keycloak.oidc.IdentityProvider

Allows for creating and managing OIDC Identity Providers within Keycloak.

OIDC (OpenID Connect) identity providers allow users to authenticate through a third-party system using the OIDC standard.

Example Usage

using System.Collections.Generic;
using Pulumi;
using Keycloak = Pulumi.Keycloak;

// Top-level program: create a realm and register an OIDC identity provider in it.
return await Deployment.RunAsync(() =>
{
    // The realm that owns the identity provider.
    var realmArgs = new Keycloak.RealmArgs
    {
        RealmName = "my-realm",
        Enabled = true,
    };
    var realm = new Keycloak.Realm("realm", realmArgs);

    var providerArgs = new Keycloak.Oidc.IdentityProviderArgs
    {
        Realm = realm.Id,
        Alias = "my-idp",
        AuthorizationUrl = "https://authorizationurl.com",
        ClientId = "clientID",
        // Placeholder literal; in a real program supply the secret from Pulumi config
        // (marked secret) or with the $${vault.ID} reference documented for ClientSecret.
        ClientSecret = "clientSecret",
        TokenUrl = "https://tokenurl.com",
        // Provider-specific settings forwarded to Keycloak unchanged.
        ExtraConfig =
        {
            { "clientAuthMethod", "client_secret_post" },
        },
    };
    var realmIdentityProvider = new Keycloak.Oidc.IdentityProvider("realmIdentityProvider", providerArgs);
});
package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/oidc"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main declares a realm and an OIDC identity provider as a Pulumi program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The realm that owns the identity provider.
		realmArgs := &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		}
		realm, err := keycloak.NewRealm(ctx, "realm", realmArgs)
		if err != nil {
			return err
		}

		// Provider-specific settings forwarded to Keycloak unchanged.
		extraConfig := pulumi.AnyMap{
			"clientAuthMethod": pulumi.Any("client_secret_post"),
		}
		idpArgs := &oidc.IdentityProviderArgs{
			Realm:            realm.ID(),
			Alias:            pulumi.String("my-idp"),
			AuthorizationUrl: pulumi.String("https://authorizationurl.com"),
			ClientId:         pulumi.String("clientID"),
			// Placeholder literal; in a real program supply the secret from Pulumi config
			// (marked secret) or with the $${vault.ID} reference documented for ClientSecret.
			ClientSecret: pulumi.String("clientSecret"),
			TokenUrl:     pulumi.String("https://tokenurl.com"),
			ExtraConfig:  extraConfig,
		}
		if _, err := oidc.NewIdentityProvider(ctx, "realmIdentityProvider", idpArgs); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.oidc.IdentityProvider;
import com.pulumi.keycloak.oidc.IdentityProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that creates a realm and registers an OIDC identity provider in it.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the realm and the identity provider; invoked by the Pulumi runtime.
     *
     * @param ctx the deployment context supplied by Pulumi
     */
    public static void stack(Context ctx) {
        // The realm that owns the identity provider.
        RealmArgs realmArgs = RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build();
        Realm realm = new Realm("realm", realmArgs);

        // Provider-specific settings forwarded to Keycloak unchanged.
        Map<String, Object> extraConfig = Map.of("clientAuthMethod", "client_secret_post");

        IdentityProviderArgs idpArgs = IdentityProviderArgs.builder()
            .realm(realm.id())
            .alias("my-idp")
            .authorizationUrl("https://authorizationurl.com")
            .clientId("clientID")
            // Placeholder literal; in a real program supply the secret from Pulumi config
            // (marked secret) or with the $${vault.ID} reference documented for clientSecret.
            .clientSecret("clientSecret")
            .tokenUrl("https://tokenurl.com")
            .extraConfig(extraConfig)
            .build();
        IdentityProvider realmIdentityProvider = new IdentityProvider("realmIdentityProvider", idpArgs);
    }
}
import pulumi
import pulumi_keycloak as keycloak

# The realm that owns the identity provider.
realm = keycloak.Realm(
    "realm",
    realm="my-realm",
    enabled=True,
)

realm_identity_provider = keycloak.oidc.IdentityProvider(
    "realmIdentityProvider",
    realm=realm.id,
    alias="my-idp",
    authorization_url="https://authorizationurl.com",
    client_id="clientID",
    # Placeholder literal; in a real program supply the secret from Pulumi config
    # (marked secret) or with the $${vault.ID} reference documented for client_secret.
    client_secret="clientSecret",
    token_url="https://tokenurl.com",
    # Provider-specific settings forwarded to Keycloak unchanged.
    extra_config=dict(clientAuthMethod="client_secret_post"),
)
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

