keycloak.oidc.IdentityProvider
Explore with Pulumi AI
Allows for creating and managing OIDC Identity Providers within Keycloak.
OIDC (OpenID Connect) identity providers allows users to authenticate through a third party system using the OIDC standard.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const realmIdentityProvider = new keycloak.oidc.IdentityProvider("realm_identity_provider", {
realm: realm.id,
alias: "my-idp",
authorizationUrl: "https://authorizationurl.com",
clientId: "clientID",
clientSecret: "clientSecret",
tokenUrl: "https://tokenurl.com",
extraConfig: {
clientAuthMethod: "client_secret_post",
},
});
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
realm_identity_provider = keycloak.oidc.IdentityProvider("realm_identity_provider",
realm=realm.id,
alias="my-idp",
authorization_url="https://authorizationurl.com",
client_id="clientID",
client_secret="clientSecret",
token_url="https://tokenurl.com",
extra_config={
"clientAuthMethod": "client_secret_post",
})
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/oidc"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = oidc.NewIdentityProvider(ctx, "realm_identity_provider", &oidc.IdentityProviderArgs{
Realm: realm.ID(),
Alias: pulumi.String("my-idp"),
AuthorizationUrl: pulumi.String("https://authorizationurl.com"),
ClientId: pulumi.String("clientID"),
ClientSecret: pulumi.String("clientSecret"),
TokenUrl: pulumi.String("https://tokenurl.com"),
ExtraConfig: pulumi.StringMap{
"clientAuthMethod": pulumi.String("client_secret_post"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var realmIdentityProvider = new Keycloak.Oidc.IdentityProvider("realm_identity_provider", new()
{
Realm = realm.Id,
Alias = "my-idp",
AuthorizationUrl = "https://authorizationurl.com",
ClientId = "clientID",
ClientSecret = "clientSecret",
TokenUrl = "https://tokenurl.com",
ExtraConfig =
{
{ "clientAuthMethod", "client_secret_post" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.oidc.IdentityProvider;
import com.pulumi.keycloak.oidc.IdentityProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var realmIdentityProvider = new IdentityProvider("realmIdentityProvider", IdentityProviderArgs.builder()
.realm(realm.id())
.alias("my-idp")
.authorizationUrl("https://authorizationurl.com")
.clientId("clientID")
.clientSecret("clientSecret")
.tokenUrl("https://tokenurl.com")
.extraConfig(Map.of("clientAuthMethod", "client_secret_post"))
.build());
}
}
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
realmIdentityProvider:
type: keycloak:oidc:IdentityProvider
name: realm_identity_provider
properties:
realm: ${realm.id}
alias: my-idp
authorizationUrl: https://authorizationurl.com
clientId: clientID
clientSecret: clientSecret
tokenUrl: https://tokenurl.com
extraConfig:
clientAuthMethod: client_secret_post
Create IdentityProvider Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new IdentityProvider(name: string, args: IdentityProviderArgs, opts?: CustomResourceOptions);
@overload
def IdentityProvider(resource_name: str,
args: IdentityProviderArgs,
opts: Optional[ResourceOptions] = None)
@overload
def IdentityProvider(resource_name: str,
opts: Optional[ResourceOptions] = None,
client_id: Optional[str] = None,
token_url: Optional[str] = None,
alias: Optional[str] = None,
realm: Optional[str] = None,
authorization_url: Optional[str] = None,
client_secret: Optional[str] = None,
gui_order: Optional[str] = None,
login_hint: Optional[str] = None,
default_scopes: Optional[str] = None,
disable_user_info: Optional[bool] = None,
display_name: Optional[str] = None,
enabled: Optional[bool] = None,
extra_config: Optional[Mapping[str, str]] = None,
first_broker_login_flow_alias: Optional[str] = None,
accepts_prompt_none_forward_from_client: Optional[bool] = None,
hide_on_login_page: Optional[bool] = None,
