auth0.ConnectionKeys
Client Assertion JWT is a more secure alternative to client secret authentication for OIDC and Okta Workforce connections: it authenticates the client with a signed JWT instead of a shared secret. This resource only supports key rotation. Use the auth0.ConnectionKeys data source to read existing keys. Removing the resource from configuration will NOT delete the key, so tearing down the stack leaves the key in place on the connection.
Warning: The triggers field is only a placeholder: an arbitrary map that signals the provider to perform a key rotation whenever any update is made to it. If the resource is removed from the configuration, the keys will not be deleted.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as auth0 from "@pulumi/auth0";
// Client that the OIDC connection below is configured for.
const myClient = new auth0.Client("my_client", {
    name: "My-Auth0-Client",
});

// OIDC connection using Client Assertion JWT ("private_key_jwt"): the client is
// authenticated with a signed JWT (RS256 here) instead of a shared client secret.
//
// The endpoint values are documentation placeholders. In a real configuration the
// issuer, authorization endpoint, JWKS URI and discovery URL should all belong to the
// one identity provider you trust; this sample mixes example.com with a discovery
// document hosted on paypalobjects.com.
const oidc = new auth0.Connection("oidc", {
    name: "OIDC-Connection",
    strategy: "oidc",
    options: {
        clientId: myClient.id,
        scopes: ["ext_nested_groups", "openid"],
        issuer: "https://example.com",
        authorizationEndpoint: "https://example.com",
        jwksUri: "https://example.com/jwks",
        type: "front_channel",
        discoveryUrl: "https://www.paypalobjects.com/.well-known/openid-configuration",
        tokenEndpointAuthMethod: "private_key_jwt",
        tokenEndpointAuthSigningAlg: "RS256",
    },
});

// Rotates the keys of the OIDC connection above. `triggers` is an arbitrary map:
// changing any entry signals the provider to rotate. Removing this resource from the
// program does NOT delete the key.
// NOTE(review): confirm how the upstream identity provider picks up the new public key
// (see the `cert` and `kid` outputs) before rotating a production connection.
const myKeys = new auth0.ConnectionKeys("my_keys", {
    connectionId: oidc.id,
    triggers: {
        version: "1",
        date: "2023-10-01T00:00:00Z",
    },
});
import pulumi
import pulumi_auth0 as auth0
# Client that the OIDC connection below is configured for.
my_client = auth0.Client("my_client", name="My-Auth0-Client")

# Connection options for Client Assertion JWT ("private_key_jwt"): the client is
# authenticated with a signed JWT (RS256 here) instead of a shared client secret.
#
# The endpoint values are documentation placeholders. In a real configuration the
# issuer, authorization endpoint, JWKS URI and discovery URL should all belong to the
# one identity provider you trust; this sample mixes example.com with a discovery
# document hosted on paypalobjects.com.
oidc_options = {
    "client_id": my_client.id,
    "scopes": [
        "ext_nested_groups",
        "openid",
    ],
    "issuer": "https://example.com",
    "authorization_endpoint": "https://example.com",
    "jwks_uri": "https://example.com/jwks",
    "type": "front_channel",
    "discovery_url": "https://www.paypalobjects.com/.well-known/openid-configuration",
    "token_endpoint_auth_method": "private_key_jwt",
    "token_endpoint_auth_signing_alg": "RS256",
}
oidc = auth0.Connection(
    "oidc",
    name="OIDC-Connection",
    strategy="oidc",
    options=oidc_options,
)