// The realm that owns the identity provider.
const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});

const idpArgs: keycloak.oidc.IdentityProviderArgs = {
    realm: realm.id,
    alias: "my-idp",
    authorizationUrl: "https://authorizationurl.com",
    clientId: "clientID",
    // Placeholder literal; in a real program supply the secret from Pulumi config
    // (marked secret) or with the $${vault.ID} reference documented for clientSecret.
    clientSecret: "clientSecret",
    tokenUrl: "https://tokenurl.com",
    // Provider-specific settings forwarded to Keycloak unchanged.
    extraConfig: {
        clientAuthMethod: "client_secret_post",
    },
};
const realmIdentityProvider = new keycloak.oidc.IdentityProvider("realmIdentityProvider", idpArgs);
resources:
  # The realm that owns the identity provider.
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  # OIDC identity provider registered in the realm above.
  realmIdentityProvider:
    type: keycloak:oidc:IdentityProvider
    properties:
      realm: ${realm.id}
      alias: my-idp
      authorizationUrl: https://authorizationurl.com
      clientId: clientID
      # Placeholder literal; in a real program supply the secret from Pulumi config
      # (marked secret) or with the $${vault.ID} reference documented for clientSecret.
      clientSecret: clientSecret
      tokenUrl: https://tokenurl.com
      # Provider-specific settings forwarded to Keycloak unchanged.
      extraConfig:
        clientAuthMethod: client_secret_post

Create IdentityProvider Resource

new IdentityProvider(name: string, args: IdentityProviderArgs, opts?: CustomResourceOptions);
@overload
def IdentityProvider(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     accepts_prompt_none_forward_from_client: Optional[bool] = None,
                     add_read_token_role_on_create: Optional[bool] = None,
                     alias: Optional[str] = None,
                     authenticate_by_default: Optional[bool] = None,
                     authorization_url: Optional[str] = None,
                     backchannel_supported: Optional[bool] = None,
                     client_id: Optional[str] = None,
                     client_secret: Optional[str] = None,
                     default_scopes: Optional[str] = None,
                     disable_user_info: Optional[bool] = None,
                     display_name: Optional[str] = None,
                     enabled: Optional[bool] = None,
                     extra_config: Optional[Mapping[str, Any]] = None,
                     first_broker_login_flow_alias: Optional[str] = None,
                     gui_order: Optional[str] = None,
                     hide_on_login_page: Optional[bool] = None,
                     issuer: Optional[str] = None,
                     jwks_url: Optional[str] = None,
                     link_only: Optional[bool] = None,
                     login_hint: Optional[str] = None,
                     logout_url: Optional[str] = None,
                     post_broker_login_flow_alias: Optional[str] = None,
                     provider_id: Optional[str] = None,
                     realm: Optional[str] = None,
                     store_token: Optional[bool] = None,
                     sync_mode: Optional[str] = None,
                     token_url: Optional[str] = None,
                     trust_email: Optional[bool] = None,
                     ui_locales: Optional[bool] = None,
                     user_info_url: Optional[str] = None,
                     validate_signature: Optional[bool] = None)
@overload
def IdentityProvider(resource_name: str,
                     args: IdentityProviderArgs,
                     opts: Optional[ResourceOptions] = None)
func NewIdentityProvider(ctx *Context, name string, args IdentityProviderArgs, opts ...ResourceOption) (*IdentityProvider, error)
public IdentityProvider(string name, IdentityProviderArgs args, CustomResourceOptions? opts = null)
public IdentityProvider(String name, IdentityProviderArgs args)
public IdentityProvider(String name, IdentityProviderArgs args, CustomResourceOptions options)
type: keycloak:oidc:IdentityProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args IdentityProviderArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args IdentityProviderArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args IdentityProviderArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args IdentityProviderArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args IdentityProviderArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

IdentityProvider Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The IdentityProvider resource accepts the following input properties:

Alias string

The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

AuthorizationUrl string

The Authorization Url.

ClientId string

The client or client identifier registered within the identity provider.

ClientSecret string

The client secret registered within the identity provider. This field can obtain its value from vault; use the $${vault.ID} format so the secret is not stored as a literal in your program.

Realm string

The name of the realm. This is unique across Keycloak.

TokenUrl string

The Token URL.

AcceptsPromptNoneForwardFromClient bool

When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

AddReadTokenRoleOnCreate bool

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

AuthenticateByDefault bool

Enable/disable authenticating users by default.