issuer: Optional[str] = None,
jwks_url: Optional[str] = None,
link_only: Optional[bool] = None,
backchannel_supported: Optional[bool] = None,
logout_url: Optional[str] = None,
post_broker_login_flow_alias: Optional[str] = None,
provider_id: Optional[str] = None,
authenticate_by_default: Optional[bool] = None,
store_token: Optional[bool] = None,
sync_mode: Optional[str] = None,
add_read_token_role_on_create: Optional[bool] = None,
trust_email: Optional[bool] = None,
ui_locales: Optional[bool] = None,
user_info_url: Optional[str] = None,
validate_signature: Optional[bool] = None)
func NewIdentityProvider(ctx *Context, name string, args IdentityProviderArgs, opts ...ResourceOption) (*IdentityProvider, error)
public IdentityProvider(string name, IdentityProviderArgs args, CustomResourceOptions? opts = null)
public IdentityProvider(String name, IdentityProviderArgs args)
public IdentityProvider(String name, IdentityProviderArgs args, CustomResourceOptions options)
type: keycloak:oidc:IdentityProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var identityProviderResource = new Keycloak.Oidc.IdentityProvider("identityProviderResource", new()
{
ClientId = "string",
TokenUrl = "string",
Alias = "string",
Realm = "string",
AuthorizationUrl = "string",
ClientSecret = "string",
GuiOrder = "string",
LoginHint = "string",
DefaultScopes = "string",
DisableUserInfo = false,
DisplayName = "string",
Enabled = false,
ExtraConfig =
{
{ "string", "string" },
},
FirstBrokerLoginFlowAlias = "string",
AcceptsPromptNoneForwardFromClient = false,
HideOnLoginPage = false,
Issuer = "string",
JwksUrl = "string",
LinkOnly = false,
BackchannelSupported = false,
LogoutUrl = "string",
PostBrokerLoginFlowAlias = "string",
ProviderId = "string",
AuthenticateByDefault = false,
StoreToken = false,
SyncMode = "string",
AddReadTokenRoleOnCreate = false,
TrustEmail = false,
UiLocales = false,
UserInfoUrl = "string",
ValidateSignature = false,
});
example, err := oidc.NewIdentityProvider(ctx, "identityProviderResource", &oidc.IdentityProviderArgs{
ClientId: pulumi.String("string"),
TokenUrl: pulumi.String("string"),
Alias: pulumi.String("string"),
Realm: pulumi.String("string"),
AuthorizationUrl: pulumi.String("string"),
ClientSecret: pulumi.String("string"),
GuiOrder: pulumi.String("string"),
LoginHint: pulumi.String("string"),
DefaultScopes: pulumi.String("string"),
DisableUserInfo: pulumi.Bool(false),
DisplayName: pulumi.String("string"),
Enabled: pulumi.Bool(false),
ExtraConfig: pulumi.StringMap{
"string": pulumi.String("string"),
},
FirstBrokerLoginFlowAlias: pulumi.String("string"),
AcceptsPromptNoneForwardFromClient: pulumi.Bool(false),
HideOnLoginPage: pulumi.Bool(false),
Issuer: pulumi.String("string"),
JwksUrl: pulumi.String("string"),
LinkOnly: pulumi.Bool(false),
BackchannelSupported: pulumi.Bool(false),
LogoutUrl: pulumi.String("string"),
PostBrokerLoginFlowAlias: pulumi.String("string"),
ProviderId: pulumi.String("string"),
AuthenticateByDefault: pulumi.Bool(false),
StoreToken: pulumi.Bool(false),
SyncMode: pulumi.String("string"),
AddReadTokenRoleOnCreate: pulumi.Bool(false),
TrustEmail: pulumi.Bool(false),
UiLocales: pulumi.Bool(false),
UserInfoUrl: pulumi.String("string"),
ValidateSignature: pulumi.Bool(false),
})
var identityProviderResource = new IdentityProvider("identityProviderResource", IdentityProviderArgs.builder()
.clientId("string")
.tokenUrl("string")
.alias("string")
.realm("string")
.authorizationUrl("string")
.clientSecret("string")
.guiOrder("string")
.loginHint("string")
.defaultScopes("string")
.disableUserInfo(false)
.displayName("string")
.enabled(false)
.extraConfig(Map.of("string", "string"))
.firstBrokerLoginFlowAlias("string")
.acceptsPromptNoneForwardFromClient(false)
.hideOnLoginPage(false)
.issuer("string")
.jwksUrl("string")
.linkOnly(false)
