okta.app.OAuth
Explore with Pulumi AI
This resource allows you to create and configure an OIDC Application.
During an apply if there is change in
status
the app will first be activated or deactivated in accordance with thestatus
change. Then, all other arguments that changed will be applied.
Etc.
Resetting client secret
If the client secret needs to be reset run an apply with omit_secret
set to
true in the resource. This causes client_secret
to be set to blank. Remove
omit_secret
and run apply again. The resource will set a new client_secret
for the app.
Private Keys
The private key format that an Okta OAuth app expects is PKCS#8 (unencrypted).
The operator either uploads their own private key or Okta can generate one in
the Admin UI Panel under the apps Client Credentials. PKCS#8 format can be
identified by a header that starts with -----BEGIN PRIVATE KEY-----
. If the
operator has a PKCS#1 (unencrypted) format private key (the header starts with
-----BEGIN RSA PRIVATE KEY-----
) they can generate a PKCS#8 format
key with openssl
:
import * as pulumi from "@pulumi/pulumi";
import pulumi
using System.Collections.Generic;
using System.Linq;
using Pulumi;
return await Deployment.RunAsync(() =>
{
});
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
}
}
{}
Example Usage
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Okta = Pulumi.Okta;
return await Deployment.RunAsync(() =>
{
var example = new Okta.App.OAuth("example", new()
{
GrantTypes = new[]
{
"authorization_code",
},
Label = "example",
RedirectUris = new[]
{
"https://example.com/",
},
ResponseTypes = new[]
{
"code",
},
Type = "web",
});
});
package main
import (
"github.com/pulumi/pulumi-okta/sdk/v4/go/okta/app"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := app.NewOAuth(ctx, "example", &app.OAuthArgs{
GrantTypes: pulumi.StringArray{
pulumi.String("authorization_code"),
},
Label: pulumi.String("example"),
RedirectUris: pulumi.StringArray{
pulumi.String("https://example.com/"),
},
ResponseTypes: pulumi.StringArray{
pulumi.String("code"),
},
Type: pulumi.String("web"),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.okta.app.OAuth;
import com.pulumi.okta.app.OAuthArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new OAuth("example", OAuthArgs.builder()
.grantTypes("authorization_code")
.label("example")
.redirectUris("https://example.com/")
.responseTypes("code")
.type("web")
.build());
}
}
import pulumi
import pulumi_okta as okta
example = okta.app.OAuth("example",
grant_types=["authorization_code"],
label="example",
redirect_uris=["https://example.com/"],
response_types=["code"],
type="web")
import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";
const example = new okta.app.OAuth("example", {
grantTypes: ["authorization_code"],
label: "example",
redirectUris: ["https://example.com/"],
responseTypes: ["code"],
type: "web",
});
resources:
example:
type: okta:app:OAuth
properties:
grantTypes:
- authorization_code
label: example
redirectUris:
- https://example.com/
responseTypes:
- code
type: web
With JWKS value
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Okta = Pulumi.Okta;
return await Deployment.RunAsync(() =>
{
var example = new Okta.App.OAuth("example", new()
{
GrantTypes = new[]
{
"client_credentials",
},
Jwks = new[]
{
new Okta.App.Inputs.OAuthJwkArgs
{
E = "AQAB",
Kid = "SIGNING_KEY_RSA",
Kty = "RSA",
N = "xyz",
},
new Okta.App.Inputs.OAuthJwkArgs
{
Kid = "SIGNING_KEY_EC",
Kty = "EC",
X = "K37X78mXJHHldZYMzrwipjKR-YZUS2SMye0KindHp6I",
Y = "8IfvsvXWzbFWOZoVOMwgF5p46mUj3kbOVf9Fk0vVVHo",
},
},
Label = "example",
ResponseTypes = new[]
{
"token",
},
TokenEndpointAuthMethod = "private_key_jwt",
Type = "service",
});
});
package main
import (
"github.com/pulumi/pulumi-okta/sdk/v4/go/okta/app"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := app.NewOAuth(ctx, "example", &app.OAuthArgs{
GrantTypes: pulumi.StringArray{
pulumi.String("client_credentials"),
},
Jwks: app.OAuthJwkArray{
&app.OAuthJwkArgs{
E: pulumi.String("AQAB"),
Kid: pulumi.String("SIGNING_KEY_RSA"),
Kty: pulumi.String("RSA"),
N: pulumi.String("xyz"),
},
&app.OAuthJwkArgs{
Kid: pulumi.String("SIGNING_KEY_EC"),
Kty: pulumi.String("EC"),
X: pulumi.String("K37X78mXJHHldZYMzrwipjKR-YZUS2SMye0KindHp6I"),
Y: pulumi.String("8IfvsvXWzbFWOZoVOMwgF5p46mUj3kbOVf9Fk0vVVHo"),
},
},
Label: pulumi.String("example"),
ResponseTypes: pulumi.StringArray{
pulumi.String("token"),
},
TokenEndpointAuthMethod: pulumi.String("private_key_jwt"),
Type: pulumi.String("service"),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.okta.app.OAuth;
import com.pulumi.okta.app.OAuthArgs;
import com.pulumi.okta.app.inputs.OAuthJwkArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new OAuth("example", OAuthArgs.builder()
.grantTypes("client_credentials")
.jwks(
OAuthJwkArgs.builder()
.e("AQAB")
.kid("SIGNING_KEY_RSA")
.kty("RSA")
.n("xyz")
.build(),
OAuthJwkArgs.builder()
.kid("SIGNING_KEY_EC")
.kty("EC")
.x("K37X78mXJHHldZYMzrwipjKR-YZUS2SMye0KindHp6I")
.y("8IfvsvXWzbFWOZoVOMwgF5p46mUj3kbOVf9Fk0vVVHo")
.build())
.label("example")
.responseTypes("token")
.tokenEndpointAuthMethod("private_key_jwt")
.type("service")
.build());
}
}
import pulumi
import pulumi_okta as okta
example = okta.app.OAuth("example",
grant_types=["client_credentials"],
jwks=[
okta.app.OAuthJwkArgs(
e="AQAB",
kid="SIGNING_KEY_RSA",
kty="RSA",
n="xyz",
),
okta.app.OAuthJwkArgs(
kid="SIGNING_KEY_EC",
kty="EC",
x="K37X78mXJHHldZYMzrwipjKR-YZUS2SMye0KindHp6I",
y="8IfvsvXWzbFWOZoVOMwgF5p46mUj3kbOVf9Fk0vVVHo",
),
],
label="example",
response_types=["token"],
token_endpoint_auth_method="private_key_jwt",
type="service")
import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";
const example = new okta.app.OAuth("example", {
grantTypes: ["client_credentials"],
jwks: [
{
e: "AQAB",
kid: "SIGNING_KEY_RSA",
kty: "RSA",
n: "xyz",
},
{
kid: "SIGNING_KEY_EC",
kty: "EC",
x: "K37X78mXJHHldZYMzrwipjKR-YZUS2SMye0KindHp6I",
y: "8IfvsvXWzbFWOZoVOMwgF5p46mUj3kbOVf9Fk0vVVHo",
},
],
label: "example",
responseTypes: ["token"],
tokenEndpointAuthMethod: "private_key_jwt",
type: "service",
});
resources:
example:
type: okta:app:OAuth
properties:
grantTypes:
- client_credentials
jwks:
- e: AQAB
kid: SIGNING_KEY_RSA
kty: RSA
n: xyz
- kid: SIGNING_KEY_EC
kty: EC
x: K37X78mXJHHldZYMzrwipjKR-YZUS2SMye0KindHp6I
y: 8IfvsvXWzbFWOZoVOMwgF5p46mUj3kbOVf9Fk0vVVHo
label: example
responseTypes:
- token
tokenEndpointAuthMethod: private_key_jwt
type: service
Private Keys
using System.Collections.Generic;
using System.Linq;
using Pulumi;
return await Deployment.RunAsync(() =>
{
});
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
}
}
import pulumi
import * as pulumi from "@pulumi/pulumi";
{}
Create OAuth Resource
new OAuth(name: string, args: OAuthArgs, opts?: CustomResourceOptions);
@overload
def OAuth(resource_name: str,
opts: Optional[ResourceOptions] = None,
accessibility_error_redirect_url: Optional[str] = None,
accessibility_login_redirect_url: Optional[str] = None,
accessibility_self_service: Optional[bool] = None,
admin_note: Optional[str] = None,
app_links_json: Optional[str] = None,
app_settings_json: Optional[str] = None,
authentication_policy: Optional[str] = None,
auto_key_rotation: Optional[bool] = None,
auto_submit_toolbar: Optional[bool] = None,
client_basic_secret: Optional[str] = None,
client_id: Optional[str] = None,
client_uri: Optional[str] = None,
consent_method: Optional[str] = None,
enduser_note: Optional[str] = None,
grant_types: Optional[Sequence[str]] = None,
groups_claim: Optional[OAuthGroupsClaimArgs] = None,
hide_ios: Optional[bool] = None,
hide_web: Optional[bool] = None,
implicit_assignment: Optional[bool] = None,
issuer_mode: Optional[str] = None,
jwks: Optional[Sequence[OAuthJwkArgs]] = None,
jwks_uri: Optional[str] = None,
label: Optional[str] = None,
login_mode: Optional[str] = None,
login_scopes: Optional[Sequence[str]] = None,
login_uri: Optional[str] = None,
logo: Optional[str] = None,
logo_uri: Optional[str] = None,
omit_secret: Optional[bool] = None,
pkce_required: Optional[bool] = None,
policy_uri: Optional[str] = None,
post_logout_redirect_uris: Optional[Sequence[str]] = None,
profile: Optional[str] = None,
redirect_uris: Optional[Sequence[str]] = None,
refresh_token_leeway: Optional[int] = None,
refresh_token_rotation: Optional[str] = None,
response_types: Optional[Sequence[str]] = None,
status: Optional[str] = None,
token_endpoint_auth_method: Optional[str] = None,
tos_uri: Optional[str] = None,
type: Optional[str] = None,
user_name_template: Optional[str] = None,
user_name_template_push_status: Optional[str] = None,
user_name_template_suffix: Optional[str] = None,
user_name_template_type: Optional[str] = None,
wildcard_redirect: Optional[str] = None)
@overload
def OAuth(resource_name: str,
args: OAuthArgs,
opts: Optional[ResourceOptions] = None)
func NewOAuth(ctx *Context, name string, args OAuthArgs, opts ...ResourceOption) (*OAuth, error)
public OAuth(string name, OAuthArgs args, CustomResourceOptions? opts = null)
type: okta:app:OAuth
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args OAuthArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args OAuthArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args OAuthArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args OAuthArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args OAuthArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
OAuth Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The OAuth resource accepts the following input properties:
- Label string
- The Application's display name.
