1. Packages
  2. Keycloak
  3. API Docs
  4. oidc
  5. GoogleIdentityProvider
Keycloak v5.3.1 published on Monday, Mar 11, 2024 by Pulumi

keycloak.oidc.GoogleIdentityProvider

Explore with Pulumi AI

keycloak logo
Keycloak v5.3.1 published on Monday, Mar 11, 2024 by Pulumi

    Allows for creating and managing OIDC Identity Providers within Keycloak.

    OIDC (OpenID Connect) identity providers allows users to authenticate through a third party system using the OIDC standard.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as keycloak from "@pulumi/keycloak";
    
    const realm = new keycloak.Realm("realm", {
        realm: "my-realm",
        enabled: true,
    });
    const google = new keycloak.oidc.GoogleIdentityProvider("google", {
        realm: realm.id,
        clientId: _var.google_identity_provider_client_id,
        clientSecret: _var.google_identity_provider_client_secret,
        trustEmail: true,
        hostedDomain: "example.com",
        syncMode: "IMPORT",
        extraConfig: {
            myCustomConfigKey: "myValue",
        },
    });
    
    import pulumi
    import pulumi_keycloak as keycloak
    
    realm = keycloak.Realm("realm",
        realm="my-realm",
        enabled=True)
    google = keycloak.oidc.GoogleIdentityProvider("google",
        realm=realm.id,
        client_id=var["google_identity_provider_client_id"],
        client_secret=var["google_identity_provider_client_secret"],
        trust_email=True,
        hosted_domain="example.com",
        sync_mode="IMPORT",
        extra_config={
            "myCustomConfigKey": "myValue",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
    	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/oidc"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
    			Realm:   pulumi.String("my-realm"),
    			Enabled: pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = oidc.NewGoogleIdentityProvider(ctx, "google", &oidc.GoogleIdentityProviderArgs{
    			Realm:        realm.ID(),
    			ClientId:     pulumi.Any(_var.Google_identity_provider_client_id),
    			ClientSecret: pulumi.Any(_var.Google_identity_provider_client_secret),
    			TrustEmail:   pulumi.Bool(true),
    			HostedDomain: pulumi.String("example.com"),
    			SyncMode:     pulumi.String("IMPORT"),
    			ExtraConfig: pulumi.Map{
    				"myCustomConfigKey": pulumi.Any("myValue"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Keycloak = Pulumi.Keycloak;
    
    return await Deployment.RunAsync(() => 
    {
        var realm = new Keycloak.Realm("realm", new()
        {
            RealmName = "my-realm",
            Enabled = true,
        });
    
        var google = new Keycloak.Oidc.GoogleIdentityProvider("google", new()
        {
            Realm = realm.Id,
            ClientId = @var.Google_identity_provider_client_id,
            ClientSecret = @var.Google_identity_provider_client_secret,
            TrustEmail = true,
            HostedDomain = "example.com",
            SyncMode = "IMPORT",
            ExtraConfig = 
            {
                { "myCustomConfigKey", "myValue" },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.keycloak.Realm;
    import com.pulumi.keycloak.RealmArgs;
    import com.pulumi.keycloak.oidc.GoogleIdentityProvider;
    import com.pulumi.keycloak.oidc.GoogleIdentityProviderArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var realm = new Realm("realm", RealmArgs.builder()        
                .realm("my-realm")
                .enabled(true)
                .build());
    
            var google = new GoogleIdentityProvider("google", GoogleIdentityProviderArgs.builder()        
                .realm(realm.id())
                .clientId(var_.google_identity_provider_client_id())
                .clientSecret(var_.google_identity_provider_client_secret())
                .trustEmail(true)
                .hostedDomain("example.com")
                .syncMode("IMPORT")
                .extraConfig(Map.of("myCustomConfigKey", "myValue"))
                .build());
    
