1. Pulumi Registry
  2. Okta
  3. API Docs
  4. app
  5. OAuth
okta logo
Okta v3.21.0, Mar 15 23

okta.app.OAuth

This resource allows you to create and configure an OIDC Application.

Etc.

Resetting client secret

If the client secret needs to be reset run an apply with omit_secret set to true in the resource. This causes client_secret to be set to blank. Remove omit_secret and run apply again. The resource will set a new client_secret for the app.

Example Usage

using System.Collections.Generic;
using Pulumi;
using Okta = Pulumi.Okta;

return await Deployment.RunAsync(() => 
{
    var example = new Okta.App.OAuth("example", new()
    {
        GrantTypes = new[]
        {
            "authorization_code",
        },
        Label = "example",
        RedirectUris = new[]
        {
            "https://example.com/",
        },
        ResponseTypes = new[]
        {
            "code",
        },
        Type = "web",
    });

});

package main

import (
	"github.com/pulumi/pulumi-okta/sdk/v3/go/okta/app"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := app.NewOAuth(ctx, "example", &app.OAuthArgs{
			GrantTypes: pulumi.StringArray{
				pulumi.String("authorization_code"),
			},
			Label: pulumi.String("example"),
			RedirectUris: pulumi.StringArray{
				pulumi.String("https://example.com/"),
			},
			ResponseTypes: pulumi.StringArray{
				pulumi.String("code"),
			},
			Type: pulumi.String("web"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.okta.app.OAuth;
import com.pulumi.okta.app.OAuthArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new OAuth("example", OAuthArgs.builder()        
            .grantTypes("authorization_code")
            .label("example")
            .redirectUris("https://example.com/")
            .responseTypes("code")
            .type("web")
            .build());

    }
}

import pulumi
import pulumi_okta as okta

example = okta.app.OAuth("example",
    grant_types=["authorization_code"],
    label="example",
    redirect_uris=["https://example.com/"],
    response_types=["code"],
    type="web")

import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";

const example = new okta.app.OAuth("example", {
    grantTypes: ["authorization_code"],
    label: "example",
    redirectUris: ["https://example.com/"],
    responseTypes: ["code"],
    type: "web",
});

resources:
  example:
    type: okta:app:OAuth
    properties:
      grantTypes:
        - authorization_code
      label: example
      redirectUris:
        - https://example.com/
      responseTypes:
        - code
      type: web

With JWKS value

using System.Collections.Generic;
using Pulumi;
using Okta = Pulumi.Okta;

return await Deployment.RunAsync(() => 
{
    var example = new Okta.App.OAuth("example", new()
    {
        GrantTypes = new[]
        {
            "client_credentials",
        },
        Jwks = new[]
        {
            new Okta.App.Inputs.OAuthJwkArgs
            {
                E = "AQAB",
                Kid = "SIGNING_KEY",
                Kty = "RSA",
                N = "xyz",
            },
        },
        Label = "example",
        ResponseTypes = new[]
        {
            "token",
        },
        TokenEndpointAuthMethod = "private_key_jwt",
        Type = "service",
    });

});

package main

import (
	"github.com/pulumi/pulumi-okta/sdk/v3/go/okta/app"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := app.NewOAuth(ctx, "example", &app.OAuthArgs{
			GrantTypes: pulumi.StringArray{
				pulumi.String("client_credentials"),
			},
			Jwks: app.OAuthJwkArray{
				&app.OAuthJwkArgs{
					E:   pulumi.String("AQAB"),
					Kid: pulumi.String("SIGNING_KEY"),
					Kty: pulumi.String("RSA"),
					N:   pulumi.String("xyz"),
				},
			},
			Label: pulumi.String("example"),
			ResponseTypes: pulumi.StringArray{
				pulumi.String("token"),
			},
			TokenEndpointAuthMethod: pulumi.String("private_key_jwt"),
			Type:                    pulumi.String("service"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.okta.app.OAuth;
import com.pulumi.okta.app.OAuthArgs;
import com.pulumi.okta.app.inputs.OAuthJwkArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new OAuth("example", OAuthArgs.builder()        
            .grantTypes("client_credentials")
            .jwks(OAuthJwkArgs.builder()
                .e("AQAB")
                .kid("SIGNING_KEY")
                .kty("RSA")
                .n("xyz")
                .build())
            .label("example")
            .responseTypes("token")
            .tokenEndpointAuthMethod("private_key_jwt")
            .type("service")
            .build());

    }
}

import pulumi
import pulumi_okta as okta

example = okta.app.OAuth("example",
    grant_types=["client_credentials"],
    jwks=[okta.app.OAuthJwkArgs(
        e="AQAB",
        kid="SIGNING_KEY",
        kty="RSA",
        n="xyz",
    )],
    label="example",
    response_types=["token"],
    token_endpoint_auth_method="private_key_jwt",
    type="service")

import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";

const example = new okta.app.OAuth("example", {
    grantTypes: ["client_credentials"],
    jwks: [{
        e: "AQAB",
        kid: "SIGNING_KEY",
        kty: "RSA",
        n: "xyz",
    }],
    label: "example",
    responseTypes: ["token"],
    tokenEndpointAuthMethod: "private_key_jwt",
    type: "service",
});

resources:
  example:
    type: okta:app:OAuth
    properties:
      grantTypes:
        - client_credentials
      jwks:
        - e: AQAB
          kid: SIGNING_KEY
          kty: RSA
          n: xyz
      label: example
      responseTypes:
        - token
      tokenEndpointAuthMethod: private_key_jwt
      type: service