BackchannelSupported bool

Does the external IDP support backchannel logout? Defaults to true.

DefaultScopes string

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

DisableUserInfo bool

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

DisplayName string

Display name for the identity provider in the GUI.

Enabled bool

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

ExtraConfig Dictionary<string, object>
FirstBrokerLoginFlowAlias string

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

GuiOrder string

A number defining the order of this identity provider in the GUI.

HideOnLoginPage bool

When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

Issuer string

The issuer identifier for the issuer of the response. If not provided, no validation will be performed.

JwksUrl string

JSON Web Key Set URL.

LinkOnly bool

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

LoginHint string

Pass login hint to identity provider.

LogoutUrl string

The Logout URL is the end session endpoint to use to logout user from external identity provider.

PostBrokerLoginFlowAlias string

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

ProviderId string

The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

StoreToken bool

When true, tokens will be stored after authenticating users. Defaults to true.

SyncMode string

The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

TrustEmail bool

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

UiLocales bool

Pass current locale to identity provider. Defaults to false.

UserInfoUrl string

User Info URL.

ValidateSignature bool

Enable/disable validation of the signatures on responses from the external IDP. Defaults to false, meaning those signatures are not checked unless this is enabled.

Alias string

The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

AuthorizationUrl string

The Authorization Url.

ClientId string

The client or client identifier registered within the identity provider.

ClientSecret string

The client secret registered within the identity provider. This field can obtain its value from vault; use the $${vault.ID} format so the secret is not stored as a literal in your program.

Realm string

The name of the realm. This is unique across Keycloak.

TokenUrl string

The Token URL.

AcceptsPromptNoneForwardFromClient bool

When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

AddReadTokenRoleOnCreate bool

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

AuthenticateByDefault bool

Enable/disable authenticating users by default.

BackchannelSupported bool

Does the external IDP support backchannel logout? Defaults to true.

DefaultScopes string

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

DisableUserInfo bool

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

DisplayName string

Display name for the identity provider in the GUI.

Enabled bool

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

ExtraConfig map[string]interface{}
FirstBrokerLoginFlowAlias string

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

GuiOrder string

A number defining the order of this identity provider in the GUI.

HideOnLoginPage bool

When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

Issuer string

The issuer identifier for the issuer of the response. If not provided, no validation will be performed.

JwksUrl string

JSON Web Key Set URL.

LinkOnly bool

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

LoginHint string

Pass login hint to identity provider.

LogoutUrl string

The Logout URL is the end session endpoint to use to logout user from external identity provider.

PostBrokerLoginFlowAlias string

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

ProviderId string

The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

StoreToken bool

When true, tokens will be stored after authenticating users. Defaults to true.

SyncMode string

The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

TrustEmail bool

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

UiLocales bool

Pass current locale to identity provider. Defaults to false.

UserInfoUrl string

User Info URL.

ValidateSignature bool

Enable/disable validation of the signatures on responses from the external IDP. Defaults to false, meaning those signatures are not checked unless this is enabled.

alias String

The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

authorizationUrl String

The Authorization Url.

clientId String

The client or client identifier registered within the identity provider.

clientSecret String

The client secret registered within the identity provider. This field can obtain its value from vault; use the $${vault.ID} format so the secret is not stored as a literal in your program.

realm String

The name of the realm. This is unique across Keycloak.

tokenUrl String

The Token URL.

acceptsPromptNoneForwardFromClient Boolean

When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

addReadTokenRoleOnCreate Boolean

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

authenticateByDefault Boolean

Enable/disable authenticating users by default.

backchannelSupported Boolean

Does the external IDP support backchannel logout? Defaults to true.

defaultScopes String

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

disableUserInfo Boolean

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

displayName String

Display name for the identity provider in the GUI.

enabled Boolean

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

extraConfig Map<String,Object>
firstBrokerLoginFlowAlias String

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

guiOrder String

A number defining the order of this identity provider in the GUI.

hideOnLoginPage Boolean

When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

issuer String

The issuer identifier for the issuer of the response. If not provided, no validation will be performed.

jwksUrl String

JSON Web Key Set URL.

linkOnly Boolean

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

loginHint String

Pass login hint to identity provider.

logoutUrl String

The Logout URL is the end session endpoint to use to logout user from external identity provider.

postBrokerLoginFlowAlias String

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

providerId String

The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

storeToken Boolean

When true, tokens will be stored after authenticating users. Defaults to true.