- Type string
- The type of OAuth application. Valid values:
"web"
,"native"
,"browser"
,"service"
. For SPA apps usebrowser
. - Accessibility
Error stringRedirect Url - Custom error page URL.
- Accessibility
Login stringRedirect Url - Custom login page for this application.
- Accessibility
Self boolService - Enable self-service. By default, it is
false
. - Admin
Note string - Application notes for admins.
- App
Links stringJson - Displays specific appLinks for the app. The value for each application link should be boolean.
- App
Settings stringJson - Application settings in JSON format.
- Authentication
Policy string - The ID of the associated
app_signon_policy
. If this property is removed from the application thedefault
sign-on-policy will be associated with this application. - Auto
Key boolRotation - Requested key rotation mode. If
auto_key_rotation
isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - Auto
Submit boolToolbar - Display auto submit toolbar.
- Client
Basic stringSecret - The user provided OAuth client secret key value, this can be set when
token_endpoint_auth_method
is"client_secret_basic"
. This does nothing whenomit_secret
is set to true. - Client
Id string - OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- Client
Uri string - URI to a web page providing information about the client.
- Consent
Method string - Indicates whether user consent is required or implicit. Valid values:
"REQUIRED"
,"TRUSTED"
. Default value is"TRUSTED"
. - Enduser
Note string - Application notes for end users.
- Grant
Types List<string> - List of OAuth 2.0 grant types. Conditional validation params found here.
Defaults to minimum requirements per app type. Valid values:
"authorization_code"
,"implicit"
,"password"
,"refresh_token"
,"client_credentials"
,"urn:ietf:params:oauth:grant-type:saml2-bearer"
(Early Access Property),"urn:ietf:params:oauth:grant-type:token-exchange"
(Early Access Property),"interaction_code"
(OIE only). - Groups
Claim OAuthGroups Claim - Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
- Hide
Ios bool - Do not display application icon on mobile app.
- Hide
Web bool - Do not display application icon to users.
- Implicit
Assignment bool - Early Access Property. Enables Federation Broker Mode. When this mode is enabled,
users
andgroups
arguments are ignored. - Issuer
Mode string - Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Valid values:
"CUSTOM_URL"
,"ORG_URL"
or"DYNAMIC"
. Default is"ORG_URL"
. - Jwks
List<OAuth
Jwk> - JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
- Jwks
Uri string - URL of the custom authorization server's JSON Web Key Set document.
- Login
Mode string - The type of Idp-Initiated login that the client supports, if any. Valid values:
"DISABLED"
,"SPEC"
,"OKTA"
. Default is"DISABLED"
. - Login
Scopes List<string> - List of scopes to use for the request. Valid values:
"openid"
,"profile"
,"email"
,"address"
,"phone"
. Required whenlogin_mode
is NOTDISABLED
. - Login
Uri string - URI that initiates login. Required when
login_mode
is NOTDISABLED
. - Logo string
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- Logo
Uri string - URI that references a logo for the client.
- Omit
Secret bool - This tells the provider not manage the
client_secret
value in state. When this is false (the default), it will cause the auto-generatedclient_secret
to be persisted in theclient_secret
attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, theclient_secret
is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - Pkce
Required bool - Require Proof Key for Code Exchange (PKCE) for
additional verification. If
pkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - Policy
Uri string - URI to web page providing client policy document.
- Post
Logout List<string>Redirect Uris - List of URIs for redirection after logout.
- Profile string
- Custom JSON that represents an OAuth application's profile.
- Redirect
Uris List<string> - List of URIs for use in the redirect-based flow. This is required for all application types except service.
- Refresh
Token intLeeway - Grace period for token rotation. Valid values: 0 to 60 seconds.
- Refresh
Token stringRotation - Refresh token rotation behavior. Valid values:
"STATIC"
or"ROTATE"
. - Response
Types List<string> - List of OAuth 2.0 response type strings. Array
values of
"code"
,"token"
,"id_token"
. Thegrant_types
andresponse_types
values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that thegrant_types
available to a client influence theresponse_types
that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies aresponse_types
value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application - Status string
- The status of the application, by default, it is
"ACTIVE"
. - Token
Endpoint stringAuth Method - Requested authentication method for
the token endpoint. It can be set to
"none"
,"client_secret_post"
,"client_secret_basic"
,"client_secret_jwt"
,"private_key_jwt"
. Usepkce_required
to require PKCE for your confidential clients using the Authorization Code flow. If"token_endpoint_auth_method"
is"none"
,pkce_required
needs to betrue
. Ifpkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - Tos
Uri string - URI to web page providing client tos (terms of service).
- User
Name stringTemplate - Username template. Default:
"${source.login}"
- User
Name stringTemplate Push Status - Push username on update. Valid values:
"PUSH"
and"DONT_PUSH"
. - User
Name stringTemplate Suffix - Username template suffix.
- User
Name stringTemplate Type - Username template type. Default:
"BUILT_IN"
. - Wildcard
Redirect string - Early Access Property. Indicates if the client is allowed to use wildcard matching of
redirect_uris
. Valid values:"DISABLED"
,"SUBDOMAIN"
. Default value is"DISABLED"
.
- Label string
- The Application's display name.
- Type string
- The type of OAuth application. Valid values:
"web"
,"native"
,"browser"
,"service"
. For SPA apps usebrowser
. - Accessibility
Error stringRedirect Url - Custom error page URL.
- Accessibility
Login stringRedirect Url - Custom login page for this application.
- Accessibility
Self boolService - Enable self-service. By default, it is
false
. - Admin
Note string - Application notes for admins.
- App
Links stringJson - Displays specific appLinks for the app. The value for each application link should be boolean.
- App
Settings stringJson - Application settings in JSON format.
- Authentication
Policy string - The ID of the associated
app_signon_policy
. If this property is removed from the application thedefault
sign-on-policy will be associated with this application. - Auto
Key boolRotation - Requested key rotation mode. If
auto_key_rotation
isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - Auto
Submit boolToolbar - Display auto submit toolbar.
- Client
Basic stringSecret - The user provided OAuth client secret key value, this can be set when
token_endpoint_auth_method
is"client_secret_basic"
. This does nothing whenomit_secret
is set to true. - Client
Id string - OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- Client
Uri string - URI to a web page providing information about the client.
- Consent
Method string - Indicates whether user consent is required or implicit. Valid values:
"REQUIRED"
,"TRUSTED"
. Default value is"TRUSTED"
. - Enduser
Note string - Application notes for end users.
- Grant
Types []string - List of OAuth 2.0 grant types. Conditional validation params found here.
Defaults to minimum requirements per app type. Valid values:
"authorization_code"
,"implicit"
,"password"
,"refresh_token"
,"client_credentials"
,"urn:ietf:params:oauth:grant-type:saml2-bearer"
(Early Access Property),"urn:ietf:params:oauth:grant-type:token-exchange"
(Early Access Property),"interaction_code"
(OIE only). - Groups
Claim OAuthGroups Claim Args - Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
- Hide
Ios bool - Do not display application icon on mobile app.
- Hide
Web bool - Do not display application icon to users.
- Implicit
Assignment bool - Early Access Property. Enables Federation Broker Mode. When this mode is enabled,
users
andgroups
arguments are ignored. - Issuer
Mode string - Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Valid values:
"CUSTOM_URL"
,"ORG_URL"
or"DYNAMIC"
. Default is"ORG_URL"
. - Jwks
[]OAuth
Jwk Args - JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
- Jwks
Uri string - URL of the custom authorization server's JSON Web Key Set document.
- Login
Mode string - The type of Idp-Initiated login that the client supports, if any. Valid values:
"DISABLED"
,"SPEC"
,"OKTA"
. Default is"DISABLED"
. - Login
Scopes []string - List of scopes to use for the request. Valid values:
"openid"
,"profile"
,"email"
,"address"
,"phone"
. Required whenlogin_mode
is NOTDISABLED
. - Login
Uri string - URI that initiates login. Required when
login_mode
is NOTDISABLED
. - Logo string
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- Logo
Uri string - URI that references a logo for the client.
- Omit
Secret bool - This tells the provider not manage the
client_secret
value in state. When this is false (the default), it will cause the auto-generatedclient_secret
to be persisted in theclient_secret
attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, theclient_secret
is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - Pkce
Required bool - Require Proof Key for Code Exchange (PKCE) for
additional verification. If
pkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - Policy
Uri string - URI to web page providing client policy document.
- Post
Logout []stringRedirect Uris - List of URIs for redirection after logout.
- Profile string
- Custom JSON that represents an OAuth application's profile.
- Redirect
Uris []string - List of URIs for use in the redirect-based flow. This is required for all application types except service.
- Refresh
Token intLeeway - Grace period for token rotation. Valid values: 0 to 60 seconds.
- Refresh
Token stringRotation - Refresh token rotation behavior. Valid values:
"STATIC"
or"ROTATE"
. - Response
Types []string - List of OAuth 2.0 response type strings. Array
values of
"code"
,"token"
,"id_token"
. Thegrant_types
andresponse_types
values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that thegrant_types
available to a client influence theresponse_types
that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies aresponse_types
value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application - Status string
- The status of the application, by default, it is
"ACTIVE"
. - Token
Endpoint stringAuth Method - Requested authentication method for
the token endpoint. It can be set to
"none"
,"client_secret_post"
,"client_secret_basic"
,"client_secret_jwt"
,"private_key_jwt"
. Usepkce_required
to require PKCE for your confidential clients using the Authorization Code flow. If"token_endpoint_auth_method"
is"none"
,pkce_required
needs to betrue
. Ifpkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - Tos
Uri string - URI to web page providing client tos (terms of service).