Create OAuth Resource

new OAuth(name: string, args: OAuthArgs, opts?: CustomResourceOptions);
@overload
def OAuth(resource_name: str,
          opts: Optional[ResourceOptions] = None,
          accessibility_error_redirect_url: Optional[str] = None,
          accessibility_login_redirect_url: Optional[str] = None,
          accessibility_self_service: Optional[bool] = None,
          admin_note: Optional[str] = None,
          app_links_json: Optional[str] = None,
          app_settings_json: Optional[str] = None,
          authentication_policy: Optional[str] = None,
          auto_key_rotation: Optional[bool] = None,
          auto_submit_toolbar: Optional[bool] = None,
          client_basic_secret: Optional[str] = None,
          client_id: Optional[str] = None,
          client_uri: Optional[str] = None,
          consent_method: Optional[str] = None,
          custom_client_id: Optional[str] = None,
          enduser_note: Optional[str] = None,
          grant_types: Optional[Sequence[str]] = None,
          groups: Optional[Sequence[str]] = None,
          groups_claim: Optional[OAuthGroupsClaimArgs] = None,
          hide_ios: Optional[bool] = None,
          hide_web: Optional[bool] = None,
          implicit_assignment: Optional[bool] = None,
          issuer_mode: Optional[str] = None,
          jwks: Optional[Sequence[OAuthJwkArgs]] = None,
          label: Optional[str] = None,
          login_mode: Optional[str] = None,
          login_scopes: Optional[Sequence[str]] = None,
          login_uri: Optional[str] = None,
          logo: Optional[str] = None,
          logo_uri: Optional[str] = None,
          omit_secret: Optional[bool] = None,
          pkce_required: Optional[bool] = None,
          policy_uri: Optional[str] = None,
          post_logout_redirect_uris: Optional[Sequence[str]] = None,
          profile: Optional[str] = None,
          redirect_uris: Optional[Sequence[str]] = None,
          refresh_token_leeway: Optional[int] = None,
          refresh_token_rotation: Optional[str] = None,
          response_types: Optional[Sequence[str]] = None,
          skip_groups: Optional[bool] = None,
          skip_users: Optional[bool] = None,
          status: Optional[str] = None,
          token_endpoint_auth_method: Optional[str] = None,
          tos_uri: Optional[str] = None,
          type: Optional[str] = None,
          user_name_template: Optional[str] = None,
          user_name_template_push_status: Optional[str] = None,
          user_name_template_suffix: Optional[str] = None,
          user_name_template_type: Optional[str] = None,
          users: Optional[Sequence[OAuthUserArgs]] = None,
          wildcard_redirect: Optional[str] = None)
@overload
def OAuth(resource_name: str,
          args: OAuthArgs,
          opts: Optional[ResourceOptions] = None)
func NewOAuth(ctx *Context, name string, args OAuthArgs, opts ...ResourceOption) (*OAuth, error)
public OAuth(string name, OAuthArgs args, CustomResourceOptions? opts = null)
public OAuth(String name, OAuthArgs args)
public OAuth(String name, OAuthArgs args, CustomResourceOptions options)

type: okta:app:OAuth
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
name string
The unique name of the resource.
args OAuthArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args OAuthArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args OAuthArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args OAuthArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args OAuthArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

OAuth Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The OAuth resource accepts the following input properties:

Label string

The Application's display name.

Type string

The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.

AccessibilityErrorRedirectUrl string

Custom error page URL.

AccessibilityLoginRedirectUrl string

Custom login page for this application.

AccessibilitySelfService bool

Enable self-service. By default, it is false.

AdminNote string

Application notes for admins.

AppLinksJson string

Displays specific appLinks for the app. The value for each application link should be boolean.

AppSettingsJson string

Application settings in JSON format.

AuthenticationPolicy string

The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.

AutoKeyRotation bool

Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

AutoSubmitToolbar bool

Display auto submit toolbar.

ClientBasicSecret string

OAuth client secret key, this can be set when token_endpoint_auth_method is "client_secret_basic".

ClientId string

OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

ClientUri string

URI to a web page providing information about the client.

ConsentMethod string

Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".

CustomClientId string

This property allows you to set your client_id during creation. NOTE: updating after creation will be a no-op, use client_id for that behavior instead.

Deprecated:

This field is being replaced by client_id. Please set that field instead.

EnduserNote string

Application notes for end users.

GrantTypes List<string>

List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).

Groups List<string>

The groups assigned to the application. It is recommended not to use this and instead use okta.app.GroupAssignment.

Deprecated:

The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality.

GroupsClaim OAuthGroupsClaimArgs

Groups claim for an OpenID Connect client application. IMPORTANT: this field is available only when using api token in the provider config.

HideIos bool

Do not display application icon on mobile app.

HideWeb bool

Do not display application icon to users.

ImplicitAssignment bool

Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.

IssuerMode string

Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".

Jwks List<OAuthJwkArgs>

JSON Web Key set. Admin Console JWK Reference

LoginMode string

The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".

LoginScopes List<string>

List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.

LoginUri string

URI that initiates login. Required when login_mode is NOT DISABLED.

Logo string

Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.

LogoUri string

URI that references a logo for the client.

OmitSecret bool

This tells the provider not to persist the application's secret to state. Your app's client_secret will be recreated if this ever changes from true => false.

PkceRequired bool

Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

PolicyUri string

URI to web page providing client policy document.

PostLogoutRedirectUris List<string>

List of URIs for redirection after logout.

Profile string

Custom JSON that represents an OAuth application's profile.

RedirectUris List<string>

List of URIs for use in the redirect-based flow. This is required for all application types except service.

RefreshTokenLeeway int

Grace period for token rotation. Valid values: 0 to 60 seconds.

RefreshTokenRotation string

Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".

ResponseTypes List<string>

List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application

SkipGroups bool

Indicator that allows the app to skip groups sync (it's also can be provided during import). Default is false.

SkipUsers bool

Indicator that allows the app to skip users sync (it's also can be provided during import). Default is false.

Status string

The status of the application, by default, it is "ACTIVE".

TokenEndpointAuthMethod string

Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

TosUri string

URI to web page providing client tos (terms of service).

UserNameTemplate string

Username template. Default: "${source.login}"

UserNameTemplatePushStatus string

Push username on update. Valid values: "PUSH" and "DONT_PUSH".

UserNameTemplateSuffix string

Username template suffix.

UserNameTemplateType string

Username template type. Default: "BUILT_IN".

Users List<OAuthUserArgs>

The users assigned to the application. It is recommended not to use this and instead use okta.app.User.

Deprecated:

The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality.

WildcardRedirect string

Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".

Label string

The Application's display name.

Type string

The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.

AccessibilityErrorRedirectUrl string

Custom error page URL.

AccessibilityLoginRedirectUrl string

Custom login page for this application.

AccessibilitySelfService bool

Enable self-service. By default, it is false.

AdminNote string

Application notes for admins.

AppLinksJson string

Displays specific appLinks for the app. The value for each application link should be boolean.

AppSettingsJson string

Application settings in JSON format.

AuthenticationPolicy string

The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.

AutoKeyRotation bool

Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

AutoSubmitToolbar bool

Display auto submit toolbar.

ClientBasicSecret string

OAuth client secret key, this can be set when token_endpoint_auth_method is "client_secret_basic".

ClientId string

OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

ClientUri string

URI to a web page providing information about the client.

ConsentMethod string

Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".