        }
    }
    
    resources:
      realm:
        type: keycloak:Realm
        properties:
          realm: my-realm
          enabled: true
      google:
        type: keycloak:oidc:GoogleIdentityProvider
        properties:
          realm: ${realm.id}
          clientId: ${var.google_identity_provider_client_id}
          clientSecret: ${var.google_identity_provider_client_secret}
          trustEmail: true
          hostedDomain: example.com
          syncMode: IMPORT
          extraConfig:
            myCustomConfigKey: myValue
    

    Create GoogleIdentityProvider Resource

    new GoogleIdentityProvider(name: string, args: GoogleIdentityProviderArgs, opts?: CustomResourceOptions);
    @overload
    def GoogleIdentityProvider(resource_name: str,
                               opts: Optional[ResourceOptions] = None,
                               accepts_prompt_none_forward_from_client: Optional[bool] = None,
                               add_read_token_role_on_create: Optional[bool] = None,
                               authenticate_by_default: Optional[bool] = None,
                               client_id: Optional[str] = None,
                               client_secret: Optional[str] = None,
                               default_scopes: Optional[str] = None,
                               disable_user_info: Optional[bool] = None,
                               enabled: Optional[bool] = None,
                               extra_config: Optional[Mapping[str, Any]] = None,
                               first_broker_login_flow_alias: Optional[str] = None,
                               gui_order: Optional[str] = None,
                               hide_on_login_page: Optional[bool] = None,
                               hosted_domain: Optional[str] = None,
                               link_only: Optional[bool] = None,
                               post_broker_login_flow_alias: Optional[str] = None,
                               provider_id: Optional[str] = None,
                               realm: Optional[str] = None,
                               request_refresh_token: Optional[bool] = None,
                               store_token: Optional[bool] = None,
                               sync_mode: Optional[str] = None,
                               trust_email: Optional[bool] = None,
                               use_user_ip_param: Optional[bool] = None)
    @overload
    def GoogleIdentityProvider(resource_name: str,
                               args: GoogleIdentityProviderArgs,
                               opts: Optional[ResourceOptions] = None)
    func NewGoogleIdentityProvider(ctx *Context, name string, args GoogleIdentityProviderArgs, opts ...ResourceOption) (*GoogleIdentityProvider, error)
    public GoogleIdentityProvider(string name, GoogleIdentityProviderArgs args, CustomResourceOptions? opts = null)
    public GoogleIdentityProvider(String name, GoogleIdentityProviderArgs args)
    public GoogleIdentityProvider(String name, GoogleIdentityProviderArgs args, CustomResourceOptions options)
    
    type: keycloak:oidc:GoogleIdentityProvider
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args GoogleIdentityProviderArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args GoogleIdentityProviderArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args GoogleIdentityProviderArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args GoogleIdentityProviderArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args GoogleIdentityProviderArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    GoogleIdentityProvider Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The GoogleIdentityProvider resource accepts the following input properties:

    ClientId string
    The client or client identifier registered within the identity provider.
    ClientSecret string
    The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
    Realm string
    The name of the realm. This is unique across Keycloak.
    AcceptsPromptNoneForwardFromClient bool
    When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
    AddReadTokenRoleOnCreate bool
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    AuthenticateByDefault bool
    Enable/disable authenticate users by default.
    DefaultScopes string
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
    DisableUserInfo bool
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    Enabled bool
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    ExtraConfig Dictionary<string, object>
    FirstBrokerLoginFlowAlias string
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    GuiOrder string
    A number defining the order of this identity provider in the GUI.
    HideOnLoginPage bool
    When true, this identity provider will be hidden on the login page. Defaults to false.
    HostedDomain string
    Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
    LinkOnly bool
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    PostBrokerLoginFlowAlias string
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    ProviderId string
    The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
    RequestRefreshToken bool
    Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
    StoreToken bool
    When true, tokens will be stored after authenticating users. Defaults to true.
    SyncMode string
    The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
    TrustEmail bool
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    UseUserIpParam bool
    Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
    ClientId string
    The client or client identifier registered within the identity provider.
    ClientSecret string
    The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
    Realm string
    The name of the realm. This is unique across Keycloak.
    AcceptsPromptNoneForwardFromClient bool
    When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
    AddReadTokenRoleOnCreate bool
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    AuthenticateByDefault bool
    Enable/disable authenticate users by default.
    DefaultScopes string
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
    DisableUserInfo bool
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    Enabled bool
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    ExtraConfig map[string]interface{}
    FirstBrokerLoginFlowAlias string
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    GuiOrder string
    A number defining the order of this identity provider in the GUI.
    HideOnLoginPage bool
    When true, this identity provider will be hidden on the login page. Defaults to false.
    HostedDomain string
    Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
    LinkOnly bool
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    PostBrokerLoginFlowAlias string
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    ProviderId string
    The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
    RequestRefreshToken bool
    Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
    StoreToken bool
    When true, tokens will be stored after authenticating users. Defaults to true.
    SyncMode string
    The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
    TrustEmail bool
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    UseUserIpParam bool
    Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
    clientId String
    The client or client identifier registered within the identity provider.
    clientSecret String
    The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
    realm String
    The name of the realm. This is unique across Keycloak.
    acceptsPromptNoneForwardFromClient Boolean
    When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
    addReadTokenRoleOnCreate Boolean
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    authenticateByDefault Boolean
    Enable/disable authenticate users by default.
    defaultScopes String
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
    disableUserInfo Boolean
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    enabled Boolean
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    extraConfig Map<String,Object>
    firstBrokerLoginFlowAlias String
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    guiOrder String
    A number defining the order of this identity provider in the GUI.
    hideOnLoginPage Boolean
    When true, this identity provider will be hidden on the login page. Defaults to false.
    hostedDomain String
    Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
    linkOnly Boolean
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    postBrokerLoginFlowAlias String
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    providerId String
    The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
    requestRefreshToken Boolean
    Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
    storeToken Boolean
    When true, tokens will be stored after authenticating users. Defaults to true.
    syncMode String
    The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
    trustEmail Boolean
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    useUserIpParam Boolean
    Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
    clientId string
    The client or client identifier registered within the identity provider.
    clientSecret string
    The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
    realm string
    The name of the realm. This is unique across Keycloak.
    acceptsPromptNoneForwardFromClient boolean
    When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
    addReadTokenRoleOnCreate boolean
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    authenticateByDefault boolean
    Enable/disable authenticate users by default.
    defaultScopes string
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
    disableUserInfo boolean
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    enabled boolean
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    extraConfig {[key: string]: any}
    firstBrokerLoginFlowAlias string
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    guiOrder string
    A number defining the order of this identity provider in the GUI.
    hideOnLoginPage boolean
    When true, this identity provider will be hidden on the login page. Defaults to false.
    hostedDomain string
    Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
    linkOnly boolean
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    postBrokerLoginFlowAlias string
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    providerId string
    The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
    requestRefreshToken boolean
    Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
    storeToken boolean
    When true, tokens will be stored after authenticating users. Defaults to true.
    syncMode string
    The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
    trustEmail boolean
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    useUserIpParam boolean
    Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
    client_id str
    The client or client identifier registered within the identity provider.
    client_secret str
    The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
    realm str
    The name of the realm. This is unique across Keycloak.
    accepts_prompt_none_forward_from_client bool
    When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
    add_read_token_role_on_create bool
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    authenticate_by_default bool
    Enable/disable authenticate users by default.
    default_scopes str
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
    disable_user_info bool
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    enabled bool
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    extra_config Mapping[str, Any]
    first_broker_login_flow_alias str
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    gui_order str
    A number defining the order of this identity provider in the GUI.
    hide_on_login_page bool
    When true, this identity provider will be hidden on the login page. Defaults to false.
    hosted_domain str
    Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
    link_only bool
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    post_broker_login_flow_alias str
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    provider_id str
    The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
    request_refresh_token bool
    Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
    store_token bool
    When true, tokens will be stored after authenticating users. Defaults to true.
    sync_mode str
    The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
    trust_email bool
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    use_user_ip_param bool
    Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
    clientId String
    The client or client identifier registered within the identity provider.
    clientSecret String
    The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
    realm String
    The name of the realm. This is unique across Keycloak.
    acceptsPromptNoneForwardFromClient Boolean
    When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
    addReadTokenRoleOnCreate Boolean
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    authenticateByDefault Boolean
    Enable/disable authenticate users by default.
    defaultScopes String
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
    disableUserInfo Boolean
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    enabled Boolean
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    extraConfig Map<Any>
    firstBrokerLoginFlowAlias String
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    guiOrder String
    A number defining the order of this identity provider in the GUI.
    hideOnLoginPage Boolean
    When true, this identity provider will be hidden on the login page. Defaults to false.
    hostedDomain String
    Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
    linkOnly Boolean
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    postBrokerLoginFlowAlias String
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    providerId String
    The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
    requestRefreshToken Boolean
    Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
    storeToken Boolean
    When true, tokens will be stored after authenticating users. Defaults to true.
    syncMode String
    The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
    trustEmail Boolean
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    useUserIpParam Boolean
    Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the GoogleIdentityProvider resource produces the following output properties:

    Alias string
    (Computed) The alias for the Google identity provider.
    DisplayName string
    (Computed) Display name for the Google identity provider in the GUI.
    Id string
    The provider-assigned unique ID for this managed resource.
    InternalId string
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    Alias string
    (Computed) The alias for the Google identity provider.
    DisplayName string
    (Computed) Display name for the Google identity provider in the GUI.
    Id string
    The provider-assigned unique ID for this managed resource.
    InternalId string
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    alias String
    (Computed) The alias for the Google identity provider.
    displayName String
    (Computed) Display name for the Google identity provider in the GUI.
    id String
    The provider-assigned unique ID for this managed resource.
    internalId String
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    alias string
    (Computed) The alias for the Google identity provider.
    displayName string
    (Computed) Display name for the Google identity provider in the GUI.
    id string
    The provider-assigned unique ID for this managed resource.
    internalId string
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    alias str
    (Computed) The alias for the Google identity provider.
    display_name str
    (Computed) Display name for the Google identity provider in the GUI.
    id str
    The provider-assigned unique ID for this managed resource.
    internal_id str
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    alias String
    (Computed) The alias for the Google identity provider.
    displayName String
    (Computed) Display name for the Google identity provider in the GUI.
    id String
    The provider-assigned unique ID for this managed resource.
    internalId String
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