- User
Name stringTemplate - Username template. Default:
"${source.login}"
- User
Name stringTemplate Push Status - Push username on update. Valid values:
"PUSH"
and"DONT_PUSH"
. - User
Name stringTemplate Suffix - Username template suffix.
- User
Name stringTemplate Type - Username template type. Default:
"BUILT_IN"
. - Wildcard
Redirect string - Early Access Property. Indicates if the client is allowed to use wildcard matching of
redirect_uris
. Valid values:"DISABLED"
,"SUBDOMAIN"
. Default value is"DISABLED"
.
- label String
- The Application's display name.
- type String
- The type of OAuth application. Valid values:
"web"
,"native"
,"browser"
,"service"
. For SPA apps usebrowser
. - accessibility
Error StringRedirect Url - Custom error page URL.
- accessibility
Login StringRedirect Url - Custom login page for this application.
- accessibility
Self BooleanService - Enable self-service. By default, it is
false
. - admin
Note String - Application notes for admins.
- app
Links StringJson - Displays specific appLinks for the app. The value for each application link should be boolean.
- app
Settings StringJson - Application settings in JSON format.
- authentication
Policy String - The ID of the associated
app_signon_policy
. If this property is removed from the application thedefault
sign-on-policy will be associated with this application. - auto
Key BooleanRotation - Requested key rotation mode. If
auto_key_rotation
isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - auto
Submit BooleanToolbar - Display auto submit toolbar.
- client
Basic StringSecret - The user provided OAuth client secret key value, this can be set when
token_endpoint_auth_method
is"client_secret_basic"
. This does nothing whenomit_secret
is set to true. - client
Id String - OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- client
Uri String - URI to a web page providing information about the client.
- consent
Method String - Indicates whether user consent is required or implicit. Valid values:
"REQUIRED"
,"TRUSTED"
. Default value is"TRUSTED"
. - enduser
Note String - Application notes for end users.
- grant
Types List<String> - List of OAuth 2.0 grant types. Conditional validation params found here.
Defaults to minimum requirements per app type. Valid values:
"authorization_code"
,"implicit"
,"password"
,"refresh_token"
,"client_credentials"
,"urn:ietf:params:oauth:grant-type:saml2-bearer"
(Early Access Property),"urn:ietf:params:oauth:grant-type:token-exchange"
(Early Access Property),"interaction_code"
(OIE only). - groups
Claim OAuthGroups Claim - Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
- hide
Ios Boolean - Do not display application icon on mobile app.
- hide
Web Boolean - Do not display application icon to users.
- implicit
Assignment Boolean - Early Access Property. Enables Federation Broker Mode. When this mode is enabled,
users
andgroups
arguments are ignored. - issuer
Mode String - Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Valid values:
"CUSTOM_URL"
,"ORG_URL"
or"DYNAMIC"
. Default is"ORG_URL"
. - jwks
List<OAuth
Jwk> - JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
- jwks
Uri String - URL of the custom authorization server's JSON Web Key Set document.
- login
Mode String - The type of Idp-Initiated login that the client supports, if any. Valid values:
"DISABLED"
,"SPEC"
,"OKTA"
. Default is"DISABLED"
. - login
Scopes List<String> - List of scopes to use for the request. Valid values:
"openid"
,"profile"
,"email"
,"address"
,"phone"
. Required whenlogin_mode
is NOTDISABLED
. - login
Uri String - URI that initiates login. Required when
login_mode
is NOTDISABLED
. - logo String
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- logo
Uri String - URI that references a logo for the client.
- omit
Secret Boolean - This tells the provider not manage the
client_secret
value in state. When this is false (the default), it will cause the auto-generatedclient_secret
to be persisted in theclient_secret
attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, theclient_secret
is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - pkce
Required Boolean - Require Proof Key for Code Exchange (PKCE) for
additional verification. If
pkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - policy
Uri String - URI to web page providing client policy document.
- post
Logout List<String>Redirect Uris - List of URIs for redirection after logout.
- profile String
- Custom JSON that represents an OAuth application's profile.
- redirect
Uris List<String> - List of URIs for use in the redirect-based flow. This is required for all application types except service.
- refresh
Token IntegerLeeway - Grace period for token rotation. Valid values: 0 to 60 seconds.
- refresh
Token StringRotation - Refresh token rotation behavior. Valid values:
"STATIC"
or"ROTATE"
. - response
Types List<String> - List of OAuth 2.0 response type strings. Array
values of
"code"
,"token"
,"id_token"
. Thegrant_types
andresponse_types
values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that thegrant_types
available to a client influence theresponse_types
that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies aresponse_types
value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application - status String
- The status of the application, by default, it is
"ACTIVE"
. - token
Endpoint StringAuth Method - Requested authentication method for
the token endpoint. It can be set to
"none"
,"client_secret_post"
,"client_secret_basic"
,"client_secret_jwt"
,"private_key_jwt"
. Usepkce_required
to require PKCE for your confidential clients using the Authorization Code flow. If"token_endpoint_auth_method"
is"none"
,pkce_required
needs to betrue
. Ifpkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - tos
Uri String - URI to web page providing client tos (terms of service).
- user
Name StringTemplate - Username template. Default:
"${source.login}"
- user
Name StringTemplate Push Status - Push username on update. Valid values:
"PUSH"
and"DONT_PUSH"
. - user
Name StringTemplate Suffix - Username template suffix.
- user
Name StringTemplate Type - Username template type. Default:
"BUILT_IN"
. - wildcard
Redirect String - Early Access Property. Indicates if the client is allowed to use wildcard matching of
redirect_uris
. Valid values:"DISABLED"
,"SUBDOMAIN"
. Default value is"DISABLED"
.
- label string
- The Application's display name.
- type string
- The type of OAuth application. Valid values:
"web"
,"native"
,"browser"
,"service"
. For SPA apps usebrowser
. - accessibility
Error stringRedirect Url - Custom error page URL.
- accessibility
Login stringRedirect Url - Custom login page for this application.
- accessibility
Self booleanService - Enable self-service. By default, it is
false
. - admin
Note string - Application notes for admins.
- app
Links stringJson - Displays specific appLinks for the app. The value for each application link should be boolean.
- app
Settings stringJson - Application settings in JSON format.
- authentication
Policy string - The ID of the associated
app_signon_policy
. If this property is removed from the application thedefault
sign-on-policy will be associated with this application. - auto
Key booleanRotation - Requested key rotation mode. If
auto_key_rotation
isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - auto
Submit booleanToolbar - Display auto submit toolbar.
- client
Basic stringSecret - The user provided OAuth client secret key value, this can be set when
token_endpoint_auth_method
is"client_secret_basic"
. This does nothing whenomit_secret
is set to true. - client
Id string - OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- client
Uri string - URI to a web page providing information about the client.
- consent
Method string - Indicates whether user consent is required or implicit. Valid values:
"REQUIRED"
,"TRUSTED"
. Default value is"TRUSTED"
. - enduser
Note string - Application notes for end users.
- grant
Types string[] - List of OAuth 2.0 grant types. Conditional validation params found here.
Defaults to minimum requirements per app type. Valid values:
"authorization_code"
,"implicit"
,"password"
,"refresh_token"
,"client_credentials"
,"urn:ietf:params:oauth:grant-type:saml2-bearer"
(Early Access Property),"urn:ietf:params:oauth:grant-type:token-exchange"
(Early Access Property),"interaction_code"
(OIE only). - groups
Claim OAuthGroups Claim - Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
- hide
Ios boolean - Do not display application icon on mobile app.
- hide
Web boolean - Do not display application icon to users.
- implicit
Assignment boolean - Early Access Property. Enables Federation Broker Mode. When this mode is enabled,
users
andgroups
arguments are ignored. - issuer
Mode string - Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Valid values:
"CUSTOM_URL"
,"ORG_URL"
or"DYNAMIC"
. Default is"ORG_URL"
. - jwks
OAuth
Jwk[] - JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
- jwks
Uri string - URL of the custom authorization server's JSON Web Key Set document.
- login
Mode string - The type of Idp-Initiated login that the client supports, if any. Valid values:
"DISABLED"
,"SPEC"
,"OKTA"
. Default is"DISABLED"
. - login
Scopes string[] - List of scopes to use for the request. Valid values:
"openid"
,"profile"
,"email"
,"address"
,"phone"
. Required whenlogin_mode
is NOTDISABLED
. - login
Uri string - URI that initiates login. Required when
login_mode
is NOTDISABLED
. - logo string
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- logo
Uri string - URI that references a logo for the client.
- omit
Secret boolean - This tells the provider not manage the
client_secret
value in state. When this is false (the default), it will cause the auto-generatedclient_secret
to be persisted in theclient_secret
attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, theclient_secret
is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - pkce
Required boolean - Require Proof Key for Code Exchange (PKCE) for
additional verification. If
pkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - policy
Uri string - URI to web page providing client policy document.
- post
Logout string[]Redirect Uris - List of URIs for redirection after logout.
- profile string
- Custom JSON that represents an OAuth application's profile.
- redirect
Uris string[] - List of URIs for use in the redirect-based flow. This is required for all application types except service.
- refresh
Token numberLeeway - Grace period for token rotation. Valid values: 0 to 60 seconds.
- refresh
Token stringRotation - Refresh token rotation behavior. Valid values:
"STATIC"
or"ROTATE"
. - response
Types string[] - List of OAuth 2.0 response type strings. Array
values of
"code"
,"token"
,"id_token"
. Thegrant_types
andresponse_types
values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that thegrant_types
available to a client influence theresponse_types
that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies aresponse_types
value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application - status string
- The status of the application, by default, it is
"ACTIVE"
. - token
Endpoint stringAuth Method - Requested authentication method for
the token endpoint. It can be set to
"none"
,"client_secret_post"
,"client_secret_basic"
,"client_secret_jwt"
,"private_key_jwt"
. Usepkce_required
to require PKCE for your confidential clients using the Authorization Code flow. If"token_endpoint_auth_method"
is"none"
,pkce_required
needs to betrue
. Ifpkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - tos
Uri string - URI to web page providing client tos (terms of service).