CustomClientId string

This property allows you to set your client_id during creation. NOTE: updating after creation will be a no-op, use client_id for that behavior instead.

Deprecated:

This field is being replaced by client_id. Please set that field instead.

EnduserNote string

Application notes for end users.

GrantTypes []string

List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).

Groups []string

The groups assigned to the application. It is recommended not to use this and instead use okta.app.GroupAssignment.

Deprecated:

The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality.

GroupsClaim OAuthGroupsClaimArgs

Groups claim for an OpenID Connect client application. IMPORTANT: this field is available only when using api token in the provider config.

HideIos bool

Do not display application icon on mobile app.

HideWeb bool

Do not display application icon to users.

ImplicitAssignment bool

Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.

IssuerMode string

Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".

Jwks []OAuthJwkArgs

JSON Web Key set. Admin Console JWK Reference

LoginMode string

The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".

LoginScopes []string

List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.

LoginUri string

URI that initiates login. Required when login_mode is NOT DISABLED.

Logo string

Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.

LogoUri string

URI that references a logo for the client.

OmitSecret bool

This tells the provider not to persist the application's secret to state. Your app's client_secret will be recreated if this ever changes from true => false.

PkceRequired bool

Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

PolicyUri string

URI to web page providing client policy document.

PostLogoutRedirectUris []string

List of URIs for redirection after logout.

Profile string

Custom JSON that represents an OAuth application's profile.

RedirectUris []string

List of URIs for use in the redirect-based flow. This is required for all application types except service.

RefreshTokenLeeway int

Grace period for token rotation. Valid values: 0 to 60 seconds.

RefreshTokenRotation string

Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".

ResponseTypes []string

List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application

SkipGroups bool

Indicator that allows the app to skip groups sync (it's also can be provided during import). Default is false.

SkipUsers bool

Indicator that allows the app to skip users sync (it's also can be provided during import). Default is false.

Status string

The status of the application, by default, it is "ACTIVE".

TokenEndpointAuthMethod string

Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

TosUri string

URI to web page providing client tos (terms of service).

UserNameTemplate string

Username template. Default: "${source.login}"

UserNameTemplatePushStatus string

Push username on update. Valid values: "PUSH" and "DONT_PUSH".

UserNameTemplateSuffix string

Username template suffix.

UserNameTemplateType string

Username template type. Default: "BUILT_IN".

Users []OAuthUserArgs

The users assigned to the application. It is recommended not to use this and instead use okta.app.User.

Deprecated:

The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality.

WildcardRedirect string

Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".

label String

The Application's display name.

type String

The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.

accessibilityErrorRedirectUrl String

Custom error page URL.

accessibilityLoginRedirectUrl String

Custom login page for this application.

accessibilitySelfService Boolean

Enable self-service. By default, it is false.

adminNote String

Application notes for admins.

appLinksJson String

Displays specific appLinks for the app. The value for each application link should be boolean.

appSettingsJson String

Application settings in JSON format.

authenticationPolicy String

The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.

autoKeyRotation Boolean

Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

autoSubmitToolbar Boolean

Display auto submit toolbar.

clientBasicSecret String

OAuth client secret key, this can be set when token_endpoint_auth_method is "client_secret_basic".

clientId String

OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

clientUri String

URI to a web page providing information about the client.

consentMethod String

Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".

customClientId String

This property allows you to set your client_id during creation. NOTE: updating after creation will be a no-op, use client_id for that behavior instead.

Deprecated:

This field is being replaced by client_id. Please set that field instead.

enduserNote String

Application notes for end users.

grantTypes List<String>

List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).

groups List<String>

The groups assigned to the application. It is recommended not to use this and instead use okta.app.GroupAssignment.

Deprecated:

The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality.

groupsClaim OAuthGroupsClaimArgs

Groups claim for an OpenID Connect client application. IMPORTANT: this field is available only when using api token in the provider config.

hideIos Boolean

Do not display application icon on mobile app.

hideWeb Boolean

Do not display application icon to users.

implicitAssignment Boolean

Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.

issuerMode String

Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".

jwks List<OAuthJwkArgs>

JSON Web Key set. Admin Console JWK Reference

loginMode String

The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".

loginScopes List<String>

List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.

loginUri String

URI that initiates login. Required when login_mode is NOT DISABLED.

logo String

Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.

logoUri String

URI that references a logo for the client.

omitSecret Boolean

This tells the provider not to persist the application's secret to state. Your app's client_secret will be recreated if this ever changes from true => false.

pkceRequired Boolean

Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

policyUri String

URI to web page providing client policy document.

postLogoutRedirectUris List<String>

List of URIs for redirection after logout.

profile String

Custom JSON that represents an OAuth application's profile.

redirectUris List<String>

List of URIs for use in the redirect-based flow. This is required for all application types except service.

refreshTokenLeeway Integer

Grace period for token rotation. Valid values: 0 to 60 seconds.

refreshTokenRotation String

Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".

responseTypes List<String>

List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application

skipGroups Boolean

Indicator that allows the app to skip groups sync (it's also can be provided during import). Default is false.

skipUsers Boolean

Indicator that allows the app to skip users sync (it's also can be provided during import). Default is false.

status String

The status of the application, by default, it is "ACTIVE".

tokenEndpointAuthMethod String

Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

tosUri String

URI to web page providing client tos (terms of service).

userNameTemplate String

Username template. Default: "${source.login}"

userNameTemplatePushStatus String

Push username on update. Valid values: "PUSH" and "DONT_PUSH".

userNameTemplateSuffix String

Username template suffix.

userNameTemplateType String

Username template type. Default: "BUILT_IN".

users List<OAuthUserArgs>

The users assigned to the application. It is recommended not to use this and instead use okta.app.User.

Deprecated:

The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality.

wildcardRedirect String

Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".

label string

The Application's display name.

type string

The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.

accessibilityErrorRedirectUrl string

Custom error page URL.

accessibilityLoginRedirectUrl string

Custom login page for this application.

accessibilitySelfService boolean

Enable self-service. By default, it is false.

adminNote string

Application notes for admins.

appLinksJson string

Displays specific appLinks for the app. The value for each application link should be boolean.

appSettingsJson string

Application settings in JSON format.

authenticationPolicy string

The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.

autoKeyRotation boolean

Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

autoSubmitToolbar boolean

Display auto submit toolbar.

clientBasicSecret string

OAuth client secret key, this can be set when token_endpoint_auth_method is "client_secret_basic".

clientId string

OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

clientUri string

URI to a web page providing information about the client.

consentMethod string

Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".

customClientId string

This property allows you to set your client_id during creation. NOTE: updating after creation will be a no-op, use client_id for that behavior instead.