.backchannelSupported(false)
.logoutUrl("string")
.postBrokerLoginFlowAlias("string")
.providerId("string")
.authenticateByDefault(false)
.storeToken(false)
.syncMode("string")
.addReadTokenRoleOnCreate(false)
.trustEmail(false)
.uiLocales(false)
.userInfoUrl("string")
.validateSignature(false)
.build());
identity_provider_resource = keycloak.oidc.IdentityProvider("identityProviderResource",
client_id="string",
token_url="string",
alias="string",
realm="string",
authorization_url="string",
client_secret="string",
gui_order="string",
login_hint="string",
default_scopes="string",
disable_user_info=False,
display_name="string",
enabled=False,
extra_config={
"string": "string",
},
first_broker_login_flow_alias="string",
accepts_prompt_none_forward_from_client=False,
hide_on_login_page=False,
issuer="string",
jwks_url="string",
link_only=False,
backchannel_supported=False,
logout_url="string",
post_broker_login_flow_alias="string",
provider_id="string",
authenticate_by_default=False,
store_token=False,
sync_mode="string",
add_read_token_role_on_create=False,
trust_email=False,
ui_locales=False,
user_info_url="string",
validate_signature=False)
const identityProviderResource = new keycloak.oidc.IdentityProvider("identityProviderResource", {
clientId: "string",
tokenUrl: "string",
alias: "string",
realm: "string",
authorizationUrl: "string",
clientSecret: "string",
guiOrder: "string",
loginHint: "string",
defaultScopes: "string",
disableUserInfo: false,
displayName: "string",
enabled: false,
extraConfig: {
string: "string",
},
firstBrokerLoginFlowAlias: "string",
acceptsPromptNoneForwardFromClient: false,
hideOnLoginPage: false,
issuer: "string",
jwksUrl: "string",
linkOnly: false,
backchannelSupported: false,
logoutUrl: "string",
postBrokerLoginFlowAlias: "string",
providerId: "string",
authenticateByDefault: false,
storeToken: false,
syncMode: "string",
addReadTokenRoleOnCreate: false,
trustEmail: false,
uiLocales: false,
userInfoUrl: "string",
validateSignature: false,
});
type: keycloak:oidc:IdentityProvider
properties:
acceptsPromptNoneForwardFromClient: false
addReadTokenRoleOnCreate: false
alias: string
authenticateByDefault: false
authorizationUrl: string
backchannelSupported: false
clientId: string
clientSecret: string
defaultScopes: string
disableUserInfo: false
displayName: string
enabled: false
extraConfig:
string: string
firstBrokerLoginFlowAlias: string
guiOrder: string
hideOnLoginPage: false
issuer: string
jwksUrl: string
linkOnly: false
loginHint: string
logoutUrl: string
postBrokerLoginFlowAlias: string
providerId: string
realm: string
storeToken: false
syncMode: string
tokenUrl: string
trustEmail: false
uiLocales: false
userInfoUrl: string
validateSignature: false
IdentityProvider Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The IdentityProvider resource accepts the following input properties:
- Alias string
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- string
- The Authorization Url.
- Client
Id string - The client or client identifier registered within the identity provider.
- Client
Secret string - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- Realm string
- The name of the realm. This is unique across Keycloak.
- Token
Url string - The Token URL.
- Accepts
Prompt boolNone Forward From Client - When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
. - Add
Read boolToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - Authenticate
By boolDefault - Enable/disable authenticate users by default.
- Backchannel
Supported bool - Does the external IDP support backchannel logout? Defaults to
true
. - Default
Scopes string - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
. - Disable
User boolInfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - Display
Name string - Display name for the identity provider in the GUI.