# Rotates the keys of the OIDC connection above. `triggers` is an arbitrary map:
# changing any entry signals the provider to rotate. Removing this resource from the
# program does NOT delete the key.
# NOTE(review): confirm how the upstream identity provider picks up the new public key
# (see the `cert` and `kid` outputs) before rotating a production connection.
rotation_triggers = {
    "version": "1",
    "date": "2023-10-01T00:00:00Z",
}
my_keys = auth0.ConnectionKeys(
    "my_keys",
    connection_id=oidc.id,
    triggers=rotation_triggers,
)
package main
import (
"github.com/pulumi/pulumi-auth0/sdk/v3/go/auth0"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares an Auth0 client, an OIDC connection that authenticates with
// Client Assertion JWT, and a ConnectionKeys resource that rotates the
// connection's keys.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Client that the OIDC connection below is configured for.
		myClient, err := auth0.NewClient(ctx, "my_client", &auth0.ClientArgs{
			Name: pulumi.String("My-Auth0-Client"),
		})
		if err != nil {
			return err
		}

		// "private_key_jwt": the client is authenticated with a signed JWT
		// (RS256 here) instead of a shared client secret.
		//
		// The endpoint values are documentation placeholders. In a real
		// configuration the issuer, authorization endpoint, JWKS URI and
		// discovery URL should all belong to the one identity provider you
		// trust; this sample mixes example.com with a discovery document
		// hosted on paypalobjects.com.
		oidcOptions := &auth0.ConnectionOptionsArgs{
			ClientId: myClient.ID(),
			Scopes: pulumi.StringArray{
				pulumi.String("ext_nested_groups"),
				pulumi.String("openid"),
			},
			Issuer:                      pulumi.String("https://example.com"),
			AuthorizationEndpoint:       pulumi.String("https://example.com"),
			JwksUri:                     pulumi.String("https://example.com/jwks"),
			Type:                        pulumi.String("front_channel"),
			DiscoveryUrl:                pulumi.String("https://www.paypalobjects.com/.well-known/openid-configuration"),
			TokenEndpointAuthMethod:     pulumi.String("private_key_jwt"),
			TokenEndpointAuthSigningAlg: pulumi.String("RS256"),
		}
		oidc, err := auth0.NewConnection(ctx, "oidc", &auth0.ConnectionArgs{
			Name:     pulumi.String("OIDC-Connection"),
			Strategy: pulumi.String("oidc"),
			Options:  oidcOptions,
		})
		if err != nil {
			return err
		}

		// Rotates the keys of the OIDC connection above. Triggers is an
		// arbitrary map: changing any entry signals the provider to rotate.
		// Removing this resource from the program does NOT delete the key.
		// NOTE(review): confirm how the upstream identity provider picks up
		// the new public key (see the Cert and Kid outputs) before rotating a
		// production connection.
		rotationTriggers := pulumi.StringMap{
			"version": pulumi.String("1"),
			"date":    pulumi.String("2023-10-01T00:00:00Z"),
		}
		_, err = auth0.NewConnectionKeys(ctx, "my_keys", &auth0.ConnectionKeysArgs{
			ConnectionId: oidc.ID(),
			Triggers:     rotationTriggers,
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Auth0 = Pulumi.Auth0;
return await Deployment.RunAsync(() =>
{
    // Client that the OIDC connection below is configured for.
    var myClient = new Auth0.Client("my_client", new()
    {
        Name = "My-Auth0-Client",
    });

    // "private_key_jwt": the client is authenticated with a signed JWT (RS256 here)
    // instead of a shared client secret.
    //
    // The endpoint values are documentation placeholders. In a real configuration the
    // issuer, authorization endpoint, JWKS URI and discovery URL should all belong to
    // the one identity provider you trust; this sample mixes example.com with a
    // discovery document hosted on paypalobjects.com.
    var oidcOptions = new Auth0.Inputs.ConnectionOptionsArgs
    {
        ClientId = myClient.Id,
        Scopes = new[]
        {
            "ext_nested_groups",
            "openid",
        },
        Issuer = "https://example.com",
        AuthorizationEndpoint = "https://example.com",
        JwksUri = "https://example.com/jwks",
        Type = "front_channel",
        DiscoveryUrl = "https://www.paypalobjects.com/.well-known/openid-configuration",
        TokenEndpointAuthMethod = "private_key_jwt",
        TokenEndpointAuthSigningAlg = "RS256",
    };

    var oidc = new Auth0.Connection("oidc", new()
    {
        Name = "OIDC-Connection",
        Strategy = "oidc",
        Options = oidcOptions,
    });