syncMode String

The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

trustEmail Boolean

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

uiLocales Boolean

Pass current locale to identity provider. Defaults to false.

userInfoUrl String

User Info URL.

validateSignature Boolean

Enable/disable validation of the signatures on responses from the external IDP. Defaults to false, meaning those signatures are not checked unless this is enabled.

alias string

The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

authorizationUrl string

The Authorization Url.

clientId string

The client or client identifier registered within the identity provider.

clientSecret string

The client secret registered within the identity provider. This field can obtain its value from vault; use the $${vault.ID} format so the secret is not stored as a literal in your program.

realm string

The name of the realm. This is unique across Keycloak.

tokenUrl string

The Token URL.

acceptsPromptNoneForwardFromClient boolean

When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

addReadTokenRoleOnCreate boolean

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

authenticateByDefault boolean

Enable/disable authenticating users by default.

backchannelSupported boolean

Does the external IDP support backchannel logout? Defaults to true.

defaultScopes string

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

disableUserInfo boolean

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

displayName string

Display name for the identity provider in the GUI.

enabled boolean

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

extraConfig {[key: string]: any}
firstBrokerLoginFlowAlias string

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

guiOrder string

A number defining the order of this identity provider in the GUI.

hideOnLoginPage boolean

When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

issuer string

The issuer identifier for the issuer of the response. If not provided, no validation will be performed.

jwksUrl string

JSON Web Key Set URL.

linkOnly boolean

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

loginHint string

Pass login hint to identity provider.

logoutUrl string

The Logout URL is the end session endpoint to use to logout user from external identity provider.

postBrokerLoginFlowAlias string

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

providerId string

The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

storeToken boolean

When true, tokens will be stored after authenticating users. Defaults to true.

syncMode string

The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

trustEmail boolean

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

uiLocales boolean

Pass current locale to identity provider. Defaults to false.

userInfoUrl string

User Info URL.

validateSignature boolean

Enable/disable validation of the signatures on responses from the external IDP. Defaults to false, meaning those signatures are not checked unless this is enabled.

alias str

The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

authorization_url str

The Authorization Url.

client_id str

The client or client identifier registered within the identity provider.

client_secret str

The client secret registered within the identity provider. This field can obtain its value from vault; use the $${vault.ID} format so the secret is not stored as a literal in your program.

realm str

The name of the realm. This is unique across Keycloak.

token_url str

The Token URL.

accepts_prompt_none_forward_from_client bool

When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

add_read_token_role_on_create bool

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

authenticate_by_default bool

Enable/disable authenticating users by default.

backchannel_supported bool

Does the external IDP support backchannel logout? Defaults to true.

default_scopes str

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

disable_user_info bool

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

display_name str

Display name for the identity provider in the GUI.

enabled bool

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

extra_config Mapping[str, Any]
first_broker_login_flow_alias str

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

gui_order str

A number defining the order of this identity provider in the GUI.

hide_on_login_page bool

When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

issuer str

The issuer identifier for the issuer of the response. If not provided, no validation will be performed.

jwks_url str

JSON Web Key Set URL.

link_only bool

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

login_hint str

Pass login hint to identity provider.

logout_url str

The Logout URL is the end session endpoint to use to logout user from external identity provider.

post_broker_login_flow_alias str

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

provider_id str

The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

store_token bool

When true, tokens will be stored after authenticating users. Defaults to true.

sync_mode str

The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

trust_email bool

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

ui_locales bool

Pass current locale to identity provider. Defaults to false.

user_info_url str

User Info URL.

validate_signature bool

Enable/disable validation of the signatures on responses from the external IDP. Defaults to false, meaning those signatures are not checked unless this is enabled.

alias String

The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

authorizationUrl String

The Authorization Url.

clientId String

The client or client identifier registered within the identity provider.

clientSecret String

The client secret registered within the identity provider. This field can obtain its value from vault; use the $${vault.ID} format so the secret is not stored as a literal in your program.

realm String

The name of the realm. This is unique across Keycloak.

tokenUrl String

The Token URL.

acceptsPromptNoneForwardFromClient Boolean

When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

addReadTokenRoleOnCreate Boolean

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

authenticateByDefault Boolean

Enable/disable authenticating users by default.

backchannelSupported Boolean

Does the external IDP support backchannel logout? Defaults to true.

defaultScopes String

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

disableUserInfo Boolean

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

displayName String

Display name for the identity provider in the GUI.

enabled Boolean

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

extraConfig Map<Any>
firstBrokerLoginFlowAlias String

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

guiOrder String

A number defining the order of this identity provider in the GUI.

