keycloak.oidc.GoogleIdentityProvider

Allows for creating and managing OIDC Identity Providers within Keycloak.

OIDC (OpenID Connect) identity providers allows users to authenticate through a third party system using the OIDC standard.

Example Usage

using System.Collections.Generic;
using Pulumi;
using Keycloak = Pulumi.Keycloak;

return await Deployment.RunAsync(() => 
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });

    var google = new Keycloak.Oidc.GoogleIdentityProvider("google", new()
    {
        Realm = realm.Id,
        ClientId = @var.Google_identity_provider_client_id,
        ClientSecret = @var.Google_identity_provider_client_secret,
        TrustEmail = true,
        HostedDomain = "example.com",
        SyncMode = "IMPORT",
        ExtraConfig = 
        {
            { "myCustomConfigKey", "myValue" },
        },
    });

});
package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/oidc"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = oidc.NewGoogleIdentityProvider(ctx, "google", &oidc.GoogleIdentityProviderArgs{
			Realm:        realm.ID(),
			ClientId:     pulumi.Any(_var.Google_identity_provider_client_id),
			ClientSecret: pulumi.Any(_var.Google_identity_provider_client_secret),
			TrustEmail:   pulumi.Bool(true),
			HostedDomain: pulumi.String("example.com"),
			SyncMode:     pulumi.String("IMPORT"),
			ExtraConfig: pulumi.AnyMap{
				"myCustomConfigKey": pulumi.Any("myValue"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.oidc.GoogleIdentityProvider;
import com.pulumi.keycloak.oidc.GoogleIdentityProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()        
            .realm("my-realm")
            .enabled(true)
            .build());

        var google = new GoogleIdentityProvider("google", GoogleIdentityProviderArgs.builder()        
            .realm(realm.id())
            .clientId(var_.google_identity_provider_client_id())
            .clientSecret(var_.google_identity_provider_client_secret())
            .trustEmail(true)
            .hostedDomain("example.com")
            .syncMode("IMPORT")
            .extraConfig(Map.of("myCustomConfigKey", "myValue"))
            .build());

    }
}
import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
google = keycloak.oidc.GoogleIdentityProvider("google",
    realm=realm.id,
    client_id=var["google_identity_provider_client_id"],
    client_secret=var["google_identity_provider_client_secret"],
    trust_email=True,
    hosted_domain="example.com",
    sync_mode="IMPORT",
    extra_config={
        "myCustomConfigKey": "myValue",
    })
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const google = new keycloak.oidc.GoogleIdentityProvider("google", {
    realm: realm.id,
    clientId: _var.google_identity_provider_client_id,
    clientSecret: _var.google_identity_provider_client_secret,
    trustEmail: true,
    hostedDomain: "example.com",
    syncMode: "IMPORT",
    extraConfig: {
        myCustomConfigKey: "myValue",
    },
});
resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  google:
    type: keycloak:oidc:GoogleIdentityProvider
    properties:
      realm: ${realm.id}
      clientId: ${var.google_identity_provider_client_id}
      clientSecret: ${var.google_identity_provider_client_secret}
      trustEmail: true
      hostedDomain: example.com
      syncMode: IMPORT
      extraConfig:
        myCustomConfigKey: myValue