    // Rotates the keys of the OIDC connection above. Triggers is an arbitrary map:
    // changing any entry signals the provider to rotate. Removing this resource from
    // the program does NOT delete the key.
    // NOTE(review): confirm how the upstream identity provider picks up the new public
    // key (see the Cert and Kid outputs) before rotating a production connection.
    var myKeys = new Auth0.ConnectionKeys("my_keys", new()
    {
        ConnectionId = oidc.Id,
        Triggers =
        {
            { "version", "1" },
            { "date", "2023-10-01T00:00:00Z" },
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.auth0.Client;
import com.pulumi.auth0.ClientArgs;
import com.pulumi.auth0.Connection;
import com.pulumi.auth0.ConnectionArgs;
import com.pulumi.auth0.inputs.ConnectionOptionsArgs;
import com.pulumi.auth0.ConnectionKeys;
import com.pulumi.auth0.ConnectionKeysArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Declares an Auth0 client, an OIDC connection that authenticates with Client
 * Assertion JWT, and a ConnectionKeys resource that rotates the connection's keys.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Client that the OIDC connection below is configured for.
        var myClient = new Client("myClient", ClientArgs.builder()
            .name("My-Auth0-Client")
            .build());

        // "private_key_jwt": the client is authenticated with a signed JWT (RS256 here)
        // instead of a shared client secret.
        //
        // The endpoint values are documentation placeholders. In a real configuration
        // the issuer, authorization endpoint, JWKS URI and discovery URL should all
        // belong to the one identity provider you trust; this sample mixes example.com
        // with a discovery document hosted on paypalobjects.com.
        var oidcOptions = ConnectionOptionsArgs.builder()
            .clientId(myClient.id())
            .scopes(
                "ext_nested_groups",
                "openid")
            .issuer("https://example.com")
            .authorizationEndpoint("https://example.com")
            .jwksUri("https://example.com/jwks")
            .type("front_channel")
            .discoveryUrl("https://www.paypalobjects.com/.well-known/openid-configuration")
            .tokenEndpointAuthMethod("private_key_jwt")
            .tokenEndpointAuthSigningAlg("RS256")
            .build();

        var oidc = new Connection("oidc", ConnectionArgs.builder()
            .name("OIDC-Connection")
            .strategy("oidc")
            .options(oidcOptions)
            .build());

        // Rotates the keys of the OIDC connection above. The triggers map is arbitrary:
        // changing any entry signals the provider to rotate. Removing this resource
        // from the program does NOT delete the key.
        // NOTE(review): confirm how the upstream identity provider picks up the new
        // public key (see the cert and kid outputs) before rotating a production
        // connection.
        var rotationTriggers = Map.ofEntries(
            Map.entry("version", "1"),
            Map.entry("date", "2023-10-01T00:00:00Z"));

