keycloak.oidc.IdentityProvider
Allows for creating and managing OIDC Identity Providers within Keycloak.
OIDC (OpenID Connect) identity providers allow users to authenticate through a third-party system using the OIDC standard.
Example Usage
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
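return await Deployment.RunAsync(() =>
{
    // Keep the IdP client secret out of source control: read it from stack config
    // as a secret (set with `pulumi config set --secret clientSecret <value>`)
    // instead of embedding the literal in the program.
    var config = new Config();
    var clientSecret = config.RequireSecret("clientSecret");

    // The realm the identity provider is attached to.
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });

    // OIDC identity provider; Realm is taken from the realm resource's output so
    // Pulumi orders the two resources correctly.
    var realmIdentityProvider = new Keycloak.Oidc.IdentityProvider("realmIdentityProvider", new()
    {
        Realm = realm.Id,
        Alias = "my-idp",
        AuthorizationUrl = "https://authorizationurl.com",
        ClientId = "clientID",
        ClientSecret = clientSecret,
        TokenUrl = "https://tokenurl.com",
        ExtraConfig =
        {
            { "clientAuthMethod", "client_secret_post" },
        },
    });
});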
package main
import (
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/oidc"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)
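// main creates a realm and an OIDC identity provider inside it. The IdP client
// secret is read from stack config as a secret rather than hard-coded.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Keep the client secret out of source control: read it from stack config
		// as a secret (set with `pulumi config set --secret clientSecret <value>`).
		cfg := config.New(ctx, "")
		clientSecret := cfg.RequireSecret("clientSecret")

		// The realm the identity provider is attached to.
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}

		// Realm is taken from the realm resource's output so Pulumi orders the
		// two resources correctly.
		_, err = oidc.NewIdentityProvider(ctx, "realmIdentityProvider", &oidc.IdentityProviderArgs{
			Realm:            realm.ID(),
			Alias:            pulumi.String("my-idp"),
			AuthorizationUrl: pulumi.String("https://authorizationurl.com"),
			ClientId:         pulumi.String("clientID"),
			ClientSecret:     clientSecret,
			TokenUrl:         pulumi.String("https://tokenurl.com"),
			ExtraConfig: pulumi.AnyMap{
				"clientAuthMethod": pulumi.Any("client_secret_post"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}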
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.oidc.IdentityProvider;
import com.pulumi.keycloak.oidc.IdentityProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
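public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Creates a realm and an OIDC identity provider inside it.
     * The IdP client secret is read from stack config as a secret rather than
     * hard-coded in the program.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // Keep the client secret out of source control: read it from stack config
        // as a secret (set with `pulumi config set --secret clientSecret <value>`).
        Output<String> clientSecret = ctx.config().requireSecret("clientSecret");

        // The realm the identity provider is attached to.
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());

        // realm(...) takes the realm resource's output so Pulumi orders the
        // two resources correctly.
        var realmIdentityProvider = new IdentityProvider("realmIdentityProvider", IdentityProviderArgs.builder()
            .realm(realm.id())
            .alias("my-idp")
            .authorizationUrl("https://authorizationurl.com")
            .clientId("clientID")
            .clientSecret(clientSecret)
            .tokenUrl("https://tokenurl.com")
            .extraConfig(Map.of("clientAuthMethod", "client_secret_post"))
            .build());
    }
}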
import pulumi
import pulumi_keycloak as keycloak
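# Keep the IdP client secret out of source control: read it from stack config
# as a secret (set with `pulumi config set --secret clientSecret <value>`)
# instead of embedding the literal in the program.
config = pulumi.Config()
client_secret = config.require_secret("clientSecret")

# The realm the identity provider is attached to.
realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)

# realm= takes the realm resource's output so Pulumi orders the two resources correctly.
realm_identity_provider = keycloak.oidc.IdentityProvider("realmIdentityProvider",
    realm=realm.id,
    alias="my-idp",
    authorization_url="https://authorizationurl.com",
    client_id="clientID",
    client_secret=client_secret,
    token_url="https://tokenurl.com",
    extra_config={
        "clientAuthMethod": "client_secret_post",
    })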
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
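// Keep the IdP client secret out of source control: read it from stack config
// as a secret (set with `pulumi config set --secret clientSecret <value>`)
// instead of embedding the literal in the program.
const config = new pulumi.Config();
const clientSecret = config.requireSecret("clientSecret");

// The realm the identity provider is attached to.
const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});

// `realm` takes the realm resource's output so Pulumi orders the two resources correctly.
const realmIdentityProvider = new keycloak.oidc.IdentityProvider("realmIdentityProvider", {
    realm: realm.id,
    alias: "my-idp",
    authorizationUrl: "https://authorizationurl.com",
    clientId: "clientID",
    clientSecret: clientSecret,
    tokenUrl: "https://tokenurl.com",
    extraConfig: {
        clientAuthMethod: "client_secret_post",
    },
});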
resources:
  # The realm the identity provider is attached to.
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  # OIDC identity provider; `realm` references the realm resource's output so
  # Pulumi orders the two resources correctly.
  realmIdentityProvider:
    type: keycloak:oidc:IdentityProvider
    properties:
      realm: ${realm.id}
      alias: my-idp
      authorizationUrl: https://authorizationurl.com
      clientId: clientID
      # NOTE(review): a literal client secret here ends up in source control; prefer a
      # stack config value set with `pulumi config set --secret clientSecret <value>`
      # and reference it from this property instead.
      clientSecret: clientSecret
      tokenUrl: https://tokenurl.com
      extraConfig:
        clientAuthMethod: client_secret_post
Create IdentityProvider Resource
new IdentityProvider(name: string, args: IdentityProviderArgs, opts?: CustomResourceOptions);
@overload
def IdentityProvider(resource_name: str,
opts: Optional[ResourceOptions] = None,
accepts_prompt_none_forward_from_client: Optional[bool] = None,
add_read_token_role_on_create: Optional[bool] = None,
alias: Optional[str] = None,
authenticate_by_default: Optional[bool] = None,
authorization_url: Optional[str] = None,
backchannel_supported: Optional[bool] = None,
client_id: Optional[str] = None,
client_secret: Optional[str] = None,
default_scopes: Optional[str] = None,
disable_user_info: Optional[bool] = None,
display_name: Optional[str] = None,
enabled: Optional[bool] = None,
extra_config: Optional[Mapping[str, Any]] = None,
first_broker_login_flow_alias: Optional[str] = None,
gui_order: Optional[str] = None,
hide_on_login_page: Optional[bool] = None,
issuer: Optional[str] = None,
jwks_url: Optional[str] = None,
link_only: Optional[bool] = None,
login_hint: Optional[str] = None,
logout_url: Optional[str] = None,
post_broker_login_flow_alias: Optional[str] = None,
provider_id: Optional[str] = None,
realm: Optional[str] = None,
store_token: Optional[bool] = None,
sync_mode: Optional[str] = None,
token_url: Optional[str] = None,
trust_email: Optional[bool] = None,
ui_locales: Optional[bool] = None,
user_info_url: Optional[str] = None,
validate_signature: Optional[bool] = None)
@overload
def IdentityProvider(resource_name: str,
args: IdentityProviderArgs,
opts: Optional[ResourceOptions] = None)
func NewIdentityProvider(ctx *Context, name string, args IdentityProviderArgs, opts ...ResourceOption) (*IdentityProvider, error)
public IdentityProvider(string name, IdentityProviderArgs args, CustomResourceOptions? opts = null)
public IdentityProvider(String name, IdentityProviderArgs args)
public IdentityProvider(String name, IdentityProviderArgs args, CustomResourceOptions options)
type: keycloak:oidc:IdentityProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
IdentityProvider Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The IdentityProvider resource accepts the following input properties:
- Alias string
The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- string
The Authorization Url.
- Client
Id string The client or client identifier registered within the identity provider.
- Client
Secret string The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- Realm string
The name of the realm. This is unique across Keycloak.
- Token
Url string The Token URL.
- Accepts
Prompt boolNone Forward From Client When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
.- Add
Read boolToken Role On Create When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
.- Authenticate
By boolDefault Enable/disable authenticate users by default.
- Backchannel
Supported bool Does the external IDP support backchannel logout? Defaults to
true
.- Default
Scopes string The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
.- Disable
User boolInfo When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
.- Display
Name string Display name for the identity provider in the GUI.
- Enabled bool
When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
.- Extra
Config Dictionary<string, object> - First
Broker stringLogin Flow Alias The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
.- Gui
Order string A number defining the order of this identity provider in the GUI.
- Hide
On boolLogin Page When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
.- Issuer string
The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- Jwks
Url string JSON Web Key Set URL.
- Link
Only bool When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
.- Login
Hint string Pass login hint to identity provider.
- Logout
Url string The Logout URL is the end session endpoint to use to logout user from external identity provider.
- Post
Broker stringLogin Flow Alias The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- Provider
Id string The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation.- Store
Token bool When
true
, tokens will be stored after authenticating users. Defaults totrue
.- Sync
Mode string The default sync mode to use for all mappers attached to this identity provider. Can be one of
IMPORT
,FORCE
, orLEGACY
.- Trust
Email bool When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
.- Ui
Locales bool Pass current locale to identity provider. Defaults to
false
.- User
Info stringUrl User Info URL.
- Validate
Signature bool Enable/disable signature validation of external IDP signatures. Defaults to false, so signatures are not validated unless this is explicitly enabled.
- Alias string
The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- string
The Authorization Url.
- Client
Id string The client or client identifier registered within the identity provider.
- Client
Secret string The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- Realm string
The name of the realm. This is unique across Keycloak.
- Token
Url string The Token URL.
- Accepts
Prompt boolNone Forward From Client When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
.- Add
Read boolToken Role On Create When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
.- Authenticate
By boolDefault Enable/disable authenticate users by default.
- Backchannel
Supported bool Does the external IDP support backchannel logout? Defaults to
true
.- Default
Scopes string The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
.- Disable
User boolInfo When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
.- Display
Name string Display name for the identity provider in the GUI.
- Enabled bool
When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
.- Extra
Config map[string]interface{} - First
Broker stringLogin Flow Alias The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
.- Gui
Order string A number defining the order of this identity provider in the GUI.
- Hide
On boolLogin Page When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
.- Issuer string
The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- Jwks
Url string JSON Web Key Set URL.
- Link
Only bool When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
.- Login
Hint string Pass login hint to identity provider.
- Logout
Url string The Logout URL is the end session endpoint to use to logout user from external identity provider.
- Post
Broker stringLogin Flow Alias The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- Provider
Id string The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation.- Store
Token bool When
true
, tokens will be stored after authenticating users. Defaults totrue
.- Sync
Mode string The default sync mode to use for all mappers attached to this identity provider. Can be one of
IMPORT
,FORCE
, orLEGACY
.- Trust
Email bool When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
.- Ui
Locales bool Pass current locale to identity provider. Defaults to
false
.- User
Info stringUrl User Info URL.
- Validate
Signature bool Enable/disable signature validation of external IDP signatures. Defaults to false, so signatures are not validated unless this is explicitly enabled.
- alias String
The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- String
The Authorization Url.
- client
Id String The client or client identifier registered within the identity provider.
- client
Secret String The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- realm String
The name of the realm. This is unique across Keycloak.
- token
Url String The Token URL.
- accepts
Prompt BooleanNone Forward From Client When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
.- add
Read BooleanToken Role On Create When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
.- authenticate
By BooleanDefault Enable/disable authenticate users by default.
- backchannel
Supported Boolean Does the external IDP support backchannel logout? Defaults to
true
.- default
Scopes String The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
.- disable
User BooleanInfo When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
.- display
Name String Display name for the identity provider in the GUI.
- enabled Boolean
When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
.- extra
Config Map<String,Object> - first
Broker StringLogin Flow Alias The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
.- gui
Order String A number defining the order of this identity provider in the GUI.
- hide
On BooleanLogin Page When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
.- issuer String
The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- jwks
Url String JSON Web Key Set URL.
- link
Only Boolean When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
.- login
Hint String Pass login hint to identity provider.
- logout
Url String The Logout URL is the end session endpoint to use to logout user from external identity provider.
- post
Broker StringLogin Flow Alias The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider
Id String The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation.- store
Token Boolean When
true
, tokens will be stored after authenticating users. Defaults totrue
.- sync
Mode String The default sync mode to use for all mappers attached to this identity provider. Can be one of
IMPORT
,FORCE
, orLEGACY
.- trust
Email Boolean When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
.- ui
Locales Boolean Pass current locale to identity provider. Defaults to
false
.- user
Info StringUrl User Info URL.
- validate
Signature Boolean Enable/disable signature validation of external IDP signatures. Defaults to false, so signatures are not validated unless this is explicitly enabled.
- alias string
The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- string
The Authorization Url.
- client
Id string The client or client identifier registered within the identity provider.
- client
Secret string The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- realm string
The name of the realm. This is unique across Keycloak.
- token
Url string The Token URL.
- accepts
Prompt booleanNone Forward From Client When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
.- add
Read booleanToken Role On Create When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
.- authenticate
By booleanDefault Enable/disable authenticate users by default.
- backchannel
Supported boolean Does the external IDP support backchannel logout? Defaults to
true
.- default
Scopes string The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
.- disable
User booleanInfo When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
.- display
Name string Display name for the identity provider in the GUI.
- enabled boolean
When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
.- extra
Config {[key: string]: any} - first
Broker stringLogin Flow Alias The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
.- gui
Order string A number defining the order of this identity provider in the GUI.
- hide
On booleanLogin Page When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
.- issuer string
The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- jwks
Url string JSON Web Key Set URL.
- link
Only boolean When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
.- login
Hint string Pass login hint to identity provider.
- logout
Url string The Logout URL is the end session endpoint to use to logout user from external identity provider.
- post
Broker stringLogin Flow Alias The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider
Id string The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation.- store
Token boolean When
true
, tokens will be stored after authenticating users. Defaults totrue
.- sync
Mode string The default sync mode to use for all mappers attached to this identity provider. Can be one of
IMPORT
,FORCE
, orLEGACY
.- trust
Email boolean When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
.- ui
Locales boolean Pass current locale to identity provider. Defaults to
false
.- user
Info stringUrl User Info URL.
- validate
Signature boolean Enable/disable signature validation of external IDP signatures. Defaults to false, so signatures are not validated unless this is explicitly enabled.
- alias str
The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- str
The Authorization Url.
- client_
id str The client or client identifier registered within the identity provider.
- client_
secret str The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- realm str
The name of the realm. This is unique across Keycloak.
- token_
url str The Token URL.
- accepts_
prompt_ boolnone_ forward_ from_ client When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
.- add_
read_ booltoken_ role_ on_ create When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
.- authenticate_
by_ booldefault Enable/disable authenticate users by default.
- backchannel_
supported bool Does the external IDP support backchannel logout? Defaults to
true
.- default_
scopes str The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
.- disable_
user_ boolinfo When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
.- display_
name str Display name for the identity provider in the GUI.
- enabled bool
When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
.- extra_
config Mapping[str, Any] - first_
broker_ strlogin_ flow_ alias The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
.- gui_
order str A number defining the order of this identity provider in the GUI.
- hide_
on_ boollogin_ page When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
.- issuer str
The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- jwks_
url str JSON Web Key Set URL.
- link_
only bool When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
.- login_
hint str Pass login hint to identity provider.
- logout_
url str The Logout URL is the end session endpoint to use to logout user from external identity provider.
- post_
broker_ strlogin_ flow_ alias The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider_
id str The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation.- store_
token bool When
true
, tokens will be stored after authenticating users. Defaults totrue
.- sync_
mode str The default sync mode to use for all mappers attached to this identity provider. Can be one of
IMPORT
,FORCE
, orLEGACY
.- trust_
email bool When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
.- ui_
locales bool Pass current locale to identity provider. Defaults to
false
.- user_
info_ strurl User Info URL.
- validate_
signature bool Enable/disable signature validation of external IDP signatures. Defaults to false, so signatures are not validated unless this is explicitly enabled.
- alias String
The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- String
The Authorization Url.
- client
Id String The client or client identifier registered within the identity provider.
- client
Secret String The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
- realm String
The name of the realm. This is unique across Keycloak.
- token
Url String The Token URL.
- accepts
Prompt BooleanNone Forward From Client When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
.- add
Read BooleanToken Role On Create When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
.- authenticate
By BooleanDefault Enable/disable authenticate users by default.
- backchannel
Supported Boolean Does the external IDP support backchannel logout? Defaults to
true
.- default
Scopes String The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
.- disable
User BooleanInfo When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
.- display
Name String Display name for the identity provider in the GUI.
- enabled Boolean
When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
.- extra
Config Map<Any> - first
Broker StringLogin Flow Alias The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
.- gui
Order String A number defining the order of this identity provider in the GUI.
- hide
On BooleanLogin Page When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
.- issuer String
The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- jwks
Url String JSON Web Key Set URL.
- link
Only Boolean When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
.- login
Hint String Pass login hint to identity provider.
- logout
Url String The Logout URL is the end session endpoint to use to logout user from external identity provider.
- post
Broker StringLogin Flow Alias The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider
Id String The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation.- store
Token Boolean When
true
, tokens will be stored after authenticating users. Defaults totrue
.- sync
Mode String The default sync mode to use for all mappers attached to this identity provider. Can be one of
IMPORT
,FORCE
, orLEGACY
.- trust
Email Boolean When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
.- ui
Locales Boolean Pass current locale to identity provider. Defaults to
false
.- user
Info StringUrl User Info URL.
- validate
Signature Boolean Enable/disable signature validation of external IDP signatures. Defaults to false, so signatures are not validated unless this is explicitly enabled.
Outputs
All input properties are implicitly available as output properties. Additionally, the IdentityProvider resource produces the following output properties:
- Id string
The provider-assigned unique ID for this managed resource.
- Internal
Id string (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- Id string
The provider-assigned unique ID for this managed resource.
- Internal
Id string (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- id String
The provider-assigned unique ID for this managed resource.
- internal
Id String (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- id string
The provider-assigned unique ID for this managed resource.
- internal
Id string (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- id str
The provider-assigned unique ID for this managed resource.
- internal_
id str (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- id String
The provider-assigned unique ID for this managed resource.
- internal
Id String (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
Look up Existing IdentityProvider Resource
Get an existing IdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: IdentityProviderState, opts?: CustomResourceOptions): IdentityProvider
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
accepts_prompt_none_forward_from_client: Optional[bool] = None,
add_read_token_role_on_create: Optional[bool] = None,
alias: Optional[str] = None,
authenticate_by_default: Optional[bool] = None,
authorization_url: Optional[str] = None,
backchannel_supported: Optional[bool] = None,
client_id: Optional[str] = None,
client_secret: Optional[str] = None,
default_scopes: Optional[str] = None,
disable_user_info: Optional[bool] = None,
display_name: Optional[str] = None,
enabled: Optional[bool] = None,
extra_config: Optional[Mapping[str, Any]] = None,
first_broker_login_flow_alias: Optional[str] = None,
gui_order: Optional[str] = None,
hide_on_login_page: Optional[bool] = None,
internal_id: Optional[str] = None,
issuer: Optional[str] = None,
jwks_url: Optional[str] = None,
link_only: Optional[bool] = None,
login_hint: Optional[str] = None,
logout_url: Optional[str] = None,
post_broker_login_flow_alias: Optional[str] = None,
provider_id: Optional[str] = None,
realm: Optional[str] = None,
store_token: Optional[bool] = None,
sync_mode: Optional[str] = None,
token_url: Optional[str] = None,
trust_email: Optional[bool] = None,
ui_locales: Optional[bool] = None,
user_info_url: Optional[str] = None,
validate_signature: Optional[bool] = None) -> IdentityProvider
func GetIdentityProvider(ctx *Context, name string, id IDInput, state *IdentityProviderState, opts ...ResourceOption) (*IdentityProvider, error)
public static IdentityProvider Get(string name, Input<string> id, IdentityProviderState? state, CustomResourceOptions? opts = null)
public static IdentityProvider get(String name, Output<String> id, IdentityProviderState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Accepts
Prompt boolNone Forward From Client When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
.- Add
Read boolToken Role On Create When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
.- Alias string
The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- Authenticate
By boolDefault Enable/disable authenticate users by default.
- AuthorizationUrl string
The Authorization URL: the external provider's OIDC authorization endpoint, to which users are redirected to authenticate.
- Backchannel
Supported bool Does the external IDP support backchannel logout? Defaults to
true
.- Client
Id string The client or client identifier registered within the identity provider.
- Client
Secret string The client secret registered within the identity provider. This is a credential: do not hard-code it in configuration that is committed to source control; this field can obtain its value from the Keycloak vault using the $${vault.ID} format.
- Default
Scopes string The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
.- Disable
User boolInfo When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
.- Display
Name string Display name for the identity provider in the GUI.
- Enabled bool
When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
.- Extra
Config Dictionary<string, object> - First
Broker stringLogin Flow Alias The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
.- Gui
Order string A number defining the order of this identity provider in the GUI.
- Hide
On boolLogin Page When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
.- Internal
Id string (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- Issuer string
The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- Jwks
Url string JSON Web Key Set URL.
- Link
Only bool When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
.- Login
Hint string Pass login hint to identity provider.
- Logout
Url string The Logout URL is the end session endpoint to use to logout user from external identity provider.
- Post
Broker stringLogin Flow Alias The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- Provider
Id string The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation.- Realm string
The name of the realm. This is unique across Keycloak.
- Store
Token bool When
true
, tokens issued by the external provider will be stored in Keycloak after users authenticate; stored tokens can be read by users holding the broker.read-token role (see add_read_token_role_on_create). Disable this if the external tokens are not needed downstream, so the credentials are not retained. Defaults to true
.- Sync
Mode string The default sync mode to use for all mappers attached to this identity provider. Can be one of
IMPORT
,FORCE
, orLEGACY
.- Token
Url string The Token URL.
- Trust
Email bool When
true
, email addresses for users in this provider will automatically be marked as verified regardless of the realm's email verification policy. Enable this only when the external provider itself verifies email addresses, since Keycloak will skip its own verification for these users. Defaults to false
.- Ui
Locales bool Pass current locale to identity provider. Defaults to
false
.- User
Info stringUrl User Info URL.
- Validate
Signature bool Enable/disable signature validation of the tokens returned by the external IdP. Defaults to false. Security note: while this is disabled, tokens from the external provider are accepted without their signature being checked, so a forged or tampered token is not detected by this step; set it to true and configure jwks_url (the provider's key set) so that tokens are actually verified. Issuer checking is controlled separately by the issuer property.
- Accepts
Prompt boolNone Forward From Client When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
.- Add
Read boolToken Role On Create When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
.- Alias string
The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- Authenticate
By boolDefault Enable/disable authenticate users by default.
- AuthorizationUrl string
The Authorization URL: the external provider's OIDC authorization endpoint, to which users are redirected to authenticate.
- Backchannel
Supported bool Does the external IDP support backchannel logout? Defaults to
true
.- Client
Id string The client or client identifier registered within the identity provider.
- Client
Secret string The client secret registered within the identity provider. This is a credential: do not hard-code it in configuration that is committed to source control; this field can obtain its value from the Keycloak vault using the $${vault.ID} format.
- Default
Scopes string The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
.- Disable
User boolInfo When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
.- Display
Name string Display name for the identity provider in the GUI.
- Enabled bool
When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
.- Extra
Config map[string]interface{} - First
Broker stringLogin Flow Alias The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
.- Gui
Order string A number defining the order of this identity provider in the GUI.
- Hide
On boolLogin Page When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
.- Internal
Id string (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- Issuer string
The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- Jwks
Url string JSON Web Key Set URL.
- Link
Only bool When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
.- Login
Hint string Pass login hint to identity provider.
- Logout
Url string The Logout URL is the end session endpoint to use to logout user from external identity provider.
- Post
Broker stringLogin Flow Alias The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- Provider
Id string The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation.- Realm string
The name of the realm. This is unique across Keycloak.
- Store
Token bool When
true
, tokens issued by the external provider will be stored in Keycloak after users authenticate; stored tokens can be read by users holding the broker.read-token role (see add_read_token_role_on_create). Disable this if the external tokens are not needed downstream, so the credentials are not retained. Defaults to true
.- Sync
Mode string The default sync mode to use for all mappers attached to this identity provider. Can be one of
IMPORT
,FORCE
, orLEGACY
.- Token
Url string The Token URL.
- Trust
Email bool When
true
, email addresses for users in this provider will automatically be marked as verified regardless of the realm's email verification policy. Enable this only when the external provider itself verifies email addresses, since Keycloak will skip its own verification for these users. Defaults to false
.- Ui
Locales bool Pass current locale to identity provider. Defaults to
false
.- User
Info stringUrl User Info URL.
- Validate
Signature bool Enable/disable signature validation of the tokens returned by the external IdP. Defaults to false. Security note: while this is disabled, tokens from the external provider are accepted without their signature being checked, so a forged or tampered token is not detected by this step; set it to true and configure jwks_url (the provider's key set) so that tokens are actually verified. Issuer checking is controlled separately by the issuer property.
- accepts
Prompt BooleanNone Forward From Client When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
.- add
Read BooleanToken Role On Create When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
.- alias String
The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- authenticate
By BooleanDefault Enable/disable authenticate users by default.
- authorizationUrl String
The Authorization URL: the external provider's OIDC authorization endpoint, to which users are redirected to authenticate.
- backchannel
Supported Boolean Does the external IDP support backchannel logout? Defaults to
true
.- client
Id String The client or client identifier registered within the identity provider.
- client
Secret String The client secret registered within the identity provider. This is a credential: do not hard-code it in configuration that is committed to source control; this field can obtain its value from the Keycloak vault using the $${vault.ID} format.
- default
Scopes String The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
.- disable
User BooleanInfo When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
.- display
Name String Display name for the identity provider in the GUI.
- enabled Boolean
When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
.- extra
Config Map<String,Object> - first
Broker StringLogin Flow Alias The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
.- gui
Order String A number defining the order of this identity provider in the GUI.
- hide
On BooleanLogin Page When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
.- internal
Id String (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- issuer String
The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- jwks
Url String JSON Web Key Set URL.
- link
Only Boolean When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
.- login
Hint String Pass login hint to identity provider.
- logout
Url String The Logout URL is the end session endpoint to use to logout user from external identity provider.
- post
Broker StringLogin Flow Alias The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider
Id String The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation.- realm String
The name of the realm. This is unique across Keycloak.
- store
Token Boolean When
true
, tokens issued by the external provider will be stored in Keycloak after users authenticate; stored tokens can be read by users holding the broker.read-token role (see addReadTokenRoleOnCreate). Disable this if the external tokens are not needed downstream, so the credentials are not retained. Defaults to true
.- sync
Mode String The default sync mode to use for all mappers attached to this identity provider. Can be one of
IMPORT
,FORCE
, orLEGACY
.- token
Url String The Token URL.
- trust
Email Boolean When
true
, email addresses for users in this provider will automatically be marked as verified regardless of the realm's email verification policy. Enable this only when the external provider itself verifies email addresses, since Keycloak will skip its own verification for these users. Defaults to false
.- ui
Locales Boolean Pass current locale to identity provider. Defaults to
false
.- user
Info StringUrl User Info URL.
- validate
Signature Boolean Enable/disable signature validation of the tokens returned by the external IdP. Defaults to false. Security note: while this is disabled, tokens from the external provider are accepted without their signature being checked, so a forged or tampered token is not detected by this step; set it to true and configure jwksUrl (the provider's key set) so that tokens are actually verified. Issuer checking is controlled separately by the issuer property.
- accepts
Prompt booleanNone Forward From Client When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
.- add
Read booleanToken Role On Create When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
.- alias string
The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- authenticate
By booleanDefault Enable/disable authenticate users by default.
- authorizationUrl string
The Authorization URL: the external provider's OIDC authorization endpoint, to which users are redirected to authenticate.
- backchannel
Supported boolean Does the external IDP support backchannel logout? Defaults to
true
.- client
Id string The client or client identifier registered within the identity provider.
- client
Secret string The client secret registered within the identity provider. This is a credential: do not hard-code it in configuration that is committed to source control; this field can obtain its value from the Keycloak vault using the $${vault.ID} format.
- default
Scopes string The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
.- disable
User booleanInfo When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
.- display
Name string Display name for the identity provider in the GUI.
- enabled boolean
When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
.- extra
Config {[key: string]: any} - first
Broker stringLogin Flow Alias The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
.- gui
Order string A number defining the order of this identity provider in the GUI.
- hide
On booleanLogin Page When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
.- internal
Id string (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- issuer string
The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- jwks
Url string JSON Web Key Set URL.
- link
Only boolean When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
.- login
Hint string Pass login hint to identity provider.
- logout
Url string The Logout URL is the end session endpoint to use to logout user from external identity provider.
- post
Broker stringLogin Flow Alias The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider
Id string The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation.- realm string
The name of the realm. This is unique across Keycloak.
- store
Token boolean When
true
, tokens issued by the external provider will be stored in Keycloak after users authenticate; stored tokens can be read by users holding the broker.read-token role (see addReadTokenRoleOnCreate). Disable this if the external tokens are not needed downstream, so the credentials are not retained. Defaults to true
.- sync
Mode string The default sync mode to use for all mappers attached to this identity provider. Can be one of
IMPORT
,FORCE
, orLEGACY
.- token
Url string The Token URL.
- trust
Email boolean When
true
, email addresses for users in this provider will automatically be marked as verified regardless of the realm's email verification policy. Enable this only when the external provider itself verifies email addresses, since Keycloak will skip its own verification for these users. Defaults to false
.- ui
Locales boolean Pass current locale to identity provider. Defaults to
false
.- user
Info stringUrl User Info URL.
- validate
Signature boolean Enable/disable signature validation of the tokens returned by the external IdP. Defaults to false. Security note: while this is disabled, tokens from the external provider are accepted without their signature being checked, so a forged or tampered token is not detected by this step; set it to true and configure jwksUrl (the provider's key set) so that tokens are actually verified. Issuer checking is controlled separately by the issuer property.
- accepts_
prompt_ boolnone_ forward_ from_ client When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
.- add_
read_ booltoken_ role_ on_ create When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
.- alias str
The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- authenticate_
by_ booldefault Enable/disable authenticate users by default.
- authorization_url str
The Authorization URL: the external provider's OIDC authorization endpoint, to which users are redirected to authenticate.
- backchannel_
supported bool Does the external IDP support backchannel logout? Defaults to
true
.- client_
id str The client or client identifier registered within the identity provider.
- client_
secret str The client secret registered within the identity provider. This is a credential: do not hard-code it in configuration that is committed to source control; this field can obtain its value from the Keycloak vault using the $${vault.ID} format.
- default_
scopes str The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
.- disable_
user_ boolinfo When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
.- display_
name str Display name for the identity provider in the GUI.
- enabled bool
When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
.- extra_
config Mapping[str, Any] - first_
broker_ strlogin_ flow_ alias The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
.- gui_
order str A number defining the order of this identity provider in the GUI.
- hide_
on_ boollogin_ page When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
.- internal_
id str (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- issuer str
The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- jwks_
url str JSON Web Key Set URL.
- link_
only bool When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
.- login_
hint str Pass login hint to identity provider.
- logout_
url str The Logout URL is the end session endpoint to use to logout user from external identity provider.
- post_
broker_ strlogin_ flow_ alias The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider_
id str The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation.- realm str
The name of the realm. This is unique across Keycloak.
- store_
token bool When
true
, tokens issued by the external provider will be stored in Keycloak after users authenticate; stored tokens can be read by users holding the broker.read-token role (see add_read_token_role_on_create). Disable this if the external tokens are not needed downstream, so the credentials are not retained. Defaults to true
.- sync_
mode str The default sync mode to use for all mappers attached to this identity provider. Can be one of
IMPORT
,FORCE
, orLEGACY
.- token_
url str The Token URL.
- trust_
email bool When
true
, email addresses for users in this provider will automatically be marked as verified regardless of the realm's email verification policy. Enable this only when the external provider itself verifies email addresses, since Keycloak will skip its own verification for these users. Defaults to false
.- ui_
locales bool Pass current locale to identity provider. Defaults to
false
.- user_
info_ strurl User Info URL.
- validate_
signature bool Enable/disable signature validation of the tokens returned by the external IdP. Defaults to false. Security note: while this is disabled, tokens from the external provider are accepted without their signature being checked, so a forged or tampered token is not detected by this step; set it to true and configure jwks_url (the provider's key set) so that tokens are actually verified. Issuer checking is controlled separately by the issuer property.
- accepts
Prompt BooleanNone Forward From Client When
true
, the IDP will accept forwarded authentication requests that contain theprompt=none
query parameter. Defaults tofalse
.- add
Read BooleanToken Role On Create When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
.- alias String
The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- authenticate
By BooleanDefault Enable/disable authenticate users by default.
- authorizationUrl String
The Authorization URL: the external provider's OIDC authorization endpoint, to which users are redirected to authenticate.
- backchannel
Supported Boolean Does the external IDP support backchannel logout? Defaults to
true
.- client
Id String The client or client identifier registered within the identity provider.
- client
Secret String The client secret registered within the identity provider. This is a credential: do not hard-code it in configuration that is committed to source control; this field can obtain its value from the Keycloak vault using the $${vault.ID} format.
- default
Scopes String The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to
openid
.- disable
User BooleanInfo When
true
, disables the usage of the user info service to obtain additional user information. Defaults tofalse
.- display
Name String Display name for the identity provider in the GUI.
- enabled Boolean
When
true
, users will be able to log in to this realm using this identity provider. Defaults totrue
.- extra
Config Map<Any> - first
Broker StringLogin Flow Alias The authentication flow to use when users log in for the first time through this identity provider. Defaults to
first broker login
.- gui
Order String A number defining the order of this identity provider in the GUI.
- hide
On BooleanLogin Page When
true
, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults tofalse
.- internal
Id String (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
- issuer String
The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
- jwks
Url String JSON Web Key Set URL.
- link
Only Boolean When
true
, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults tofalse
.- login
Hint String Pass login hint to identity provider.
- logout
Url String The Logout URL is the end session endpoint to use to logout user from external identity provider.
- post
Broker StringLogin Flow Alias The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
- provider
Id String The ID of the identity provider to use. Defaults to
oidc
, which should be used unless you have extended Keycloak and provided your own implementation.- realm String
The name of the realm. This is unique across Keycloak.
- store
Token Boolean When
true
, tokens issued by the external provider will be stored in Keycloak after users authenticate; stored tokens can be read by users holding the broker.read-token role (see addReadTokenRoleOnCreate). Disable this if the external tokens are not needed downstream, so the credentials are not retained. Defaults to true
.- sync
Mode String The default sync mode to use for all mappers attached to this identity provider. Can be one of
IMPORT
,FORCE
, orLEGACY
.- token
Url String The Token URL.
- trust
Email Boolean When
true
, email addresses for users in this provider will automatically be marked as verified regardless of the realm's email verification policy. Enable this only when the external provider itself verifies email addresses, since Keycloak will skip its own verification for these users. Defaults to false
.- ui
Locales Boolean Pass current locale to identity provider. Defaults to
false
.- user
Info StringUrl User Info URL.
- validate
Signature Boolean Enable/disable signature validation of the tokens returned by the external IdP. Defaults to false. Security note: while this is disabled, tokens from the external provider are accepted without their signature being checked, so a forged or tampered token is not detected by this step; set it to true and configure jwksUrl (the provider's key set) so that tokens are actually verified. Issuer checking is controlled separately by the issuer property.
Import
Identity providers can be imported using the format {{realm_id}}/{{idp_alias}}
, where idp_alias
is the identity provider alias. Example (bash):
$ pulumi import keycloak:oidc/identityProvider:IdentityProvider realm_identity_provider my-realm/my-idp
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
keycloak
Terraform Provider.