used. - internal
Id String - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- link
Only Boolean - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - post
Broker StringLogin Flow Alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider
Id String - The ID of the identity provider to use. Defaults to
google
, which should be used unless you have extended Keycloak and provided your own implementation. - realm String
- The name of the realm. This is unique across Keycloak.
- request
Refresh BooleanToken - Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
- store
Token Boolean - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - sync
Mode String - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - trust
Email Boolean - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - use
User BooleanIp Param - Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
Import
Google Identity providers can be imported using the format {{realm_id}}/{{idp_alias}}, where idp_alias is the identity provider alias.
Example:
bash
$ pulumi import keycloak:oidc/googleIdentityProvider:GoogleIdentityProvider google_identity_provider my-realm/my-google-idp
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
keycloak
Terraform Provider.