Deprecated:

This field is being replaced by client_id. Please set that field instead.

enduserNote string

Application notes for end users.

grantTypes string[]

List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).

groups string[]

The groups assigned to the application. It is recommended not to use this and instead use okta.app.GroupAssignment.

Deprecated:

The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality.

groupsClaim OAuthGroupsClaimArgs

Groups claim for an OpenID Connect client application. IMPORTANT: this field is available only when using api token in the provider config.

hideIos boolean

Do not display application icon on mobile app.

hideWeb boolean

Do not display application icon to users.

implicitAssignment boolean

Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.

issuerMode string

Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".

jwks OAuthJwkArgs[]

JSON Web Key set. Admin Console JWK Reference

loginMode string

The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".

loginScopes string[]

List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.

loginUri string

URI that initiates login. Required when login_mode is NOT DISABLED.

logo string

Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.

logoUri string

URI that references a logo for the client.

omitSecret boolean

This tells the provider not to persist the application's secret to state. Your app's client_secret will be recreated if this ever changes from true => false.

pkceRequired boolean

Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

policyUri string

URI to web page providing client policy document.

postLogoutRedirectUris string[]

List of URIs for redirection after logout.

profile string

Custom JSON that represents an OAuth application's profile.

redirectUris string[]

List of URIs for use in the redirect-based flow. This is required for all application types except service.

refreshTokenLeeway number

Grace period for token rotation. Valid values: 0 to 60 seconds.

refreshTokenRotation string

Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".

responseTypes string[]

List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application

skipGroups boolean

Indicator that allows the app to skip groups sync (it's also can be provided during import). Default is false.

skipUsers boolean

Indicator that allows the app to skip users sync (it's also can be provided during import). Default is false.

status string

The status of the application, by default, it is "ACTIVE".

tokenEndpointAuthMethod string

Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

tosUri string

URI to web page providing client tos (terms of service).

userNameTemplate string

Username template. Default: "${source.login}"

userNameTemplatePushStatus string

Push username on update. Valid values: "PUSH" and "DONT_PUSH".

userNameTemplateSuffix string

Username template suffix.

userNameTemplateType string

Username template type. Default: "BUILT_IN".

users OAuthUserArgs[]

The users assigned to the application. It is recommended not to use this and instead use okta.app.User.

Deprecated:

The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality.

wildcardRedirect string

Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".

label str

The Application's display name.

type str

The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.

accessibility_error_redirect_url str

Custom error page URL.

accessibility_login_redirect_url str

Custom login page for this application.

accessibility_self_service bool

Enable self-service. By default, it is false.

admin_note str

Application notes for admins.

app_links_json str

Displays specific appLinks for the app. The value for each application link should be boolean.

app_settings_json str

Application settings in JSON format.

authentication_policy str

The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.

auto_key_rotation bool

Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

auto_submit_toolbar bool

Display auto submit toolbar.

client_basic_secret str

OAuth client secret key, this can be set when token_endpoint_auth_method is "client_secret_basic".

client_id str

OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

client_uri str

URI to a web page providing information about the client.

consent_method str

Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".

custom_client_id str

This property allows you to set your client_id during creation. NOTE: updating after creation will be a no-op, use client_id for that behavior instead.

Deprecated:

This field is being replaced by client_id. Please set that field instead.

enduser_note str

Application notes for end users.

grant_types Sequence[str]

List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).

groups Sequence[str]

The groups assigned to the application. It is recommended not to use this and instead use okta.app.GroupAssignment.

Deprecated:

The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality.

groups_claim OAuthGroupsClaimArgs

Groups claim for an OpenID Connect client application. IMPORTANT: this field is available only when using api token in the provider config.

hide_ios bool

Do not display application icon on mobile app.

hide_web bool

Do not display application icon to users.

implicit_assignment bool

Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.

issuer_mode str

Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".

jwks Sequence[OAuthJwkArgs]

JSON Web Key set. Admin Console JWK Reference

login_mode str

The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".

login_scopes Sequence[str]

List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.

login_uri str

URI that initiates login. Required when login_mode is NOT DISABLED.

logo str

Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.

logo_uri str

URI that references a logo for the client.

omit_secret bool

This tells the provider not to persist the application's secret to state. Your app's client_secret will be recreated if this ever changes from true => false.

pkce_required bool

Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

policy_uri str

URI to web page providing client policy document.

post_logout_redirect_uris Sequence[str]

List of URIs for redirection after logout.

profile str

Custom JSON that represents an OAuth application's profile.

redirect_uris Sequence[str]

List of URIs for use in the redirect-based flow. This is required for all application types except service.

refresh_token_leeway int

Grace period for token rotation. Valid values: 0 to 60 seconds.

refresh_token_rotation str

Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".

response_types Sequence[str]

List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application

skip_groups bool

Indicator that allows the app to skip groups sync (it's also can be provided during import). Default is false.

skip_users bool

Indicator that allows the app to skip users sync (it's also can be provided during import). Default is false.

status str

The status of the application, by default, it is "ACTIVE".

token_endpoint_auth_method str

Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

tos_uri str

URI to web page providing client tos (terms of service).

user_name_template str

Username template. Default: "${source.login}"

user_name_template_push_status str

Push username on update. Valid values: "PUSH" and "DONT_PUSH".

user_name_template_suffix str

Username template suffix.

user_name_template_type str

Username template type. Default: "BUILT_IN".

users Sequence[OAuthUserArgs]

The users assigned to the application. It is recommended not to use this and instead use okta.app.User.

Deprecated:

The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality.

wildcard_redirect str

Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".

label String

The Application's display name.

type String

The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.

accessibilityErrorRedirectUrl String

Custom error page URL.

accessibilityLoginRedirectUrl String

Custom login page for this application.

accessibilitySelfService Boolean

Enable self-service. By default, it is false.

adminNote String

Application notes for admins.

appLinksJson String

Displays specific appLinks for the app. The value for each application link should be boolean.

appSettingsJson String

Application settings in JSON format.

authenticationPolicy String

The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.

autoKeyRotation Boolean

Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

autoSubmitToolbar Boolean

Display auto submit toolbar.

clientBasicSecret String

OAuth client secret key, this can be set when token_endpoint_auth_method is "client_secret_basic".

clientId String

OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

clientUri String

URI to a web page providing information about the client.

consentMethod String

Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".

customClientId String

This property allows you to set your client_id during creation. NOTE: updating after creation will be a no-op, use client_id for that behavior instead.

