1. Packages
  2. Okta
  3. API Docs
  4. app
  5. OAuth
Okta v4.8.0 published on Saturday, Mar 2, 2024 by Pulumi

okta.app.OAuth

Explore with Pulumi AI

okta logo
Okta v4.8.0 published on Saturday, Mar 2, 2024 by Pulumi

    This resource allows you to create and configure an OIDC Application.

    During an apply if there is change in status the app will first be activated or deactivated in accordance with the status change. Then, all other arguments that changed will be applied.

    Etc.

    Resetting client secret

    If the client secret needs to be reset run an apply with omit_secret set to true in the resource. This causes client_secret to be set to blank. Remove omit_secret and run apply again. The resource will set a new client_secret for the app.

    Private Keys

    The private key format that an Okta OAuth app expects is PKCS#8 (unencrypted). The operator either uploads their own private key or Okta can generate one in the Admin UI Panel under the apps Client Credentials. PKCS#8 format can be identified by a header that starts with -----BEGIN PRIVATE KEY-----. If the operator has a PKCS#1 (unencrypted) format private key (the header starts with -----BEGIN RSA PRIVATE KEY-----) they can generate a PKCS#8 format key with openssl:

    import * as pulumi from "@pulumi/pulumi";
    
    import pulumi
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    
    return await Deployment.RunAsync(() => 
    {
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
        }
    }
    
    {}
    

    Example Usage

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Okta = Pulumi.Okta;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Okta.App.OAuth("example", new()
        {
            GrantTypes = new[]
            {
                "authorization_code",
            },
            Label = "example",
            RedirectUris = new[]
            {
                "https://example.com/",
            },
            ResponseTypes = new[]
            {
                "code",
            },
            Type = "web",
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-okta/sdk/v4/go/okta/app"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := app.NewOAuth(ctx, "example", &app.OAuthArgs{
    			GrantTypes: pulumi.StringArray{
    				pulumi.String("authorization_code"),
    			},
    			Label: pulumi.String("example"),
    			RedirectUris: pulumi.StringArray{
    				pulumi.String("https://example.com/"),
    			},
    			ResponseTypes: pulumi.StringArray{
    				pulumi.String("code"),
    			},
    			Type: pulumi.String("web"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.okta.app.OAuth;
    import com.pulumi.okta.app.OAuthArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new OAuth("example", OAuthArgs.builder()        
                .grantTypes("authorization_code")
                .label("example")
                .redirectUris("https://example.com/")
                .responseTypes("code")
                .type("web")
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_okta as okta
    
    example = okta.app.OAuth("example",
        grant_types=["authorization_code"],
        label="example",
        redirect_uris=["https://example.com/"],
        response_types=["code"],
        type="web")
    
    import * as pulumi from "@pulumi/pulumi";
    import * as okta from "@pulumi/okta";
    
    const example = new okta.app.OAuth("example", {
        grantTypes: ["authorization_code"],
        label: "example",
        redirectUris: ["https://example.com/"],
        responseTypes: ["code"],
        type: "web",
    });
    
    resources:
      example:
        type: okta:app:OAuth
        properties:
          grantTypes:
            - authorization_code
          label: example
          redirectUris:
            - https://example.com/
          responseTypes:
            - code
          type: web
    

    With JWKS value

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Okta = Pulumi.Okta;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Okta.App.OAuth("example", new()
        {
            GrantTypes = new[]
            {
                "client_credentials",
            },
            Jwks = new[]
            {
                new Okta.App.Inputs.OAuthJwkArgs
                {
                    E = "AQAB",
                    Kid = "SIGNING_KEY_RSA",
                    Kty = "RSA",
                    N = "xyz",
                },
                new Okta.App.Inputs.OAuthJwkArgs
                {
                    Kid = "SIGNING_KEY_EC",
                    Kty = "EC",
                    X = "K37X78mXJHHldZYMzrwipjKR-YZUS2SMye0KindHp6I",
                    Y = "8IfvsvXWzbFWOZoVOMwgF5p46mUj3kbOVf9Fk0vVVHo",
                },
            },
            Label = "example",
            ResponseTypes = new[]
            {
                "token",
            },
            TokenEndpointAuthMethod = "private_key_jwt",
            Type = "service",
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-okta/sdk/v4/go/okta/app"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := app.NewOAuth(ctx, "example", &app.OAuthArgs{
    			GrantTypes: pulumi.StringArray{
    				pulumi.String("client_credentials"),
    			},
    			Jwks: app.OAuthJwkArray{
    				&app.OAuthJwkArgs{
    					E:   pulumi.String("AQAB"),
    					Kid: pulumi.String("SIGNING_KEY_RSA"),
    					Kty: pulumi.String("RSA"),
    					N:   pulumi.String("xyz"),
    				},
    				&app.OAuthJwkArgs{
    					Kid: pulumi.String("SIGNING_KEY_EC"),
    					Kty: pulumi.String("EC"),
    					X:   pulumi.String("K37X78mXJHHldZYMzrwipjKR-YZUS2SMye0KindHp6I"),
    					Y:   pulumi.String("8IfvsvXWzbFWOZoVOMwgF5p46mUj3kbOVf9Fk0vVVHo"),
    				},
    			},
    			Label: pulumi.String("example"),
    			ResponseTypes: pulumi.StringArray{
    				pulumi.String("token"),
    			},
    			TokenEndpointAuthMethod: pulumi.String("private_key_jwt"),
    			Type:                    pulumi.String("service"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.okta.app.OAuth;
    import com.pulumi.okta.app.OAuthArgs;
    import com.pulumi.okta.app.inputs.OAuthJwkArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new OAuth("example", OAuthArgs.builder()        
                .grantTypes("client_credentials")
                .jwks(            
                    OAuthJwkArgs.builder()
                        .e("AQAB")
                        .kid("SIGNING_KEY_RSA")
                        .kty("RSA")
                        .n("xyz")
                        .build(),
                    OAuthJwkArgs.builder()
                        .kid("SIGNING_KEY_EC")
                        .kty("EC")
                        .x("K37X78mXJHHldZYMzrwipjKR-YZUS2SMye0KindHp6I")
                        .y("8IfvsvXWzbFWOZoVOMwgF5p46mUj3kbOVf9Fk0vVVHo")
                        .build())
                .label("example")
                .responseTypes("token")
                .tokenEndpointAuthMethod("private_key_jwt")
                .type("service")
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_okta as okta
    
