Keycloak v5.2.1 published on Tuesday, Jun 27, 2023 by Pulumi

keycloak.oidc.IdentityProvider


    Allows for creating and managing OIDC Identity Providers within Keycloak.

    OIDC (OpenID Connect) identity providers allow users to authenticate through a third-party system using the OIDC standard.

    Example Usage

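    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Keycloak = Pulumi.Keycloak;
    
    return await Deployment.RunAsync(() => 
    {
        // Read the IdP client secret from Pulumi config (`pulumi config set --secret clientSecret ...`)
        // so it is encrypted in state rather than committed to source as a literal.
        var config = new Config();
        var clientSecret = config.RequireSecret("clientSecret");
    
        // The realm the identity provider is created in.
        var realm = new Keycloak.Realm("realm", new()
        {
            RealmName = "my-realm",
            Enabled = true,
        });
    
        // NOTE: Issuer / JwksUrl / ValidateSignature are left unset here; per this resource's
        // docs ValidateSignature defaults to false and an unset Issuer skips issuer validation,
        // so set them before using this IdP in production.
        var realmIdentityProvider = new Keycloak.Oidc.IdentityProvider("realmIdentityProvider", new()
        {
            Realm = realm.Id,
            Alias = "my-idp",
            AuthorizationUrl = "https://authorizationurl.com",
            ClientId = "clientID",
            ClientSecret = clientSecret,
            TokenUrl = "https://tokenurl.com",
            ExtraConfig = 
            {
                { "clientAuthMethod", "client_secret_post" },
            },
        });
    
    });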
    
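    package main
    
    import (
    	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
    	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/oidc"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
    )
    
    // main creates a realm and an OIDC identity provider inside it.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Read the IdP client secret from Pulumi config (`pulumi config set --secret clientSecret ...`)
    		// so it is encrypted in state rather than committed to source as a literal.
    		clientSecret := config.RequireSecret(ctx, "clientSecret")
    
    		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
    			Realm:   pulumi.String("my-realm"),
    			Enabled: pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    
    		// NOTE: Issuer / JwksUrl / ValidateSignature are left unset here; per this resource's
    		// docs ValidateSignature defaults to false and an unset Issuer skips issuer validation,
    		// so set them before using this IdP in production.
    		_, err = oidc.NewIdentityProvider(ctx, "realmIdentityProvider", &oidc.IdentityProviderArgs{
    			Realm:            realm.ID(),
    			Alias:            pulumi.String("my-idp"),
    			AuthorizationUrl: pulumi.String("https://authorizationurl.com"),
    			ClientId:         pulumi.String("clientID"),
    			ClientSecret:     clientSecret,
    			TokenUrl:         pulumi.String("https://tokenurl.com"),
    			ExtraConfig: pulumi.AnyMap{
    				"clientAuthMethod": pulumi.Any("client_secret_post"),
    			},
    		})
    		return err
    	})
    }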
    
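    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.keycloak.Realm;
    import com.pulumi.keycloak.RealmArgs;
    import com.pulumi.keycloak.oidc.IdentityProvider;
    import com.pulumi.keycloak.oidc.IdentityProviderArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /** Creates a realm and an OIDC identity provider inside it. */
        public static void stack(Context ctx) {
            // Read the IdP client secret from Pulumi config (`pulumi config set --secret clientSecret ...`)
            // so it is encrypted in state rather than committed to source as a literal.
            var clientSecret = ctx.config().requireSecret("clientSecret");
    
            var realm = new Realm("realm", RealmArgs.builder()
                .realm("my-realm")
                .enabled(true)
                .build());
    
            // NOTE: issuer / jwksUrl / validateSignature are left unset here; per this resource's
            // docs validateSignature defaults to false and an unset issuer skips issuer validation,
            // so set them before using this IdP in production.
            var realmIdentityProvider = new IdentityProvider("realmIdentityProvider", IdentityProviderArgs.builder()
                .realm(realm.id())
                .alias("my-idp")
                .authorizationUrl("https://authorizationurl.com")
                .clientId("clientID")
                .clientSecret(clientSecret)
                .tokenUrl("https://tokenurl.com")
                .extraConfig(Map.of("clientAuthMethod", "client_secret_post"))
                .build());
    
        }
    }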
    
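    import pulumi
    import pulumi_keycloak as keycloak
    
    # Read the IdP client secret from Pulumi config (`pulumi config set --secret clientSecret ...`)
    # so it is encrypted in state rather than committed to source as a literal.
    config = pulumi.Config()
    client_secret = config.require_secret("clientSecret")
    
    # The realm the identity provider is created in.
    realm = keycloak.Realm("realm",
        realm="my-realm",
        enabled=True)
    
    # NOTE: issuer / jwks_url / validate_signature are left unset here; per this resource's
    # docs validate_signature defaults to False and an unset issuer skips issuer validation,
    # so set them before using this IdP in production.
    realm_identity_provider = keycloak.oidc.IdentityProvider("realmIdentityProvider",
        realm=realm.id,
        alias="my-idp",
        authorization_url="https://authorizationurl.com",
        client_id="clientID",
        client_secret=client_secret,
        token_url="https://tokenurl.com",
        extra_config={
            "clientAuthMethod": "client_secret_post",
        })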
    
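    import * as pulumi from "@pulumi/pulumi";
    import * as keycloak from "@pulumi/keycloak";
    
    // Read the IdP client secret from Pulumi config (`pulumi config set --secret clientSecret ...`)
    // so it is encrypted in state rather than committed to source as a literal.
    const config = new pulumi.Config();
    const clientSecret = config.requireSecret("clientSecret");
    
    // The realm the identity provider is created in.
    const realm = new keycloak.Realm("realm", {
        realm: "my-realm",
        enabled: true,
    });
    
    // NOTE: issuer / jwksUrl / validateSignature are left unset here; per this resource's
    // docs validateSignature defaults to false and an unset issuer skips issuer validation,
    // so set them before using this IdP in production.
    const realmIdentityProvider = new keycloak.oidc.IdentityProvider("realmIdentityProvider", {
        realm: realm.id,
        alias: "my-idp",
        authorizationUrl: "https://authorizationurl.com",
        clientId: "clientID",
        clientSecret: clientSecret,
        tokenUrl: "https://tokenurl.com",
        extraConfig: {
            clientAuthMethod: "client_secret_post",
        },
    });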
    
    resources:
      # The realm the identity provider is created in.
      realm:
        type: keycloak:Realm
        properties:
          realm: my-realm
          enabled: true
      realmIdentityProvider:
        type: keycloak:oidc:IdentityProvider
        properties:
          realm: ${realm.id}
          alias: my-idp
          authorizationUrl: https://authorizationurl.com
          clientId: clientID
          # Placeholder only: do not commit a real client secret as a literal; supply it from a
          # secret config value or the vault reference documented for the clientSecret property.
          clientSecret: clientSecret
          tokenUrl: https://tokenurl.com
          # NOTE: issuer / jwksUrl / validateSignature are left unset here; validateSignature
          # defaults to false and an unset issuer skips issuer validation (see property docs).
          extraConfig:
            clientAuthMethod: client_secret_post
    

    Create IdentityProvider Resource

    new IdentityProvider(name: string, args: IdentityProviderArgs, opts?: CustomResourceOptions);
    @overload
    def IdentityProvider(resource_name: str,
                         opts: Optional[ResourceOptions] = None,
                         accepts_prompt_none_forward_from_client: Optional[bool] = None,
                         add_read_token_role_on_create: Optional[bool] = None,
                         alias: Optional[str] = None,
                         authenticate_by_default: Optional[bool] = None,
                         authorization_url: Optional[str] = None,
                         backchannel_supported: Optional[bool] = None,
                         client_id: Optional[str] = None,
                         client_secret: Optional[str] = None,
                         default_scopes: Optional[str] = None,
                         disable_user_info: Optional[bool] = None,
                         display_name: Optional[str] = None,
                         enabled: Optional[bool] = None,
                         extra_config: Optional[Mapping[str, Any]] = None,
                         first_broker_login_flow_alias: Optional[str] = None,
                         gui_order: Optional[str] = None,
                         hide_on_login_page: Optional[bool] = None,
                         issuer: Optional[str] = None,
                         jwks_url: Optional[str] = None,
                         link_only: Optional[bool] = None,
                         login_hint: Optional[str] = None,
                         logout_url: Optional[str] = None,
                         post_broker_login_flow_alias: Optional[str] = None,
                         provider_id: Optional[str] = None,
                         realm: Optional[str] = None,
                         store_token: Optional[bool] = None,
                         sync_mode: Optional[str] = None,
                         token_url: Optional[str] = None,
                         trust_email: Optional[bool] = None,
                         ui_locales: Optional[bool] = None,
                         user_info_url: Optional[str] = None,
                         validate_signature: Optional[bool] = None)
    @overload
    def IdentityProvider(resource_name: str,
                         args: IdentityProviderArgs,
                         opts: Optional[ResourceOptions] = None)
    func NewIdentityProvider(ctx *Context, name string, args IdentityProviderArgs, opts ...ResourceOption) (*IdentityProvider, error)
    public IdentityProvider(string name, IdentityProviderArgs args, CustomResourceOptions? opts = null)
    public IdentityProvider(String name, IdentityProviderArgs args)
    public IdentityProvider(String name, IdentityProviderArgs args, CustomResourceOptions options)
    
    type: keycloak:oidc:IdentityProvider
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args IdentityProviderArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args IdentityProviderArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args IdentityProviderArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args IdentityProviderArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args IdentityProviderArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    IdentityProvider Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The IdentityProvider resource accepts the following input properties:

    Alias string

    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

    AuthorizationUrl string

    The Authorization Url.

    ClientId string

    The client or client identifier registered within the identity provider.

    ClientSecret string

    The client secret registered within the identity provider. This field can obtain its value from a vault; use the $${vault.ID} format.

    Realm string

    The name of the realm. This is unique across Keycloak.

    TokenUrl string

    The Token URL.

    AcceptsPromptNoneForwardFromClient bool

    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

    AddReadTokenRoleOnCreate bool

    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

    AuthenticateByDefault bool

    Enable/disable authenticate users by default.

    BackchannelSupported bool

    Does the external IDP support backchannel logout? Defaults to true.

    DefaultScopes string

    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

    DisableUserInfo bool

    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

    DisplayName string

    Display name for the identity provider in the GUI.

    Enabled bool

    When true, users will be able to log in to this realm using this identity provider. Defaults to true.

    ExtraConfig Dictionary<string, object>
    FirstBrokerLoginFlowAlias string

    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

    GuiOrder string

    A number defining the order of this identity provider in the GUI.

    HideOnLoginPage bool

    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

    Issuer string

    The issuer identifier for the issuer of the response. If not provided, the issuer is not validated.

    JwksUrl string

    JSON Web Key Set URL.

    LinkOnly bool

    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

    LoginHint string

    Pass login hint to identity provider.

    LogoutUrl string

    The Logout URL is the end session endpoint to use to logout user from external identity provider.

    PostBrokerLoginFlowAlias string

    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

    ProviderId string

    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

    StoreToken bool

    When true, tokens will be stored after authenticating users. Defaults to true.

    SyncMode string

    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

    TrustEmail bool

    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

    UiLocales bool

    Pass current locale to identity provider. Defaults to false.

    UserInfoUrl string

    User Info URL.

    ValidateSignature bool

    Enable/disable signature validation of external IDP signatures. Defaults to false.

    Alias string

    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

    AuthorizationUrl string

    The Authorization Url.

    ClientId string

    The client or client identifier registered within the identity provider.

    ClientSecret string

    The client secret registered within the identity provider. This field can obtain its value from a vault; use the $${vault.ID} format.

    Realm string

    The name of the realm. This is unique across Keycloak.

    TokenUrl string

    The Token URL.

    AcceptsPromptNoneForwardFromClient bool

    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

    AddReadTokenRoleOnCreate bool

    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

    AuthenticateByDefault bool

    Enable/disable authenticate users by default.

    BackchannelSupported bool

    Does the external IDP support backchannel logout? Defaults to true.

    DefaultScopes string

    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

    DisableUserInfo bool

    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

    DisplayName string

    Display name for the identity provider in the GUI.

    Enabled bool

    When true, users will be able to log in to this realm using this identity provider. Defaults to true.

    ExtraConfig map[string]interface{}
    FirstBrokerLoginFlowAlias string

    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

    GuiOrder string

    A number defining the order of this identity provider in the GUI.

    HideOnLoginPage bool

    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

    Issuer string

    The issuer identifier for the issuer of the response. If not provided, the issuer is not validated.

    JwksUrl string

    JSON Web Key Set URL.

    LinkOnly bool

    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

    LoginHint string

    Pass login hint to identity provider.

    LogoutUrl string

    The Logout URL is the end session endpoint to use to logout user from external identity provider.

    PostBrokerLoginFlowAlias string

    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

    ProviderId string

    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

    StoreToken bool

    When true, tokens will be stored after authenticating users. Defaults to true.

    SyncMode string

    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

    TrustEmail bool

    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

    UiLocales bool

    Pass current locale to identity provider. Defaults to false.

    UserInfoUrl string

    User Info URL.

    ValidateSignature bool

    Enable/disable signature validation of external IDP signatures. Defaults to false.

    alias String

    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

    authorizationUrl String

    The Authorization Url.

    clientId String

    The client or client identifier registered within the identity provider.

    clientSecret String

    The client secret registered within the identity provider. This field can obtain its value from a vault; use the $${vault.ID} format.

    realm String

    The name of the realm. This is unique across Keycloak.

    tokenUrl String

    The Token URL.

    acceptsPromptNoneForwardFromClient Boolean

    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

    addReadTokenRoleOnCreate Boolean

    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

    authenticateByDefault Boolean

    Enable/disable authenticate users by default.

    backchannelSupported Boolean

    Does the external IDP support backchannel logout? Defaults to true.

    defaultScopes String

    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

    disableUserInfo Boolean

    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

    displayName String

    Display name for the identity provider in the GUI.

    enabled Boolean

    When true, users will be able to log in to this realm using this identity provider. Defaults to true.

    extraConfig Map<String,Object>
    firstBrokerLoginFlowAlias String

    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

    guiOrder String

    A number defining the order of this identity provider in the GUI.

    hideOnLoginPage Boolean

    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

    issuer String

    The issuer identifier for the issuer of the response. If not provided, the issuer is not validated.

    jwksUrl String

    JSON Web Key Set URL.

    linkOnly Boolean

    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

    loginHint String

    Pass login hint to identity provider.

    logoutUrl String

    The Logout URL is the end session endpoint to use to logout user from external identity provider.

    postBrokerLoginFlowAlias String

    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

    providerId String

    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

    storeToken Boolean

    When true, tokens will be stored after authenticating users. Defaults to true.

    syncMode String

    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

    trustEmail Boolean

    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

    uiLocales Boolean

    Pass current locale to identity provider. Defaults to false.

    userInfoUrl String

    User Info URL.

    validateSignature Boolean

    Enable/disable signature validation of external IDP signatures. Defaults to false.

    alias string

    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

    authorizationUrl string

    The Authorization Url.

    clientId string

    The client or client identifier registered within the identity provider.

    clientSecret string

    The client secret registered within the identity provider. This field can obtain its value from a vault; use the $${vault.ID} format.

    realm string

    The name of the realm. This is unique across Keycloak.

    tokenUrl string

    The Token URL.

    acceptsPromptNoneForwardFromClient boolean

    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

    addReadTokenRoleOnCreate boolean

    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

    authenticateByDefault boolean

    Enable/disable authenticate users by default.

    backchannelSupported boolean

    Does the external IDP support backchannel logout? Defaults to true.

    defaultScopes string

    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

    disableUserInfo boolean

    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

    displayName string

    Display name for the identity provider in the GUI.

    enabled boolean

    When true, users will be able to log in to this realm using this identity provider. Defaults to true.

    extraConfig {[key: string]: any}
    firstBrokerLoginFlowAlias string

    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

    guiOrder string

    A number defining the order of this identity provider in the GUI.

    hideOnLoginPage boolean

    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

    issuer string

    The issuer identifier for the issuer of the response. If not provided, the issuer is not validated.

    jwksUrl string

    JSON Web Key Set URL.

    linkOnly boolean

    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

    loginHint string

    Pass login hint to identity provider.

    logoutUrl string

    The Logout URL is the end session endpoint to use to logout user from external identity provider.

    postBrokerLoginFlowAlias string

    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

    providerId string

    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

    storeToken boolean

    When true, tokens will be stored after authenticating users. Defaults to true.

    syncMode string

    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

    trustEmail boolean

    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

    uiLocales boolean

    Pass current locale to identity provider. Defaults to false.

    userInfoUrl string

    User Info URL.

    validateSignature boolean

    Enable/disable signature validation of external IDP signatures. Defaults to false.

    alias str

    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

    authorization_url str

    The Authorization Url.

    client_id str

    The client or client identifier registered within the identity provider.

    client_secret str

    The client secret registered within the identity provider. This field can obtain its value from a vault; use the $${vault.ID} format.

    realm str

    The name of the realm. This is unique across Keycloak.

    token_url str

    The Token URL.

    accepts_prompt_none_forward_from_client bool

    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

    add_read_token_role_on_create bool

    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

    authenticate_by_default bool

    Enable/disable authenticate users by default.

    backchannel_supported bool

    Does the external IDP support backchannel logout? Defaults to true.

    default_scopes str

    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

    disable_user_info bool

    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

    display_name str

    Display name for the identity provider in the GUI.

    enabled bool

    When true, users will be able to log in to this realm using this identity provider. Defaults to true.

    extra_config Mapping[str, Any]
    first_broker_login_flow_alias str

    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

    gui_order str

    A number defining the order of this identity provider in the GUI.

    hide_on_login_page bool

    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

    issuer str

    The issuer identifier for the issuer of the response. If not provided, the issuer is not validated.

    jwks_url str

    JSON Web Key Set URL.

    link_only bool

    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

    login_hint str

    Pass login hint to identity provider.

    logout_url str

    The Logout URL is the end session endpoint to use to logout user from external identity provider.

    post_broker_login_flow_alias str

    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

    provider_id str

    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

    store_token bool

    When true, tokens will be stored after authenticating users. Defaults to true.

    sync_mode str

    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

    trust_email bool

    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

    ui_locales bool

    Pass current locale to identity provider. Defaults to false.

    user_info_url str

    User Info URL.

    validate_signature bool

    Enable/disable signature validation of external IDP signatures. Defaults to false.

    alias String

    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

    authorizationUrl String

    The Authorization Url.

    clientId String

    The client or client identifier registered within the identity provider.

    clientSecret String

    The client secret registered within the identity provider. This field can obtain its value from a vault; use the $${vault.ID} format.

    realm String

    The name of the realm. This is unique across Keycloak.

    tokenUrl String

    The Token URL.

    acceptsPromptNoneForwardFromClient Boolean

    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

    addReadTokenRoleOnCreate Boolean

    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

    authenticateByDefault Boolean

    Enable/disable authenticate users by default.

    backchannelSupported Boolean

    Does the external IDP support backchannel logout? Defaults to true.

    defaultScopes String

    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

    disableUserInfo Boolean

    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

    displayName String

    Display name for the identity provider in the GUI.

    enabled Boolean

    When true, users will be able to log in to this realm using this identity provider. Defaults to true.

    extraConfig Map<Any>
    firstBrokerLoginFlowAlias String

    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

    guiOrder String

    A number defining the order of this identity provider in the GUI.

    hideOnLoginPage Boolean

    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

    issuer String

    The issuer identifier for the issuer of the response. If not provided, the issuer is not validated.

    jwksUrl String

    JSON Web Key Set URL.

    linkOnly Boolean

    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

    loginHint String

    Pass login hint to identity provider.

    logoutUrl String

    The Logout URL is the end session endpoint to use to logout user from external identity provider.

    postBrokerLoginFlowAlias String

    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

    providerId String

    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

    storeToken Boolean

    When true, tokens will be stored after authenticating users. Defaults to true.

    syncMode String

    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

    trustEmail Boolean

    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

    uiLocales Boolean

    Pass current locale to identity provider. Defaults to false.

    userInfoUrl String

    User Info URL.

    validateSignature Boolean

    Enable/disable validation of the signatures on responses from the external IDP. Defaults to false, so signatures are not verified unless this is explicitly enabled.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the IdentityProvider resource produces the following output properties:

    Id string

    The provider-assigned unique ID for this managed resource.

    InternalId string

    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

    Id string

    The provider-assigned unique ID for this managed resource.

    InternalId string

    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

    id String

    The provider-assigned unique ID for this managed resource.

    internalId String

    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

    id string

    The provider-assigned unique ID for this managed resource.

    internalId string

    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

    id str

    The provider-assigned unique ID for this managed resource.

    internal_id str

    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

    id String

    The provider-assigned unique ID for this managed resource.

    internalId String

    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

    Look up Existing IdentityProvider Resource

    Get an existing IdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: IdentityProviderState, opts?: CustomResourceOptions): IdentityProvider
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            accepts_prompt_none_forward_from_client: Optional[bool] = None,
            add_read_token_role_on_create: Optional[bool] = None,
            alias: Optional[str] = None,
            authenticate_by_default: Optional[bool] = None,
            authorization_url: Optional[str] = None,
            backchannel_supported: Optional[bool] = None,
            client_id: Optional[str] = None,
            client_secret: Optional[str] = None,
            default_scopes: Optional[str] = None,
            disable_user_info: Optional[bool] = None,
            display_name: Optional[str] = None,
            enabled: Optional[bool] = None,
            extra_config: Optional[Mapping[str, Any]] = None,
            first_broker_login_flow_alias: Optional[str] = None,
            gui_order: Optional[str] = None,
            hide_on_login_page: Optional[bool] = None,
            internal_id: Optional[str] = None,
            issuer: Optional[str] = None,
            jwks_url: Optional[str] = None,
            link_only: Optional[bool] = None,
            login_hint: Optional[str] = None,
            logout_url: Optional[str] = None,
            post_broker_login_flow_alias: Optional[str] = None,
            provider_id: Optional[str] = None,
            realm: Optional[str] = None,
            store_token: Optional[bool] = None,
            sync_mode: Optional[str] = None,
            token_url: Optional[str] = None,
            trust_email: Optional[bool] = None,
            ui_locales: Optional[bool] = None,
            user_info_url: Optional[str] = None,
            validate_signature: Optional[bool] = None) -> IdentityProvider
    func GetIdentityProvider(ctx *Context, name string, id IDInput, state *IdentityProviderState, opts ...ResourceOption) (*IdentityProvider, error)
    public static IdentityProvider Get(string name, Input<string> id, IdentityProviderState? state, CustomResourceOptions? opts = null)
    public static IdentityProvider get(String name, Output<String> id, IdentityProviderState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AcceptsPromptNoneForwardFromClient bool

    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

    AddReadTokenRoleOnCreate bool

    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

    Alias string

    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

    AuthenticateByDefault bool

    Enable/disable authenticating users by default.

    AuthorizationUrl string

    The Authorization Url.

    BackchannelSupported bool

    Does the external IDP support backchannel logout? Defaults to true.

    ClientId string

    The client or client identifier registered within the identity provider.

    ClientSecret string

    The client secret registered with the identity provider. This field can obtain its value from the Keycloak vault using the $${vault.ID} format.

    DefaultScopes string

    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

    DisableUserInfo bool

    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

    DisplayName string

    Display name for the identity provider in the GUI.

    Enabled bool

    When true, users will be able to log in to this realm using this identity provider. Defaults to true.

    ExtraConfig Dictionary<string, object>
    FirstBrokerLoginFlowAlias string

    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

    GuiOrder string

    A number defining the order of this identity provider in the GUI.

    HideOnLoginPage bool

    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

    InternalId string

    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

    Issuer string

    The issuer identifier expected in responses from the external IDP. If not provided, no issuer validation is performed.

    JwksUrl string

    JSON Web Key Set URL.

    LinkOnly bool

    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

    LoginHint string

    Pass login hint to identity provider.

    LogoutUrl string

    The end session endpoint used to log the user out of the external identity provider.

    PostBrokerLoginFlowAlias string

    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

    ProviderId string

    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

    Realm string

    The name of the realm. This is unique across Keycloak.

    StoreToken bool

    When true, tokens will be stored after authenticating users. Defaults to true.

    SyncMode string

    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

    TokenUrl string

    The Token URL.

    TrustEmail bool

    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

    UiLocales bool

    Pass current locale to identity provider. Defaults to false.

    UserInfoUrl string

    User Info URL.

    ValidateSignature bool

    Enable/disable validation of the signatures on responses from the external IDP. Defaults to false, so signatures are not verified unless this is explicitly enabled.

    AcceptsPromptNoneForwardFromClient bool

    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

    AddReadTokenRoleOnCreate bool

    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

    Alias string

    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

    AuthenticateByDefault bool

    Enable/disable authenticating users by default.

    AuthorizationUrl string

    The Authorization Url.

    BackchannelSupported bool

    Does the external IDP support backchannel logout? Defaults to true.

    ClientId string

    The client or client identifier registered within the identity provider.

    ClientSecret string

    The client secret registered with the identity provider. This field can obtain its value from the Keycloak vault using the $${vault.ID} format.

    DefaultScopes string

    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

    DisableUserInfo bool

    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

    DisplayName string

    Display name for the identity provider in the GUI.

    Enabled bool

    When true, users will be able to log in to this realm using this identity provider. Defaults to true.

    ExtraConfig map[string]interface{}
    FirstBrokerLoginFlowAlias string

    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

    GuiOrder string

    A number defining the order of this identity provider in the GUI.

    HideOnLoginPage bool

    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

    InternalId string

    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

    Issuer string

    The issuer identifier expected in responses from the external IDP. If not provided, no issuer validation is performed.

    JwksUrl string

    JSON Web Key Set URL.

    LinkOnly bool

    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

    LoginHint string

    Pass login hint to identity provider.

    LogoutUrl string

    The end session endpoint used to log the user out of the external identity provider.

    PostBrokerLoginFlowAlias string

    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

    ProviderId string

    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

    Realm string

    The name of the realm. This is unique across Keycloak.

    StoreToken bool

    When true, tokens will be stored after authenticating users. Defaults to true.

    SyncMode string

    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

    TokenUrl string

    The Token URL.

    TrustEmail bool

    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

    UiLocales bool

    Pass current locale to identity provider. Defaults to false.

    UserInfoUrl string

    User Info URL.

    ValidateSignature bool

    Enable/disable validation of the signatures on responses from the external IDP. Defaults to false, so signatures are not verified unless this is explicitly enabled.

    acceptsPromptNoneForwardFromClient Boolean

    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

    addReadTokenRoleOnCreate Boolean

    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

    alias String

    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

    authenticateByDefault Boolean

    Enable/disable authenticating users by default.

    authorizationUrl String

    The Authorization Url.

    backchannelSupported Boolean

    Does the external IDP support backchannel logout? Defaults to true.

    clientId String

    The client or client identifier registered within the identity provider.

    clientSecret String

    The client secret registered with the identity provider. This field can obtain its value from the Keycloak vault using the $${vault.ID} format.

    defaultScopes String

    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

    disableUserInfo Boolean

    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

    displayName String

    Display name for the identity provider in the GUI.

    enabled Boolean

    When true, users will be able to log in to this realm using this identity provider. Defaults to true.

    extraConfig Map<String,Object>
    firstBrokerLoginFlowAlias String

    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

    guiOrder String

    A number defining the order of this identity provider in the GUI.

    hideOnLoginPage Boolean

    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

    internalId String

    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

    issuer String

    The issuer identifier expected in responses from the external IDP. If not provided, no issuer validation is performed.

    jwksUrl String

    JSON Web Key Set URL.

    linkOnly Boolean

    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

    loginHint String

    Pass login hint to identity provider.

    logoutUrl String

    The end session endpoint used to log the user out of the external identity provider.

    postBrokerLoginFlowAlias String

    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

    providerId String

    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

    realm String

    The name of the realm. This is unique across Keycloak.

    storeToken Boolean

    When true, tokens will be stored after authenticating users. Defaults to true.

    syncMode String

    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

    tokenUrl String

    The Token URL.

    trustEmail Boolean

    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

    uiLocales Boolean

    Pass current locale to identity provider. Defaults to false.

    userInfoUrl String

    User Info URL.

    validateSignature Boolean

    Enable/disable validation of the signatures on responses from the external IDP. Defaults to false, so signatures are not verified unless this is explicitly enabled.

    acceptsPromptNoneForwardFromClient boolean

    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

    addReadTokenRoleOnCreate boolean

    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

    alias string

    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

    authenticateByDefault boolean

    Enable/disable authenticating users by default.

    authorizationUrl string

    The Authorization Url.

    backchannelSupported boolean

    Does the external IDP support backchannel logout? Defaults to true.

    clientId string

    The client or client identifier registered within the identity provider.

    clientSecret string

    The client secret registered with the identity provider. This field can obtain its value from the Keycloak vault using the $${vault.ID} format.

    defaultScopes string

    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

    disableUserInfo boolean

    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

    displayName string

    Display name for the identity provider in the GUI.

    enabled boolean

    When true, users will be able to log in to this realm using this identity provider. Defaults to true.

    extraConfig {[key: string]: any}
    firstBrokerLoginFlowAlias string

    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

    guiOrder string

    A number defining the order of this identity provider in the GUI.

    hideOnLoginPage boolean

    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

    internalId string

    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

    issuer string

    The issuer identifier expected in responses from the external IDP. If not provided, no issuer validation is performed.

    jwksUrl string

    JSON Web Key Set URL.

    linkOnly boolean

    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

    loginHint string

    Pass login hint to identity provider.

    logoutUrl string

    The end session endpoint used to log the user out of the external identity provider.

    postBrokerLoginFlowAlias string

    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

    providerId string

    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

    realm string

    The name of the realm. This is unique across Keycloak.

    storeToken boolean

    When true, tokens will be stored after authenticating users. Defaults to true.

    syncMode string

    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

    tokenUrl string

    The Token URL.

    trustEmail boolean

    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

    uiLocales boolean

    Pass current locale to identity provider. Defaults to false.

    userInfoUrl string

    User Info URL.

    validateSignature boolean

    Enable/disable validation of the signatures on responses from the external IDP. Defaults to false, so signatures are not verified unless this is explicitly enabled.

    accepts_prompt_none_forward_from_client bool

    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

    add_read_token_role_on_create bool

    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

    alias str

    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

    authenticate_by_default bool

    Enable/disable authenticating users by default.

    authorization_url str

    The Authorization Url.

    backchannel_supported bool

    Does the external IDP support backchannel logout? Defaults to true.

    client_id str

    The client or client identifier registered within the identity provider.

    client_secret str

    The client secret registered with the identity provider. This field can obtain its value from the Keycloak vault using the $${vault.ID} format.

    default_scopes str

    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

    disable_user_info bool

    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

    display_name str

    Display name for the identity provider in the GUI.

    enabled bool

    When true, users will be able to log in to this realm using this identity provider. Defaults to true.

    extra_config Mapping[str, Any]
    first_broker_login_flow_alias str

    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

    gui_order str

    A number defining the order of this identity provider in the GUI.

    hide_on_login_page bool

    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

    internal_id str

    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

    issuer str

    The issuer identifier expected in responses from the external IDP. If not provided, no issuer validation is performed.

    jwks_url str

    JSON Web Key Set URL.

    link_only bool

    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

    login_hint str

    Pass login hint to identity provider.

    logout_url str

    The end session endpoint used to log the user out of the external identity provider.

    post_broker_login_flow_alias str

    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

    provider_id str

    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

    realm str

    The name of the realm. This is unique across Keycloak.

    store_token bool

    When true, tokens will be stored after authenticating users. Defaults to true.

    sync_mode str

    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

    token_url str

    The Token URL.

    trust_email bool

    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

    ui_locales bool

    Pass current locale to identity provider. Defaults to false.

    user_info_url str

    User Info URL.

    validate_signature bool

    Enable/disable validation of the signatures on responses from the external IDP. Defaults to false, so signatures are not verified unless this is explicitly enabled.

    acceptsPromptNoneForwardFromClient Boolean

    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

    addReadTokenRoleOnCreate Boolean

    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

    alias String

    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

    authenticateByDefault Boolean

    Enable/disable authenticating users by default.

    authorizationUrl String

    The Authorization Url.

    backchannelSupported Boolean

    Does the external IDP support backchannel logout? Defaults to true.

    clientId String

    The client or client identifier registered within the identity provider.

    clientSecret String

    The client secret registered with the identity provider. This field can obtain its value from the Keycloak vault using the $${vault.ID} format.

    defaultScopes String

    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

    disableUserInfo Boolean

    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

    displayName String

    Display name for the identity provider in the GUI.

    enabled Boolean

    When true, users will be able to log in to this realm using this identity provider. Defaults to true.

    extraConfig Map<Any>
    firstBrokerLoginFlowAlias String

    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

    guiOrder String

    A number defining the order of this identity provider in the GUI.

    hideOnLoginPage Boolean

    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

    internalId String

    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

    issuer String

    The issuer identifier expected in responses from the external IDP. If not provided, no issuer validation is performed.

    jwksUrl String

    JSON Web Key Set URL.

    linkOnly Boolean

    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

    loginHint String

    Pass login hint to identity provider.

    logoutUrl String

    The end session endpoint used to log the user out of the external identity provider.

    postBrokerLoginFlowAlias String

    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

    providerId String

    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

    realm String

    The name of the realm. This is unique across Keycloak.

    storeToken Boolean

    When true, tokens will be stored after authenticating users. Defaults to true.

    syncMode String

    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

    tokenUrl String

    The Token URL.

    trustEmail Boolean

    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

    uiLocales Boolean

    Pass current locale to identity provider. Defaults to false.

    userInfoUrl String

    User Info URL.

    validateSignature Boolean

    Enable/disable validation of the signatures on responses from the external IDP. Defaults to false, so signatures are not verified unless this is explicitly enabled.

    Import

    Identity providers can be imported using the format {{realm_id}}/{{idp_alias}}, where idp_alias is the identity provider alias. Example:

     $ pulumi import keycloak:oidc/identityProvider:IdentityProvider realm_identity_provider my-realm/my-idp
    

    Package Details

    Repository
    Keycloak pulumi/pulumi-keycloak
    License
    Apache-2.0
    Notes

    This Pulumi package is based on the keycloak Terraform Provider.