- Enabled bool
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - Extra
Config Dictionary<string, string> - First
Broker stringLogin Flow Alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - Gui
Order string - A number defining the order of this identity provider in the GUI.
- Hide
On boolLogin Page - When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
. - Issuer string
- The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- Jwks
Url string - JSON Web Key Set URL.
- Link
Only bool - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - Login
Hint string - Pass login hint to identity provider.
- Logout
Url string - The Logout URL is the end session endpoint to use to logout user from external identity provider.
- Post
Broker stringLogin Flow Alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- Provider
Id string - The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation. - Store
Token bool - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - Sync
Mode string - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - Trust
Email bool - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - Ui
Locales bool - Pass current locale to identity provider. Defaults to
false
. - User
Info stringUrl - User Info URL.
- Validate
Signature bool - Enable/disable signature validation of external IDP signatures. Defaults to
false
.
- Alias string
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- string
- The Authorization Url.
- Client
Id string - The client or client identifier registered within the identity provider.
- Client
Secret string - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- Realm string
- The name of the realm. This is unique across Keycloak.
- Token
Url string - The Token URL.
- Accepts
Prompt boolNone Forward From Client - When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
. - Add
Read boolToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - Authenticate
By boolDefault - Enable/disable authenticate users by default.
- Backchannel
Supported bool - Does the external IDP support backchannel logout? Defaults to
true
. - Default
Scopes string - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
. - Disable
User boolInfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - Display
Name string - Display name for the identity provider in the GUI.
- Enabled bool
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - Extra
Config map[string]string - First
Broker stringLogin Flow Alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - Gui
Order string - A number defining the order of this identity provider in the GUI.
- Hide
On boolLogin Page - When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
. - Issuer string
- The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- Jwks
Url string - JSON Web Key Set URL.
- Link
Only bool - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - Login
Hint string - Pass login hint to identity provider.
- Logout
Url string - The Logout URL is the end session endpoint to use to logout user from external identity provider.
- Post
Broker stringLogin Flow Alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- Provider
Id string - The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation. - Store
Token bool - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - Sync
Mode string - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - Trust
Email bool - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - Ui
Locales bool - Pass current locale to identity provider. Defaults to
false
. - User
Info stringUrl - User Info URL.
- Validate
Signature bool - Enable/disable signature validation of external IDP signatures. Defaults to
false
.
- alias String
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- String
- The Authorization Url.
- client
Id String - The client or client identifier registered within the identity provider.
- client
Secret String - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- realm String
- The name of the realm. This is unique across Keycloak.
- token
Url String - The Token URL.
- accepts
Prompt BooleanNone Forward From Client - When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
. - add
Read BooleanToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - authenticate
By BooleanDefault - Enable/disable authenticate users by default.
- backchannel
Supported Boolean - Does the external IDP support backchannel logout? Defaults to
true
. - default
Scopes String - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
. - disable
User BooleanInfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - display
Name String - Display name for the identity provider in the GUI.
- enabled Boolean
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - extra
Config Map<String,String> - first
Broker StringLogin Flow Alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - gui
Order String - A number defining the order of this identity provider in the GUI.
- hide
On BooleanLogin Page - When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
. - issuer String
- The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- jwks
Url String - JSON Web Key Set URL.
- link
Only Boolean - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - login
Hint String - Pass login hint to identity provider.
- logout
Url String - The Logout URL is the end session endpoint to use to logout user from external identity provider.
- post
Broker StringLogin Flow Alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider
Id String - The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation. - store
Token Boolean - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - sync
Mode String - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - trust
Email Boolean - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - ui
Locales Boolean - Pass current locale to identity provider. Defaults to
false
. - user
Info StringUrl - User Info URL.
- validate
Signature Boolean - Enable/disable signature validation of external IDP signatures. Defaults to
false
.
- alias string
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- string
- The Authorization Url.
- client
Id string - The client or client identifier registered within the identity provider.
- client
Secret string - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- realm string
- The name of the realm. This is unique across Keycloak.