    Look up Existing GoogleIdentityProvider Resource

    Get an existing GoogleIdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: GoogleIdentityProviderState, opts?: CustomResourceOptions): GoogleIdentityProvider
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            accepts_prompt_none_forward_from_client: Optional[bool] = None,
            add_read_token_role_on_create: Optional[bool] = None,
            alias: Optional[str] = None,
            authenticate_by_default: Optional[bool] = None,
            client_id: Optional[str] = None,
            client_secret: Optional[str] = None,
            default_scopes: Optional[str] = None,
            disable_user_info: Optional[bool] = None,
            display_name: Optional[str] = None,
            enabled: Optional[bool] = None,
            extra_config: Optional[Mapping[str, Any]] = None,
            first_broker_login_flow_alias: Optional[str] = None,
            gui_order: Optional[str] = None,
            hide_on_login_page: Optional[bool] = None,
            hosted_domain: Optional[str] = None,
            internal_id: Optional[str] = None,
            link_only: Optional[bool] = None,
            post_broker_login_flow_alias: Optional[str] = None,
            provider_id: Optional[str] = None,
            realm: Optional[str] = None,
            request_refresh_token: Optional[bool] = None,
            store_token: Optional[bool] = None,
            sync_mode: Optional[str] = None,
            trust_email: Optional[bool] = None,
            use_user_ip_param: Optional[bool] = None) -> GoogleIdentityProvider
    func GetGoogleIdentityProvider(ctx *Context, name string, id IDInput, state *GoogleIdentityProviderState, opts ...ResourceOption) (*GoogleIdentityProvider, error)
    public static GoogleIdentityProvider Get(string name, Input<string> id, GoogleIdentityProviderState? state, CustomResourceOptions? opts = null)
    public static GoogleIdentityProvider get(String name, Output<String> id, GoogleIdentityProviderState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AcceptsPromptNoneForwardFromClient bool
    When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
    AddReadTokenRoleOnCreate bool
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    Alias string
    (Computed) The alias for the Google identity provider.
    AuthenticateByDefault bool
    Enable/disable authenticate users by default.
    ClientId string
    The client or client identifier registered within the identity provider.
    ClientSecret string
    The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
    DefaultScopes string
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
    DisableUserInfo bool
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    DisplayName string
    (Computed) Display name for the Google identity provider in the GUI.
    Enabled bool
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    ExtraConfig Dictionary<string, object>
    FirstBrokerLoginFlowAlias string
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    GuiOrder string
    A number defining the order of this identity provider in the GUI.
    HideOnLoginPage bool
    When true, this identity provider will be hidden on the login page. Defaults to false.
    HostedDomain string
    Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
    InternalId string
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    LinkOnly bool
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    PostBrokerLoginFlowAlias string
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    ProviderId string
    The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
    Realm string
    The name of the realm. This is unique across Keycloak.
    RequestRefreshToken bool
    Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
    StoreToken bool
    When true, tokens will be stored after authenticating users. Defaults to true.
    SyncMode string
    The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
    TrustEmail bool
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    UseUserIpParam bool
    Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
    AcceptsPromptNoneForwardFromClient bool
    When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
    AddReadTokenRoleOnCreate bool
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    Alias string
    (Computed) The alias for the Google identity provider.
    AuthenticateByDefault bool
    Enable/disable authenticate users by default.
    ClientId string
    The client or client identifier registered within the identity provider.
    ClientSecret string
    The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
    DefaultScopes string
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
    DisableUserInfo bool
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    DisplayName string
    (Computed) Display name for the Google identity provider in the GUI.
    Enabled bool
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    ExtraConfig map[string]interface{}
    FirstBrokerLoginFlowAlias string
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    GuiOrder string
    A number defining the order of this identity provider in the GUI.
    HideOnLoginPage bool
    When true, this identity provider will be hidden on the login page. Defaults to false.
    HostedDomain string
    Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
    InternalId string
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    LinkOnly bool
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    PostBrokerLoginFlowAlias string
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    ProviderId string
    The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
    Realm string
    The name of the realm. This is unique across Keycloak.
    RequestRefreshToken bool
    Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
    StoreToken bool
    When true, tokens will be stored after authenticating users. Defaults to true.
    SyncMode string
    The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
    TrustEmail bool
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    UseUserIpParam bool
    Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
    acceptsPromptNoneForwardFromClient Boolean
    When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
    addReadTokenRoleOnCreate Boolean
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    alias String
    (Computed) The alias for the Google identity provider.
    authenticateByDefault Boolean
    Enable/disable authenticate users by default.
    clientId String
    The client or client identifier registered within the identity provider.
    clientSecret String
    The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
    defaultScopes String
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
    disableUserInfo Boolean
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    displayName String
    (Computed) Display name for the Google identity provider in the GUI.
    enabled Boolean
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    extraConfig Map<String,Object>
    firstBrokerLoginFlowAlias String
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    guiOrder String
    A number defining the order of this identity provider in the GUI.
    hideOnLoginPage Boolean
    When true, this identity provider will be hidden on the login page. Defaults to false.
    hostedDomain String
    Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
    internalId String
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    linkOnly Boolean