    example = okta.app.OAuth("example",
        grant_types=["client_credentials"],
        jwks=[
            okta.app.OAuthJwkArgs(
                e="AQAB",
                kid="SIGNING_KEY_RSA",
                kty="RSA",
                n="xyz",
            ),
            okta.app.OAuthJwkArgs(
                kid="SIGNING_KEY_EC",
                kty="EC",
                x="K37X78mXJHHldZYMzrwipjKR-YZUS2SMye0KindHp6I",
                y="8IfvsvXWzbFWOZoVOMwgF5p46mUj3kbOVf9Fk0vVVHo",
            ),
        ],
        label="example",
        response_types=["token"],
        token_endpoint_auth_method="private_key_jwt",
        type="service")
    
    import * as pulumi from "@pulumi/pulumi";
    import * as okta from "@pulumi/okta";
    
    const example = new okta.app.OAuth("example", {
        grantTypes: ["client_credentials"],
        jwks: [
            {
                e: "AQAB",
                kid: "SIGNING_KEY_RSA",
                kty: "RSA",
                n: "xyz",
            },
            {
                kid: "SIGNING_KEY_EC",
                kty: "EC",
                x: "K37X78mXJHHldZYMzrwipjKR-YZUS2SMye0KindHp6I",
                y: "8IfvsvXWzbFWOZoVOMwgF5p46mUj3kbOVf9Fk0vVVHo",
            },
        ],
        label: "example",
        responseTypes: ["token"],
        tokenEndpointAuthMethod: "private_key_jwt",
        type: "service",
    });
    
    resources:
      example:
        type: okta:app:OAuth
        properties:
          grantTypes:
            - client_credentials
          jwks:
            - e: AQAB
              kid: SIGNING_KEY_RSA
              kty: RSA
              n: xyz
            - kid: SIGNING_KEY_EC
              kty: EC
              x: K37X78mXJHHldZYMzrwipjKR-YZUS2SMye0KindHp6I
              y: 8IfvsvXWzbFWOZoVOMwgF5p46mUj3kbOVf9Fk0vVVHo
          label: example
          responseTypes:
            - token
          tokenEndpointAuthMethod: private_key_jwt
          type: service
    

    Private Keys

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    
    return await Deployment.RunAsync(() => 
    {
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
        }
    }
    
    import pulumi
    
    import * as pulumi from "@pulumi/pulumi";
    
    {}
    

    Create OAuth Resource

    new OAuth(name: string, args: OAuthArgs, opts?: CustomResourceOptions);
    @overload
    def OAuth(resource_name: str,
              opts: Optional[ResourceOptions] = None,
              accessibility_error_redirect_url: Optional[str] = None,
              accessibility_login_redirect_url: Optional[str] = None,
              accessibility_self_service: Optional[bool] = None,
              admin_note: Optional[str] = None,
              app_links_json: Optional[str] = None,
              app_settings_json: Optional[str] = None,
              authentication_policy: Optional[str] = None,
              auto_key_rotation: Optional[bool] = None,
              auto_submit_toolbar: Optional[bool] = None,
              client_basic_secret: Optional[str] = None,
              client_id: Optional[str] = None,
              client_uri: Optional[str] = None,
              consent_method: Optional[str] = None,
              enduser_note: Optional[str] = None,
              grant_types: Optional[Sequence[str]] = None,
              groups_claim: Optional[OAuthGroupsClaimArgs] = None,
              hide_ios: Optional[bool] = None,
              hide_web: Optional[bool] = None,
              implicit_assignment: Optional[bool] = None,
              issuer_mode: Optional[str] = None,
              jwks: Optional[Sequence[OAuthJwkArgs]] = None,
              jwks_uri: Optional[str] = None,
              label: Optional[str] = None,
              login_mode: Optional[str] = None,
              login_scopes: Optional[Sequence[str]] = None,
              login_uri: Optional[str] = None,
              logo: Optional[str] = None,
              logo_uri: Optional[str] = None,
              omit_secret: Optional[bool] = None,
              pkce_required: Optional[bool] = None,
              policy_uri: Optional[str] = None,
              post_logout_redirect_uris: Optional[Sequence[str]] = None,
              profile: Optional[str] = None,
              redirect_uris: Optional[Sequence[str]] = None,
              refresh_token_leeway: Optional[int] = None,
              refresh_token_rotation: Optional[str] = None,
              response_types: Optional[Sequence[str]] = None,
              status: Optional[str] = None,
              token_endpoint_auth_method: Optional[str] = None,
              tos_uri: Optional[str] = None,
              type: Optional[str] = None,
              user_name_template: Optional[str] = None,
              user_name_template_push_status: Optional[str] = None,
              user_name_template_suffix: Optional[str] = None,
              user_name_template_type: Optional[str] = None,
              wildcard_redirect: Optional[str] = None)
    @overload
    def OAuth(resource_name: str,
              args: OAuthArgs,
              opts: Optional[ResourceOptions] = None)
    func NewOAuth(ctx *Context, name string, args OAuthArgs, opts ...ResourceOption) (*OAuth, error)
    public OAuth(string name, OAuthArgs args, CustomResourceOptions? opts = null)
    public OAuth(String name, OAuthArgs args)
    public OAuth(String name, OAuthArgs args, CustomResourceOptions options)
    
    type: okta:app:OAuth
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args OAuthArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args OAuthArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args OAuthArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args OAuthArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args OAuthArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    OAuth Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The OAuth resource accepts the following input properties:

    Label string
    The Application's display name.
    Type string
    The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.
    AccessibilityErrorRedirectUrl string
    Custom error page URL.
    AccessibilityLoginRedirectUrl string
    Custom login page for this application.
    AccessibilitySelfService bool
    Enable self-service. By default, it is false.
    AdminNote string
    Application notes for admins.
    AppLinksJson string
    Displays specific appLinks for the app. The value for each application link should be boolean.
    AppSettingsJson string
    Application settings in JSON format.
    AuthenticationPolicy string
    The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.
    AutoKeyRotation bool
    Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    AutoSubmitToolbar bool
    Display auto submit toolbar.
    ClientBasicSecret string
    The user provided OAuth client secret key value, this can be set when token_endpoint_auth_method is "client_secret_basic". This does nothing when omit_secret is set to true.
    ClientId string
    OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    ClientUri string
    URI to a web page providing information about the client.
    ConsentMethod string
    Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".
    EnduserNote string
    Application notes for end users.
    GrantTypes List<string>
    List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).
    GroupsClaim OAuthGroupsClaim
    Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
    HideIos bool
    Do not display application icon on mobile app.
    HideWeb bool
    Do not display application icon to users.
    ImplicitAssignment bool
    Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.
    IssuerMode string
    Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".
    Jwks List<OAuthJwk>
    JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
    JwksUri string
    URL of the custom authorization server's JSON Web Key Set document.
    LoginMode string
    The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".
    LoginScopes List<string>
    List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.
    LoginUri string
    URI that initiates login. Required when login_mode is NOT DISABLED.
    Logo string
    Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
    LogoUri string
    URI that references a logo for the client.
    OmitSecret bool
    This tells the provider not manage the client_secret value in state. When this is false (the default), it will cause the auto-generated client_secret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
    PkceRequired bool
    Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    PolicyUri string
    URI to web page providing client policy document.
    PostLogoutRedirectUris List<string>
    List of URIs for redirection after logout.
    Profile string
    Custom JSON that represents an OAuth application's profile.
    RedirectUris List<string>
    List of URIs for use in the redirect-based flow. This is required for all application types except service.
    RefreshTokenLeeway int
    Grace period for token rotation. Valid values: 0 to 60 seconds.
    RefreshTokenRotation string
    Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".
    ResponseTypes List<string>
    List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application
    Status string
    The status of the application, by default, it is "ACTIVE".
    TokenEndpointAuthMethod string
    Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    TosUri string
    URI to web page providing client tos (terms of service).
    UserNameTemplate string
    Username template. Default: "${source.login}"
    UserNameTemplatePushStatus string
    Push username on update. Valid values: "PUSH" and "DONT_PUSH".
    UserNameTemplateSuffix string
    Username template suffix.
    UserNameTemplateType string
    Username template type. Default: "BUILT_IN".
    WildcardRedirect string
    Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".
    Label string
    The Application's display name.
    Type string
    The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.
    AccessibilityErrorRedirectUrl string
    Custom error page URL.
    AccessibilityLoginRedirectUrl string
    Custom login page for this application.
    AccessibilitySelfService bool
    Enable self-service. By default, it is false.
    AdminNote string
    Application notes for admins.
    AppLinksJson string
    Displays specific appLinks for the app. The value for each application link should be boolean.
    AppSettingsJson string
    Application settings in JSON format.
    AuthenticationPolicy string
    The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.
    AutoKeyRotation bool
    Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    AutoSubmitToolbar bool
    Display auto submit toolbar.
    ClientBasicSecret string
    The user provided OAuth client secret key value, this can be set when token_endpoint_auth_method is "client_secret_basic". This does nothing when omit_secret is set to true.
    ClientId string
    OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    ClientUri string
    URI to a web page providing information about the client.
    ConsentMethod string
    Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".
    EnduserNote string
    Application notes for end users.
    GrantTypes []string
    List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).
    GroupsClaim OAuthGroupsClaimArgs
    Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
    HideIos bool
    Do not display application icon on mobile app.
    HideWeb bool
    Do not display application icon to users.
    ImplicitAssignment bool
    Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.
    IssuerMode string
    Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".
    Jwks []OAuthJwkArgs
    JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
    JwksUri string
    URL of the custom authorization server's JSON Web Key Set document.
    LoginMode string
    The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".
    LoginScopes []string
    List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.
    LoginUri string
    URI that initiates login. Required when login_mode is NOT DISABLED.
    Logo string
    Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
    LogoUri string
    URI that references a logo for the client.
    OmitSecret bool
    This tells the provider not manage the client_secret value in state. When this is false (the default), it will cause the auto-generated client_secret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
    PkceRequired bool
    Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    PolicyUri string
    URI to web page providing client policy document.
    PostLogoutRedirectUris []string
    List of URIs for redirection after logout.
    Profile string
    Custom JSON that represents an OAuth application's profile.
    RedirectUris []string
    List of URIs for use in the redirect-based flow. This is required for all application types except service.
    RefreshTokenLeeway int
    Grace period for token rotation. Valid values: 0 to 60 seconds.
    RefreshTokenRotation string
    Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".
    ResponseTypes []string
    List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application
    Status string
    The status of the application, by default, it is "ACTIVE".
    TokenEndpointAuthMethod string
    Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    TosUri string
    URI to web page providing client tos (terms of service).
    UserNameTemplate string
    Username template. Default: "${source.login}"
    UserNameTemplatePushStatus string
    Push username on update. Valid values: "PUSH" and "DONT_PUSH".
    UserNameTemplateSuffix string
    Username template suffix.
    UserNameTemplateType string
    Username template type. Default: "BUILT_IN".
    WildcardRedirect string
    Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".
    label String
    The Application's display name.
    type String
    The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.
    accessibilityErrorRedirectUrl String
    Custom error page URL.
    accessibilityLoginRedirectUrl String
    Custom login page for this application.
    accessibilitySelfService Boolean
    Enable self-service. By default, it is false.
    adminNote String
    Application notes for admins.
    appLinksJson String
    Displays specific appLinks for the app. The value for each application link should be boolean.
    appSettingsJson String
    Application settings in JSON format.
    authenticationPolicy String
    The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.
    autoKeyRotation Boolean
    Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    autoSubmitToolbar Boolean
    Display auto submit toolbar.
    clientBasicSecret String
    The user provided OAuth client secret key value, this can be set when token_endpoint_auth_method is "client_secret_basic". This does nothing when omit_secret is set to true.
    clientId String
    OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    clientUri String
    URI to a web page providing information about the client.
    consentMethod String
    Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".
    enduserNote String
    Application notes for end users.
    grantTypes List<String>
    List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).
    groupsClaim OAuthGroupsClaim
    Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
    hideIos Boolean
    Do not display application icon on mobile app.
    hideWeb Boolean
    Do not display application icon to users.
    implicitAssignment Boolean
    Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.
    issuerMode String
    Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".
    jwks List<OAuthJwk>
    JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
    jwksUri String
    URL of the custom authorization server's JSON Web Key Set document.
    loginMode String
    The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".
    loginScopes List<String>
    List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.
    loginUri String
    URI that initiates login. Required when login_mode is NOT DISABLED.
    logo String
    Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
    logoUri String
    URI that references a logo for the client.
    omitSecret Boolean
    This tells the provider not manage the client_secret value in state. When this is false (the default), it will cause the auto-generated client_secret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
    pkceRequired Boolean
    Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    policyUri String
    URI to web page providing client policy document.
    postLogoutRedirectUris List<String>
    List of URIs for redirection after logout.
    profile String
    Custom JSON that represents an OAuth application's profile.
    redirectUris List<String>
    List of URIs for use in the redirect-based flow. This is required for all application types except service.
    refreshTokenLeeway Integer
    Grace period for token rotation. Valid values: 0 to 60 seconds.
    refreshTokenRotation String
    Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".
    responseTypes List<String>
    List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application
    status String
    The status of the application, by default, it is "ACTIVE".
    tokenEndpointAuthMethod String
    Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    tosUri String
    URI to web page providing client tos (terms of service).
    userNameTemplate String
    Username template. Default: "${source.login}"
    userNameTemplatePushStatus String
    Push username on update. Valid values: "PUSH" and "DONT_PUSH".
    userNameTemplateSuffix String
    Username template suffix.
    userNameTemplateType String
    Username template type. Default: "BUILT_IN".
    wildcardRedirect String
    Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".