Create GoogleIdentityProvider Resource

new GoogleIdentityProvider(name: string, args: GoogleIdentityProviderArgs, opts?: CustomResourceOptions);
@overload
def GoogleIdentityProvider(resource_name: str,
                           opts: Optional[ResourceOptions] = None,
                           accepts_prompt_none_forward_from_client: Optional[bool] = None,
                           add_read_token_role_on_create: Optional[bool] = None,
                           authenticate_by_default: Optional[bool] = None,
                           client_id: Optional[str] = None,
                           client_secret: Optional[str] = None,
                           default_scopes: Optional[str] = None,
                           disable_user_info: Optional[bool] = None,
                           enabled: Optional[bool] = None,
                           extra_config: Optional[Mapping[str, Any]] = None,
                           first_broker_login_flow_alias: Optional[str] = None,
                           gui_order: Optional[str] = None,
                           hide_on_login_page: Optional[bool] = None,
                           hosted_domain: Optional[str] = None,
                           link_only: Optional[bool] = None,
                           post_broker_login_flow_alias: Optional[str] = None,
                           provider_id: Optional[str] = None,
                           realm: Optional[str] = None,
                           request_refresh_token: Optional[bool] = None,
                           store_token: Optional[bool] = None,
                           sync_mode: Optional[str] = None,
                           trust_email: Optional[bool] = None,
                           use_user_ip_param: Optional[bool] = None)
@overload
def GoogleIdentityProvider(resource_name: str,
                           args: GoogleIdentityProviderArgs,
                           opts: Optional[ResourceOptions] = None)
func NewGoogleIdentityProvider(ctx *Context, name string, args GoogleIdentityProviderArgs, opts ...ResourceOption) (*GoogleIdentityProvider, error)
public GoogleIdentityProvider(string name, GoogleIdentityProviderArgs args, CustomResourceOptions? opts = null)
public GoogleIdentityProvider(String name, GoogleIdentityProviderArgs args)
public GoogleIdentityProvider(String name, GoogleIdentityProviderArgs args, CustomResourceOptions options)
type: keycloak:oidc:GoogleIdentityProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args GoogleIdentityProviderArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args GoogleIdentityProviderArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args GoogleIdentityProviderArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args GoogleIdentityProviderArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args GoogleIdentityProviderArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

GoogleIdentityProvider Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The GoogleIdentityProvider resource accepts the following input properties:

ClientId string

The client or client identifier registered within the identity provider.

ClientSecret string

The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.

Realm string

The name of the realm. This is unique across Keycloak.

AcceptsPromptNoneForwardFromClient bool

When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.

AddReadTokenRoleOnCreate bool

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

AuthenticateByDefault bool

Enable/disable authenticate users by default.

DefaultScopes string

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.

DisableUserInfo bool

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

Enabled bool

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

ExtraConfig Dictionary<string, object>
FirstBrokerLoginFlowAlias string

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

GuiOrder string

A number defining the order of this identity provider in the GUI.

HideOnLoginPage bool

When true, this identity provider will be hidden on the login page. Defaults to false.

HostedDomain string

Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.

LinkOnly bool

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

PostBrokerLoginFlowAlias string

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

ProviderId string

The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.

RequestRefreshToken bool

Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.

StoreToken bool

When true, tokens will be stored after authenticating users. Defaults to true.

SyncMode string

The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.

TrustEmail bool

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

UseUserIpParam bool

Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

ClientId string

The client or client identifier registered within the identity provider.

ClientSecret string

The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.

Realm string

The name of the realm. This is unique across Keycloak.

AcceptsPromptNoneForwardFromClient bool

When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.

AddReadTokenRoleOnCreate bool

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

AuthenticateByDefault bool

Enable/disable authenticate users by default.

DefaultScopes string

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.

DisableUserInfo bool

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

Enabled bool

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

ExtraConfig map[string]interface{}
FirstBrokerLoginFlowAlias string

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

GuiOrder string

A number defining the order of this identity provider in the GUI.

HideOnLoginPage bool

When true, this identity provider will be hidden on the login page. Defaults to false.

HostedDomain string

Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.

LinkOnly bool

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

PostBrokerLoginFlowAlias string

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

ProviderId string

The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.

RequestRefreshToken bool

Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.

StoreToken bool

When true, tokens will be stored after authenticating users. Defaults to true.

SyncMode string

The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.

TrustEmail bool

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

UseUserIpParam bool

Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

clientId String

The client or client identifier registered within the identity provider.

clientSecret String

The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.

realm String

The name of the realm. This is unique across Keycloak.

acceptsPromptNoneForwardFromClient Boolean

When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.

addReadTokenRoleOnCreate Boolean

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

authenticateByDefault Boolean

Enable/disable authenticate users by default.

defaultScopes String

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.

disableUserInfo Boolean

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

enabled Boolean

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

extraConfig Map<String,Object>
firstBrokerLoginFlowAlias String

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

guiOrder String

A number defining the order of this identity provider in the GUI.

hideOnLoginPage Boolean

When true, this identity provider will be hidden on the login page. Defaults to false.

hostedDomain String

Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.

linkOnly Boolean

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

postBrokerLoginFlowAlias String

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

providerId String

The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.

requestRefreshToken Boolean

Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.

storeToken Boolean

When true, tokens will be stored after authenticating users. Defaults to true.

syncMode String

The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.

trustEmail Boolean

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

useUserIpParam Boolean

Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

clientId string

The client or client identifier registered within the identity provider.