        var myKeys = new ConnectionKeys("myKeys", ConnectionKeysArgs.builder()
            .connectionId(oidc.id())
            .triggers(rotationTriggers)
            .build());
    }
}
resources:
  # Client that the OIDC connection below is configured for.
  myClient:
    type: auth0:Client
    name: my_client
    properties:
      name: My-Auth0-Client
  # OIDC connection using Client Assertion JWT (private_key_jwt): the client is
  # authenticated with a signed JWT (RS256 here) instead of a shared client secret.
  # The endpoint values are documentation placeholders. In a real configuration the
  # issuer, authorization endpoint, JWKS URI and discovery URL should all belong to
  # the one identity provider you trust; this sample mixes example.com with a
  # discovery document hosted on paypalobjects.com.
  oidc:
    type: auth0:Connection
    properties:
      name: OIDC-Connection
      strategy: oidc
      options:
        clientId: ${myClient.id}
        scopes:
          - ext_nested_groups
          - openid
        issuer: https://example.com
        authorizationEndpoint: https://example.com
        jwksUri: https://example.com/jwks
        type: front_channel
        discoveryUrl: https://www.paypalobjects.com/.well-known/openid-configuration
        tokenEndpointAuthMethod: private_key_jwt
        tokenEndpointAuthSigningAlg: RS256
  # Resource used to rotate the keys for above OIDC connection.
  # triggers is an arbitrary map: changing any entry signals the provider to rotate.
  # Removing this resource from the program does NOT delete the key.
  myKeys:
    type: auth0:ConnectionKeys
    name: my_keys
    properties:
      connectionId: ${oidc.id}
      triggers:
        version: '1'
        date: 2023-10-01T00:00:00Z
Create ConnectionKeys Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ConnectionKeys(name: string, args: ConnectionKeysArgs, opts?: CustomResourceOptions);
@overload
def ConnectionKeys(resource_name: str,
args: ConnectionKeysArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ConnectionKeys(resource_name: str,
opts: Optional[ResourceOptions] = None,
connection_id: Optional[str] = None,
triggers: Optional[Mapping[str, str]] = None)
func NewConnectionKeys(ctx *Context, name string, args ConnectionKeysArgs, opts ...ResourceOption) (*ConnectionKeys, error)
public ConnectionKeys(string name, ConnectionKeysArgs args, CustomResourceOptions? opts = null)
public ConnectionKeys(String name, ConnectionKeysArgs args)
public ConnectionKeys(String name, ConnectionKeysArgs args, CustomResourceOptions options)
type: auth0:ConnectionKeys
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ConnectionKeysArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ConnectionKeysArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ConnectionKeysArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ConnectionKeysArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ConnectionKeysArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference shape only: every value is a placeholder. ConnectionId identifies the
// connection whose keys are rotated; editing any Triggers entry requests a rotation.
var connectionKeysResource = new Auth0.ConnectionKeys("connectionKeysResource", new()
{
ConnectionId = "string",
Triggers =
{
{ "string", "string" },
},
});
// Reference shape only: every value is a placeholder. ConnectionId identifies the
// connection whose keys are rotated; editing any Triggers entry requests a rotation.
example, err := auth0.NewConnectionKeys(ctx, "connectionKeysResource", &auth0.ConnectionKeysArgs{
ConnectionId: pulumi.String("string"),
Triggers: pulumi.StringMap{
"string": pulumi.String("string"),
},
})
// Reference shape only: every value is a placeholder. connectionId identifies the
// connection whose keys are rotated; editing any triggers entry requests a rotation.
var connectionKeysResource = new ConnectionKeys("connectionKeysResource", ConnectionKeysArgs.builder()
.connectionId("string")
.triggers(Map.of("string", "string"))
.build());
# Reference shape only: every value is a placeholder. connection_id identifies the
# connection whose keys are rotated; editing any triggers entry requests a rotation.
connection_keys_resource = auth0.ConnectionKeys("connectionKeysResource",
connection_id="string",
triggers={
"string": "string",
})
// Reference shape only: every value is a placeholder. connectionId identifies the
// connection whose keys are rotated; editing any triggers entry requests a rotation.
const connectionKeysResource = new auth0.ConnectionKeys("connectionKeysResource", {
connectionId: "string",
triggers: {
string: "string",
},
});
# Reference shape only: every value is a placeholder. connectionId identifies the
# connection whose keys are rotated; editing any triggers entry requests a rotation.
type: auth0:ConnectionKeys