- user
Name stringTemplate - Username template. Default:
"${source.login}"
- user
Name stringTemplate Push Status - Push username on update. Valid values:
"PUSH"
and"DONT_PUSH"
. - user
Name stringTemplate Suffix - Username template suffix.
- user
Name stringTemplate Type - Username template type. Default:
"BUILT_IN"
. - wildcard
Redirect string - Early Access Property. Indicates if the client is allowed to use wildcard matching of
redirect_uris
. Valid values:"DISABLED"
,"SUBDOMAIN"
. Default value is"DISABLED"
.
- label str
- The Application's display name.
- type str
- The type of OAuth application. Valid values:
"web"
,"native"
,"browser"
,"service"
. For SPA apps usebrowser
. - accessibility_
error_ strredirect_ url - Custom error page URL.
- accessibility_
login_ strredirect_ url - Custom login page for this application.
- accessibility_
self_ boolservice - Enable self-service. By default, it is
false
. - admin_
note str - Application notes for admins.
- app_
links_ strjson - Displays specific appLinks for the app. The value for each application link should be boolean.
- app_
settings_ strjson - Application settings in JSON format.
- authentication_
policy str - The ID of the associated
app_signon_policy
. If this property is removed from the application thedefault
sign-on-policy will be associated with this application. - auto_
key_ boolrotation - Requested key rotation mode. If
auto_key_rotation
isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - auto_
submit_ booltoolbar - Display auto submit toolbar.
- client_
basic_ strsecret - The user provided OAuth client secret key value, this can be set when
token_endpoint_auth_method
is"client_secret_basic"
. This does nothing whenomit_secret
is set to true. - client_
id str - OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- client_
uri str - URI to a web page providing information about the client.
- consent_
method str - Indicates whether user consent is required or implicit. Valid values:
"REQUIRED"
,"TRUSTED"
. Default value is"TRUSTED"
. - enduser_
note str - Application notes for end users.
- grant_
types Sequence[str] - List of OAuth 2.0 grant types. Conditional validation params found here.
Defaults to minimum requirements per app type. Valid values:
"authorization_code"
,"implicit"
,"password"
,"refresh_token"
,"client_credentials"
,"urn:ietf:params:oauth:grant-type:saml2-bearer"
(Early Access Property),"urn:ietf:params:oauth:grant-type:token-exchange"
(Early Access Property),"interaction_code"
(OIE only). - groups_
claim OAuthGroups Claim Args - Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
- hide_
ios bool - Do not display application icon on mobile app.
- hide_
web bool - Do not display application icon to users.
- implicit_
assignment bool - Early Access Property. Enables Federation Broker Mode. When this mode is enabled,
users
andgroups
arguments are ignored. - issuer_
mode str - Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Valid values:
"CUSTOM_URL"
,"ORG_URL"
or"DYNAMIC"
. Default is"ORG_URL"
. - jwks
Sequence[OAuth
Jwk Args] - JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
- jwks_
uri str - URL of the custom authorization server's JSON Web Key Set document.
- login_
mode str - The type of Idp-Initiated login that the client supports, if any. Valid values:
"DISABLED"
,"SPEC"
,"OKTA"
. Default is"DISABLED"
. - login_
scopes Sequence[str] - List of scopes to use for the request. Valid values:
"openid"
,"profile"
,"email"
,"address"
,"phone"
. Required whenlogin_mode
is NOTDISABLED
. - login_
uri str - URI that initiates login. Required when
login_mode
is NOTDISABLED
. - logo str
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- logo_
uri str - URI that references a logo for the client.
- omit_
secret bool - This tells the provider not manage the
client_secret
value in state. When this is false (the default), it will cause the auto-generatedclient_secret
to be persisted in theclient_secret
attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, theclient_secret
is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - pkce_
required bool - Require Proof Key for Code Exchange (PKCE) for
additional verification. If
pkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - policy_
uri str - URI to web page providing client policy document.
- post_
logout_ Sequence[str]redirect_ uris - List of URIs for redirection after logout.
- profile str
- Custom JSON that represents an OAuth application's profile.
- redirect_
uris Sequence[str] - List of URIs for use in the redirect-based flow. This is required for all application types except service.
- refresh_
token_ intleeway - Grace period for token rotation. Valid values: 0 to 60 seconds.
- refresh_
token_ strrotation - Refresh token rotation behavior. Valid values:
"STATIC"
or"ROTATE"
. - response_
types Sequence[str] - List of OAuth 2.0 response type strings. Array
values of
"code"
,"token"
,"id_token"
. Thegrant_types
andresponse_types
values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that thegrant_types
available to a client influence theresponse_types
that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies aresponse_types
value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application - status str
- The status of the application, by default, it is
"ACTIVE"
. - token_
endpoint_ strauth_ method - Requested authentication method for
the token endpoint. It can be set to
"none"
,"client_secret_post"
,"client_secret_basic"
,"client_secret_jwt"
,"private_key_jwt"
. Usepkce_required
to require PKCE for your confidential clients using the Authorization Code flow. If"token_endpoint_auth_method"
is"none"
,pkce_required
needs to betrue
. Ifpkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - tos_
uri str - URI to web page providing client tos (terms of service).
- user_
name_ strtemplate - Username template. Default:
"${source.login}"
- user_
name_ strtemplate_ push_ status - Push username on update. Valid values:
"PUSH"
and"DONT_PUSH"
. - user_
name_ strtemplate_ suffix - Username template suffix.
- user_
name_ strtemplate_ type - Username template type. Default:
"BUILT_IN"
. - wildcard_
redirect str - Early Access Property. Indicates if the client is allowed to use wildcard matching of
redirect_uris
. Valid values:"DISABLED"
,"SUBDOMAIN"
. Default value is"DISABLED"
.
- label String
- The Application's display name.
- type String
- The type of OAuth application. Valid values:
"web"
,"native"
,"browser"
,"service"
. For SPA apps usebrowser
. - accessibility
Error StringRedirect Url - Custom error page URL.
- accessibility
Login StringRedirect Url - Custom login page for this application.
- accessibility
Self BooleanService - Enable self-service. By default, it is
false
. - admin
Note String - Application notes for admins.
- app
Links StringJson - Displays specific appLinks for the app. The value for each application link should be boolean.
- app
Settings StringJson - Application settings in JSON format.
- authentication
Policy String - The ID of the associated
app_signon_policy
. If this property is removed from the application thedefault
sign-on-policy will be associated with this application. - auto
Key BooleanRotation - Requested key rotation mode. If
auto_key_rotation
isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - auto
Submit BooleanToolbar - Display auto submit toolbar.
- client
Basic StringSecret - The user provided OAuth client secret key value, this can be set when
token_endpoint_auth_method
is"client_secret_basic"
. This does nothing whenomit_secret
is set to true. - client
Id String - OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- client
Uri String - URI to a web page providing information about the client.
- consent
Method String - Indicates whether user consent is required or implicit. Valid values:
"REQUIRED"
,"TRUSTED"
. Default value is"TRUSTED"
. - enduser
Note String - Application notes for end users.
- grant
Types List<String> - List of OAuth 2.0 grant types. Conditional validation params found here.
Defaults to minimum requirements per app type. Valid values:
"authorization_code"
,"implicit"
,"password"
,"refresh_token"
,"client_credentials"
,"urn:ietf:params:oauth:grant-type:saml2-bearer"
(Early Access Property),"urn:ietf:params:oauth:grant-type:token-exchange"
(Early Access Property),"interaction_code"
(OIE only). - groups
Claim Property Map - Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
- hide
Ios Boolean - Do not display application icon on mobile app.
- hide
Web Boolean - Do not display application icon to users.
- implicit
Assignment Boolean - Early Access Property. Enables Federation Broker Mode. When this mode is enabled,
users
andgroups
arguments are ignored. - issuer
Mode String - Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Valid values:
"CUSTOM_URL"
,"ORG_URL"
or"DYNAMIC"
. Default is"ORG_URL"
. - jwks List<Property Map>
- JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
- jwks
Uri String - URL of the custom authorization server's JSON Web Key Set document.
- login
Mode String - The type of Idp-Initiated login that the client supports, if any. Valid values:
"DISABLED"
,"SPEC"
,"OKTA"
. Default is"DISABLED"
. - login
Scopes List<String> - List of scopes to use for the request. Valid values:
"openid"
,"profile"
,"email"
,"address"
,"phone"
. Required whenlogin_mode
is NOTDISABLED
. - login
Uri String - URI that initiates login. Required when
login_mode
is NOTDISABLED
. - logo String
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- logo
Uri String - URI that references a logo for the client.
- omit
Secret Boolean - This tells the provider not manage the
client_secret
value in state. When this is false (the default), it will cause the auto-generatedclient_secret
to be persisted in theclient_secret
attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, theclient_secret
is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - pkce
Required Boolean - Require Proof Key for Code Exchange (PKCE) for
additional verification. If
pkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - policy
Uri String - URI to web page providing client policy document.
- post
Logout List<String>Redirect Uris - List of URIs for redirection after logout.
- profile String
- Custom JSON that represents an OAuth application's profile.
- redirect
Uris List<String> - List of URIs for use in the redirect-based flow. This is required for all application types except service.
- refresh
Token NumberLeeway - Grace period for token rotation. Valid values: 0 to 60 seconds.
- refresh
Token StringRotation - Refresh token rotation behavior. Valid values:
"STATIC"
or"ROTATE"
. - response
Types List<String> - List of OAuth 2.0 response type strings. Array
values of
"code"
,"token"
,"id_token"
. Thegrant_types
andresponse_types
values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that thegrant_types
available to a client influence theresponse_types
that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies aresponse_types
value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application - status String
- The status of the application, by default, it is
"ACTIVE"
. - token
Endpoint StringAuth Method - Requested authentication method for
the token endpoint. It can be set to
"none"
,"client_secret_post"
,"client_secret_basic"
,"client_secret_jwt"
,"private_key_jwt"
. Usepkce_required
to require PKCE for your confidential clients using the Authorization Code flow. If"token_endpoint_auth_method"
is"none"
,pkce_required
needs to betrue
. Ifpkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - tos
Uri String - URI to web page providing client tos (terms of service).