clientSecret string

The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.

realm string

The name of the realm. This is unique across Keycloak.

acceptsPromptNoneForwardFromClient boolean

When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.

addReadTokenRoleOnCreate boolean

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

authenticateByDefault boolean

Enable/disable authenticate users by default.

defaultScopes string

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.

disableUserInfo boolean

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

enabled boolean

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

extraConfig {[key: string]: any}
firstBrokerLoginFlowAlias string

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

guiOrder string

A number defining the order of this identity provider in the GUI.

hideOnLoginPage boolean

When true, this identity provider will be hidden on the login page. Defaults to false.

hostedDomain string

Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.

linkOnly boolean

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

postBrokerLoginFlowAlias string

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

providerId string

The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.

requestRefreshToken boolean

Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.

storeToken boolean

When true, tokens will be stored after authenticating users. Defaults to true.

syncMode string

The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.

trustEmail boolean

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

useUserIpParam boolean

Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

client_id str

The client or client identifier registered within the identity provider.

client_secret str

The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.

realm str

The name of the realm. This is unique across Keycloak.

accepts_prompt_none_forward_from_client bool

When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.

add_read_token_role_on_create bool

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

authenticate_by_default bool

Enable/disable authenticate users by default.

default_scopes str

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.

disable_user_info bool

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

enabled bool

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

extra_config Mapping[str, Any]
first_broker_login_flow_alias str

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

gui_order str

A number defining the order of this identity provider in the GUI.

hide_on_login_page bool

When true, this identity provider will be hidden on the login page. Defaults to false.

hosted_domain str

Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.

link_only bool

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

post_broker_login_flow_alias str

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

provider_id str

The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.

request_refresh_token bool

Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.

store_token bool

When true, tokens will be stored after authenticating users. Defaults to true.

sync_mode str

The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.

trust_email bool

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

use_user_ip_param bool

Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

clientId String

The client or client identifier registered within the identity provider.

clientSecret String

The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.

realm String

The name of the realm. This is unique across Keycloak.

acceptsPromptNoneForwardFromClient Boolean

When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.

addReadTokenRoleOnCreate Boolean

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

authenticateByDefault Boolean

Enable/disable authenticate users by default.

defaultScopes String

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.

disableUserInfo Boolean

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

enabled Boolean

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

extraConfig Map<Any>
firstBrokerLoginFlowAlias String

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

guiOrder String

A number defining the order of this identity provider in the GUI.

hideOnLoginPage Boolean

When true, this identity provider will be hidden on the login page. Defaults to false.

hostedDomain String

Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.

linkOnly Boolean

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

postBrokerLoginFlowAlias String

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

providerId String

The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.

requestRefreshToken Boolean

Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.

storeToken Boolean

When true, tokens will be stored after authenticating users. Defaults to true.

syncMode String

The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.

trustEmail Boolean

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

useUserIpParam Boolean

Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

Outputs

All input properties are implicitly available as output properties. Additionally, the GoogleIdentityProvider resource produces the following output properties:

Alias string

(Computed) The alias for the Google identity provider.

DisplayName string

(Computed) Display name for the Google identity provider in the GUI.

Id string

The provider-assigned unique ID for this managed resource.

InternalId string

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

Alias string

(Computed) The alias for the Google identity provider.

DisplayName string

(Computed) Display name for the Google identity provider in the GUI.

Id string

The provider-assigned unique ID for this managed resource.

InternalId string

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

alias String

(Computed) The alias for the Google identity provider.

displayName String

(Computed) Display name for the Google identity provider in the GUI.

id String

The provider-assigned unique ID for this managed resource.

internalId String

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

alias string

(Computed) The alias for the Google identity provider.

displayName string

(Computed) Display name for the Google identity provider in the GUI.

id string

The provider-assigned unique ID for this managed resource.

internalId string

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

alias str

(Computed) The alias for the Google identity provider.

display_name str

(Computed) Display name for the Google identity provider in the GUI.

id str

The provider-assigned unique ID for this managed resource.

internal_id str

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

alias String

(Computed) The alias for the Google identity provider.

displayName String

(Computed) Display name for the Google identity provider in the GUI.

id String

The provider-assigned unique ID for this managed resource.