Deprecated:

This field is being replaced by client_id. Please set that field instead.

enduserNote String

Application notes for end users.

grantTypes List<String>

List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).

groups List<String>

The groups assigned to the application. It is recommended not to use this and instead use okta.app.GroupAssignment.

Deprecated:

The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality.

groupsClaim Property Map

Groups claim for an OpenID Connect client application. IMPORTANT: this field is available only when using api token in the provider config.

hideIos Boolean

Do not display application icon on mobile app.

hideWeb Boolean

Do not display application icon to users.

implicitAssignment Boolean

Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.

issuerMode String

Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".

jwks List<Property Map>

JSON Web Key set. Admin Console JWK Reference

loginMode String

The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".

loginScopes List<String>

List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.

loginUri String

URI that initiates login. Required when login_mode is NOT DISABLED.

logo String

Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.

logoUri String

URI that references a logo for the client.

omitSecret Boolean

This tells the provider not to persist the application's secret to state. Your app's client_secret will be recreated if this ever changes from true => false.

pkceRequired Boolean

Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

policyUri String

URI to web page providing client policy document.

postLogoutRedirectUris List<String>

List of URIs for redirection after logout.

profile String

Custom JSON that represents an OAuth application's profile.

redirectUris List<String>

List of URIs for use in the redirect-based flow. This is required for all application types except service.

refreshTokenLeeway Number

Grace period for token rotation. Valid values: 0 to 60 seconds.

refreshTokenRotation String

Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".

responseTypes List<String>

List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application

skipGroups Boolean

Indicator that allows the app to skip groups sync (it's also can be provided during import). Default is false.

skipUsers Boolean

Indicator that allows the app to skip users sync (it's also can be provided during import). Default is false.

status String

The status of the application, by default, it is "ACTIVE".

tokenEndpointAuthMethod String

Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

tosUri String

URI to web page providing client tos (terms of service).

userNameTemplate String

Username template. Default: "${source.login}"

userNameTemplatePushStatus String

Push username on update. Valid values: "PUSH" and "DONT_PUSH".

userNameTemplateSuffix String

Username template suffix.

userNameTemplateType String

Username template type. Default: "BUILT_IN".

users List<Property Map>

The users assigned to the application. It is recommended not to use this and instead use okta.app.User.

Deprecated:

The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality.

wildcardRedirect String

Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".

Outputs

All input properties are implicitly available as output properties. Additionally, the OAuth resource produces the following output properties:

ClientSecret string

The client secret of the application. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

Id string

The provider-assigned unique ID for this managed resource.

LogoUrl string

Direct link of application logo.

Name string

Name of the claim that will be used in the token.

SignOnMode string

Sign-on mode of application.

ClientSecret string

The client secret of the application. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

Id string

The provider-assigned unique ID for this managed resource.

LogoUrl string

Direct link of application logo.

Name string

Name of the claim that will be used in the token.

SignOnMode string

Sign-on mode of application.

clientSecret String

The client secret of the application. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

id String

The provider-assigned unique ID for this managed resource.

logoUrl String

Direct link of application logo.

name String

Name of the claim that will be used in the token.

signOnMode String

Sign-on mode of application.

clientSecret string

The client secret of the application. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

id string

The provider-assigned unique ID for this managed resource.

logoUrl string

Direct link of application logo.

name string

Name of the claim that will be used in the token.

signOnMode string

Sign-on mode of application.

client_secret str

The client secret of the application. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

id str

The provider-assigned unique ID for this managed resource.

logo_url str

Direct link of application logo.

name str

Name of the claim that will be used in the token.

sign_on_mode str

Sign-on mode of application.

clientSecret String

The client secret of the application. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

id String

The provider-assigned unique ID for this managed resource.

logoUrl String

Direct link of application logo.

name String

Name of the claim that will be used in the token.

signOnMode String

Sign-on mode of application.

Look up Existing OAuth Resource

Get an existing OAuth resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: OAuthState, opts?: CustomResourceOptions): OAuth
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        accessibility_error_redirect_url: Optional[str] = None,
        accessibility_login_redirect_url: Optional[str] = None,
        accessibility_self_service: Optional[bool] = None,
        admin_note: Optional[str] = None,
        app_links_json: Optional[str] = None,
        app_settings_json: Optional[str] = None,
        authentication_policy: Optional[str] = None,
        auto_key_rotation: Optional[bool] = None,
        auto_submit_toolbar: Optional[bool] = None,
        client_basic_secret: Optional[str] = None,
        client_id: Optional[str] = None,
        client_secret: Optional[str] = None,
        client_uri: Optional[str] = None,
        consent_method: Optional[str] = None,
        custom_client_id: Optional[str] = None,
        enduser_note: Optional[str] = None,
        grant_types: Optional[Sequence[str]] = None,
        groups: Optional[Sequence[str]] = None,
        groups_claim: Optional[OAuthGroupsClaimArgs] = None,
        hide_ios: Optional[bool] = None,
        hide_web: Optional[bool] = None,
        implicit_assignment: Optional[bool] = None,
        issuer_mode: Optional[str] = None,
        jwks: Optional[Sequence[OAuthJwkArgs]] = None,
        label: Optional[str] = None,
        login_mode: Optional[str] = None,
        login_scopes: Optional[Sequence[str]] = None,
        login_uri: Optional[str] = None,
        logo: Optional[str] = None,
        logo_uri: Optional[str] = None,
        logo_url: Optional[str] = None,
        name: Optional[str] = None,
        omit_secret: Optional[bool] = None,
        pkce_required: Optional[bool] = None,
        policy_uri: Optional[str] = None,
        post_logout_redirect_uris: Optional[Sequence[str]] = None,
        profile: Optional[str] = None,
        redirect_uris: Optional[Sequence[str]] = None,
        refresh_token_leeway: Optional[int] = None,
        refresh_token_rotation: Optional[str] = None,
        response_types: Optional[Sequence[str]] = None,
        sign_on_mode: Optional[str] = None,
        skip_groups: Optional[bool] = None,
        skip_users: Optional[bool] = None,
        status: Optional[str] = None,
        token_endpoint_auth_method: Optional[str] = None,
        tos_uri: Optional[str] = None,
        type: Optional[str] = None,
        user_name_template: Optional[str] = None,
        user_name_template_push_status: Optional[str] = None,
        user_name_template_suffix: Optional[str] = None,
        user_name_template_type: Optional[str] = None,
        users: Optional[Sequence[OAuthUserArgs]] = None,
        wildcard_redirect: Optional[str] = None) -> OAuth
func GetOAuth(ctx *Context, name string, id IDInput, state *OAuthState, opts ...ResourceOption) (*OAuth, error)
public static OAuth Get(string name, Input<string> id, OAuthState? state, CustomResourceOptions? opts = null)
public static OAuth get(String name, Output<String> id, OAuthState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AccessibilityErrorRedirectUrl string

Custom error page URL.