properties:
connectionId: string
triggers:
string: string
ConnectionKeys Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The ConnectionKeys resource accepts the following input properties:
- ConnectionId string
- Triggers Dictionary<string, string>
- This is an arbitrary map which, when edited, triggers rotation of the keys for the corresponding connection. It can hold keys such as a version or the timestamp of the last rotation. The field has no association with the API.
- ConnectionId string
- Triggers map[string]string
- This is an arbitrary map which, when edited, triggers rotation of the keys for the corresponding connection. It can hold keys such as a version or the timestamp of the last rotation. The field has no association with the API.
- connectionId String
- triggers Map<String,String>
- This is an arbitrary map which, when edited, triggers rotation of the keys for the corresponding connection. It can hold keys such as a version or the timestamp of the last rotation. The field has no association with the API.
- connectionId string
- triggers {[key: string]: string}
- This is an arbitrary map which, when edited, triggers rotation of the keys for the corresponding connection. It can hold keys such as a version or the timestamp of the last rotation. The field has no association with the API.
- connection_id str
- triggers Mapping[str, str]
- This is an arbitrary map which, when edited, triggers rotation of the keys for the corresponding connection. It can hold keys such as a version or the timestamp of the last rotation. The field has no association with the API.
- connectionId String
- triggers Map<String>
- This is an arbitrary map which, when edited, triggers rotation of the keys for the corresponding connection. It can hold keys such as a version or the timestamp of the last rotation. The field has no association with the API.
Outputs
All input properties are implicitly available as output properties. Additionally, the ConnectionKeys resource produces the following output properties:
- Algorithm string
- The signing key algorithm.
- Cert string
- The public certificate of the signing key.
- Current bool
- True if the key is the current key.
- Current
Since string - The date and time when the key became the current key.
- Fingerprint string
- The certificate fingerprint.
- Id string
- The provider-assigned unique ID for this managed resource.
- Key
Use string - The signing key use, whether for encryption or signing.
- Kid string
- The key ID of the signing key.
- Next bool
- True if the key is the next key.
- Pkcs string
- The public certificate of the signing key in PKCS7 format.
- Previous bool
- True if the key is the previous key.
- Subject
Dn string - The subject distinguished name (DN) of the certificate.
- Thumbprint string
- The certificate thumbprint.
- Algorithm string
- The signing key algorithm.
- Cert string
- The public certificate of the signing key.
- Current bool
- True if the key is the current key.
- Current
Since string - The date and time when the key became the current key.
- Fingerprint string
- The certificate fingerprint.
- Id string
- The provider-assigned unique ID for this managed resource.
- Key
Use string - The signing key use, whether for encryption or signing.
- Kid string
- The key ID of the signing key.
- Next bool
- True if the key is the next key.
- Pkcs string
- The public certificate of the signing key in PKCS7 format.
- Previous bool
- True if the key is the previous key.
- Subject
Dn string - The subject distinguished name (DN) of the certificate.
- Thumbprint string
- The certificate thumbprint.
- algorithm String
- The signing key algorithm.
- cert String
- The public certificate of the signing key.
- current Boolean
- True if the key is the current key.
- current
Since String - The date and time when the key became the current key.
- fingerprint String
- The certificate fingerprint.
- id String
- The provider-assigned unique ID for this managed resource.
- key
Use String - The signing key use, whether for encryption or signing.
- kid String
- The key ID of the signing key.
- next Boolean
- True if the key is the next key.
- pkcs String
- The public certificate of the signing key in PKCS7 format.
- previous Boolean
- True if the key is the previous key.
- subject
Dn String - The subject distinguished name (DN) of the certificate.
- thumbprint String
- The certificate thumbprint.
- algorithm string
- The signing key algorithm.
- cert string
- The public certificate of the signing key.
- current boolean
- True if the key is the current key.
- current
Since string - The date and time when the key became the current key.
- fingerprint string