- token
Url string - The Token URL.
- accepts
Prompt booleanNone Forward From Client - When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
. - add
Read booleanToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - authenticate
By booleanDefault - Enable/disable authenticate users by default.
- backchannel
Supported boolean - Does the external IDP support backchannel logout? Defaults to
true
. - default
Scopes string - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
. - disable
User booleanInfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - display
Name string - Display name for the identity provider in the GUI.
- enabled boolean
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - extra
Config {[key: string]: string} - first
Broker stringLogin Flow Alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - gui
Order string - A number defining the order of this identity provider in the GUI.
- hide
On booleanLogin Page - When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
. - issuer string
- The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- jwks
Url string - JSON Web Key Set URL.
- link
Only boolean - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - login
Hint string - Pass login hint to identity provider.
- logout
Url string - The Logout URL is the end session endpoint to use to logout user from external identity provider.
- post
Broker stringLogin Flow Alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider
Id string - The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation. - store
Token boolean - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - sync
Mode string - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - trust
Email boolean - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - ui
Locales boolean - Pass current locale to identity provider. Defaults to
false
. - user
Info stringUrl - User Info URL.
- validate
Signature boolean - Enable/disable signature validation of external IDP signatures. Defaults to
false
.
- alias str
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- str
- The Authorization Url.
- client_
id str - The client or client identifier registered within the identity provider.
- client_
secret str - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- realm str
- The name of the realm. This is unique across Keycloak.
- token_
url str - The Token URL.
- accepts_
prompt_ boolnone_ forward_ from_ client - When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
. - add_
read_ booltoken_ role_ on_ create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - authenticate_
by_ booldefault - Enable/disable authenticate users by default.
- backchannel_
supported bool - Does the external IDP support backchannel logout? Defaults to
true
. - default_
scopes str - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
. - disable_
user_ boolinfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - display_
name str - Display name for the identity provider in the GUI.
- enabled bool
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - extra_
config Mapping[str, str] - first_
broker_ strlogin_ flow_ alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - gui_
order str - A number defining the order of this identity provider in the GUI.
- hide_
on_ boollogin_ page - When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
. - issuer str
- The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- jwks_
url str - JSON Web Key Set URL.
- link_
only bool - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - login_
hint str - Pass login hint to identity provider.
- logout_
url str - The Logout URL is the end session endpoint to use to logout user from external identity provider.
- post_
broker_ strlogin_ flow_ alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider_
id str - The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation. - store_
token bool - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - sync_
mode str - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - trust_
email bool - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - ui_
locales bool - Pass current locale to identity provider. Defaults to
false
. - user_
info_ strurl - User Info URL.
- validate_
signature bool - Enable/disable signature validation of external IDP signatures. Defaults to
false
.
- alias String
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- String
- The Authorization Url.
- client
Id String - The client or client identifier registered within the identity provider.
- client
Secret String - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- realm String
- The name of the realm. This is unique across Keycloak.
- token
Url String - The Token URL.
- accepts
Prompt BooleanNone Forward From Client - When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
. - add
Read BooleanToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - authenticate
By BooleanDefault - Enable/disable authenticate users by default.
- backchannel
Supported Boolean - Does the external IDP support backchannel logout? Defaults to
true
. - default
Scopes String - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
. - disable
User BooleanInfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - display
Name String - Display name for the identity provider in the GUI.
- enabled Boolean
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - extra
Config Map<String> - first
Broker StringLogin Flow Alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - gui
Order String - A number defining the order of this identity provider in the GUI.
- hide
On BooleanLogin Page - When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
. - issuer String
- The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- jwks
Url String - JSON Web Key Set URL.
- link
Only Boolean - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - login
Hint String - Pass login hint to identity provider.
- logout
Url String - The Logout URL is the end session endpoint to use to logout user from external identity provider.
- post
Broker StringLogin Flow Alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider
Id String - The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation. - store
Token Boolean - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - sync
Mode String - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - trust
Email Boolean - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - ui
Locales Boolean - Pass current locale to identity provider. Defaults to
false
. - user
Info StringUrl - User Info URL.