AccessibilityLoginRedirectUrl string

Custom login page for this application.

AccessibilitySelfService bool

Enable self-service. By default, it is false.

AdminNote string

Application notes for admins.

AppLinksJson string

Displays specific appLinks for the app. The value for each application link should be boolean.

AppSettingsJson string

Application settings in JSON format.

AuthenticationPolicy string

The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.

AutoKeyRotation bool

Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

AutoSubmitToolbar bool

Display auto submit toolbar.

ClientBasicSecret string

OAuth client secret key, this can be set when token_endpoint_auth_method is "client_secret_basic".

ClientId string

OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

ClientSecret string

The client secret of the application. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

ClientUri string

URI to a web page providing information about the client.

ConsentMethod string

Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".

CustomClientId string

This property allows you to set your client_id during creation. NOTE: updating after creation will be a no-op, use client_id for that behavior instead.

Deprecated:

This field is being replaced by client_id. Please set that field instead.

EnduserNote string

Application notes for end users.

GrantTypes List<string>

List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).

Groups List<string>

The groups assigned to the application. It is recommended not to use this and instead use okta.app.GroupAssignment.

Deprecated:

The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality.

GroupsClaim OAuthGroupsClaimArgs

Groups claim for an OpenID Connect client application. IMPORTANT: this field is available only when using api token in the provider config.

HideIos bool

Do not display application icon on mobile app.

HideWeb bool

Do not display application icon to users.

ImplicitAssignment bool

Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.

IssuerMode string

Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".

Jwks List<OAuthJwkArgs>

JSON Web Key set. Admin Console JWK Reference

Label string

The Application's display name.

LoginMode string

The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".

LoginScopes List<string>

List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.

LoginUri string

URI that initiates login. Required when login_mode is NOT DISABLED.

Logo string

Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.

LogoUri string

URI that references a logo for the client.

LogoUrl string

Direct link of application logo.

Name string

Name of the claim that will be used in the token.

OmitSecret bool

This tells the provider not to persist the application's secret to state. Your app's client_secret will be recreated if this ever changes from true => false.

PkceRequired bool

Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

PolicyUri string

URI to web page providing client policy document.

PostLogoutRedirectUris List<string>

List of URIs for redirection after logout.

Profile string

Custom JSON that represents an OAuth application's profile.

RedirectUris List<string>

List of URIs for use in the redirect-based flow. This is required for all application types except service.

RefreshTokenLeeway int

Grace period for token rotation. Valid values: 0 to 60 seconds.

RefreshTokenRotation string

Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".

ResponseTypes List<string>

List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application

SignOnMode string

Sign-on mode of application.

SkipGroups bool

Indicator that allows the app to skip groups sync (it's also can be provided during import). Default is false.

SkipUsers bool

Indicator that allows the app to skip users sync (it's also can be provided during import). Default is false.

Status string

The status of the application, by default, it is "ACTIVE".

TokenEndpointAuthMethod string

Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

TosUri string

URI to web page providing client tos (terms of service).

Type string

The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.

UserNameTemplate string

Username template. Default: "${source.login}"

UserNameTemplatePushStatus string

Push username on update. Valid values: "PUSH" and "DONT_PUSH".

UserNameTemplateSuffix string

Username template suffix.

UserNameTemplateType string

Username template type. Default: "BUILT_IN".

Users List<OAuthUserArgs>

The users assigned to the application. It is recommended not to use this and instead use okta.app.User.

Deprecated:

The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality.

WildcardRedirect string

Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".

AccessibilityErrorRedirectUrl string

Custom error page URL.

AccessibilityLoginRedirectUrl string

Custom login page for this application.

AccessibilitySelfService bool

Enable self-service. By default, it is false.

AdminNote string

Application notes for admins.

AppLinksJson string

Displays specific appLinks for the app. The value for each application link should be boolean.

AppSettingsJson string

Application settings in JSON format.

AuthenticationPolicy string

The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.

AutoKeyRotation bool

Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

AutoSubmitToolbar bool

Display auto submit toolbar.

ClientBasicSecret string

OAuth client secret key, this can be set when token_endpoint_auth_method is "client_secret_basic".

ClientId string

OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

ClientSecret string

The client secret of the application. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

ClientUri string

URI to a web page providing information about the client.

ConsentMethod string

Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".

CustomClientId string

This property allows you to set your client_id during creation. NOTE: updating after creation will be a no-op, use client_id for that behavior instead.

Deprecated:

This field is being replaced by client_id. Please set that field instead.

EnduserNote string

Application notes for end users.

GrantTypes []string

List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).

Groups []string

The groups assigned to the application. It is recommended not to use this and instead use okta.app.GroupAssignment.

Deprecated:

The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality.

GroupsClaim OAuthGroupsClaimArgs

Groups claim for an OpenID Connect client application. IMPORTANT: this field is available only when using api token in the provider config.

HideIos bool

Do not display application icon on mobile app.

HideWeb bool

Do not display application icon to users.

ImplicitAssignment bool

Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.

IssuerMode string

Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".

Jwks []OAuthJwkArgs

JSON Web Key set. Admin Console JWK Reference

Label string

The Application's display name.

LoginMode string

The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".

LoginScopes []string

List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.

LoginUri string

URI that initiates login. Required when login_mode is NOT DISABLED.

Logo string

Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.

LogoUri string

URI that references a logo for the client.

LogoUrl string

Direct link of application logo.

Name string

Name of the claim that will be used in the token.

OmitSecret bool

This tells the provider not to persist the application's secret to state. Your app's client_secret will be recreated if this ever changes from true => false.

PkceRequired bool

Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

PolicyUri string

URI to web page providing client policy document.

PostLogoutRedirectUris []string

List of URIs for redirection after logout.

Profile string

Custom JSON that represents an OAuth application's profile.

RedirectUris []string

List of URIs for use in the redirect-based flow. This is required for all application types except service.

RefreshTokenLeeway int

Grace period for token rotation. Valid values: 0 to 60 seconds.

RefreshTokenRotation string

Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".

ResponseTypes []string

List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application

SignOnMode string

Sign-on mode of application.

SkipGroups bool

Indicator that allows the app to skip groups sync (it's also can be provided during import). Default is false.