- user
Name StringTemplate - Username template. Default:
"${source.login}"
- user
Name StringTemplate Push Status - Push username on update. Valid values:
"PUSH"
and"DONT_PUSH"
. - user
Name StringTemplate Suffix - Username template suffix.
- user
Name StringTemplate Type - Username template type. Default:
"BUILT_IN"
. - wildcard
Redirect String - Early Access Property. Indicates if the client is allowed to use wildcard matching of
redirect_uris
. Valid values:"DISABLED"
,"SUBDOMAIN"
. Default value is"DISABLED"
.
Outputs
All input properties are implicitly available as output properties. Additionally, the OAuth resource produces the following output properties:
- Client
Secret string - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- Id string
- The provider-assigned unique ID for this managed resource.
- Logo
Url string - Direct link of application logo.
- Name string
- Name of the claim that will be used in the token.
- Sign
On stringMode - Sign-on mode of application.
- Client
Secret string - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- Id string
- The provider-assigned unique ID for this managed resource.
- Logo
Url string - Direct link of application logo.
- Name string
- Name of the claim that will be used in the token.
- Sign
On stringMode - Sign-on mode of application.
- client
Secret String - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- id String
- The provider-assigned unique ID for this managed resource.
- logo
Url String - Direct link of application logo.
- name String
- Name of the claim that will be used in the token.
- sign
On StringMode - Sign-on mode of application.
- client
Secret string - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- id string
- The provider-assigned unique ID for this managed resource.
- logo
Url string - Direct link of application logo.
- name string
- Name of the claim that will be used in the token.
- sign
On stringMode - Sign-on mode of application.
- client_
secret str - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- id str
- The provider-assigned unique ID for this managed resource.
- logo_
url str - Direct link of application logo.
- name str
- Name of the claim that will be used in the token.
- sign_
on_ strmode - Sign-on mode of application.
- client
Secret String - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- id String
- The provider-assigned unique ID for this managed resource.
- logo
Url String - Direct link of application logo.
- name String
- Name of the claim that will be used in the token.
- sign
On StringMode - Sign-on mode of application.
Look up Existing OAuth Resource
Get an existing OAuth resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: OAuthState, opts?: CustomResourceOptions): OAuth
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
accessibility_error_redirect_url: Optional[str] = None,
accessibility_login_redirect_url: Optional[str] = None,
accessibility_self_service: Optional[bool] = None,
admin_note: Optional[str] = None,
app_links_json: Optional[str] = None,
app_settings_json: Optional[str] = None,
authentication_policy: Optional[str] = None,
auto_key_rotation: Optional[bool] = None,
auto_submit_toolbar: Optional[bool] = None,
client_basic_secret: Optional[str] = None,
client_id: Optional[str] = None,
client_secret: Optional[str] = None,
client_uri: Optional[str] = None,
consent_method: Optional[str] = None,
enduser_note: Optional[str] = None,
grant_types: Optional[Sequence[str]] = None,
groups_claim: Optional[OAuthGroupsClaimArgs] = None,
hide_ios: Optional[bool] = None,
hide_web: Optional[bool] = None,
implicit_assignment: Optional[bool] = None,
issuer_mode: Optional[str] = None,
jwks: Optional[Sequence[OAuthJwkArgs]] = None,
jwks_uri: Optional[str] = None,
label: Optional[str] = None,
login_mode: Optional[str] = None,
login_scopes: Optional[Sequence[str]] = None,
login_uri: Optional[str] = None,
logo: Optional[str] = None,
logo_uri: Optional[str] = None,
logo_url: Optional[str] = None,
name: Optional[str] = None,
omit_secret: Optional[bool] = None,
pkce_required: Optional[bool] = None,
policy_uri: Optional[str] = None,
post_logout_redirect_uris: Optional[Sequence[str]] = None,
profile: Optional[str] = None,
redirect_uris: Optional[Sequence[str]] = None,
refresh_token_leeway: Optional[int] = None,
refresh_token_rotation: Optional[str] = None,
response_types: Optional[Sequence[str]] = None,
sign_on_mode: Optional[str] = None,
status: Optional[str] = None,
token_endpoint_auth_method: Optional[str] = None,
tos_uri: Optional[str] = None,
type: Optional[str] = None,
user_name_template: Optional[str] = None,
user_name_template_push_status: Optional[str] = None,
user_name_template_suffix: Optional[str] = None,
user_name_template_type: Optional[str] = None,
wildcard_redirect: Optional[str] = None) -> OAuth
func GetOAuth(ctx *Context, name string, id IDInput, state *OAuthState, opts ...ResourceOption) (*OAuth, error)
public static OAuth Get(string name, Input<string> id, OAuthState? state, CustomResourceOptions? opts = null)
public static OAuth get(String name, Output<String> id, OAuthState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Accessibility
Error stringRedirect Url - Custom error page URL.
- Accessibility
Login stringRedirect Url - Custom login page for this application.
- Accessibility
Self boolService - Enable self-service. By default, it is
false
. - Admin
Note string - Application notes for admins.
- App
Links stringJson - Displays specific appLinks for the app. The value for each application link should be boolean.
- App
Settings stringJson - Application settings in JSON format.
- Authentication
Policy string - The ID of the associated
app_signon_policy
. If this property is removed from the application thedefault
sign-on-policy will be associated with this application. - Auto
Key boolRotation - Requested key rotation mode. If
auto_key_rotation
isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - Auto
Submit boolToolbar - Display auto submit toolbar.
- Client
Basic stringSecret - The user provided OAuth client secret key value, this can be set when
token_endpoint_auth_method
is"client_secret_basic"
. This does nothing whenomit_secret
is set to true. - Client
Id string - OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- Client
Secret string - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- Client
Uri string - URI to a web page providing information about the client.
- Consent
Method string - Indicates whether user consent is required or implicit. Valid values:
"REQUIRED"
,"TRUSTED"
. Default value is"TRUSTED"
. - Enduser
Note string - Application notes for end users.
- Grant
Types List<string> - List of OAuth 2.0 grant types. Conditional validation params found here.
Defaults to minimum requirements per app type. Valid values:
"authorization_code"
,"implicit"
,"password"
,"refresh_token"
,"client_credentials"
,"urn:ietf:params:oauth:grant-type:saml2-bearer"
(Early Access Property),"urn:ietf:params:oauth:grant-type:token-exchange"
(Early Access Property),"interaction_code"
(OIE only). - Groups
Claim OAuthGroups Claim - Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
- Hide
Ios bool - Do not display application icon on mobile app.
- Hide
Web bool - Do not display application icon to users.
- Implicit
Assignment bool - Early Access Property. Enables Federation Broker Mode. When this mode is enabled,
users
andgroups
arguments are ignored. - Issuer
Mode string - Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Valid values:
"CUSTOM_URL"
,"ORG_URL"
or"DYNAMIC"
. Default is"ORG_URL"
. - Jwks
List<OAuth
Jwk> - JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
- Jwks
Uri string - URL of the custom authorization server's JSON Web Key Set document.
- Label string
- The Application's display name.
- Login
Mode string - The type of Idp-Initiated login that the client supports, if any. Valid values:
"DISABLED"
,"SPEC"
,"OKTA"
. Default is"DISABLED"
. - Login
Scopes List<string> - List of scopes to use for the request. Valid values:
"openid"
,"profile"
,"email"
,"address"
,"phone"
. Required whenlogin_mode
is NOTDISABLED
. - Login
Uri string - URI that initiates login. Required when
login_mode
is NOTDISABLED
. - Logo string
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- Logo
Uri string - URI that references a logo for the client.
- Logo
Url string - Direct link of application logo.
- Name string
- Name of the claim that will be used in the token.
- Omit
Secret bool - This tells the provider not manage the
client_secret
value in state. When this is false (the default), it will cause the auto-generatedclient_secret
to be persisted in theclient_secret
attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, theclient_secret
is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - Pkce
Required bool - Require Proof Key for Code Exchange (PKCE) for
additional verification. If
pkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - Policy
Uri string - URI to web page providing client policy document.
- Post
Logout List<string>Redirect Uris - List of URIs for redirection after logout.
- Profile string
- Custom JSON that represents an OAuth application's profile.
- Redirect
Uris List<string> - List of URIs for use in the redirect-based flow. This is required for all application types except service.
- Refresh
Token intLeeway - Grace period for token rotation. Valid values: 0 to 60 seconds.
- Refresh
Token stringRotation - Refresh token rotation behavior. Valid values:
"STATIC"
or"ROTATE"
. - Response
Types List<string> - List of OAuth 2.0 response type strings. Array
values of
"code"
,"token"
,"id_token"
. Thegrant_types
andresponse_types
values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that thegrant_types
available to a client influence theresponse_types
that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies aresponse_types
value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application - Sign
On stringMode - Sign-on mode of application.
- Status string
- The status of the application, by default, it is
"ACTIVE"
. - Token
Endpoint stringAuth Method - Requested authentication method for
the token endpoint. It can be set to
"none"
,"client_secret_post"
,"client_secret_basic"
,"client_secret_jwt"
,"private_key_jwt"
. Usepkce_required
to require PKCE for your confidential clients using the Authorization Code flow. If"token_endpoint_auth_method"
is"none"
,pkce_required
needs to betrue
. Ifpkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - Tos
Uri string - URI to web page providing client tos (terms of service).
- Type string
- The type of OAuth application. Valid values:
"web"
,"native"
,"browser"
,"service"
. For SPA apps usebrowser
. - User
Name stringTemplate - Username template. Default:
"${source.login}"
- User
Name stringTemplate Push Status - Push username on update. Valid values:
"PUSH"
and"DONT_PUSH"
. - User
Name stringTemplate Suffix - Username template suffix.
- User
Name stringTemplate Type - Username template type. Default:
"BUILT_IN"
. - Wildcard
Redirect string - Early Access Property. Indicates if the client is allowed to use wildcard matching of
redirect_uris
. Valid values:"DISABLED"
,"SUBDOMAIN"
. Default value is"DISABLED"
.