hideOnLoginPage Boolean

When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

issuer String

The issuer identifier for the issuer of the response. If not provided, no validation will be performed.

jwksUrl String

JSON Web Key Set URL.

linkOnly Boolean

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

loginHint String

Pass login hint to identity provider.

logoutUrl String

The Logout URL is the end session endpoint to use to logout user from external identity provider.

postBrokerLoginFlowAlias String

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

providerId String

The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

storeToken Boolean

When true, tokens will be stored after authenticating users. Defaults to true.

syncMode String

The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

trustEmail Boolean

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

uiLocales Boolean

Pass current locale to identity provider. Defaults to false.

userInfoUrl String

User Info URL.

validateSignature Boolean

Enable/disable validation of the signatures on responses from the external IDP. Defaults to false, meaning those signatures are not checked unless this is enabled.

Outputs

All input properties are implicitly available as output properties. Additionally, the IdentityProvider resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

InternalId string

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

Id string

The provider-assigned unique ID for this managed resource.

InternalId string

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

id String

The provider-assigned unique ID for this managed resource.

internalId String

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

id string

The provider-assigned unique ID for this managed resource.

internalId string

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

id str

The provider-assigned unique ID for this managed resource.

internal_id str

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

id String

The provider-assigned unique ID for this managed resource.

internalId String

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

Look up Existing IdentityProvider Resource

Get an existing IdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: IdentityProviderState, opts?: CustomResourceOptions): IdentityProvider
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        accepts_prompt_none_forward_from_client: Optional[bool] = None,
        add_read_token_role_on_create: Optional[bool] = None,
        alias: Optional[str] = None,
        authenticate_by_default: Optional[bool] = None,
        authorization_url: Optional[str] = None,
        backchannel_supported: Optional[bool] = None,
        client_id: Optional[str] = None,
        client_secret: Optional[str] = None,
        default_scopes: Optional[str] = None,
        disable_user_info: Optional[bool] = None,
        display_name: Optional[str] = None,
        enabled: Optional[bool] = None,
        extra_config: Optional[Mapping[str, Any]] = None,
        first_broker_login_flow_alias: Optional[str] = None,
        gui_order: Optional[str] = None,
        hide_on_login_page: Optional[bool] = None,
        internal_id: Optional[str] = None,
        issuer: Optional[str] = None,
        jwks_url: Optional[str] = None,
        link_only: Optional[bool] = None,
        login_hint: Optional[str] = None,
        logout_url: Optional[str] = None,
        post_broker_login_flow_alias: Optional[str] = None,
        provider_id: Optional[str] = None,
        realm: Optional[str] = None,
        store_token: Optional[bool] = None,
        sync_mode: Optional[str] = None,
        token_url: Optional[str] = None,
        trust_email: Optional[bool] = None,
        ui_locales: Optional[bool] = None,
        user_info_url: Optional[str] = None,
        validate_signature: Optional[bool] = None) -> IdentityProvider
func GetIdentityProvider(ctx *Context, name string, id IDInput, state *IdentityProviderState, opts ...ResourceOption) (*IdentityProvider, error)
public static IdentityProvider Get(string name, Input<string> id, IdentityProviderState? state, CustomResourceOptions? opts = null)
public static IdentityProvider get(String name, Output<String> id, IdentityProviderState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AcceptsPromptNoneForwardFromClient bool

When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

AddReadTokenRoleOnCreate bool

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

Alias string

The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

AuthenticateByDefault bool

Enable/disable authenticate users by default.

AuthorizationUrl string

The Authorization Url.

BackchannelSupported bool

Does the external IDP support backchannel logout? Defaults to true.

ClientId string

The client or client identifier registered within the identity provider.

ClientSecret string

The client secret registered within the identity provider. This value is sensitive: it is written to Keycloak and recorded in Pulumi state, so supply it as a Pulumi secret or reference a Keycloak vault entry using the $${vault.ID} format rather than a literal.

DefaultScopes string

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

DisableUserInfo bool

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

DisplayName string

Display name for the identity provider in the GUI.

Enabled bool

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

ExtraConfig Dictionary<string, object>
FirstBrokerLoginFlowAlias string

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

GuiOrder string

A number defining the order of this identity provider in the GUI.

HideOnLoginPage bool

When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

InternalId string

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

Issuer string

The expected issuer identifier of the external identity provider; Keycloak compares it with the iss claim of the tokens it receives. If not provided, no issuer validation is performed, so set it whenever the external IdP publishes an issuer value.