- The certificate fingerprint.
- id string
- The provider-assigned unique ID for this managed resource.
- key
Use string - The signing key use, whether for encryption or signing.
- kid string
- The key ID of the signing key.
- next boolean
- True if the key is the next key.
- pkcs string
- The public certificate of the signing key in PKCS7 format.
- previous boolean
- True if the key is the previous key.
- subject
Dn string - The subject distinguished name (DN) of the certificate.
- thumbprint string
- The certificate thumbprint.
- algorithm str
- The signing key algorithm.
- cert str
- The public certificate of the signing key.
- current bool
- True if the key is the current key.
- current_
since str - The date and time when the key became the current key.
- fingerprint str
- The certificate fingerprint.
- id str
- The provider-assigned unique ID for this managed resource.
- key_
use str - The signing key use, whether for encryption or signing.
- kid str
- The key ID of the signing key.
- next bool
- True if the key is the next key.
- pkcs str
- The public certificate of the signing key in PKCS7 format.
- previous bool
- True if the key is the previous key.
- subject_
dn str - The subject distinguished name (DN) of the certificate.
- thumbprint str
- The certificate thumbprint.
- algorithm String
- The signing key algorithm.
- cert String
- The public certificate of the signing key.
- current Boolean
- True if the key is the current key.
- current
Since String - The date and time when the key became the current key.
- fingerprint String
- The certificate fingerprint.
- id String
- The provider-assigned unique ID for this managed resource.
- key
Use String - The signing key use, whether for encryption or signing.
- kid String
- The key ID of the signing key.
- next Boolean
- True if the key is the next key.
- pkcs String
- The public certificate of the signing key in PKCS7 format.
- previous Boolean
- True if the key is the previous key.
- subject
Dn String - The subject distinguished name (DN) of the certificate.
- thumbprint String
- The certificate thumbprint.
Look up Existing ConnectionKeys Resource
Get an existing ConnectionKeys resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ConnectionKeysState, opts?: CustomResourceOptions): ConnectionKeys
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
algorithm: Optional[str] = None,
cert: Optional[str] = None,
connection_id: Optional[str] = None,
current: Optional[bool] = None,
current_since: Optional[str] = None,
fingerprint: Optional[str] = None,
key_use: Optional[str] = None,
kid: Optional[str] = None,
next: Optional[bool] = None,
pkcs: Optional[str] = None,
previous: Optional[bool] = None,
subject_dn: Optional[str] = None,
thumbprint: Optional[str] = None,
triggers: Optional[Mapping[str, str]] = None) -> ConnectionKeys
func GetConnectionKeys(ctx *Context, name string, id IDInput, state *ConnectionKeysState, opts ...ResourceOption) (*ConnectionKeys, error)
public static ConnectionKeys Get(string name, Input<string> id, ConnectionKeysState? state, CustomResourceOptions? opts = null)
public static ConnectionKeys get(String name, Output<String> id, ConnectionKeysState state, CustomResourceOptions options)
# Looks up an existing ConnectionKeys resource by its provider ID.
resources:
  _:
    type: auth0:ConnectionKeys
    get:
      id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Algorithm string
- The signing key algorithm.
- Cert string
- The public certificate of the signing key.
- Connection
Id string - Current bool
- True if the key is the current key.
- Current
Since string - The date and time when the key became the current key.
- Fingerprint string
- The certificate fingerprint.
- Key
Use string - The signing key use, whether for encryption or signing.
- Kid string
- The key ID of the signing key.
- Next bool
- True if the key is the next key.
- Pkcs string
- The public certificate of the signing key in PKCS7 format.
- Previous bool
- True if the key is the previous key.
- Subject
Dn string - The subject distinguished name (DN) of the certificate.
- Thumbprint string
- The certificate thumbprint.
- Triggers Dictionary<string, string>
- This is an arbitrary map which, when edited, triggers rotation of the keys for the corresponding connection. It can hold keys such as a version or the timestamp of the last rotation. The field has no association with the API.
- Algorithm string
- The signing key algorithm.
- Cert string
- The public certificate of the signing key.
- Connection
Id string - Current bool
- True if the key is the current key.
- Current
Since string - The date and time when the key became the current key.
- Fingerprint string
- The certificate fingerprint.
- Key
Use string - The signing key use, whether for encryption or signing.