SkipUsers bool

Indicator that allows the app to skip users sync (it's also can be provided during import). Default is false.

Status string

The status of the application, by default, it is "ACTIVE".

TokenEndpointAuthMethod string

Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

TosUri string

URI to web page providing client tos (terms of service).

Type string

The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.

UserNameTemplate string

Username template. Default: "${source.login}"

UserNameTemplatePushStatus string

Push username on update. Valid values: "PUSH" and "DONT_PUSH".

UserNameTemplateSuffix string

Username template suffix.

UserNameTemplateType string

Username template type. Default: "BUILT_IN".

Users []OAuthUserArgs

The users assigned to the application. It is recommended not to use this and instead use okta.app.User.

Deprecated:

The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality.

WildcardRedirect string

Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".

accessibilityErrorRedirectUrl String

Custom error page URL.

accessibilityLoginRedirectUrl String

Custom login page for this application.

accessibilitySelfService Boolean

Enable self-service. By default, it is false.

adminNote String

Application notes for admins.

appLinksJson String

Displays specific appLinks for the app. The value for each application link should be boolean.

appSettingsJson String

Application settings in JSON format.

authenticationPolicy String

The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.

autoKeyRotation Boolean

Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

autoSubmitToolbar Boolean

Display auto submit toolbar.

clientBasicSecret String

OAuth client secret key, this can be set when token_endpoint_auth_method is "client_secret_basic".

clientId String

OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

clientSecret String

The client secret of the application. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

clientUri String

URI to a web page providing information about the client.

consentMethod String

Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".

customClientId String

This property allows you to set your client_id during creation. NOTE: updating after creation will be a no-op, use client_id for that behavior instead.

Deprecated:

This field is being replaced by client_id. Please set that field instead.

enduserNote String

Application notes for end users.

grantTypes List<String>

List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).

groups List<String>

The groups assigned to the application. It is recommended not to use this and instead use okta.app.GroupAssignment.

Deprecated:

The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality.

groupsClaim OAuthGroupsClaimArgs

Groups claim for an OpenID Connect client application. IMPORTANT: this field is available only when using api token in the provider config.

hideIos Boolean

Do not display application icon on mobile app.

hideWeb Boolean

Do not display application icon to users.

implicitAssignment Boolean

Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.

issuerMode String

Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".

jwks List<OAuthJwkArgs>

JSON Web Key set. Admin Console JWK Reference

label String

The Application's display name.

loginMode String

The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".

loginScopes List<String>

List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.

loginUri String

URI that initiates login. Required when login_mode is NOT DISABLED.

logo String

Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.

logoUri String

URI that references a logo for the client.

logoUrl String

Direct link of application logo.

name String

Name of the claim that will be used in the token.

omitSecret Boolean

This tells the provider not to persist the application's secret to state. Your app's client_secret will be recreated if this ever changes from true => false.

pkceRequired Boolean

Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

policyUri String

URI to web page providing client policy document.

postLogoutRedirectUris List<String>

List of URIs for redirection after logout.

profile String

Custom JSON that represents an OAuth application's profile.

redirectUris List<String>

List of URIs for use in the redirect-based flow. This is required for all application types except service.

refreshTokenLeeway Integer

Grace period for token rotation. Valid values: 0 to 60 seconds.

refreshTokenRotation String

Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".

responseTypes List<String>

List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application

signOnMode String

Sign-on mode of application.

skipGroups Boolean

Indicator that allows the app to skip groups sync (it's also can be provided during import). Default is false.

skipUsers Boolean

Indicator that allows the app to skip users sync (it's also can be provided during import). Default is false.

status String

The status of the application, by default, it is "ACTIVE".

tokenEndpointAuthMethod String

Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

tosUri String

URI to web page providing client tos (terms of service).

type String

The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.

userNameTemplate String

Username template. Default: "${source.login}"

userNameTemplatePushStatus String

Push username on update. Valid values: "PUSH" and "DONT_PUSH".

userNameTemplateSuffix String

Username template suffix.

userNameTemplateType String

Username template type. Default: "BUILT_IN".

users List<OAuthUserArgs>

The users assigned to the application. It is recommended not to use this and instead use okta.app.User.

Deprecated:

The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality.

wildcardRedirect String

Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".

accessibilityErrorRedirectUrl string

Custom error page URL.

accessibilityLoginRedirectUrl string

Custom login page for this application.

accessibilitySelfService boolean

Enable self-service. By default, it is false.

adminNote string

Application notes for admins.

appLinksJson string

Displays specific appLinks for the app. The value for each application link should be boolean.

appSettingsJson string

Application settings in JSON format.

authenticationPolicy string

The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.

autoKeyRotation boolean

Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

autoSubmitToolbar boolean

Display auto submit toolbar.

clientBasicSecret string

OAuth client secret key, this can be set when token_endpoint_auth_method is "client_secret_basic".

clientId string

OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

clientSecret string

The client secret of the application. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

clientUri string

URI to a web page providing information about the client.

consentMethod string

Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".

customClientId string

This property allows you to set your client_id during creation. NOTE: updating after creation will be a no-op, use client_id for that behavior instead.

Deprecated:

This field is being replaced by client_id. Please set that field instead.

enduserNote string

Application notes for end users.

grantTypes string[]

List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).

groups string[]

The groups assigned to the application. It is recommended not to use this and instead use okta.app.GroupAssignment.

Deprecated:

The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality.

groupsClaim OAuthGroupsClaimArgs

Groups claim for an OpenID Connect client application. IMPORTANT: this field is available only when using api token in the provider config.

hideIos boolean

Do not display application icon on mobile app.

hideWeb boolean

Do not display application icon to users.

implicitAssignment boolean

Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.

issuerMode string

Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".

jwks OAuthJwkArgs[]

JSON Web Key set. Admin Console JWK Reference

label string

The Application's display name.

loginMode string

The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".

loginScopes string[]

List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.

loginUri string

URI that initiates login. Required when login_mode is NOT DISABLED.

logo string

Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.

logoUri string

URI that references a logo for the client.

logoUrl string

Direct link of application logo.

name string

Name of the claim that will be used in the token.

omitSecret boolean

This tells the provider not to persist the application's secret to state. Your app's client_secret will be recreated if this ever changes from true => false.

pkceRequired boolean

Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

policyUri string

URI to web page providing client policy document.

postLogoutRedirectUris string[]

List of URIs for redirection after logout.

profile string

Custom JSON that represents an OAuth application's profile.

redirectUris string[]

List of URIs for use in the redirect-based flow. This is required for all application types except service.