JwksUrl string

JSON Web Key Set URL.

LinkOnly bool

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

LoginHint string

Pass login hint to identity provider.

LogoutUrl string

The Logout URL is the end session endpoint to use to logout user from external identity provider.

PostBrokerLoginFlowAlias string

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

ProviderId string

The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

Realm string

The name of the realm. This is unique across Keycloak.

StoreToken bool

When true, the tokens received from the external identity provider are stored after authenticating users. Defaults to true. Stored tokens become readable by users holding the broker.read-token role, so set this to false unless they are actually needed.

SyncMode string

The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

TokenUrl string

The Token URL.

TrustEmail bool

When true, email addresses for users in this provider will automatically be treated as verified regardless of the realm's email verification policy. Defaults to false. Only enable this if the external IdP itself verifies email addresses; otherwise an unverified address could be used to link to an existing local account with the same email.

UiLocales bool

Pass current locale to identity provider. Defaults to false.

UserInfoUrl string

User Info URL.

ValidateSignature bool

Enable/disable signature validation of tokens issued by the external IdP. Defaults to false, meaning token signatures are not checked; enable this and supply JwksUrl (or otherwise configure the IdP's signing key) so that forged or tampered tokens are rejected.

AcceptsPromptNoneForwardFromClient bool

When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

AddReadTokenRoleOnCreate bool

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

Alias string

The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

AuthenticateByDefault bool

Enable/disable authenticate users by default.

AuthorizationUrl string

The Authorization Url.

BackchannelSupported bool

Does the external IDP support backchannel logout? Defaults to true.

ClientId string

The client or client identifier registered within the identity provider.

ClientSecret string

The client secret registered within the identity provider. This value is sensitive: it is written to Keycloak and recorded in Pulumi state, so supply it as a Pulumi secret or reference a Keycloak vault entry using the $${vault.ID} format rather than a literal.

DefaultScopes string

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

DisableUserInfo bool

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

DisplayName string

Display name for the identity provider in the GUI.

Enabled bool

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

ExtraConfig map[string]interface{}
FirstBrokerLoginFlowAlias string

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

GuiOrder string

A number defining the order of this identity provider in the GUI.

HideOnLoginPage bool

When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

InternalId string

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

Issuer string

The expected issuer identifier of the external identity provider; Keycloak compares it with the iss claim of the tokens it receives. If not provided, no issuer validation is performed, so set it whenever the external IdP publishes an issuer value.

JwksUrl string

JSON Web Key Set URL.

LinkOnly bool

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

LoginHint string

Pass login hint to identity provider.

LogoutUrl string

The Logout URL is the end session endpoint to use to logout user from external identity provider.

PostBrokerLoginFlowAlias string

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

ProviderId string

The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

Realm string

The name of the realm. This is unique across Keycloak.

StoreToken bool

When true, the tokens received from the external identity provider are stored after authenticating users. Defaults to true. Stored tokens become readable by users holding the broker.read-token role, so set this to false unless they are actually needed.

SyncMode string

The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

TokenUrl string

The Token URL.

TrustEmail bool

When true, email addresses for users in this provider will automatically be treated as verified regardless of the realm's email verification policy. Defaults to false. Only enable this if the external IdP itself verifies email addresses; otherwise an unverified address could be used to link to an existing local account with the same email.

UiLocales bool

Pass current locale to identity provider. Defaults to false.

UserInfoUrl string

User Info URL.

ValidateSignature bool

Enable/disable signature validation of tokens issued by the external IdP. Defaults to false, meaning token signatures are not checked; enable this and supply JwksUrl (or otherwise configure the IdP's signing key) so that forged or tampered tokens are rejected.

acceptsPromptNoneForwardFromClient Boolean

When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

addReadTokenRoleOnCreate Boolean

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

alias String

The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

authenticateByDefault Boolean

Enable/disable authenticate users by default.

authorizationUrl String

The Authorization Url.

backchannelSupported Boolean

Does the external IDP support backchannel logout? Defaults to true.

clientId String

The client or client identifier registered within the identity provider.

clientSecret String

The client secret registered within the identity provider. This value is sensitive: it is written to Keycloak and recorded in Pulumi state, so supply it as a Pulumi secret or reference a Keycloak vault entry using the $${vault.ID} format rather than a literal.

defaultScopes String

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

disableUserInfo Boolean

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

displayName String

Display name for the identity provider in the GUI.

enabled Boolean

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

extraConfig Map<String,Object>
firstBrokerLoginFlowAlias String

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

guiOrder String

A number defining the order of this identity provider in the GUI.

