Keycloak v5.3.1 published on Monday, Mar 11, 2024 by Pulumi

keycloak.oidc.IdentityProvider



    Allows for creating and managing OIDC Identity Providers within Keycloak.

    OIDC (OpenID Connect) identity providers allow users to authenticate through a third-party system using the OIDC standard.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as keycloak from "@pulumi/keycloak";
    
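    // Read the client secret from stack config instead of embedding it in source:
    //   pulumi config set --secret clientSecret <value>
    // requireSecret() marks the value as a Pulumi secret, so it is encrypted in state
    // and masked in CLI output.
    const config = new pulumi.Config();

    const realm = new keycloak.Realm("realm", {
        realm: "my-realm",
        enabled: true,
    });

    // Minimal OIDC identity provider. Per the property reference on this page,
    // validateSignature defaults to false and an unset issuer disables issuer
    // validation; set both explicitly (typically with jwksUrl) before relying on
    // this provider for real logins.
    const realmIdentityProvider = new keycloak.oidc.IdentityProvider("realmIdentityProvider", {
        realm: realm.id,
        alias: "my-idp",
        authorizationUrl: "https://authorizationurl.com",
        clientId: "clientID",
        clientSecret: config.requireSecret("clientSecret"),
        tokenUrl: "https://tokenurl.com",
        extraConfig: {
            // extraConfig is an untyped map of Keycloak provider settings.
            clientAuthMethod: "client_secret_post",
        },
    });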
    
    import pulumi
    import pulumi_keycloak as keycloak
    
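    # Read the client secret from stack config instead of embedding it in source:
    #   pulumi config set --secret clientSecret <value>
    # require_secret() marks the value as a Pulumi secret, so it is encrypted in
    # state and masked in CLI output.
    config = pulumi.Config()

    realm = keycloak.Realm("realm",
        realm="my-realm",
        enabled=True)

    # Minimal OIDC identity provider. Per the property reference on this page,
    # validate_signature defaults to False and an unset issuer disables issuer
    # validation; set both explicitly (typically with jwks_url) before relying
    # on this provider for real logins.
    realm_identity_provider = keycloak.oidc.IdentityProvider("realmIdentityProvider",
        realm=realm.id,
        alias="my-idp",
        authorization_url="https://authorizationurl.com",
        client_id="clientID",
        client_secret=config.require_secret("clientSecret"),
        token_url="https://tokenurl.com",
        extra_config={
            # extra_config is an untyped mapping of Keycloak provider settings.
            "clientAuthMethod": "client_secret_post",
        })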
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
    	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/oidc"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
    )
    
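    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Read the client secret from stack config instead of embedding it in source:
    		//   pulumi config set --secret clientSecret <value>
    		// RequireSecret marks the value as a Pulumi secret, so it is encrypted in
    		// state and masked in CLI output.
    		clientSecret := config.RequireSecret(ctx, "clientSecret")

    		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
    			Realm:   pulumi.String("my-realm"),
    			Enabled: pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}

    		// Minimal OIDC identity provider. Per the property reference on this page,
    		// ValidateSignature defaults to false and an unset Issuer disables issuer
    		// validation; set both explicitly (typically with JwksUrl) before relying
    		// on this provider for real logins.
    		_, err = oidc.NewIdentityProvider(ctx, "realmIdentityProvider", &oidc.IdentityProviderArgs{
    			Realm:            realm.ID(),
    			Alias:            pulumi.String("my-idp"),
    			AuthorizationUrl: pulumi.String("https://authorizationurl.com"),
    			ClientId:         pulumi.String("clientID"),
    			ClientSecret:     clientSecret,
    			TokenUrl:         pulumi.String("https://tokenurl.com"),
    			ExtraConfig: pulumi.Map{
    				// ExtraConfig is an untyped map of Keycloak provider settings.
    				"clientAuthMethod": pulumi.Any("client_secret_post"),
    			},
    		})
    		// err is nil on success, so returning it directly covers both outcomes.
    		return err
    	})
    }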
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Keycloak = Pulumi.Keycloak;
    
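    return await Deployment.RunAsync(() => 
    {
        // Read the client secret from stack config instead of embedding it in source:
        //   pulumi config set --secret clientSecret <value>
        // RequireSecret marks the value as a Pulumi secret, so it is encrypted in
        // state and masked in CLI output.
        var config = new Config();

        var realm = new Keycloak.Realm("realm", new()
        {
            RealmName = "my-realm",
            Enabled = true,
        });

        // Minimal OIDC identity provider. Per the property reference on this page,
        // ValidateSignature defaults to false and an unset Issuer disables issuer
        // validation; set both explicitly (typically with JwksUrl) before relying
        // on this provider for real logins.
        var realmIdentityProvider = new Keycloak.Oidc.IdentityProvider("realmIdentityProvider", new()
        {
            Realm = realm.Id,
            Alias = "my-idp",
            AuthorizationUrl = "https://authorizationurl.com",
            ClientId = "clientID",
            ClientSecret = config.RequireSecret("clientSecret"),
            TokenUrl = "https://tokenurl.com",
            ExtraConfig = 
            {
                // ExtraConfig is an untyped Dictionary<string, object> of Keycloak provider settings.
                { "clientAuthMethod", "client_secret_post" },
            },
        });

    });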
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.keycloak.Realm;
    import com.pulumi.keycloak.RealmArgs;
    import com.pulumi.keycloak.oidc.IdentityProvider;
    import com.pulumi.keycloak.oidc.IdentityProviderArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
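    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares a realm and a minimal OIDC identity provider inside it.
         *
         * The client secret is read from stack config ({@code pulumi config set --secret clientSecret <value>})
         * instead of being embedded in source; requireSecret marks it as a Pulumi secret so it is
         * encrypted in state and masked in CLI output.
         *
         * @param ctx the Pulumi deployment context supplied by {@link Pulumi#run}
         */
        public static void stack(Context ctx) {
            var config = ctx.config();

            var realm = new Realm("realm", RealmArgs.builder()
                .realm("my-realm")
                .enabled(true)
                .build());

            // Per the property reference on this page, validateSignature defaults to false and
            // an unset issuer disables issuer validation; set both explicitly (typically with
            // jwksUrl) before relying on this provider for real logins.
            var realmIdentityProvider = new IdentityProvider("realmIdentityProvider", IdentityProviderArgs.builder()
                .realm(realm.id())
                .alias("my-idp")
                .authorizationUrl("https://authorizationurl.com")
                .clientId("clientID")
                .clientSecret(config.requireSecret("clientSecret"))
                .tokenUrl("https://tokenurl.com")
                // extraConfig is an untyped Map<String,Object> of Keycloak provider settings.
                .extraConfig(Map.of("clientAuthMethod", "client_secret_post"))
                .build());
        }
    }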
    
    resources:
      realm:
        type: keycloak:Realm
        properties:
          realm: my-realm
          enabled: true
      realmIdentityProvider:
        type: keycloak:oidc:IdentityProvider
        properties:
          realm: ${realm.id}
          alias: my-idp
          authorizationUrl: https://authorizationurl.com
          clientId: clientID
          # Placeholder value only. Keep the real secret out of the program file
          # (e.g. a secret config value set with `pulumi config set --secret`)
          # so it is encrypted in state rather than stored in plain text.
          clientSecret: clientSecret
          tokenUrl: https://tokenurl.com
          # Per the property reference on this page, validateSignature defaults to
          # false and an unset issuer disables issuer validation; set both explicitly
          # (typically with jwksUrl) before relying on this provider for real logins.
          extraConfig:
            # extraConfig is an untyped map of Keycloak provider settings.
            clientAuthMethod: client_secret_post
    

    Create IdentityProvider Resource

    new IdentityProvider(name: string, args: IdentityProviderArgs, opts?: CustomResourceOptions);
    @overload
    def IdentityProvider(resource_name: str,
                         opts: Optional[ResourceOptions] = None,
                         accepts_prompt_none_forward_from_client: Optional[bool] = None,
                         add_read_token_role_on_create: Optional[bool] = None,
                         alias: Optional[str] = None,
                         authenticate_by_default: Optional[bool] = None,
                         authorization_url: Optional[str] = None,
                         backchannel_supported: Optional[bool] = None,
                         client_id: Optional[str] = None,
                         client_secret: Optional[str] = None,
                         default_scopes: Optional[str] = None,
                         disable_user_info: Optional[bool] = None,
                         display_name: Optional[str] = None,
                         enabled: Optional[bool] = None,
                         extra_config: Optional[Mapping[str, Any]] = None,
                         first_broker_login_flow_alias: Optional[str] = None,
                         gui_order: Optional[str] = None,
                         hide_on_login_page: Optional[bool] = None,
                         issuer: Optional[str] = None,
                         jwks_url: Optional[str] = None,
                         link_only: Optional[bool] = None,
                         login_hint: Optional[str] = None,
                         logout_url: Optional[str] = None,
                         post_broker_login_flow_alias: Optional[str] = None,
                         provider_id: Optional[str] = None,
                         realm: Optional[str] = None,
                         store_token: Optional[bool] = None,
                         sync_mode: Optional[str] = None,
                         token_url: Optional[str] = None,
                         trust_email: Optional[bool] = None,
                         ui_locales: Optional[bool] = None,
                         user_info_url: Optional[str] = None,
                         validate_signature: Optional[bool] = None)
    @overload
    def IdentityProvider(resource_name: str,
                         args: IdentityProviderArgs,
                         opts: Optional[ResourceOptions] = None)
    func NewIdentityProvider(ctx *Context, name string, args IdentityProviderArgs, opts ...ResourceOption) (*IdentityProvider, error)
    public IdentityProvider(string name, IdentityProviderArgs args, CustomResourceOptions? opts = null)
    public IdentityProvider(String name, IdentityProviderArgs args)
    public IdentityProvider(String name, IdentityProviderArgs args, CustomResourceOptions options)
    
    type: keycloak:oidc:IdentityProvider
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args IdentityProviderArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args IdentityProviderArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args IdentityProviderArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args IdentityProviderArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args IdentityProviderArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    IdentityProvider Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The IdentityProvider resource accepts the following input properties:

    Alias string
    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
    AuthorizationUrl string
    The Authorization Url.
    ClientId string
    The client or client identifier registered within the identity provider.
    ClientSecret string
    The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
    Realm string
    The name of the realm. This is unique across Keycloak.
    TokenUrl string
    The Token URL.
    AcceptsPromptNoneForwardFromClient bool
    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
    AddReadTokenRoleOnCreate bool
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    AuthenticateByDefault bool
    Enable/disable authenticate users by default.
    BackchannelSupported bool
    Does the external IDP support backchannel logout? Defaults to true.
    DefaultScopes string
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
    DisableUserInfo bool
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    DisplayName string
    Display name for the identity provider in the GUI.
    Enabled bool
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    ExtraConfig Dictionary<string, object>
    FirstBrokerLoginFlowAlias string
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    GuiOrder string
    A number defining the order of this identity provider in the GUI.
    HideOnLoginPage bool
    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
    Issuer string
    The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
    JwksUrl string
    JSON Web Key Set URL.
    LinkOnly bool
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    LoginHint string
    Pass login hint to identity provider.
    LogoutUrl string
    The Logout URL is the end session endpoint to use to logout user from external identity provider.
    PostBrokerLoginFlowAlias string
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    ProviderId string
    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
    StoreToken bool
    When true, tokens will be stored after authenticating users. Defaults to true.
    SyncMode string
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    TrustEmail bool
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    UiLocales bool
    Pass current locale to identity provider. Defaults to false.
    UserInfoUrl string
    User Info URL.
    ValidateSignature bool
    Enable/disable signature validation of external IDP signatures. Defaults to false.
    Alias string
    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
    AuthorizationUrl string
    The Authorization Url.
    ClientId string
    The client or client identifier registered within the identity provider.
    ClientSecret string
    The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
    Realm string
    The name of the realm. This is unique across Keycloak.
    TokenUrl string
    The Token URL.
    AcceptsPromptNoneForwardFromClient bool
    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
    AddReadTokenRoleOnCreate bool
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    AuthenticateByDefault bool
    Enable/disable authenticate users by default.
    BackchannelSupported bool
    Does the external IDP support backchannel logout? Defaults to true.
    DefaultScopes string
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
    DisableUserInfo bool
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    DisplayName string
    Display name for the identity provider in the GUI.
    Enabled bool
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    ExtraConfig map[string]interface{}
    FirstBrokerLoginFlowAlias string
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    GuiOrder string
    A number defining the order of this identity provider in the GUI.
    HideOnLoginPage bool
    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
    Issuer string
    The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
    JwksUrl string
    JSON Web Key Set URL.
    LinkOnly bool
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    LoginHint string
    Pass login hint to identity provider.
    LogoutUrl string
    The Logout URL is the end session endpoint to use to logout user from external identity provider.
    PostBrokerLoginFlowAlias string
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    ProviderId string
    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
    StoreToken bool
    When true, tokens will be stored after authenticating users. Defaults to true.
    SyncMode string
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    TrustEmail bool
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    UiLocales bool
    Pass current locale to identity provider. Defaults to false.
    UserInfoUrl string
    User Info URL.
    ValidateSignature bool
    Enable/disable signature validation of external IDP signatures. Defaults to false.
    alias String
    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
    authorizationUrl String
    The Authorization Url.
    clientId String
    The client or client identifier registered within the identity provider.
    clientSecret String
    The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
    realm String
    The name of the realm. This is unique across Keycloak.
    tokenUrl String
    The Token URL.
    acceptsPromptNoneForwardFromClient Boolean
    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
    addReadTokenRoleOnCreate Boolean
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    authenticateByDefault Boolean
    Enable/disable authenticate users by default.
    backchannelSupported Boolean
    Does the external IDP support backchannel logout? Defaults to true.
    defaultScopes String
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
    disableUserInfo Boolean
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    displayName String
    Display name for the identity provider in the GUI.
    enabled Boolean
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    extraConfig Map<String,Object>
    firstBrokerLoginFlowAlias String
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    guiOrder String
    A number defining the order of this identity provider in the GUI.
    hideOnLoginPage Boolean
    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
    issuer String
    The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
    jwksUrl String
    JSON Web Key Set URL.
    linkOnly Boolean
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    loginHint String
    Pass login hint to identity provider.
    logoutUrl String
    The Logout URL is the end session endpoint to use to logout user from external identity provider.
    postBrokerLoginFlowAlias String
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    providerId String
    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
    storeToken Boolean
    When true, tokens will be stored after authenticating users. Defaults to true.
    syncMode String
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    trustEmail Boolean
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    uiLocales Boolean
    Pass current locale to identity provider. Defaults to false.
    userInfoUrl String
    User Info URL.
    validateSignature Boolean
    Enable/disable signature validation of external IDP signatures. Defaults to false.
    alias string
    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
    authorizationUrl string
    The Authorization Url.
    clientId string
    The client or client identifier registered within the identity provider.
    clientSecret string
    The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
    realm string
    The name of the realm. This is unique across Keycloak.
    tokenUrl string
    The Token URL.
    acceptsPromptNoneForwardFromClient boolean
    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
    addReadTokenRoleOnCreate boolean
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    authenticateByDefault boolean
    Enable/disable authenticate users by default.
    backchannelSupported boolean
    Does the external IDP support backchannel logout? Defaults to true.
    defaultScopes string
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
    disableUserInfo boolean
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    displayName string
    Display name for the identity provider in the GUI.
    enabled boolean
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    extraConfig {[key: string]: any}
    firstBrokerLoginFlowAlias string
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    guiOrder string
    A number defining the order of this identity provider in the GUI.
    hideOnLoginPage boolean
    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
    issuer string
    The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
    jwksUrl string
    JSON Web Key Set URL.
    linkOnly boolean
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    loginHint string
    Pass login hint to identity provider.
    logoutUrl string
    The Logout URL is the end session endpoint to use to logout user from external identity provider.
    postBrokerLoginFlowAlias string
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    providerId string
    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
    storeToken boolean
    When true, tokens will be stored after authenticating users. Defaults to true.
    syncMode string
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    trustEmail boolean
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    uiLocales boolean
    Pass current locale to identity provider. Defaults to false.
    userInfoUrl string
    User Info URL.
    validateSignature boolean
    Enable/disable signature validation of external IDP signatures. Defaults to false.
    alias str
    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
    authorization_url str
    The Authorization Url.
    client_id str
    The client or client identifier registered within the identity provider.
    client_secret str
    The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
    realm str
    The name of the realm. This is unique across Keycloak.
    token_url str
    The Token URL.
    accepts_prompt_none_forward_from_client bool
    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
    add_read_token_role_on_create bool
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    authenticate_by_default bool
    Enable/disable authenticate users by default.
    backchannel_supported bool
    Does the external IDP support backchannel logout? Defaults to true.
    default_scopes str
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
    disable_user_info bool
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    display_name str
    Display name for the identity provider in the GUI.
    enabled bool
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    extra_config Mapping[str, Any]
    first_broker_login_flow_alias str
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    gui_order str
    A number defining the order of this identity provider in the GUI.
    hide_on_login_page bool
    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
    issuer str
    The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
    jwks_url str
    JSON Web Key Set URL.
    link_only bool
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    login_hint str
    Pass login hint to identity provider.
    logout_url str
    The Logout URL is the end session endpoint to use to logout user from external identity provider.
    post_broker_login_flow_alias str
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    provider_id str
    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
    store_token bool
    When true, tokens will be stored after authenticating users. Defaults to true.
    sync_mode str
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    trust_email bool
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    ui_locales bool
    Pass current locale to identity provider. Defaults to false.
    user_info_url str
    User Info URL.
    validate_signature bool
    Enable/disable signature validation of external IDP signatures. Defaults to false.
    alias String
    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
    authorizationUrl String
    The Authorization Url.
    clientId String
    The client or client identifier registered within the identity provider.
    clientSecret String
    The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
    realm String
    The name of the realm. This is unique across Keycloak.
    tokenUrl String
    The Token URL.
    acceptsPromptNoneForwardFromClient Boolean
    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
    addReadTokenRoleOnCreate Boolean
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    authenticateByDefault Boolean
    Enable/disable authenticate users by default.
    backchannelSupported Boolean
    Does the external IDP support backchannel logout? Defaults to true.
    defaultScopes String
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
    disableUserInfo Boolean
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    displayName String
    Display name for the identity provider in the GUI.
    enabled Boolean
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    extraConfig Map<Any>
    firstBrokerLoginFlowAlias String
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    guiOrder String
    A number defining the order of this identity provider in the GUI.
    hideOnLoginPage Boolean
    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
    issuer String
    The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
    jwksUrl String
    JSON Web Key Set URL.
    linkOnly Boolean
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    loginHint String
    Pass login hint to identity provider.
    logoutUrl String
    The Logout URL is the end session endpoint to use to logout user from external identity provider.
    postBrokerLoginFlowAlias String
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    providerId String
    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
    storeToken Boolean
    When true, tokens will be stored after authenticating users. Defaults to true.
    syncMode String
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    trustEmail Boolean
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    uiLocales Boolean
    Pass current locale to identity provider. Defaults to false.
    userInfoUrl String
    User Info URL.
    validateSignature Boolean
    Enable/disable signature validation of external IDP signatures. Defaults to false.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the IdentityProvider resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    InternalId string
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    Id string
    The provider-assigned unique ID for this managed resource.
    InternalId string
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    id String
    The provider-assigned unique ID for this managed resource.
    internalId String
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    id string
    The provider-assigned unique ID for this managed resource.
    internalId string
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    id str
    The provider-assigned unique ID for this managed resource.
    internal_id str
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    id String
    The provider-assigned unique ID for this managed resource.
    internalId String
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

    Look up Existing IdentityProvider Resource

    Get an existing IdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: IdentityProviderState, opts?: CustomResourceOptions): IdentityProvider
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            accepts_prompt_none_forward_from_client: Optional[bool] = None,
            add_read_token_role_on_create: Optional[bool] = None,
            alias: Optional[str] = None,
            authenticate_by_default: Optional[bool] = None,
            authorization_url: Optional[str] = None,
            backchannel_supported: Optional[bool] = None,
            client_id: Optional[str] = None,
            client_secret: Optional[str] = None,
            default_scopes: Optional[str] = None,
            disable_user_info: Optional[bool] = None,
            display_name: Optional[str] = None,
            enabled: Optional[bool] = None,
            extra_config: Optional[Mapping[str, Any]] = None,
            first_broker_login_flow_alias: Optional[str] = None,
            gui_order: Optional[str] = None,
            hide_on_login_page: Optional[bool] = None,
            internal_id: Optional[str] = None,
            issuer: Optional[str] = None,
            jwks_url: Optional[str] = None,
            link_only: Optional[bool] = None,
            login_hint: Optional[str] = None,
            logout_url: Optional[str] = None,
            post_broker_login_flow_alias: Optional[str] = None,
            provider_id: Optional[str] = None,
            realm: Optional[str] = None,
            store_token: Optional[bool] = None,
            sync_mode: Optional[str] = None,
            token_url: Optional[str] = None,
            trust_email: Optional[bool] = None,
            ui_locales: Optional[bool] = None,
            user_info_url: Optional[str] = None,
            validate_signature: Optional[bool] = None) -> IdentityProvider
    func GetIdentityProvider(ctx *Context, name string, id IDInput, state *IdentityProviderState, opts ...ResourceOption) (*IdentityProvider, error)
    public static IdentityProvider Get(string name, Input<string> id, IdentityProviderState? state, CustomResourceOptions? opts = null)
    public static IdentityProvider get(String name, Output<String> id, IdentityProviderState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AcceptsPromptNoneForwardFromClient bool
    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
    AddReadTokenRoleOnCreate bool
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    Alias string
    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
    AuthenticateByDefault bool
    Enable/disable authenticate users by default.
    AuthorizationUrl string
    The Authorization Url.
    BackchannelSupported bool
    Does the external IDP support backchannel logout? Defaults to true.
    ClientId string
    The client or client identifier registered within the identity provider.
    ClientSecret string
    The client secret registered within the identity provider. This field can obtain its value from vault; use the $${vault.ID} format.
    DefaultScopes string
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
    DisableUserInfo bool
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    DisplayName string
    Display name for the identity provider in the GUI.
    Enabled bool
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    ExtraConfig Dictionary<string, object>
    FirstBrokerLoginFlowAlias string
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    GuiOrder string
    A number defining the order of this identity provider in the GUI.
    HideOnLoginPage bool
    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
    InternalId string
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    Issuer string
    The issuer identifier expected in the response. If not provided, no issuer validation will be performed.
    JwksUrl string
    JSON Web Key Set URL.
    LinkOnly bool
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    LoginHint string
    Pass login hint to identity provider.
    LogoutUrl string
    The Logout URL is the end-session endpoint used to log the user out of the external identity provider.
    PostBrokerLoginFlowAlias string
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    ProviderId string
    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
    Realm string
    The name of the realm. This is unique across Keycloak.
    StoreToken bool
    When true, tokens will be stored after authenticating users. Defaults to true.
    SyncMode string
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    TokenUrl string
    The Token URL.
    TrustEmail bool
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    UiLocales bool
    Pass current locale to identity provider. Defaults to false.
    UserInfoUrl string
    User Info URL.
    ValidateSignature bool
    Enable/disable signature validation of tokens issued by the external IDP. Defaults to false, in which case signatures on tokens from the external IDP are not verified.
    AcceptsPromptNoneForwardFromClient bool
    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
    AddReadTokenRoleOnCreate bool
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    Alias string
    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
    AuthenticateByDefault bool
    Enable/disable authenticate users by default.
    AuthorizationUrl string
    The Authorization Url.
    BackchannelSupported bool
    Does the external IDP support backchannel logout? Defaults to true.
    ClientId string
    The client or client identifier registered within the identity provider.
    ClientSecret string
    The client secret registered within the identity provider. This field can obtain its value from vault; use the $${vault.ID} format.
    DefaultScopes string
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
    DisableUserInfo bool
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    DisplayName string
    Display name for the identity provider in the GUI.
    Enabled bool
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    ExtraConfig map[string]interface{}
    FirstBrokerLoginFlowAlias string
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    GuiOrder string
    A number defining the order of this identity provider in the GUI.
    HideOnLoginPage bool
    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
    InternalId string
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    Issuer string
    The issuer identifier expected in the response. If not provided, no issuer validation will be performed.
    JwksUrl string
    JSON Web Key Set URL.
    LinkOnly bool
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    LoginHint string
    Pass login hint to identity provider.
    LogoutUrl string
    The Logout URL is the end-session endpoint used to log the user out of the external identity provider.
    PostBrokerLoginFlowAlias string
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    ProviderId string
    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
    Realm string
    The name of the realm. This is unique across Keycloak.
    StoreToken bool
    When true, tokens will be stored after authenticating users. Defaults to true.
    SyncMode string
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    TokenUrl string
    The Token URL.
    TrustEmail bool
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    UiLocales bool
    Pass current locale to identity provider. Defaults to false.
    UserInfoUrl string
    User Info URL.
    ValidateSignature bool
    Enable/disable signature validation of tokens issued by the external IDP. Defaults to false, in which case signatures on tokens from the external IDP are not verified.
    acceptsPromptNoneForwardFromClient Boolean
    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
    addReadTokenRoleOnCreate Boolean
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    alias String
    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
    authenticateByDefault Boolean
    Enable/disable authenticate users by default.
    authorizationUrl String
    The Authorization Url.
    backchannelSupported Boolean
    Does the external IDP support backchannel logout? Defaults to true.
    clientId String
    The client or client identifier registered within the identity provider.
    clientSecret String
    The client secret registered within the identity provider. This field can obtain its value from vault; use the $${vault.ID} format.
    defaultScopes String
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
    disableUserInfo Boolean
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    displayName String
    Display name for the identity provider in the GUI.
    enabled Boolean
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    extraConfig Map<String,Object>
    firstBrokerLoginFlowAlias String
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    guiOrder String
    A number defining the order of this identity provider in the GUI.
    hideOnLoginPage Boolean
    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
    internalId String
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    issuer String
    The issuer identifier expected in the response. If not provided, no issuer validation will be performed.
    jwksUrl String
    JSON Web Key Set URL.
    linkOnly Boolean
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    loginHint String
    Pass login hint to identity provider.
    logoutUrl String
    The Logout URL is the end-session endpoint used to log the user out of the external identity provider.
    postBrokerLoginFlowAlias String
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    providerId String
    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
    realm String
    The name of the realm. This is unique across Keycloak.
    storeToken Boolean
    When true, tokens will be stored after authenticating users. Defaults to true.
    syncMode String
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    tokenUrl String
    The Token URL.
    trustEmail Boolean
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    uiLocales Boolean
    Pass current locale to identity provider. Defaults to false.
    userInfoUrl String
    User Info URL.
    validateSignature Boolean
    Enable/disable signature validation of tokens issued by the external IDP. Defaults to false, in which case signatures on tokens from the external IDP are not verified.
    acceptsPromptNoneForwardFromClient boolean
    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
    addReadTokenRoleOnCreate boolean
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    alias string
    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
    authenticateByDefault boolean
    Enable/disable authenticate users by default.
    authorizationUrl string
    The Authorization Url.
    backchannelSupported boolean
    Does the external IDP support backchannel logout? Defaults to true.
    clientId string
    The client or client identifier registered within the identity provider.
    clientSecret string
    The client secret registered within the identity provider. This field can obtain its value from vault; use the $${vault.ID} format.
    defaultScopes string
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
    disableUserInfo boolean
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    displayName string
    Display name for the identity provider in the GUI.
    enabled boolean
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    extraConfig {[key: string]: any}
    firstBrokerLoginFlowAlias string
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    guiOrder string
    A number defining the order of this identity provider in the GUI.
    hideOnLoginPage boolean
    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
    internalId string
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    issuer string
    The issuer identifier expected in the response. If not provided, no issuer validation will be performed.
    jwksUrl string
    JSON Web Key Set URL.
    linkOnly boolean
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    loginHint string
    Pass login hint to identity provider.
    logoutUrl string
    The Logout URL is the end-session endpoint used to log the user out of the external identity provider.
    postBrokerLoginFlowAlias string
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    providerId string
    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
    realm string
    The name of the realm. This is unique across Keycloak.
    storeToken boolean
    When true, tokens will be stored after authenticating users. Defaults to true.
    syncMode string
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    tokenUrl string
    The Token URL.
    trustEmail boolean
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    uiLocales boolean
    Pass current locale to identity provider. Defaults to false.
    userInfoUrl string
    User Info URL.
    validateSignature boolean
    Enable/disable signature validation of tokens issued by the external IDP. Defaults to false, in which case signatures on tokens from the external IDP are not verified.
    accepts_prompt_none_forward_from_client bool
    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
    add_read_token_role_on_create bool
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    alias str
    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
    authenticate_by_default bool
    Enable/disable authenticate users by default.
    authorization_url str
    The Authorization Url.
    backchannel_supported bool
    Does the external IDP support backchannel logout? Defaults to true.
    client_id str
    The client or client identifier registered within the identity provider.
    client_secret str
    The client secret registered within the identity provider. This field can obtain its value from vault; use the $${vault.ID} format.
    default_scopes str
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
    disable_user_info bool
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    display_name str
    Display name for the identity provider in the GUI.
    enabled bool
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    extra_config Mapping[str, Any]
    first_broker_login_flow_alias str
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    gui_order str
    A number defining the order of this identity provider in the GUI.
    hide_on_login_page bool
    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
    internal_id str
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    issuer str
    The issuer identifier expected in the response. If not provided, no issuer validation will be performed.
    jwks_url str
    JSON Web Key Set URL.
    link_only bool
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    login_hint str
    Pass login hint to identity provider.
    logout_url str
    The Logout URL is the end-session endpoint used to log the user out of the external identity provider.
    post_broker_login_flow_alias str
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    provider_id str
    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
    realm str
    The name of the realm. This is unique across Keycloak.
    store_token bool
    When true, tokens will be stored after authenticating users. Defaults to true.
    sync_mode str
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    token_url str
    The Token URL.
    trust_email bool
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    ui_locales bool
    Pass current locale to identity provider. Defaults to false.
    user_info_url str
    User Info URL.
    validate_signature bool
    Enable/disable signature validation of tokens issued by the external IDP. Defaults to false, in which case signatures on tokens from the external IDP are not verified.
    acceptsPromptNoneForwardFromClient Boolean
    When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
    addReadTokenRoleOnCreate Boolean
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    alias String
    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
    authenticateByDefault Boolean
    Enable/disable authenticate users by default.
    authorizationUrl String
    The Authorization Url.
    backchannelSupported Boolean
    Does the external IDP support backchannel logout? Defaults to true.
    clientId String
    The client or client identifier registered within the identity provider.
    clientSecret String
    The client secret registered within the identity provider. This field can obtain its value from vault; use the $${vault.ID} format.
    defaultScopes String
    The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
    disableUserInfo Boolean
    When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
    displayName String
    Display name for the identity provider in the GUI.
    enabled Boolean
    When true, users will be able to log in to this realm using this identity provider. Defaults to true.
    extraConfig Map<Any>
    firstBrokerLoginFlowAlias String
    The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
    guiOrder String
    A number defining the order of this identity provider in the GUI.
    hideOnLoginPage Boolean
    When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
    internalId String
    (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
    issuer String
    The issuer identifier expected in the response. If not provided, no issuer validation will be performed.
    jwksUrl String
    JSON Web Key Set URL.
    linkOnly Boolean
    When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
    loginHint String
    Pass login hint to identity provider.
    logoutUrl String
    The Logout URL is the end-session endpoint used to log the user out of the external identity provider.
    postBrokerLoginFlowAlias String
    The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
    providerId String
    The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
    realm String
    The name of the realm. This is unique across Keycloak.
    storeToken Boolean
    When true, tokens will be stored after authenticating users. Defaults to true.
    syncMode String
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    tokenUrl String
    The Token URL.
    trustEmail Boolean
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    uiLocales Boolean
    Pass current locale to identity provider. Defaults to false.
    userInfoUrl String
    User Info URL.
    validateSignature Boolean
    Enable/disable signature validation of tokens issued by the external IDP. Defaults to false, in which case signatures on tokens from the external IDP are not verified.

    Import

    Identity providers can be imported using the format {{realm_id}}/{{idp_alias}}, where idp_alias is the identity provider alias.

    Example:

    bash

    $ pulumi import keycloak:oidc/identityProvider:IdentityProvider realm_identity_provider my-realm/my-idp
    

    Package Details

    Repository
    Keycloak pulumi/pulumi-keycloak
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the keycloak Terraform Provider.