internalId String

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

Look up Existing GoogleIdentityProvider Resource

Get an existing GoogleIdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: GoogleIdentityProviderState, opts?: CustomResourceOptions): GoogleIdentityProvider
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        accepts_prompt_none_forward_from_client: Optional[bool] = None,
        add_read_token_role_on_create: Optional[bool] = None,
        alias: Optional[str] = None,
        authenticate_by_default: Optional[bool] = None,
        client_id: Optional[str] = None,
        client_secret: Optional[str] = None,
        default_scopes: Optional[str] = None,
        disable_user_info: Optional[bool] = None,
        display_name: Optional[str] = None,
        enabled: Optional[bool] = None,
        extra_config: Optional[Mapping[str, Any]] = None,
        first_broker_login_flow_alias: Optional[str] = None,
        gui_order: Optional[str] = None,
        hide_on_login_page: Optional[bool] = None,
        hosted_domain: Optional[str] = None,
        internal_id: Optional[str] = None,
        link_only: Optional[bool] = None,
        post_broker_login_flow_alias: Optional[str] = None,
        provider_id: Optional[str] = None,
        realm: Optional[str] = None,
        request_refresh_token: Optional[bool] = None,
        store_token: Optional[bool] = None,
        sync_mode: Optional[str] = None,
        trust_email: Optional[bool] = None,
        use_user_ip_param: Optional[bool] = None) -> GoogleIdentityProvider
func GetGoogleIdentityProvider(ctx *Context, name string, id IDInput, state *GoogleIdentityProviderState, opts ...ResourceOption) (*GoogleIdentityProvider, error)
public static GoogleIdentityProvider Get(string name, Input<string> id, GoogleIdentityProviderState? state, CustomResourceOptions? opts = null)
public static GoogleIdentityProvider get(String name, Output<String> id, GoogleIdentityProviderState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AcceptsPromptNoneForwardFromClient bool

When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.

AddReadTokenRoleOnCreate bool

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

Alias string

(Computed) The alias for the Google identity provider.

AuthenticateByDefault bool

Enable/disable authenticate users by default.

ClientId string

The client or client identifier registered within the identity provider.

ClientSecret string

The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.

DefaultScopes string

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.

DisableUserInfo bool

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

DisplayName string

(Computed) Display name for the Google identity provider in the GUI.

Enabled bool

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

ExtraConfig Dictionary<string, object>
FirstBrokerLoginFlowAlias string

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

GuiOrder string

A number defining the order of this identity provider in the GUI.

HideOnLoginPage bool

When true, this identity provider will be hidden on the login page. Defaults to false.

HostedDomain string

Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.

InternalId string

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

LinkOnly bool

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

PostBrokerLoginFlowAlias string

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

ProviderId string

The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.

Realm string

The name of the realm. This is unique across Keycloak.

RequestRefreshToken bool

Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.

StoreToken bool

When true, tokens will be stored after authenticating users. Defaults to true.

SyncMode string

The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.

TrustEmail bool

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

UseUserIpParam bool

Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

AcceptsPromptNoneForwardFromClient bool

When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.

AddReadTokenRoleOnCreate bool

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

Alias string

(Computed) The alias for the Google identity provider.

AuthenticateByDefault bool

Enable/disable authenticate users by default.

ClientId string

The client or client identifier registered within the identity provider.

ClientSecret string

The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.

DefaultScopes string

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.

DisableUserInfo bool

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

DisplayName string

(Computed) Display name for the Google identity provider in the GUI.

Enabled bool

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

ExtraConfig map[string]interface{}
FirstBrokerLoginFlowAlias string

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

GuiOrder string

A number defining the order of this identity provider in the GUI.

HideOnLoginPage bool

When true, this identity provider will be hidden on the login page. Defaults to false.

HostedDomain string

Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.

InternalId string

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

LinkOnly bool

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

PostBrokerLoginFlowAlias string

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

ProviderId string

The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.

Realm string

The name of the realm. This is unique across Keycloak.

RequestRefreshToken bool

Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.

StoreToken bool

When true, tokens will be stored after authenticating users. Defaults to true.

SyncMode string

The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.