- Accessibility
Error stringRedirect Url - Custom error page URL.
- Accessibility
Login stringRedirect Url - Custom login page for this application.
- Accessibility
Self boolService - Enable self-service. By default, it is
false
. - Admin
Note string - Application notes for admins.
- App
Links stringJson - Displays specific appLinks for the app. The value for each application link should be boolean.
- App
Settings stringJson - Application settings in JSON format.
- Authentication
Policy string - The ID of the associated
app_signon_policy
. If this property is removed from the application thedefault
sign-on-policy will be associated with this application. - Auto
Key boolRotation - Requested key rotation mode. If
auto_key_rotation
isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - Auto
Submit boolToolbar - Display auto submit toolbar.
- Client
Basic stringSecret - The user provided OAuth client secret key value, this can be set when
token_endpoint_auth_method
is"client_secret_basic"
. This does nothing whenomit_secret
is set to true. - Client
Id string - OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- Client
Secret string - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- Client
Uri string - URI to a web page providing information about the client.
- Consent
Method string - Indicates whether user consent is required or implicit. Valid values:
"REQUIRED"
,"TRUSTED"
. Default value is"TRUSTED"
. - Enduser
Note string - Application notes for end users.
- Grant
Types []string - List of OAuth 2.0 grant types. Conditional validation params found here.
Defaults to minimum requirements per app type. Valid values:
"authorization_code"
,"implicit"
,"password"
,"refresh_token"
,"client_credentials"
,"urn:ietf:params:oauth:grant-type:saml2-bearer"
(Early Access Property),"urn:ietf:params:oauth:grant-type:token-exchange"
(Early Access Property),"interaction_code"
(OIE only). - Groups
Claim OAuthGroups Claim Args - Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
- Hide
Ios bool - Do not display application icon on mobile app.
- Hide
Web bool - Do not display application icon to users.
- Implicit
Assignment bool - Early Access Property. Enables Federation Broker Mode. When this mode is enabled,
users
andgroups
arguments are ignored. - Issuer
Mode string - Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Valid values:
"CUSTOM_URL"
,"ORG_URL"
or"DYNAMIC"
. Default is"ORG_URL"
. - Jwks
[]OAuth
Jwk Args - JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
- Jwks
Uri string - URL of the custom authorization server's JSON Web Key Set document.
- Label string
- The Application's display name.
- Login
Mode string - The type of Idp-Initiated login that the client supports, if any. Valid values:
"DISABLED"
,"SPEC"
,"OKTA"
. Default is"DISABLED"
. - Login
Scopes []string - List of scopes to use for the request. Valid values:
"openid"
,"profile"
,"email"
,"address"
,"phone"
. Required whenlogin_mode
is NOTDISABLED
. - Login
Uri string - URI that initiates login. Required when
login_mode
is NOTDISABLED
. - Logo string
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- Logo
Uri string - URI that references a logo for the client.
- Logo
Url string - Direct link of application logo.
- Name string
- Name of the claim that will be used in the token.
- Omit
Secret bool - This tells the provider not manage the
client_secret
value in state. When this is false (the default), it will cause the auto-generatedclient_secret
to be persisted in theclient_secret
attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, theclient_secret
is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - Pkce
Required bool - Require Proof Key for Code Exchange (PKCE) for
additional verification. If
pkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - Policy
Uri string - URI to web page providing client policy document.
- Post
Logout []stringRedirect Uris - List of URIs for redirection after logout.
- Profile string
- Custom JSON that represents an OAuth application's profile.
- Redirect
Uris []string - List of URIs for use in the redirect-based flow. This is required for all application types except service.
- Refresh
Token intLeeway - Grace period for token rotation. Valid values: 0 to 60 seconds.
- Refresh
Token stringRotation - Refresh token rotation behavior. Valid values:
"STATIC"
or"ROTATE"
. - Response
Types []string - List of OAuth 2.0 response type strings. Array
values of
"code"
,"token"
,"id_token"
. Thegrant_types
andresponse_types
values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that thegrant_types
available to a client influence theresponse_types
that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies aresponse_types
value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application - Sign
On stringMode - Sign-on mode of application.
- Status string
- The status of the application, by default, it is
"ACTIVE"
. - Token
Endpoint stringAuth Method - Requested authentication method for
the token endpoint. It can be set to
"none"
,"client_secret_post"
,"client_secret_basic"
,"client_secret_jwt"
,"private_key_jwt"
. Usepkce_required
to require PKCE for your confidential clients using the Authorization Code flow. If"token_endpoint_auth_method"
is"none"
,pkce_required
needs to betrue
. Ifpkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - Tos
Uri string - URI to web page providing client tos (terms of service).
- Type string
- The type of OAuth application. Valid values:
"web"
,"native"
,"browser"
,"service"
. For SPA apps usebrowser
. - User
Name stringTemplate - Username template. Default:
"${source.login}"
- User
Name stringTemplate Push Status - Push username on update. Valid values:
"PUSH"
and"DONT_PUSH"
. - User
Name stringTemplate Suffix - Username template suffix.
- User
Name stringTemplate Type - Username template type. Default:
"BUILT_IN"
. - Wildcard
Redirect string - Early Access Property. Indicates if the client is allowed to use wildcard matching of
redirect_uris
. Valid values:"DISABLED"
,"SUBDOMAIN"
. Default value is"DISABLED"
.
- accessibility
Error StringRedirect Url - Custom error page URL.
- accessibility
Login StringRedirect Url - Custom login page for this application.
- accessibility
Self BooleanService - Enable self-service. By default, it is
false
. - admin
Note String - Application notes for admins.
- app
Links StringJson - Displays specific appLinks for the app. The value for each application link should be boolean.
- app
Settings StringJson - Application settings in JSON format.
- authentication
Policy String - The ID of the associated
app_signon_policy
. If this property is removed from the application thedefault
sign-on-policy will be associated with this application. - auto
Key BooleanRotation - Requested key rotation mode. If
auto_key_rotation
isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - auto
Submit BooleanToolbar - Display auto submit toolbar.
- client
Basic StringSecret - The user provided OAuth client secret key value, this can be set when
token_endpoint_auth_method
is"client_secret_basic"
. This does nothing whenomit_secret
is set to true. - client
Id String - OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- client
Secret String - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- client
Uri String - URI to a web page providing information about the client.
- consent
Method String - Indicates whether user consent is required or implicit. Valid values:
"REQUIRED"
,"TRUSTED"
. Default value is"TRUSTED"
. - enduser
Note String - Application notes for end users.
- grant
Types List<String> - List of OAuth 2.0 grant types. Conditional validation params found here.
Defaults to minimum requirements per app type. Valid values:
"authorization_code"
,"implicit"
,"password"
,"refresh_token"
,"client_credentials"
,"urn:ietf:params:oauth:grant-type:saml2-bearer"
(Early Access Property),"urn:ietf:params:oauth:grant-type:token-exchange"
(Early Access Property),"interaction_code"
(OIE only). - groups
Claim OAuthGroups Claim - Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
- hide
Ios Boolean - Do not display application icon on mobile app.
- hide
Web Boolean - Do not display application icon to users.
- implicit
Assignment Boolean - Early Access Property. Enables Federation Broker Mode. When this mode is enabled,
users
andgroups
arguments are ignored. - issuer
Mode String - Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Valid values:
"CUSTOM_URL"
,"ORG_URL"
or"DYNAMIC"
. Default is"ORG_URL"
. - jwks
List<OAuth
Jwk> - JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
- jwks
Uri String - URL of the custom authorization server's JSON Web Key Set document.
- label String
- The Application's display name.
- login
Mode String - The type of Idp-Initiated login that the client supports, if any. Valid values:
"DISABLED"
,"SPEC"
,"OKTA"
. Default is"DISABLED"
. - login
Scopes List<String> - List of scopes to use for the request. Valid values:
"openid"
,"profile"
,"email"
,"address"
,"phone"
. Required whenlogin_mode
is NOTDISABLED
. - login
Uri String - URI that initiates login. Required when
login_mode
is NOTDISABLED
. - logo String
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- logo
Uri String - URI that references a logo for the client.
- logo
Url String - Direct link of application logo.
- name String
- Name of the claim that will be used in the token.
- omit
Secret Boolean - This tells the provider not manage the
client_secret
value in state. When this is false (the default), it will cause the auto-generatedclient_secret
to be persisted in theclient_secret
attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, theclient_secret
is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - pkce
Required Boolean - Require Proof Key for Code Exchange (PKCE) for
additional verification. If
pkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - policy
Uri String - URI to web page providing client policy document.
- post
Logout List<String>Redirect Uris - List of URIs for redirection after logout.
- profile String
- Custom JSON that represents an OAuth application's profile.
- redirect
Uris List<String> - List of URIs for use in the redirect-based flow. This is required for all application types except service.
- refresh
Token IntegerLeeway - Grace period for token rotation. Valid values: 0 to 60 seconds.
- refresh
Token StringRotation - Refresh token rotation behavior. Valid values:
"STATIC"
or"ROTATE"
. - response
Types List<String> - List of OAuth 2.0 response type strings. Array
values of
"code"
,"token"
,"id_token"
. Thegrant_types
andresponse_types
values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that thegrant_types
available to a client influence theresponse_types
that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies aresponse_types
value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application - sign
On StringMode - Sign-on mode of application.
- status String
- The status of the application, by default, it is
"ACTIVE"
. - token
Endpoint StringAuth Method - Requested authentication method for
the token endpoint. It can be set to
"none"
,"client_secret_post"
,"client_secret_basic"
,"client_secret_jwt"
,"private_key_jwt"
. Usepkce_required
to require PKCE for your confidential clients using the Authorization Code flow. If"token_endpoint_auth_method"
is"none"
,pkce_required
needs to betrue
. Ifpkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - tos
Uri String - URI to web page providing client tos (terms of service).
- type String
- The type of OAuth application. Valid values:
"web"
,"native"
,"browser"
,"service"
. For SPA apps usebrowser
. - user
Name StringTemplate - Username template. Default:
"${source.login}"
- user
Name StringTemplate Push Status - Push username on update. Valid values:
"PUSH"
and"DONT_PUSH"
. - user
Name StringTemplate Suffix - Username template suffix.