hideOnLoginPage Boolean

When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

internalId String

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

issuer String

The expected issuer identifier of the external identity provider; Keycloak compares it with the iss claim of the tokens it receives. If not provided, no issuer validation is performed, so set it whenever the external IdP publishes an issuer value.

jwksUrl String

JSON Web Key Set URL.

linkOnly Boolean

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

loginHint String

Pass login hint to identity provider.

logoutUrl String

The Logout URL is the end session endpoint to use to logout user from external identity provider.

postBrokerLoginFlowAlias String

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

providerId String

The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

realm String

The name of the realm. This is unique across Keycloak.

storeToken Boolean

When true, the tokens received from the external identity provider are stored after authenticating users. Defaults to true. Stored tokens become readable by users holding the broker.read-token role, so set this to false unless they are actually needed.

syncMode String

The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

tokenUrl String

The Token URL.

trustEmail Boolean

When true, email addresses for users in this provider will automatically be treated as verified regardless of the realm's email verification policy. Defaults to false. Only enable this if the external IdP itself verifies email addresses; otherwise an unverified address could be used to link to an existing local account with the same email.

uiLocales Boolean

Pass current locale to identity provider. Defaults to false.

userInfoUrl String

User Info URL.

validateSignature Boolean

Enable/disable signature validation of tokens issued by the external IdP. Defaults to false, meaning token signatures are not checked; enable this and supply jwksUrl (or otherwise configure the IdP's signing key) so that forged or tampered tokens are rejected.

acceptsPromptNoneForwardFromClient boolean

When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

addReadTokenRoleOnCreate boolean

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

alias string

The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

authenticateByDefault boolean

Enable/disable authenticate users by default.

authorizationUrl string

The Authorization Url.

backchannelSupported boolean

Does the external IDP support backchannel logout? Defaults to true.

clientId string

The client or client identifier registered within the identity provider.

clientSecret string

The client secret registered within the identity provider. This value is sensitive: it is written to Keycloak and recorded in Pulumi state, so supply it as a Pulumi secret or reference a Keycloak vault entry using the $${vault.ID} format rather than a literal.

defaultScopes string

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

disableUserInfo boolean

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

displayName string

Display name for the identity provider in the GUI.

enabled boolean

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

extraConfig {[key: string]: any}
firstBrokerLoginFlowAlias string

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

guiOrder string

A number defining the order of this identity provider in the GUI.

hideOnLoginPage boolean

When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

internalId string

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

issuer string

The expected issuer identifier of the external identity provider; Keycloak compares it with the iss claim of the tokens it receives. If not provided, no issuer validation is performed, so set it whenever the external IdP publishes an issuer value.

jwksUrl string

JSON Web Key Set URL.

linkOnly boolean

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

loginHint string

Pass login hint to identity provider.

logoutUrl string

The Logout URL is the end session endpoint to use to logout user from external identity provider.

postBrokerLoginFlowAlias string

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

providerId string

The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

realm string

The name of the realm. This is unique across Keycloak.

storeToken boolean

When true, the tokens received from the external identity provider are stored after authenticating users. Defaults to true. Stored tokens become readable by users holding the broker.read-token role, so set this to false unless they are actually needed.

syncMode string

The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

tokenUrl string

The Token URL.

trustEmail boolean

When true, email addresses for users in this provider will automatically be treated as verified regardless of the realm's email verification policy. Defaults to false. Only enable this if the external IdP itself verifies email addresses; otherwise an unverified address could be used to link to an existing local account with the same email.

uiLocales boolean

Pass current locale to identity provider. Defaults to false.

userInfoUrl string

User Info URL.

validateSignature boolean

Enable/disable signature validation of tokens issued by the external IdP. Defaults to false, meaning token signatures are not checked; enable this and supply jwksUrl (or otherwise configure the IdP's signing key) so that forged or tampered tokens are rejected.

accepts_prompt_none_forward_from_client bool

When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

add_read_token_role_on_create bool

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

alias str

The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

authenticate_by_default bool

Enable/disable authenticate users by default.

authorization_url str

The Authorization Url.

backchannel_supported bool

Does the external IDP support backchannel logout? Defaults to true.

client_id str

The client or client identifier registered within the identity provider.

client_secret str

The client secret registered within the identity provider. This value is sensitive: it is written to Keycloak and recorded in Pulumi state, so supply it as a Pulumi secret or reference a Keycloak vault entry using the $${vault.ID} format rather than a literal.