    label string
    The Application's display name.
    type string
    The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.
    accessibilityErrorRedirectUrl string
    Custom error page URL.
    accessibilityLoginRedirectUrl string
    Custom login page for this application.
    accessibilitySelfService boolean
    Enable self-service. By default, it is false.
    adminNote string
    Application notes for admins.
    appLinksJson string
    Displays specific appLinks for the app. The value for each application link should be boolean.
    appSettingsJson string
    Application settings in JSON format.
    authenticationPolicy string
    The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.
    autoKeyRotation boolean
    Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    autoSubmitToolbar boolean
    Display auto submit toolbar.
    clientBasicSecret string
    The user provided OAuth client secret key value, this can be set when token_endpoint_auth_method is "client_secret_basic". This does nothing when omit_secret is set to true.
    clientId string
    OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    clientUri string
    URI to a web page providing information about the client.
    consentMethod string
    Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".
    enduserNote string
    Application notes for end users.
    grantTypes string[]
    List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).
    groupsClaim OAuthGroupsClaim
    Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
    hideIos boolean
    Do not display application icon on mobile app.
    hideWeb boolean
    Do not display application icon to users.
    implicitAssignment boolean
    Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.
    issuerMode string
    Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".
    jwks OAuthJwk[]
    JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
    jwksUri string
    URL of the custom authorization server's JSON Web Key Set document.
    loginMode string
    The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".
    loginScopes string[]
    List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.
    loginUri string
    URI that initiates login. Required when login_mode is NOT DISABLED.
    logo string
    Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
    logoUri string
    URI that references a logo for the client.
    omitSecret boolean
    This tells the provider not manage the client_secret value in state. When this is false (the default), it will cause the auto-generated client_secret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
    pkceRequired boolean
    Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    policyUri string
    URI to web page providing client policy document.
    postLogoutRedirectUris string[]
    List of URIs for redirection after logout.
    profile string
    Custom JSON that represents an OAuth application's profile.
    redirectUris string[]
    List of URIs for use in the redirect-based flow. This is required for all application types except service.
    refreshTokenLeeway number
    Grace period for token rotation. Valid values: 0 to 60 seconds.
    refreshTokenRotation string
    Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".
    responseTypes string[]
    List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application
    status string
    The status of the application, by default, it is "ACTIVE".
    tokenEndpointAuthMethod string
    Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    tosUri string
    URI to web page providing client tos (terms of service).
    userNameTemplate string
    Username template. Default: "${source.login}"
    userNameTemplatePushStatus string
    Push username on update. Valid values: "PUSH" and "DONT_PUSH".
    userNameTemplateSuffix string
    Username template suffix.
    userNameTemplateType string
    Username template type. Default: "BUILT_IN".
    wildcardRedirect string
    Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".
    label str
    The Application's display name.
    type str
    The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.
    accessibility_error_redirect_url str
    Custom error page URL.
    accessibility_login_redirect_url str
    Custom login page for this application.
    accessibility_self_service bool
    Enable self-service. By default, it is false.
    admin_note str
    Application notes for admins.
    app_links_json str
    Displays specific appLinks for the app. The value for each application link should be boolean.
    app_settings_json str
    Application settings in JSON format.
    authentication_policy str
    The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.
    auto_key_rotation bool
    Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    auto_submit_toolbar bool
    Display auto submit toolbar.
    client_basic_secret str
    The user provided OAuth client secret key value, this can be set when token_endpoint_auth_method is "client_secret_basic". This does nothing when omit_secret is set to true.
    client_id str
    OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    client_uri str
    URI to a web page providing information about the client.
    consent_method str
    Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".
    enduser_note str
    Application notes for end users.
    grant_types Sequence[str]
    List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).
    groups_claim OAuthGroupsClaimArgs
    Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
    hide_ios bool
    Do not display application icon on mobile app.
    hide_web bool
    Do not display application icon to users.
    implicit_assignment bool
    Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.
    issuer_mode str
    Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".
    jwks Sequence[OAuthJwkArgs]
    JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
    jwks_uri str
    URL of the custom authorization server's JSON Web Key Set document.
    login_mode str
    The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".
    login_scopes Sequence[str]
    List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.
    login_uri str
    URI that initiates login. Required when login_mode is NOT DISABLED.
    logo str
    Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
    logo_uri str
    URI that references a logo for the client.
    omit_secret bool
    This tells the provider not manage the client_secret value in state. When this is false (the default), it will cause the auto-generated client_secret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
    pkce_required bool
    Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    policy_uri str
    URI to web page providing client policy document.
    post_logout_redirect_uris Sequence[str]
    List of URIs for redirection after logout.
    profile str
    Custom JSON that represents an OAuth application's profile.
    redirect_uris Sequence[str]
    List of URIs for use in the redirect-based flow. This is required for all application types except service.
    refresh_token_leeway int
    Grace period for token rotation. Valid values: 0 to 60 seconds.
    refresh_token_rotation str
    Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".
    response_types Sequence[str]
    List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application
    status str
    The status of the application, by default, it is "ACTIVE".
    token_endpoint_auth_method str
    Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    tos_uri str
    URI to web page providing client tos (terms of service).
    user_name_template str
    Username template. Default: "${source.login}"
    user_name_template_push_status str
    Push username on update. Valid values: "PUSH" and "DONT_PUSH".
    user_name_template_suffix str
    Username template suffix.
    user_name_template_type str
    Username template type. Default: "BUILT_IN".
    wildcard_redirect str
    Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".
    label String
    The Application's display name.
    type String
    The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.
    accessibilityErrorRedirectUrl String
    Custom error page URL.
    accessibilityLoginRedirectUrl String
    Custom login page for this application.
    accessibilitySelfService Boolean
    Enable self-service. By default, it is false.
    adminNote String
    Application notes for admins.
    appLinksJson String
    Displays specific appLinks for the app. The value for each application link should be boolean.
    appSettingsJson String
    Application settings in JSON format.
    authenticationPolicy String
    The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.
    autoKeyRotation Boolean
    Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    autoSubmitToolbar Boolean
    Display auto submit toolbar.
    clientBasicSecret String
    The user provided OAuth client secret key value, this can be set when token_endpoint_auth_method is "client_secret_basic". This does nothing when omit_secret is set to true.
    clientId String
    OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    clientUri String
    URI to a web page providing information about the client.
    consentMethod String
    Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".
    enduserNote String
    Application notes for end users.
    grantTypes List<String>
    List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).
    groupsClaim Property Map
    Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
    hideIos Boolean
    Do not display application icon on mobile app.
    hideWeb Boolean
    Do not display application icon to users.
    implicitAssignment Boolean
    Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.
    issuerMode String
    Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".
    jwks List<Property Map>
    JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
    jwksUri String
    URL of the custom authorization server's JSON Web Key Set document.
    loginMode String
    The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".
    loginScopes List<String>
    List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.
    loginUri String
    URI that initiates login. Required when login_mode is NOT DISABLED.
    logo String
    Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
    logoUri String
    URI that references a logo for the client.
    omitSecret Boolean
    This tells the provider not manage the client_secret value in state. When this is false (the default), it will cause the auto-generated client_secret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
    pkceRequired Boolean
    Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    policyUri String
    URI to web page providing client policy document.
    postLogoutRedirectUris List<String>
    List of URIs for redirection after logout.
    profile String
    Custom JSON that represents an OAuth application's profile.
    redirectUris List<String>
    List of URIs for use in the redirect-based flow. This is required for all application types except service.
    refreshTokenLeeway Number
    Grace period for token rotation. Valid values: 0 to 60 seconds.
    refreshTokenRotation String
    Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".
    responseTypes List<String>
    List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application
    status String
    The status of the application, by default, it is "ACTIVE".
    tokenEndpointAuthMethod String
    Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    tosUri String
    URI to web page providing client tos (terms of service).
    userNameTemplate String
    Username template. Default: "${source.login}"
    userNameTemplatePushStatus String
    Push username on update. Valid values: "PUSH" and "DONT_PUSH".
    userNameTemplateSuffix String
    Username template suffix.
    userNameTemplateType String
    Username template type. Default: "BUILT_IN".
    wildcardRedirect String
    Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".