- Kid string
- The key ID of the signing key.
- Next bool
- True if the key is the next key.
- Pkcs string
- The public certificate of the signing key in PKCS7 format.
- Previous bool
- True if the key is the previous key.
- Subject
Dn string - The subject distinguished name (DN) of the certificate.
- Thumbprint string
- The certificate thumbprint.
- Triggers map[string]string
- This is an arbitrary map which, when edited, triggers rotation of the keys for the corresponding connection. It can hold keys such as a version or the timestamp of the last rotation. The field has no association with the API.
- algorithm String
- The signing key algorithm.
- cert String
- The public certificate of the signing key.
- connection
Id String - current Boolean
- True if the key is the current key.
- current
Since String - The date and time when the key became the current key.
- fingerprint String
- The certificate fingerprint.
- key
Use String - The signing key use, whether for encryption or signing.
- kid String
- The key ID of the signing key.
- next Boolean
- True if the key is the next key.
- pkcs String
- The public certificate of the signing key in PKCS7 format.
- previous Boolean
- True if the key is the previous key.
- subject
Dn String - The subject distinguished name (DN) of the certificate.
- thumbprint String
- The certificate thumbprint.
- triggers Map<String,String>
- This is an arbitrary map which, when edited, triggers rotation of the keys for the corresponding connection. It can hold keys such as a version or the timestamp of the last rotation. The field has no association with the API.
- algorithm string
- The signing key algorithm.
- cert string
- The public certificate of the signing key.
- connection
Id string - current boolean
- True if the key is the current key.
- current
Since string - The date and time when the key became the current key.
- fingerprint string
- The certificate fingerprint.
- key
Use string - The signing key use, whether for encryption or signing.
- kid string
- The key ID of the signing key.
- next boolean
- True if the key is the next key.
- pkcs string
- The public certificate of the signing key in PKCS7 format.
- previous boolean
- True if the key is the previous key.
- subject
Dn string - The subject distinguished name (DN) of the certificate.
- thumbprint string
- The certificate thumbprint.
- triggers {[key: string]: string}
- This is an arbitrary map which, when edited, triggers rotation of the keys for the corresponding connection. It can hold keys such as a version or the timestamp of the last rotation. The field has no association with the API.
- algorithm str
- The signing key algorithm.
- cert str
- The public certificate of the signing key.
- connection_
id str - current bool
- True if the key is the current key.
- current_
since str - The date and time when the key became the current key.
- fingerprint str
- The certificate fingerprint.
- key_
use str - The signing key use, whether for encryption or signing.
- kid str
- The key ID of the signing key.
- next bool
- True if the key is the next key.
- pkcs str
- The public certificate of the signing key in PKCS7 format.
- previous bool
- True if the key is the previous key.
- subject_
dn str - The subject distinguished name (DN) of the certificate.
- thumbprint str
- The certificate thumbprint.
- triggers Mapping[str, str]
- This is an arbitrary map which, when edited, triggers rotation of the keys for the corresponding connection. It can hold keys such as a version or the timestamp of the last rotation. The field has no association with the API.
- algorithm String
- The signing key algorithm.
- cert String
- The public certificate of the signing key.
- connection
Id String - current Boolean
- True if the key is the current key.
- current
Since String - The date and time when the key became the current key.
- fingerprint String
- The certificate fingerprint.
- key
Use String - The signing key use, whether for encryption or signing.
- kid String
- The key ID of the signing key.
- next Boolean
- True if the key is the next key.
- pkcs String
- The public certificate of the signing key in PKCS7 format.
- previous Boolean
- True if the key is the previous key.
- subject
Dn String - The subject distinguished name (DN) of the certificate.
- thumbprint String
- The certificate thumbprint.
- triggers Map<String>
- This is an arbitrary map which, when edited, triggers rotation of the keys for the corresponding connection. It can hold keys such as a version or the timestamp of the last rotation. The field has no association with the API.
Package Details
- Repository
- Auth0 pulumi/pulumi-auth0
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the auth0 Terraform Provider.