- validate
Signature Boolean - Enable/disable signature validation of external IDP signatures. Defaults to
false
.
Outputs
All input properties are implicitly available as output properties. Additionally, the IdentityProvider resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Internal
Id string - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- Id string
- The provider-assigned unique ID for this managed resource.
- Internal
Id string - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- id String
- The provider-assigned unique ID for this managed resource.
- internal
Id String - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- id string
- The provider-assigned unique ID for this managed resource.
- internal
Id string - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- id str
- The provider-assigned unique ID for this managed resource.
- internal_
id str - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- id String
- The provider-assigned unique ID for this managed resource.
- internal
Id String - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
Look up Existing IdentityProvider Resource
Get an existing IdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: IdentityProviderState, opts?: CustomResourceOptions): IdentityProvider
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
accepts_prompt_none_forward_from_client: Optional[bool] = None,
add_read_token_role_on_create: Optional[bool] = None,
alias: Optional[str] = None,
authenticate_by_default: Optional[bool] = None,
authorization_url: Optional[str] = None,
backchannel_supported: Optional[bool] = None,
client_id: Optional[str] = None,
client_secret: Optional[str] = None,
default_scopes: Optional[str] = None,
disable_user_info: Optional[bool] = None,
display_name: Optional[str] = None,
enabled: Optional[bool] = None,
extra_config: Optional[Mapping[str, str]] = None,
first_broker_login_flow_alias: Optional[str] = None,
gui_order: Optional[str] = None,
hide_on_login_page: Optional[bool] = None,
internal_id: Optional[str] = None,
issuer: Optional[str] = None,
jwks_url: Optional[str] = None,
link_only: Optional[bool] = None,
login_hint: Optional[str] = None,
logout_url: Optional[str] = None,
post_broker_login_flow_alias: Optional[str] = None,
provider_id: Optional[str] = None,
realm: Optional[str] = None,
store_token: Optional[bool] = None,
sync_mode: Optional[str] = None,
token_url: Optional[str] = None,
trust_email: Optional[bool] = None,
ui_locales: Optional[bool] = None,
user_info_url: Optional[str] = None,
validate_signature: Optional[bool] = None) -> IdentityProvider
func GetIdentityProvider(ctx *Context, name string, id IDInput, state *IdentityProviderState, opts ...ResourceOption) (*IdentityProvider, error)
public static IdentityProvider Get(string name, Input<string> id, IdentityProviderState? state, CustomResourceOptions? opts = null)
public static IdentityProvider get(String name, Output<String> id, IdentityProviderState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Accepts
Prompt boolNone Forward From Client - When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
. - Add
Read boolToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - Alias string
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- Authenticate
By boolDefault - Enable/disable authenticate users by default.
- string
- The Authorization Url.
- Backchannel
Supported bool - Does the external IDP support backchannel logout? Defaults to
true
. - Client
Id string - The client or client identifier registered within the identity provider.
- Client
Secret string - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- Default
Scopes string - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
. - Disable
User boolInfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - Display
Name string - Display name for the identity provider in the GUI.
- Enabled bool
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - Extra
Config Dictionary<string, string> - First
Broker stringLogin Flow Alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - Gui
Order string - A number defining the order of this identity provider in the GUI.
- Hide
On boolLogin Page - When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
. - Internal
Id string - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- Issuer string
- The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- Jwks
Url string - JSON Web Key Set URL.
- Link
Only bool - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - Login
Hint string - Pass login hint to identity provider.
- Logout
Url string - The Logout URL is the end session endpoint to use to logout user from external identity provider.
- Post
Broker stringLogin Flow Alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- Provider
Id string - The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation. - Realm string
- The name of the realm. This is unique across Keycloak.
- Store
Token bool - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - Sync
Mode string - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - Token
Url string - The Token URL.
- Trust
Email bool - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - Ui
Locales bool - Pass current locale to identity provider. Defaults to
false
. - User
Info stringUrl - User Info URL.