    Outputs

    All input properties are implicitly available as output properties. Additionally, the OAuth resource produces the following output properties:

    ClientSecret string
    OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    Id string
    The provider-assigned unique ID for this managed resource.
    LogoUrl string
    Direct link of application logo.
    Name string
    Name of the claim that will be used in the token.
    SignOnMode string
    Sign-on mode of application.
    ClientSecret string
    OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    Id string
    The provider-assigned unique ID for this managed resource.
    LogoUrl string
    Direct link of application logo.
    Name string
    Name of the claim that will be used in the token.
    SignOnMode string
    Sign-on mode of application.
    clientSecret String
    OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    id String
    The provider-assigned unique ID for this managed resource.
    logoUrl String
    Direct link of application logo.
    name String
    Name of the claim that will be used in the token.
    signOnMode String
    Sign-on mode of application.
    clientSecret string
    OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    id string
    The provider-assigned unique ID for this managed resource.
    logoUrl string
    Direct link of application logo.
    name string
    Name of the claim that will be used in the token.
    signOnMode string
    Sign-on mode of application.
    client_secret str
    OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    id str
    The provider-assigned unique ID for this managed resource.
    logo_url str
    Direct link of application logo.
    name str
    Name of the claim that will be used in the token.
    sign_on_mode str
    Sign-on mode of application.
    clientSecret String
    OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    id String
    The provider-assigned unique ID for this managed resource.
    logoUrl String
    Direct link of application logo.
    name String
    Name of the claim that will be used in the token.
    signOnMode String
    Sign-on mode of application.