TrustEmail bool

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

UseUserIpParam bool

Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

acceptsPromptNoneForwardFromClient Boolean

When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.

addReadTokenRoleOnCreate Boolean

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

alias String

(Computed) The alias for the Google identity provider.

authenticateByDefault Boolean

Enable/disable authenticate users by default.

clientId String

The client or client identifier registered within the identity provider.

clientSecret String

The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.

defaultScopes String

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.

disableUserInfo Boolean

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

displayName String

(Computed) Display name for the Google identity provider in the GUI.

enabled Boolean

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

extraConfig Map<String,Object>
firstBrokerLoginFlowAlias String

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

guiOrder String

A number defining the order of this identity provider in the GUI.

hideOnLoginPage Boolean

When true, this identity provider will be hidden on the login page. Defaults to false.

hostedDomain String

Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.

internalId String

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

linkOnly Boolean

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

postBrokerLoginFlowAlias String

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

providerId String

The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.

realm String

The name of the realm. This is unique across Keycloak.

requestRefreshToken Boolean

Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.

storeToken Boolean

When true, tokens will be stored after authenticating users. Defaults to true.

syncMode String

The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.

trustEmail Boolean

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

useUserIpParam Boolean

Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

acceptsPromptNoneForwardFromClient boolean

When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.

addReadTokenRoleOnCreate boolean

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

alias string

(Computed) The alias for the Google identity provider.

authenticateByDefault boolean

Enable/disable authenticate users by default.

clientId string

The client or client identifier registered within the identity provider.

clientSecret string

The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.

defaultScopes string

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.

disableUserInfo boolean

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

displayName string

(Computed) Display name for the Google identity provider in the GUI.

enabled boolean

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

extraConfig {[key: string]: any}
firstBrokerLoginFlowAlias string

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

guiOrder string

A number defining the order of this identity provider in the GUI.

hideOnLoginPage boolean

When true, this identity provider will be hidden on the login page. Defaults to false.

hostedDomain string

Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.

internalId string

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

linkOnly boolean

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

postBrokerLoginFlowAlias string

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

providerId string

The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.

realm string

The name of the realm. This is unique across Keycloak.

requestRefreshToken boolean

Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.

storeToken boolean

When true, tokens will be stored after authenticating users. Defaults to true.

syncMode string

The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.

trustEmail boolean

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

useUserIpParam boolean

Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

accepts_prompt_none_forward_from_client bool

When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.

add_read_token_role_on_create bool

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

alias str

(Computed) The alias for the Google identity provider.

authenticate_by_default bool

Enable/disable authenticate users by default.

client_id str

The client or client identifier registered within the identity provider.

client_secret str

The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.

default_scopes str

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.

disable_user_info bool

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

display_name str

(Computed) Display name for the Google identity provider in the GUI.

enabled bool

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

extra_config Mapping[str, Any]
first_broker_login_flow_alias str

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

gui_order str

A number defining the order of this identity provider in the GUI.

hide_on_login_page bool

When true, this identity provider will be hidden on the login page. Defaults to false.

hosted_domain str

Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.

internal_id str

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

link_only bool

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

post_broker_login_flow_alias str

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

provider_id str

The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.

realm str

The name of the realm. This is unique across Keycloak.

request_refresh_token bool

Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.

store_token bool

When true, tokens will be stored after authenticating users. Defaults to true.

sync_mode str

The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.

trust_email bool

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

use_user_ip_param bool

Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

acceptsPromptNoneForwardFromClient Boolean

When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.

addReadTokenRoleOnCreate Boolean

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

alias String

(Computed) The alias for the Google identity provider.

authenticateByDefault Boolean

Enable/disable authenticate users by default.

clientId String

The client or client identifier registered within the identity provider.

clientSecret String

The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.

defaultScopes String

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.

disableUserInfo Boolean

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

displayName String

(Computed) Display name for the Google identity provider in the GUI.

enabled Boolean

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

extraConfig Map<Any>
firstBrokerLoginFlowAlias String

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

guiOrder String

A number defining the order of this identity provider in the GUI.

hideOnLoginPage Boolean

When true, this identity provider will be hidden on the login page. Defaults to false.

hostedDomain String

Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.

internalId String

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

linkOnly Boolean

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

postBrokerLoginFlowAlias String

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

providerId String

The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.

realm String

The name of the realm. This is unique across Keycloak.

requestRefreshToken Boolean

Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.

storeToken Boolean

When true, tokens will be stored after authenticating users. Defaults to true.

syncMode String

The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.

trustEmail Boolean

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

useUserIpParam Boolean

Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

Import

This resource does not yet support importing.

Package Details

Repository
Keycloak pulumi/pulumi-keycloak
License
Apache-2.0
Notes

This Pulumi package is based on the keycloak Terraform Provider.