- Validate
Signature bool - Enable/disable signature validation of external IDP signatures. Defaults to
false
.
- Accepts
Prompt boolNone Forward From Client - When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
. - Add
Read boolToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - Alias string
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- Authenticate
By boolDefault - Enable/disable authenticate users by default.
- string
- The Authorization Url.
- Backchannel
Supported bool - Does the external IDP support backchannel logout? Defaults to
true
. - Client
Id string - The client or client identifier registered within the identity provider.
- Client
Secret string - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- Default
Scopes string - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
. - Disable
User boolInfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - Display
Name string - Display name for the identity provider in the GUI.
- Enabled bool
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - Extra
Config map[string]string - First
Broker stringLogin Flow Alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - Gui
Order string - A number defining the order of this identity provider in the GUI.
- Hide
On boolLogin Page - When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
. - Internal
Id string - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- Issuer string
- The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- Jwks
Url string - JSON Web Key Set URL.
- Link
Only bool - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - Login
Hint string - Pass login hint to identity provider.
- Logout
Url string - The Logout URL is the end session endpoint to use to logout user from external identity provider.
- Post
Broker stringLogin Flow Alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- Provider
Id string - The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation. - Realm string
- The name of the realm. This is unique across Keycloak.
- Store
Token bool - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - Sync
Mode string - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - Token
Url string - The Token URL.
- Trust
Email bool - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - Ui
Locales bool - Pass current locale to identity provider. Defaults to
false
. - User
Info stringUrl - User Info URL.
- Validate
Signature bool - Enable/disable signature validation of external IDP signatures. Defaults to
false
.
- accepts
Prompt BooleanNone Forward From Client - When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
. - add
Read BooleanToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - alias String
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- authenticate
By BooleanDefault - Enable/disable authenticate users by default.
- String
- The Authorization Url.
- backchannel
Supported Boolean - Does the external IDP support backchannel logout? Defaults to
true
. - client
Id String - The client or client identifier registered within the identity provider.
- client
Secret String - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- default
Scopes String - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
. - disable
User BooleanInfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - display
Name String - Display name for the identity provider in the GUI.
- enabled Boolean
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - extra
Config Map<String,String> - first
Broker StringLogin Flow Alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - gui
Order String - A number defining the order of this identity provider in the GUI.
- hide
On BooleanLogin Page - When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
. - internal
Id String - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- issuer String
- The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- jwks
Url String - JSON Web Key Set URL.
- link
Only Boolean - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - login
Hint String - Pass login hint to identity provider.
- logout
Url String - The Logout URL is the end session endpoint to use to logout user from external identity provider.
- post
Broker StringLogin Flow Alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider
Id String - The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation. - realm String
- The name of the realm. This is unique across Keycloak.
- store
Token Boolean - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - sync
Mode String - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - token
Url String - The Token URL.
- trust
Email Boolean - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - ui
Locales Boolean - Pass current locale to identity provider. Defaults to
false
. - user
Info StringUrl - User Info URL.
- validate
Signature Boolean - Enable/disable signature validation of external IDP signatures. Defaults to
false
.
- accepts
Prompt booleanNone Forward From Client - When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
. - add
Read booleanToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - alias string
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- authenticate
By booleanDefault - Enable/disable authenticate users by default.
- string
- The Authorization Url.
- backchannel
Supported boolean - Does the external IDP support backchannel logout? Defaults to
true
. - client
Id string - The client or client identifier registered within the identity provider.
- client
Secret string - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- default
Scopes string - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
. - disable
User booleanInfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - display
Name string - Display name for the identity provider in the GUI.
- enabled boolean
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - extra
Config {[key: string]: string} - first
Broker stringLogin Flow Alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - gui
Order string - A number defining the order of this identity provider in the GUI.
- hide
On booleanLogin Page - When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
. - internal
Id string - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- issuer string
- The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- jwks
Url string - JSON Web Key Set URL.
- link
Only boolean - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - login
Hint string - Pass login hint to identity provider.