default_scopes str

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

disable_user_info bool

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

display_name str

Display name for the identity provider in the GUI.

enabled bool

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

extra_config Mapping[str, Any]
first_broker_login_flow_alias str

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

gui_order str

A number defining the order of this identity provider in the GUI.

hide_on_login_page bool

When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

internal_id str

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

issuer str

The expected issuer identifier of the external identity provider; Keycloak compares it with the iss claim of the tokens it receives. If not provided, no issuer validation is performed, so set it whenever the external IdP publishes an issuer value.

jwks_url str

JSON Web Key Set URL.

link_only bool

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

login_hint str

Pass login hint to identity provider.

logout_url str

The Logout URL is the end session endpoint to use to logout user from external identity provider.

post_broker_login_flow_alias str

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

provider_id str

The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

realm str

The name of the realm. This is unique across Keycloak.

store_token bool

When true, the tokens received from the external identity provider are stored after authenticating users. Defaults to true. Stored tokens become readable by users holding the broker.read-token role, so set this to false unless they are actually needed.

sync_mode str

The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

token_url str

The Token URL.

trust_email bool

When true, email addresses for users in this provider will automatically be treated as verified regardless of the realm's email verification policy. Defaults to false. Only enable this if the external IdP itself verifies email addresses; otherwise an unverified address could be used to link to an existing local account with the same email.

ui_locales bool

Pass current locale to identity provider. Defaults to false.

user_info_url str

User Info URL.

validate_signature bool

Enable/disable signature validation of tokens issued by the external IdP. Defaults to false, meaning token signatures are not checked; enable this and supply jwks_url (or otherwise configure the IdP's signing key) so that forged or tampered tokens are rejected.

acceptsPromptNoneForwardFromClient Boolean

When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.

addReadTokenRoleOnCreate Boolean

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

alias String

The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

authenticateByDefault Boolean

Enable/disable authenticate users by default.

authorizationUrl String

The Authorization Url.

backchannelSupported Boolean

Does the external IDP support backchannel logout? Defaults to true.

clientId String

The client or client identifier registered within the identity provider.

clientSecret String

The client secret registered within the identity provider. This value is sensitive: it is written to Keycloak and recorded in Pulumi state, so supply it as a Pulumi secret or reference a Keycloak vault entry using the $${vault.ID} format rather than a literal.

defaultScopes String

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

disableUserInfo Boolean

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

displayName String

Display name for the identity provider in the GUI.

enabled Boolean

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

extraConfig Map<Any>
firstBrokerLoginFlowAlias String

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

guiOrder String

A number defining the order of this identity provider in the GUI.

hideOnLoginPage Boolean

When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

internalId String

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

issuer String

The expected issuer identifier of the external identity provider; Keycloak compares it with the iss claim of the tokens it receives. If not provided, no issuer validation is performed, so set it whenever the external IdP publishes an issuer value.

jwksUrl String

JSON Web Key Set URL.

linkOnly Boolean

When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.

loginHint String

Pass login hint to identity provider.

logoutUrl String

The Logout URL is the end session endpoint to use to logout user from external identity provider.

postBrokerLoginFlowAlias String

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

providerId String

The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

realm String

The name of the realm. This is unique across Keycloak.

storeToken Boolean

When true, the tokens received from the external identity provider are stored after authenticating users. Defaults to true. Stored tokens become readable by users holding the broker.read-token role, so set this to false unless they are actually needed.

syncMode String

The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

tokenUrl String

The Token URL.

trustEmail Boolean

When true, email addresses for users in this provider will automatically be treated as verified regardless of the realm's email verification policy. Defaults to false. Only enable this if the external IdP itself verifies email addresses; otherwise an unverified address could be used to link to an existing local account with the same email.

uiLocales Boolean

Pass current locale to identity provider. Defaults to false.

userInfoUrl String

User Info URL.

validateSignature Boolean

Enable/disable signature validation of tokens issued by the external IdP. Defaults to false, meaning token signatures are not checked; enable this and supply jwksUrl (or otherwise configure the IdP's signing key) so that forged or tampered tokens are rejected.

Import

Identity providers can be imported using the format {{realm_id}}/{{idp_alias}}, where idp_alias is the identity provider alias. Example:

 $ pulumi import keycloak:oidc/identityProvider:IdentityProvider realm_identity_provider my-realm/my-idp

Package Details

Repository
Keycloak pulumi/pulumi-keycloak
License
Apache-2.0
Notes

This Pulumi package is based on the keycloak Terraform Provider.