- user
Name StringTemplate Type - Username template type. Default:
"BUILT_IN"
. - wildcard
Redirect String - Early Access Property. Indicates if the client is allowed to use wildcard matching of
redirect_uris
. Valid values:"DISABLED"
,"SUBDOMAIN"
. Default value is"DISABLED"
.
- accessibility
Error stringRedirect Url - Custom error page URL.
- accessibility
Login stringRedirect Url - Custom login page for this application.
- accessibility
Self booleanService - Enable self-service. By default, it is
false
. - admin
Note string - Application notes for admins.
- app
Links stringJson - Displays specific appLinks for the app. The value for each application link should be boolean.
- app
Settings stringJson - Application settings in JSON format.
- authentication
Policy string - The ID of the associated
app_signon_policy
. If this property is removed from the application thedefault
sign-on-policy will be associated with this application. - auto
Key booleanRotation - Requested key rotation mode. If
auto_key_rotation
isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - auto
Submit booleanToolbar - Display auto submit toolbar.
- client
Basic stringSecret - The user provided OAuth client secret key value, this can be set when
token_endpoint_auth_method
is"client_secret_basic"
. This does nothing whenomit_secret
is set to true. - client
Id string - OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- client
Secret string - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- client
Uri string - URI to a web page providing information about the client.
- consent
Method string - Indicates whether user consent is required or implicit. Valid values:
"REQUIRED"
,"TRUSTED"
. Default value is"TRUSTED"
. - enduser
Note string - Application notes for end users.
- grant
Types string[] - List of OAuth 2.0 grant types. Conditional validation params found here.
Defaults to minimum requirements per app type. Valid values:
"authorization_code"
,"implicit"
,"password"
,"refresh_token"
,"client_credentials"
,"urn:ietf:params:oauth:grant-type:saml2-bearer"
(Early Access Property),"urn:ietf:params:oauth:grant-type:token-exchange"
(Early Access Property),"interaction_code"
(OIE only). - groups
Claim OAuthGroups Claim - Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
- hide
Ios boolean - Do not display application icon on mobile app.
- hide
Web boolean - Do not display application icon to users.
- implicit
Assignment boolean - Early Access Property. Enables Federation Broker Mode. When this mode is enabled,
users
andgroups
arguments are ignored. - issuer
Mode string - Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Valid values:
"CUSTOM_URL"
,"ORG_URL"
or"DYNAMIC"
. Default is"ORG_URL"
. - jwks
OAuth
Jwk[] - JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
- jwks
Uri string - URL of the custom authorization server's JSON Web Key Set document.
- label string
- The Application's display name.
- login
Mode string - The type of Idp-Initiated login that the client supports, if any. Valid values:
"DISABLED"
,"SPEC"
,"OKTA"
. Default is"DISABLED"
. - login
Scopes string[] - List of scopes to use for the request. Valid values:
"openid"
,"profile"
,"email"
,"address"
,"phone"
. Required whenlogin_mode
is NOTDISABLED
. - login
Uri string - URI that initiates login. Required when
login_mode
is NOTDISABLED
. - logo string
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- logo
Uri string - URI that references a logo for the client.
- logo
Url string - Direct link of application logo.
- name string
- Name of the claim that will be used in the token.
- omit
Secret boolean - This tells the provider not manage the
client_secret
value in state. When this is false (the default), it will cause the auto-generatedclient_secret
to be persisted in theclient_secret
attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, theclient_secret
is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - pkce
Required boolean - Require Proof Key for Code Exchange (PKCE) for
additional verification. If
pkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - policy
Uri string - URI to web page providing client policy document.
- post
Logout string[]Redirect Uris - List of URIs for redirection after logout.
- profile string
- Custom JSON that represents an OAuth application's profile.
- redirect
Uris string[] - List of URIs for use in the redirect-based flow. This is required for all application types except service.
- refresh
Token numberLeeway - Grace period for token rotation. Valid values: 0 to 60 seconds.
- refresh
Token stringRotation - Refresh token rotation behavior. Valid values:
"STATIC"
or"ROTATE"
. - response
Types string[] - List of OAuth 2.0 response type strings. Array
values of
"code"
,"token"
,"id_token"
. Thegrant_types
andresponse_types
values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that thegrant_types
available to a client influence theresponse_types
that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies aresponse_types
value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application - sign
On stringMode - Sign-on mode of application.
- status string
- The status of the application, by default, it is
"ACTIVE"
. - token
Endpoint stringAuth Method - Requested authentication method for
the token endpoint. It can be set to
"none"
,"client_secret_post"
,"client_secret_basic"
,"client_secret_jwt"
,"private_key_jwt"
. Usepkce_required
to require PKCE for your confidential clients using the Authorization Code flow. If"token_endpoint_auth_method"
is"none"
,pkce_required
needs to betrue
. Ifpkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - tos
Uri string - URI to web page providing client tos (terms of service).
- type string
- The type of OAuth application. Valid values:
"web"
,"native"
,"browser"
,"service"
. For SPA apps usebrowser
. - user
Name stringTemplate - Username template. Default:
"${source.login}"
- user
Name stringTemplate Push Status - Push username on update. Valid values:
"PUSH"
and"DONT_PUSH"
. - user
Name stringTemplate Suffix - Username template suffix.
- user
Name stringTemplate Type - Username template type. Default:
"BUILT_IN"
. - wildcard
Redirect string - Early Access Property. Indicates if the client is allowed to use wildcard matching of
redirect_uris
. Valid values:"DISABLED"
,"SUBDOMAIN"
. Default value is"DISABLED"
.
- accessibility_
error_ strredirect_ url - Custom error page URL.
- accessibility_
login_ strredirect_ url - Custom login page for this application.
- accessibility_
self_ boolservice - Enable self-service. By default, it is
false
. - admin_
note str - Application notes for admins.
- app_
links_ strjson - Displays specific appLinks for the app. The value for each application link should be boolean.
- app_
settings_ strjson - Application settings in JSON format.
- authentication_
policy str - The ID of the associated
app_signon_policy
. If this property is removed from the application thedefault
sign-on-policy will be associated with this application. - auto_
key_ boolrotation - Requested key rotation mode. If
auto_key_rotation
isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - auto_
submit_ booltoolbar - Display auto submit toolbar.
- client_
basic_ strsecret - The user provided OAuth client secret key value, this can be set when
token_endpoint_auth_method
is"client_secret_basic"
. This does nothing whenomit_secret
is set to true. - client_
id str - OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- client_
secret str - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- client_
uri str - URI to a web page providing information about the client.
- consent_
method str - Indicates whether user consent is required or implicit. Valid values:
"REQUIRED"
,"TRUSTED"
. Default value is"TRUSTED"
. - enduser_
note str - Application notes for end users.
- grant_
types Sequence[str] - List of OAuth 2.0 grant types. Conditional validation params found here.
Defaults to minimum requirements per app type. Valid values:
"authorization_code"
,"implicit"
,"password"
,"refresh_token"
,"client_credentials"
,"urn:ietf:params:oauth:grant-type:saml2-bearer"
(Early Access Property),"urn:ietf:params:oauth:grant-type:token-exchange"
(Early Access Property),"interaction_code"
(OIE only). - groups_
claim OAuthGroups Claim Args - Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
- hide_
ios bool - Do not display application icon on mobile app.
- hide_
web bool - Do not display application icon to users.
- implicit_
assignment bool - Early Access Property. Enables Federation Broker Mode. When this mode is enabled,
users
andgroups
arguments are ignored. - issuer_
mode str - Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Valid values:
"CUSTOM_URL"
,"ORG_URL"
or"DYNAMIC"
. Default is"ORG_URL"
. - jwks
Sequence[OAuth
Jwk Args] - JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
- jwks_
uri str - URL of the custom authorization server's JSON Web Key Set document.
- label str
- The Application's display name.
- login_
mode str - The type of Idp-Initiated login that the client supports, if any. Valid values:
"DISABLED"
,"SPEC"
,"OKTA"
. Default is"DISABLED"
. - login_
scopes Sequence[str] - List of scopes to use for the request. Valid values:
"openid"
,"profile"
,"email"
,"address"
,"phone"
. Required whenlogin_mode
is NOTDISABLED
. - login_
uri str - URI that initiates login. Required when
login_mode
is NOTDISABLED
. - logo str
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- logo_
uri str - URI that references a logo for the client.
- logo_
url str - Direct link of application logo.
- name str
- Name of the claim that will be used in the token.
- omit_
secret bool - This tells the provider not manage the
client_secret
value in state. When this is false (the default), it will cause the auto-generatedclient_secret
to be persisted in theclient_secret
attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, theclient_secret
is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - pkce_
required bool - Require Proof Key for Code Exchange (PKCE) for
additional verification. If
pkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - policy_
uri str - URI to web page providing client policy document.
- post_
logout_ Sequence[str]redirect_ uris - List of URIs for redirection after logout.
- profile str
- Custom JSON that represents an OAuth application's profile.
- redirect_
uris Sequence[str] - List of URIs for use in the redirect-based flow. This is required for all application types except service.
- refresh_
token_ intleeway - Grace period for token rotation. Valid values: 0 to 60 seconds.
- refresh_
token_ strrotation - Refresh token rotation behavior. Valid values:
"STATIC"
or"ROTATE"
. - response_
types Sequence[str] - List of OAuth 2.0 response type strings. Array
values of
"code"
,"token"
,"id_token"
. Thegrant_types
andresponse_types
values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that thegrant_types
available to a client influence theresponse_types
that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies aresponse_types
value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application - sign_
on_ strmode - Sign-on mode of application.
- status str
- The status of the application, by default, it is
"ACTIVE"
. - token_
endpoint_ strauth_ method - Requested authentication method for
the token endpoint. It can be set to
"none"
,"client_secret_post"
,"client_secret_basic"
,"client_secret_jwt"
,"private_key_jwt"
. Usepkce_required
to require PKCE for your confidential clients using the Authorization Code flow. If"token_endpoint_auth_method"
is"none"
,pkce_required
needs to betrue
. Ifpkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - tos_
uri str - URI to web page providing client tos (terms of service).