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    postBrokerLoginFlowAlias String
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    providerId String
    The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
    realm String
    The name of the realm. This is unique across Keycloak.
    requestRefreshToken Boolean
    Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
    storeToken Boolean
    When true, tokens will be stored after authenticating users. Defaults to true.
    syncMode String
    The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
    trustEmail Boolean
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    useUserIpParam Boolean
    Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
    acceptsPromptNoneForwardFromClient boolean
    When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
    addReadTokenRoleOnCreate boolean
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    alias string
    (Computed) The alias for the Google identity provider.
    authenticateByDefault boolean
    Enable/disable authenticate users by default.
    clientId string
    The client or client identifier registered within the identity provider.
    clientSecret string
    The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
    defaultScopes string
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
    disableUserInfo boolean
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    displayName string
    (Computed) Display name for the Google identity provider in the GUI.
    enabled boolean
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    extraConfig {[key: string]: any}
    firstBrokerLoginFlowAlias string
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    guiOrder string
    A number defining the order of this identity provider in the GUI.
    hideOnLoginPage boolean
    When true, this identity provider will be hidden on the login page. Defaults to false.
    hostedDomain string
    Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
    internalId string
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    linkOnly boolean
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    postBrokerLoginFlowAlias string
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    providerId string
    The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
    realm string
    The name of the realm. This is unique across Keycloak.
    requestRefreshToken boolean
    Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
    storeToken boolean
    When true, tokens will be stored after authenticating users. Defaults to true.
    syncMode string
    The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
    trustEmail boolean
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    useUserIpParam boolean
    Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
    accepts_prompt_none_forward_from_client bool
    When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
    add_read_token_role_on_create bool
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    alias str
    (Computed) The alias for the Google identity provider.
    authenticate_by_default bool
    Enable/disable authenticate users by default.
    client_id str
    The client or client identifier registered within the identity provider.
    client_secret str
    The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
    default_scopes str
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
    disable_user_info bool
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    display_name str
    (Computed) Display name for the Google identity provider in the GUI.
    enabled bool
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    extra_config Mapping[str, Any]
    first_broker_login_flow_alias str
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    gui_order str
    A number defining the order of this identity provider in the GUI.
    hide_on_login_page bool
    When true, this identity provider will be hidden on the login page. Defaults to false.
    hosted_domain str
    Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
    internal_id str
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    link_only bool
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    post_broker_login_flow_alias str
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    provider_id str
    The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
    realm str
    The name of the realm. This is unique across Keycloak.
    request_refresh_token bool
    Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
    store_token bool
    When true, tokens will be stored after authenticating users. Defaults to true.
    sync_mode str
    The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
    trust_email bool
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    use_user_ip_param bool
    Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
    acceptsPromptNoneForwardFromClient Boolean
    When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
    addReadTokenRoleOnCreate Boolean
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    alias String
    (Computed) The alias for the Google identity provider.
    authenticateByDefault Boolean
    Enable/disable authenticate users by default.
    clientId String
    The client or client identifier registered within the identity provider.
    clientSecret String
    The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
    defaultScopes String
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
    disableUserInfo Boolean
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    displayName String
    (Computed) Display name for the Google identity provider in the GUI.
    enabled Boolean
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    extraConfig Map<Any>
    firstBrokerLoginFlowAlias String
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    guiOrder String
    A number defining the order of this identity provider in the GUI.
    hideOnLoginPage Boolean
    When true, this identity provider will be hidden on the login page. Defaults to false.
    hostedDomain String
    Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
    internalId String
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    linkOnly Boolean
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    postBrokerLoginFlowAlias String
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    providerId String
    The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
    realm String
    The name of the realm. This is unique across Keycloak.
    requestRefreshToken Boolean
    Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
    storeToken Boolean
    When true, tokens will be stored after authenticating users. Defaults to true.
    syncMode String
    The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
    trustEmail Boolean
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    useUserIpParam Boolean
    Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

    Import

    Google Identity providers can be imported using the format {{realm_id}}/{{idp_alias}}, where idp_alias is the identity provider alias.

    Example:

    bash

    $ pulumi import keycloak:oidc/googleIdentityProvider:GoogleIdentityProvider google_identity_provider my-realm/my-google-idp
    

    Package Details

    Repository
    Keycloak pulumi/pulumi-keycloak
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the keycloak Terraform Provider.
    keycloak logo
    Keycloak v5.3.1 published on Monday, Mar 11, 2024 by Pulumi