    Look up Existing OAuth Resource

    Get an existing OAuth resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: OAuthState, opts?: CustomResourceOptions): OAuth
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            accessibility_error_redirect_url: Optional[str] = None,
            accessibility_login_redirect_url: Optional[str] = None,
            accessibility_self_service: Optional[bool] = None,
            admin_note: Optional[str] = None,
            app_links_json: Optional[str] = None,
            app_settings_json: Optional[str] = None,
            authentication_policy: Optional[str] = None,
            auto_key_rotation: Optional[bool] = None,
            auto_submit_toolbar: Optional[bool] = None,
            client_basic_secret: Optional[str] = None,
            client_id: Optional[str] = None,
            client_secret: Optional[str] = None,
            client_uri: Optional[str] = None,
            consent_method: Optional[str] = None,
            enduser_note: Optional[str] = None,
            grant_types: Optional[Sequence[str]] = None,
            groups_claim: Optional[OAuthGroupsClaimArgs] = None,
            hide_ios: Optional[bool] = None,
            hide_web: Optional[bool] = None,
            implicit_assignment: Optional[bool] = None,
            issuer_mode: Optional[str] = None,
            jwks: Optional[Sequence[OAuthJwkArgs]] = None,
            jwks_uri: Optional[str] = None,
            label: Optional[str] = None,
            login_mode: Optional[str] = None,
            login_scopes: Optional[Sequence[str]] = None,
            login_uri: Optional[str] = None,
            logo: Optional[str] = None,
            logo_uri: Optional[str] = None,
            logo_url: Optional[str] = None,
            name: Optional[str] = None,
            omit_secret: Optional[bool] = None,
            pkce_required: Optional[bool] = None,
            policy_uri: Optional[str] = None,
            post_logout_redirect_uris: Optional[Sequence[str]] = None,
            profile: Optional[str] = None,
            redirect_uris: Optional[Sequence[str]] = None,
            refresh_token_leeway: Optional[int] = None,
            refresh_token_rotation: Optional[str] = None,
            response_types: Optional[Sequence[str]] = None,
            sign_on_mode: Optional[str] = None,
            status: Optional[str] = None,
            token_endpoint_auth_method: Optional[str] = None,
            tos_uri: Optional[str] = None,
            type: Optional[str] = None,
            user_name_template: Optional[str] = None,
            user_name_template_push_status: Optional[str] = None,
            user_name_template_suffix: Optional[str] = None,
            user_name_template_type: Optional[str] = None,
            wildcard_redirect: Optional[str] = None) -> OAuth
    func GetOAuth(ctx *Context, name string, id IDInput, state *OAuthState, opts ...ResourceOption) (*OAuth, error)
    public static OAuth Get(string name, Input<string> id, OAuthState? state, CustomResourceOptions? opts = null)
    public static OAuth get(String name, Output<String> id, OAuthState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AccessibilityErrorRedirectUrl string
    Custom error page URL.
    AccessibilityLoginRedirectUrl string
    Custom login page for this application.
    AccessibilitySelfService bool
    Enable self-service. By default, it is false.
    AdminNote string
    Application notes for admins.
    AppLinksJson string
    Displays specific appLinks for the app. The value for each application link should be boolean.
    AppSettingsJson string
    Application settings in JSON format.
    AuthenticationPolicy string
    The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.
    AutoKeyRotation bool
    Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    AutoSubmitToolbar bool
    Display auto submit toolbar.
    ClientBasicSecret string
    The user provided OAuth client secret key value, this can be set when token_endpoint_auth_method is "client_secret_basic". This does nothing when omit_secret is set to true.
    ClientId string
    OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    ClientSecret string
    OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    ClientUri string
    URI to a web page providing information about the client.
    ConsentMethod string
    Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".
    EnduserNote string
    Application notes for end users.
    GrantTypes List<string>
    List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).
    GroupsClaim OAuthGroupsClaim
    Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
    HideIos bool
    Do not display application icon on mobile app.
    HideWeb bool
    Do not display application icon to users.
    ImplicitAssignment bool
    Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.
    IssuerMode string
    Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".
    Jwks List<OAuthJwk>
    JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
    JwksUri string
    URL of the custom authorization server's JSON Web Key Set document.
    Label string
    The Application's display name.
    LoginMode string
    The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".
    LoginScopes List<string>
    List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.
    LoginUri string
    URI that initiates login. Required when login_mode is NOT DISABLED.
    Logo string
    Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
    LogoUri string
    URI that references a logo for the client.
    LogoUrl string
    Direct link of application logo.
    Name string
    Name of the claim that will be used in the token.
    OmitSecret bool
    This tells the provider not manage the client_secret value in state. When this is false (the default), it will cause the auto-generated client_secret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
    PkceRequired bool
    Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    PolicyUri string
    URI to web page providing client policy document.
    PostLogoutRedirectUris List<string>
    List of URIs for redirection after logout.
    Profile string
    Custom JSON that represents an OAuth application's profile.
    RedirectUris List<string>
    List of URIs for use in the redirect-based flow. This is required for all application types except service.
    RefreshTokenLeeway int
    Grace period for token rotation. Valid values: 0 to 60 seconds.
    RefreshTokenRotation string
    Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".
    ResponseTypes List<string>
    List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application
    SignOnMode string
    Sign-on mode of application.
    Status string
    The status of the application, by default, it is "ACTIVE".
    TokenEndpointAuthMethod string
    Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    TosUri string
    URI to web page providing client tos (terms of service).
    Type string
    The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.
    UserNameTemplate string
    Username template. Default: "${source.login}"
    UserNameTemplatePushStatus string
    Push username on update. Valid values: "PUSH" and "DONT_PUSH".
    UserNameTemplateSuffix string
    Username template suffix.
    UserNameTemplateType string
    Username template type. Default: "BUILT_IN".
    WildcardRedirect string
    Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".
    AccessibilityErrorRedirectUrl string
    Custom error page URL.
    AccessibilityLoginRedirectUrl string
    Custom login page for this application.
    AccessibilitySelfService bool
    Enable self-service. By default, it is false.
    AdminNote string
    Application notes for admins.
    AppLinksJson string
    Displays specific appLinks for the app. The value for each application link should be boolean.
    AppSettingsJson string
    Application settings in JSON format.
    AuthenticationPolicy string
    The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.
    AutoKeyRotation bool
    Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    AutoSubmitToolbar bool
    Display auto submit toolbar.
    ClientBasicSecret string
    The user provided OAuth client secret key value, this can be set when token_endpoint_auth_method is "client_secret_basic". This does nothing when omit_secret is set to true.
    ClientId string
    OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    ClientSecret string
    OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    ClientUri string
    URI to a web page providing information about the client.
    ConsentMethod string
    Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".
    EnduserNote string
    Application notes for end users.
    GrantTypes []string
    List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).
    GroupsClaim OAuthGroupsClaimArgs
    Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
    HideIos bool
    Do not display application icon on mobile app.
    HideWeb bool
    Do not display application icon to users.
    ImplicitAssignment bool
    Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.
    IssuerMode string
    Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".
    Jwks []OAuthJwkArgs
    JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
    JwksUri string
    URL of the custom authorization server's JSON Web Key Set document.
    Label string
    The Application's display name.
    LoginMode string
    The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".
    LoginScopes []string
    List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.
    LoginUri string
    URI that initiates login. Required when login_mode is NOT DISABLED.
    Logo string
    Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
    LogoUri string
    URI that references a logo for the client.
    LogoUrl string
    Direct link of application logo.
    Name string
    Name of the claim that will be used in the token.
    OmitSecret bool
    This tells the provider not manage the client_secret value in state. When this is false (the default), it will cause the auto-generated client_secret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
    PkceRequired bool
    Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    PolicyUri string
    URI to web page providing client policy document.
    PostLogoutRedirectUris []string
    List of URIs for redirection after logout.
    Profile string
    Custom JSON that represents an OAuth application's profile.
    RedirectUris []string
    List of URIs for use in the redirect-based flow. This is required for all application types except service.
    RefreshTokenLeeway int
    Grace period for token rotation. Valid values: 0 to 60 seconds.
    RefreshTokenRotation string
    Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".
    ResponseTypes []string
    List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application
    SignOnMode string
    Sign-on mode of application.
    Status string
    The status of the application, by default, it is "ACTIVE".
    TokenEndpointAuthMethod string
    Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    TosUri string
    URI to web page providing client tos (terms of service).
    Type string
    The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.
    UserNameTemplate string
    Username template. Default: "${source.login}"
    UserNameTemplatePushStatus string
    Push username on update. Valid values: "PUSH" and "DONT_PUSH".
    UserNameTemplateSuffix string
    Username template suffix.
    UserNameTemplateType string
    Username template type. Default: "BUILT_IN".
    WildcardRedirect string
    Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".
    accessibilityErrorRedirectUrl String
    Custom error page URL.
    accessibilityLoginRedirectUrl String
    Custom login page for this application.
    accessibilitySelfService Boolean
    Enable self-service. By default, it is false.
    adminNote String
    Application notes for admins.
    appLinksJson String
    Displays specific appLinks for the app. The value for each application link should be boolean.
    appSettingsJson String
    Application settings in JSON format.
    authenticationPolicy String
    The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.
    autoKeyRotation Boolean
    Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    autoSubmitToolbar Boolean
    Display auto submit toolbar.
    clientBasicSecret String
    The user provided OAuth client secret key value, this can be set when token_endpoint_auth_method is "client_secret_basic". This does nothing when omit_secret is set to true.
    clientId String
    OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    clientSecret String
    OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    clientUri String
    URI to a web page providing information about the client.
    consentMethod String
    Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".
    enduserNote String
    Application notes for end users.
    grantTypes List<String>
    List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).
    groupsClaim OAuthGroupsClaim
    Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
    hideIos Boolean
    Do not display application icon on mobile app.
    hideWeb Boolean
    Do not display application icon to users.
    implicitAssignment Boolean
    Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.
    issuerMode String
    Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".
    jwks List<OAuthJwk>
    JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
    jwksUri String
    URL of the custom authorization server's JSON Web Key Set document.
    label String
    The Application's display name.
    loginMode String
    The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".
    loginScopes List<String>
    List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.
    loginUri String
    URI that initiates login. Required when login_mode is NOT DISABLED.
    logo String
    Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
    logoUri String
    URI that references a logo for the client.
    logoUrl String
    Direct link of application logo.
    name String
    Name of the claim that will be used in the token.
    omitSecret Boolean
    This tells the provider not manage the client_secret value in state. When this is false (the default), it will cause the auto-generated client_secret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