- type str
- The type of OAuth application. Valid values:
"web"
,"native"
,"browser"
,"service"
. For SPA apps usebrowser
. - user_
name_ strtemplate - Username template. Default:
"${source.login}"
- user_
name_ strtemplate_ push_ status - Push username on update. Valid values:
"PUSH"
and"DONT_PUSH"
. - user_
name_ strtemplate_ suffix - Username template suffix.
- user_
name_ strtemplate_ type - Username template type. Default:
"BUILT_IN"
. - wildcard_
redirect str - Early Access Property. Indicates if the client is allowed to use wildcard matching of
redirect_uris
. Valid values:"DISABLED"
,"SUBDOMAIN"
. Default value is"DISABLED"
.
- accessibility
Error StringRedirect Url - Custom error page URL.
- accessibility
Login StringRedirect Url - Custom login page for this application.
- accessibility
Self BooleanService - Enable self-service. By default, it is
false
. - admin
Note String - Application notes for admins.
- app
Links StringJson - Displays specific appLinks for the app. The value for each application link should be boolean.
- app
Settings StringJson - Application settings in JSON format.
- authentication
Policy String - The ID of the associated
app_signon_policy
. If this property is removed from the application thedefault
sign-on-policy will be associated with this application. - auto
Key BooleanRotation - Requested key rotation mode. If
auto_key_rotation
isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - auto
Submit BooleanToolbar - Display auto submit toolbar.
- client
Basic StringSecret - The user provided OAuth client secret key value, this can be set when
token_endpoint_auth_method
is"client_secret_basic"
. This does nothing whenomit_secret
is set to true. - client
Id String - OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- client
Secret String - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- client
Uri String - URI to a web page providing information about the client.
- consent
Method String - Indicates whether user consent is required or implicit. Valid values:
"REQUIRED"
,"TRUSTED"
. Default value is"TRUSTED"
. - enduser
Note String - Application notes for end users.
- grant
Types List<String> - List of OAuth 2.0 grant types. Conditional validation params found here.
Defaults to minimum requirements per app type. Valid values:
"authorization_code"
,"implicit"
,"password"
,"refresh_token"
,"client_credentials"
,"urn:ietf:params:oauth:grant-type:saml2-bearer"
(Early Access Property),"urn:ietf:params:oauth:grant-type:token-exchange"
(Early Access Property),"interaction_code"
(OIE only). - groups
Claim Property Map - Groups claim for an OpenID Connect client application. IMPORTANT: this argument is ignored when Okta API authentication is done with OAuth 2.0 credentials
- hide
Ios Boolean - Do not display application icon on mobile app.
- hide
Web Boolean - Do not display application icon to users.
- implicit
Assignment Boolean - Early Access Property. Enables Federation Broker Mode. When this mode is enabled,
users
andgroups
arguments are ignored. - issuer
Mode String - Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Valid values:
"CUSTOM_URL"
,"ORG_URL"
or"DYNAMIC"
. Default is"ORG_URL"
. - jwks List<Property Map>
- JSON Web Key set. Multiple jwks are supportedAdmin Console JWK Reference. Use kty=RSA e=[value] n=[value] for RSA jwks, and kty=EC x=[value] y=[value] for EC jwks
- jwks
Uri String - URL of the custom authorization server's JSON Web Key Set document.
- label String
- The Application's display name.
- login
Mode String - The type of Idp-Initiated login that the client supports, if any. Valid values:
"DISABLED"
,"SPEC"
,"OKTA"
. Default is"DISABLED"
. - login
Scopes List<String> - List of scopes to use for the request. Valid values:
"openid"
,"profile"
,"email"
,"address"
,"phone"
. Required whenlogin_mode
is NOTDISABLED
. - login
Uri String - URI that initiates login. Required when
login_mode
is NOTDISABLED
. - logo String
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- logo
Uri String - URI that references a logo for the client.
- logo
Url String - Direct link of application logo.
- name String
- Name of the claim that will be used in the token.
- omit
Secret Boolean - This tells the provider not manage the
client_secret
value in state. When this is false (the default), it will cause the auto-generatedclient_secret
to be persisted in theclient_secret
attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, theclient_secret
is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - pkce
Required Boolean - Require Proof Key for Code Exchange (PKCE) for
additional verification. If
pkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - policy
Uri String - URI to web page providing client policy document.
- post
Logout List<String>Redirect Uris - List of URIs for redirection after logout.
- profile String
- Custom JSON that represents an OAuth application's profile.
- redirect
Uris List<String> - List of URIs for use in the redirect-based flow. This is required for all application types except service.
- refresh
Token NumberLeeway - Grace period for token rotation. Valid values: 0 to 60 seconds.
- refresh
Token StringRotation - Refresh token rotation behavior. Valid values:
"STATIC"
or"ROTATE"
. - response
Types List<String> - List of OAuth 2.0 response type strings. Array
values of
"code"
,"token"
,"id_token"
. Thegrant_types
andresponse_types
values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that thegrant_types
available to a client influence theresponse_types
that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies aresponse_types
value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application - sign
On StringMode - Sign-on mode of application.
- status String
- The status of the application, by default, it is
"ACTIVE"
. - token
Endpoint StringAuth Method - Requested authentication method for
the token endpoint. It can be set to
"none"
,"client_secret_post"
,"client_secret_basic"
,"client_secret_jwt"
,"private_key_jwt"
. Usepkce_required
to require PKCE for your confidential clients using the Authorization Code flow. If"token_endpoint_auth_method"
is"none"
,pkce_required
needs to betrue
. Ifpkce_required
isn't specified when adding a new application, Okta sets it totrue
by default for"browser"
and"native"
application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object - tos
Uri String - URI to web page providing client tos (terms of service).
- type String
- The type of OAuth application. Valid values:
"web"
,"native"
,"browser"
,"service"
. For SPA apps usebrowser
. - user
Name StringTemplate - Username template. Default:
"${source.login}"
- user
Name StringTemplate Push Status - Push username on update. Valid values:
"PUSH"
and"DONT_PUSH"
. - user
Name StringTemplate Suffix - Username template suffix.
- user
Name StringTemplate Type - Username template type. Default:
"BUILT_IN"
. - wildcard
Redirect String - Early Access Property. Indicates if the client is allowed to use wildcard matching of
redirect_uris
. Valid values:"DISABLED"
,"SUBDOMAIN"
. Default value is"DISABLED"
.
Supporting Types
OAuthGroupsClaim, OAuthGroupsClaimArgs
- Name string
- Name of the claim that will be used in the token.
- Type string
- The type of OAuth application. Valid values:
"web"
,"native"
,"browser"
,"service"
. For SPA apps usebrowser
. - Value string
- Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
- Filter
Type string - Groups claim filter. Can only be set if type is
"FILTER"
. Valid values:"EQUALS"
,"STARTS_WITH"
,"CONTAINS"
,"REGEX"
. - Issuer
Mode string - Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Valid values:
"CUSTOM_URL"
,"ORG_URL"
or"DYNAMIC"
. Default is"ORG_URL"
.
- Name string
- Name of the claim that will be used in the token.
- Type string
- The type of OAuth application. Valid values:
"web"
,"native"
,"browser"
,"service"
. For SPA apps usebrowser
. - Value string
- Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
- Filter
Type string - Groups claim filter. Can only be set if type is
"FILTER"
. Valid values:"EQUALS"
,"STARTS_WITH"
,"CONTAINS"
,"REGEX"
. - Issuer
Mode string - Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Valid values:
"CUSTOM_URL"
,"ORG_URL"
or"DYNAMIC"
. Default is"ORG_URL"
.
- name String
- Name of the claim that will be used in the token.
- type String
- The type of OAuth application. Valid values:
"web"
,"native"
,"browser"
,"service"
. For SPA apps usebrowser
. - value String
- Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
- filter
Type String - Groups claim filter. Can only be set if type is
"FILTER"
. Valid values:"EQUALS"
,"STARTS_WITH"
,"CONTAINS"
,"REGEX"
. - issuer
Mode String - Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Valid values:
"CUSTOM_URL"
,"ORG_URL"
or"DYNAMIC"
. Default is"ORG_URL"
.
- name string
- Name of the claim that will be used in the token.
- type string
- The type of OAuth application. Valid values:
"web"
,"native"
,"browser"
,"service"
. For SPA apps usebrowser
. - value string
- Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
- filter
Type string - Groups claim filter. Can only be set if type is
"FILTER"
. Valid values:"EQUALS"
,"STARTS_WITH"
,"CONTAINS"
,"REGEX"
. - issuer
Mode string - Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Valid values:
"CUSTOM_URL"
,"ORG_URL"
or"DYNAMIC"
. Default is"ORG_URL"
.
- name str
- Name of the claim that will be used in the token.
- type str
- The type of OAuth application. Valid values:
"web"
,"native"
,"browser"
,"service"
. For SPA apps usebrowser
. - value str
- Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
- filter_
type str - Groups claim filter. Can only be set if type is
"FILTER"
. Valid values:"EQUALS"
,"STARTS_WITH"
,"CONTAINS"
,"REGEX"
. - issuer_
mode str - Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Valid values:
"CUSTOM_URL"
,"ORG_URL"
or"DYNAMIC"
. Default is"ORG_URL"
.
- name String
- Name of the claim that will be used in the token.
- type String
- The type of OAuth application. Valid values:
"web"
,"native"
,"browser"
,"service"
. For SPA apps usebrowser
. - value String
- Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
- filter
Type String - Groups claim filter. Can only be set if type is
"FILTER"
. Valid values:"EQUALS"
,"STARTS_WITH"
,"CONTAINS"
,"REGEX"
. - issuer
Mode String - Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Valid values:
"CUSTOM_URL"
,"ORG_URL"
or"DYNAMIC"
. Default is"ORG_URL"
.
OAuthJwk, OAuthJwkArgs
Import
An OIDC Application can be imported via the Okta ID.
$ pulumi import okta:app/oAuth:OAuth example <app id>
Package Details
- Repository
- Okta pulumi/pulumi-okta
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
okta
Terraform Provider.