- logout
Url string - The Logout URL is the end session endpoint to use to logout user from external identity provider.
- post
Broker stringLogin Flow Alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider
Id string - The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation. - realm string
- The name of the realm. This is unique across Keycloak.
- store
Token boolean - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - sync
Mode string - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - token
Url string - The Token URL.
- trust
Email boolean - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - ui
Locales boolean - Pass current locale to identity provider. Defaults to
false
. - user
Info stringUrl - User Info URL.
- validate
Signature boolean - Enable/disable signature validation of external IDP signatures. Defaults to
false
.
- accepts_
prompt_ boolnone_ forward_ from_ client - When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
. - add_
read_ booltoken_ role_ on_ create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - alias str
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- authenticate_
by_ booldefault - Enable/disable authenticate users by default.
- str
- The Authorization Url.
- backchannel_
supported bool - Does the external IDP support backchannel logout? Defaults to
true
. - client_
id str - The client or client identifier registered within the identity provider.
- client_
secret str - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- default_
scopes str - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
. - disable_
user_ boolinfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - display_
name str - Display name for the identity provider in the GUI.
- enabled bool
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - extra_
config Mapping[str, str] - first_
broker_ strlogin_ flow_ alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - gui_
order str - A number defining the order of this identity provider in the GUI.
- hide_
on_ boollogin_ page - When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
. - internal_
id str - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- issuer str
- The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- jwks_
url str - JSON Web Key Set URL.
- link_
only bool - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - login_
hint str - Pass login hint to identity provider.
- logout_
url str - The Logout URL is the end session endpoint to use to logout user from external identity provider.
- post_
broker_ strlogin_ flow_ alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider_
id str - The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation. - realm str
- The name of the realm. This is unique across Keycloak.
- store_
token bool - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - sync_
mode str - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - token_
url str - The Token URL.
- trust_
email bool - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - ui_
locales bool - Pass current locale to identity provider. Defaults to
false
. - user_
info_ strurl - User Info URL.
- validate_
signature bool - Enable/disable signature validation of external IDP signatures. Defaults to
false
.
- accepts
Prompt BooleanNone Forward From Client - When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
. - add
Read BooleanToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - alias String
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- authenticate
By BooleanDefault - Enable/disable authenticate users by default.
- String
- The Authorization Url.
- backchannel
Supported Boolean - Does the external IDP support backchannel logout? Defaults to
true
. - client
Id String - The client or client identifier registered within the identity provider.
- client
Secret String - The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- default
Scopes String - The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
. - disable
User BooleanInfo - When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
. - display
Name String - Display name for the identity provider in the GUI.
- enabled Boolean
- When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
. - extra
Config Map<String> - first
Broker StringLogin Flow Alias - The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
. - gui
Order String - A number defining the order of this identity provider in the GUI.
- hide
On BooleanLogin Page - When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
. - internal
Id String - (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- issuer String
- The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- jwks
Url String - JSON Web Key Set URL.
- link
Only Boolean - When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - login
Hint String - Pass login hint to identity provider.
- logout
Url String - The Logout URL is the end session endpoint to use to logout user from external identity provider.
- post
Broker StringLogin Flow Alias - The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider
Id String - The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation. - realm String
- The name of the realm. This is unique across Keycloak.
- store
Token Boolean - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - sync
Mode String - The default sync mode to use for all mappers attached to this identity provider. Can be once of
IMPORT
,FORCE
, orLEGACY
. - token
Url String - The Token URL.
- trust
Email Boolean - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - ui
Locales Boolean - Pass current locale to identity provider. Defaults to
false
. - user
Info StringUrl - User Info URL.
- validate
Signature Boolean - Enable/disable signature validation of external IDP signatures. Defaults to
false
.
Import
Identity providers can be imported using the format {{realm_id}}/{{idp_alias}}
, where idp_alias
is the identity provider alias.
Example:
bash
$ pulumi import keycloak:oidc/identityProvider:IdentityProvider realm_identity_provider my-realm/my-idp
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
keycloak
Terraform Provider.