    pkceRequired Boolean
    Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    policyUri String
    URI to web page providing client policy document.
    postLogoutRedirectUris List<String>
    List of URIs for redirection after logout.
    profile String
    Custom JSON that represents an OAuth application's profile.
    redirectUris List<String>
    List of URIs for use in the redirect-based flow. This is required for all application types except service.
    refreshTokenLeeway Integer
    Grace period for token rotation. Valid values: 0 to 60 seconds.
    refreshTokenRotation String
    Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".
    responseTypes List<String>
    List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application
    signOnMode String
    Sign-on mode of application.
    status String
    The status of the application, by default, it is "ACTIVE".
    tokenEndpointAuthMethod String
    Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    tosUri String
    URI to web page providing client tos (terms of service).
    type String
    The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.
    userNameTemplate String
    Username template. Default: "${source.login}"
    userNameTemplatePushStatus String
    Push username on update. Valid values: "PUSH" and "DONT_PUSH".
    userNameTemplateSuffix String
    Username template suffix.
    userNameTemplateType String
    Username template type. Default: "BUILT_IN".
    wildcardRedirect String
    Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".
    accessibilityErrorRedirectUrl string
    Custom error page URL.
    accessibilityLoginRedirectUrl string
    Custom login page for this application.
    accessibilitySelfService boolean
    Enable self-service. By default, it is false.
    adminNote string
    Application notes for admins.
    appLinksJson string
    Displays specific appLinks for the app. The value for each application link should be boolean.
    appSettingsJson string
    Application settings in JSON format.
    authenticationPolicy string
    The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.
    autoKeyRotation boolean
    Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    autoSubmitToolbar boolean
    Display auto submit toolbar.
    clientBasicSecret string
    The user provided OAuth client secret key value, this can be set when token_endpoint_auth_method is "client_secret_basic". This does nothing when omit_secret is set to true.
    clientId string
    OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    clientSecret string
    OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    clientUri string
    URI to a web page providing information about the client.
    consentMethod string
    Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".
    enduserNote string
    Application notes for end users.
    grantTypes string[]
    List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).
    groupsClaim OAuthGroupsClaim
    Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
    hideIos boolean
    Do not display application icon on mobile app.
    hideWeb boolean
    Do not display application icon to users.
    implicitAssignment boolean
    Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.
    issuerMode string
    Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".
    jwks OAuthJwk[]
    JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
    jwksUri string
    URL of the custom authorization server's JSON Web Key Set document.
    label string
    The Application's display name.
    loginMode string
    The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".
    loginScopes string[]
    List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.
    loginUri string
    URI that initiates login. Required when login_mode is NOT DISABLED.
    logo string
    Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
    logoUri string
    URI that references a logo for the client.
    logoUrl string
    Direct link of application logo.
    name string
    Name of the claim that will be used in the token.
    omitSecret boolean
    This tells the provider not manage the client_secret value in state. When this is false (the default), it will cause the auto-generated client_secret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
    pkceRequired boolean
    Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    policyUri string
    URI to web page providing client policy document.
    postLogoutRedirectUris string[]
    List of URIs for redirection after logout.
    profile string
    Custom JSON that represents an OAuth application's profile.
    redirectUris string[]
    List of URIs for use in the redirect-based flow. This is required for all application types except service.
    refreshTokenLeeway number
    Grace period for token rotation. Valid values: 0 to 60 seconds.
    refreshTokenRotation string
    Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".
    responseTypes string[]
    List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application
    signOnMode string
    Sign-on mode of application.
    status string
    The status of the application, by default, it is "ACTIVE".
    tokenEndpointAuthMethod string
    Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    tosUri string
    URI to web page providing client tos (terms of service).
    type string
    The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.
    userNameTemplate string
    Username template. Default: "${source.login}"
    userNameTemplatePushStatus string
    Push username on update. Valid values: "PUSH" and "DONT_PUSH".
    userNameTemplateSuffix string
    Username template suffix.
    userNameTemplateType string
    Username template type. Default: "BUILT_IN".
    wildcardRedirect string
    Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".
    accessibility_error_redirect_url str
    Custom error page URL.
    accessibility_login_redirect_url str
    Custom login page for this application.
    accessibility_self_service bool
    Enable self-service. By default, it is false.
    admin_note str
    Application notes for admins.
    app_links_json str
    Displays specific appLinks for the app. The value for each application link should be boolean.
    app_settings_json str
    Application settings in JSON format.
    authentication_policy str
    The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.
    auto_key_rotation bool
    Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    auto_submit_toolbar bool
    Display auto submit toolbar.
    client_basic_secret str
    The user provided OAuth client secret key value, this can be set when token_endpoint_auth_method is "client_secret_basic". This does nothing when omit_secret is set to true.
    client_id str
    OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    client_secret str
    OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    client_uri str
    URI to a web page providing information about the client.
    consent_method str
    Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".
    enduser_note str
    Application notes for end users.
    grant_types Sequence[str]
    List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).
    groups_claim OAuthGroupsClaimArgs
    Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
    hide_ios bool
    Do not display application icon on mobile app.
    hide_web bool
    Do not display application icon to users.
    implicit_assignment bool
    Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.
    issuer_mode str
    Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".
    jwks Sequence[OAuthJwkArgs]
    JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
    jwks_uri str
    URL of the custom authorization server's JSON Web Key Set document.
    label str
    The Application's display name.
    login_mode str
    The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".
    login_scopes Sequence[str]
    List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.
    login_uri str
    URI that initiates login. Required when login_mode is NOT DISABLED.
    logo str
    Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
    logo_uri str
    URI that references a logo for the client.
    logo_url str
    Direct link of application logo.
    name str
    Name of the claim that will be used in the token.
    omit_secret bool
    This tells the provider not manage the client_secret value in state. When this is false (the default), it will cause the auto-generated client_secret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
    pkce_required bool
    Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    policy_uri str
    URI to web page providing client policy document.
    post_logout_redirect_uris Sequence[str]
    List of URIs for redirection after logout.
    profile str
    Custom JSON that represents an OAuth application's profile.
    redirect_uris Sequence[str]
    List of URIs for use in the redirect-based flow. This is required for all application types except service.
    refresh_token_leeway int
    Grace period for token rotation. Valid values: 0 to 60 seconds.
    refresh_token_rotation str
    Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".
    response_types Sequence[str]
    List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application
    sign_on_mode str
    Sign-on mode of application.
    status str
    The status of the application, by default, it is "ACTIVE".
    token_endpoint_auth_method str
    Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    tos_uri str
    URI to web page providing client tos (terms of service).
    type str
    The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.
    user_name_template str
    Username template. Default: "${source.login}"
    user_name_template_push_status str
    Push username on update. Valid values: "PUSH" and "DONT_PUSH".
    user_name_template_suffix str
    Username template suffix.
    user_name_template_type str
    Username template type. Default: "BUILT_IN".
    wildcard_redirect str
    Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".
    accessibilityErrorRedirectUrl String
    Custom error page URL.
    accessibilityLoginRedirectUrl String
    Custom login page for this application.
    accessibilitySelfService Boolean
    Enable self-service. By default, it is false.
    adminNote String
    Application notes for admins.
    appLinksJson String
    Displays specific appLinks for the app. The value for each application link should be boolean.
    appSettingsJson String
    Application settings in JSON format.
    authenticationPolicy String
    The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.
    autoKeyRotation Boolean
    Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    autoSubmitToolbar Boolean
    Display auto submit toolbar.
    clientBasicSecret String
    The user provided OAuth client secret key value, this can be set when token_endpoint_auth_method is "client_secret_basic". This does nothing when omit_secret is set to true.
    clientId String
    OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    clientSecret String
    OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    clientUri String
    URI to a web page providing information about the client.
    consentMethod String
    Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".
    enduserNote String
    Application notes for end users.
    grantTypes List<String>
    List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).
    groupsClaim Property Map
    Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
    hideIos Boolean
    Do not display application icon on mobile app.
    hideWeb Boolean
    Do not display application icon to users.
    implicitAssignment Boolean
    Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.
    issuerMode String
    Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".
    jwks List<Property Map>
    JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
    jwksUri String
    URL of the custom authorization server's JSON Web Key Set document.
    label String
    The Application's display name.
    loginMode String
    The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".
    loginScopes List<String>
    List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.
    loginUri String
    URI that initiates login. Required when login_mode is NOT DISABLED.
    logo String
    Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
    logoUri String
    URI that references a logo for the client.
    logoUrl String
    Direct link of application logo.
    name String
    Name of the claim that will be used in the token.
    omitSecret Boolean
    This tells the provider not manage the client_secret value in state. When this is false (the default), it will cause the auto-generated client_secret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
    pkceRequired Boolean
    Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    policyUri String
    URI to web page providing client policy document.
    postLogoutRedirectUris List<String>
    List of URIs for redirection after logout.
    profile String
    Custom JSON that represents an OAuth application's profile.
    redirectUris List<String>
    List of URIs for use in the redirect-based flow. This is required for all application types except service.
    refreshTokenLeeway Number
    Grace period for token rotation. Valid values: 0 to 60 seconds.
    refreshTokenRotation String
    Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".
    responseTypes List<String>
    List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application
    signOnMode String
    Sign-on mode of application.
    status String
    The status of the application, by default, it is "ACTIVE".
    tokenEndpointAuthMethod String
    Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
    tosUri String
    URI to web page providing client tos (terms of service).
    type String
    The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.
    userNameTemplate String
    Username template. Default: "${source.login}"
    userNameTemplatePushStatus String
    Push username on update. Valid values: "PUSH" and "DONT_PUSH".
    userNameTemplateSuffix String
    Username template suffix.
    userNameTemplateType String
    Username template type. Default: "BUILT_IN".
    wildcardRedirect String
    Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".

    Supporting Types

    OAuthGroupsClaim, OAuthGroupsClaimArgs

    Name string
    Name of the claim that will be used in the token.
    Type string
    The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.
    Value string
    Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
    FilterType string
    Groups claim filter. Can only be set if type is "FILTER". Valid values: "EQUALS", "STARTS_WITH", "CONTAINS", "REGEX".
    IssuerMode string
    Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".
    Name string
    Name of the claim that will be used in the token.
    Type string
    The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.
    Value string
    Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
    FilterType string
    Groups claim filter. Can only be set if type is "FILTER". Valid values: "EQUALS", "STARTS_WITH", "CONTAINS", "REGEX".
    IssuerMode string
    Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".
    name String
    Name of the claim that will be used in the token.
    type String
    The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.
    value String
    Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
    filterType String
    Groups claim filter. Can only be set if type is "FILTER". Valid values: "EQUALS", "STARTS_WITH", "CONTAINS", "REGEX".
    issuerMode String
    Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".
    name string
    Name of the claim that will be used in the token.
    type string
    The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.
    value string
    Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
    filterType string
    Groups claim filter. Can only be set if type is "FILTER". Valid values: "EQUALS", "STARTS_WITH", "CONTAINS", "REGEX".
    issuerMode string
    Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".
    name str
    Name of the claim that will be used in the token.
    type str
    The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.
    value str
    Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
    filter_type str
    Groups claim filter. Can only be set if type is "FILTER". Valid values: "EQUALS", "STARTS_WITH", "CONTAINS", "REGEX".
    issuer_mode str
    Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".
    name String
    Name of the claim that will be used in the token.
    type String
    The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.
    value String
    Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
    filterType String
    Groups claim filter. Can only be set if type is "FILTER". Valid values: "EQUALS", "STARTS_WITH", "CONTAINS", "REGEX".
    issuerMode String
    Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".

    OAuthJwk, OAuthJwkArgs

    Kid string
    Key ID
    Kty string
    Key type
    E string
    RSA Exponent
    N string
    RSA Modulus
    X string
    X coordinate of the elliptic curve point
    Y string
    Y coordinate of the elliptic curve point
    Kid string
    Key ID
    Kty string
    Key type
    E string
    RSA Exponent
    N string
    RSA Modulus
    X string
    X coordinate of the elliptic curve point
    Y string
    Y coordinate of the elliptic curve point
    kid String
    Key ID
    kty String
    Key type
    e String
    RSA Exponent
    n String
    RSA Modulus
    x String
    X coordinate of the elliptic curve point
    y String
    Y coordinate of the elliptic curve point
    kid string
    Key ID
    kty string
    Key type
    e string
    RSA Exponent
    n string
    RSA Modulus
    x string
    X coordinate of the elliptic curve point
    y string
    Y coordinate of the elliptic curve point
    kid str
    Key ID
    kty str
    Key type
    e str
    RSA Exponent
    n str
    RSA Modulus
    x str
    X coordinate of the elliptic curve point
    y str
    Y coordinate of the elliptic curve point
    kid String
    Key ID
    kty String
    Key type
    e String
    RSA Exponent
    n String
    RSA Modulus
    x String
    X coordinate of the elliptic curve point
    y String
    Y coordinate of the elliptic curve point

    Import

    An OIDC Application can be imported via the Okta ID.

    $ pulumi import okta:app/oAuth:OAuth example &#60;app id&#62;
    

    Package Details

    Repository
    Okta pulumi/pulumi-okta
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the okta Terraform Provider.
    okta logo
    Okta v4.8.0 published on Saturday, Mar 2, 2024 by Pulumi