refreshTokenLeeway number

Grace period for token rotation. Valid values: 0 to 60 seconds.

refreshTokenRotation string

Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".

responseTypes string[]

List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application

signOnMode string

Sign-on mode of application.

skipGroups boolean

Indicator that allows the app to skip groups sync (it's also can be provided during import). Default is false.

skipUsers boolean

Indicator that allows the app to skip users sync (it's also can be provided during import). Default is false.

status string

The status of the application, by default, it is "ACTIVE".

tokenEndpointAuthMethod string

Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

tosUri string

URI to web page providing client tos (terms of service).

type string

The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.

userNameTemplate string

Username template. Default: "${source.login}"

userNameTemplatePushStatus string

Push username on update. Valid values: "PUSH" and "DONT_PUSH".

userNameTemplateSuffix string

Username template suffix.

userNameTemplateType string

Username template type. Default: "BUILT_IN".

users OAuthUserArgs[]

The users assigned to the application. It is recommended not to use this and instead use okta.app.User.

Deprecated:

The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality.

wildcardRedirect string

Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".

accessibility_error_redirect_url str

Custom error page URL.

accessibility_login_redirect_url str

Custom login page for this application.

accessibility_self_service bool

Enable self-service. By default, it is false.

admin_note str

Application notes for admins.

app_links_json str

Displays specific appLinks for the app. The value for each application link should be boolean.

app_settings_json str

Application settings in JSON format.

authentication_policy str

The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.

auto_key_rotation bool

Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

auto_submit_toolbar bool

Display auto submit toolbar.

client_basic_secret str

OAuth client secret key, this can be set when token_endpoint_auth_method is "client_secret_basic".

client_id str

OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

client_secret str

The client secret of the application. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

client_uri str

URI to a web page providing information about the client.

consent_method str

Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".

custom_client_id str

This property allows you to set your client_id during creation. NOTE: updating after creation will be a no-op, use client_id for that behavior instead.

Deprecated:

This field is being replaced by client_id. Please set that field instead.

enduser_note str

Application notes for end users.

grant_types Sequence[str]

List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).

groups Sequence[str]

The groups assigned to the application. It is recommended not to use this and instead use okta.app.GroupAssignment.

Deprecated:

The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality.

groups_claim OAuthGroupsClaimArgs

Groups claim for an OpenID Connect client application. IMPORTANT: this field is available only when using api token in the provider config.

hide_ios bool

Do not display application icon on mobile app.

hide_web bool

Do not display application icon to users.

implicit_assignment bool

Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.

issuer_mode str

Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".

jwks Sequence[OAuthJwkArgs]

JSON Web Key set. Admin Console JWK Reference

label str

The Application's display name.

login_mode str

The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".

login_scopes Sequence[str]

List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.

login_uri str

URI that initiates login. Required when login_mode is NOT DISABLED.

logo str

Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.

logo_uri str

URI that references a logo for the client.

logo_url str

Direct link of application logo.

name str

Name of the claim that will be used in the token.

omit_secret bool

This tells the provider not to persist the application's secret to state. Your app's client_secret will be recreated if this ever changes from true => false.

pkce_required bool

Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

policy_uri str

URI to web page providing client policy document.

post_logout_redirect_uris Sequence[str]

List of URIs for redirection after logout.

profile str

Custom JSON that represents an OAuth application's profile.

redirect_uris Sequence[str]

List of URIs for use in the redirect-based flow. This is required for all application types except service.

refresh_token_leeway int

Grace period for token rotation. Valid values: 0 to 60 seconds.

refresh_token_rotation str

Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".

response_types Sequence[str]

List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application

sign_on_mode str

Sign-on mode of application.

skip_groups bool

Indicator that allows the app to skip groups sync (it's also can be provided during import). Default is false.

skip_users bool

Indicator that allows the app to skip users sync (it's also can be provided during import). Default is false.

status str

The status of the application, by default, it is "ACTIVE".

token_endpoint_auth_method str

Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

tos_uri str

URI to web page providing client tos (terms of service).

type str

The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.

user_name_template str

Username template. Default: "${source.login}"

user_name_template_push_status str

Push username on update. Valid values: "PUSH" and "DONT_PUSH".

user_name_template_suffix str

Username template suffix.

user_name_template_type str

Username template type. Default: "BUILT_IN".

users Sequence[OAuthUserArgs]

The users assigned to the application. It is recommended not to use this and instead use okta.app.User.

Deprecated:

The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality.

wildcard_redirect str

Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".

accessibilityErrorRedirectUrl String

Custom error page URL.

accessibilityLoginRedirectUrl String

Custom login page for this application.

accessibilitySelfService Boolean

Enable self-service. By default, it is false.

adminNote String

Application notes for admins.

appLinksJson String

Displays specific appLinks for the app. The value for each application link should be boolean.

appSettingsJson String

Application settings in JSON format.

authenticationPolicy String

The ID of the associated app_signon_policy. If this property is removed from the application the default sign-on-policy will be associated with this application.

autoKeyRotation Boolean

Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

autoSubmitToolbar Boolean

Display auto submit toolbar.

clientBasicSecret String

OAuth client secret key, this can be set when token_endpoint_auth_method is "client_secret_basic".

clientId String

OAuth client ID. If set during creation, app is created with this id. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

clientSecret String

The client secret of the application. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

clientUri String

URI to a web page providing information about the client.

consentMethod String

Indicates whether user consent is required or implicit. Valid values: "REQUIRED", "TRUSTED". Default value is "TRUSTED".

customClientId String

This property allows you to set your client_id during creation. NOTE: updating after creation will be a no-op, use client_id for that behavior instead.

Deprecated:

This field is being replaced by client_id. Please set that field instead.

enduserNote String

Application notes for end users.

grantTypes List<String>

List of OAuth 2.0 grant types. Conditional validation params found here. Defaults to minimum requirements per app type. Valid values: "authorization_code", "implicit", "password", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:saml2-bearer" (Early Access Property), "urn:ietf:params:oauth:grant-type:token-exchange" (Early Access Property), "interaction_code" (OIE only).

groups List<String>

The groups assigned to the application. It is recommended not to use this and instead use okta.app.GroupAssignment.

Deprecated:

The direct configuration of groups in this app resource is deprecated, please ensure you use the resource okta_app_group_assignments for this functionality.

groupsClaim Property Map

Groups claim for an OpenID Connect client application. IMPORTANT: this field is available only when using api token in the provider config.

hideIos Boolean

Do not display application icon on mobile app.

hideWeb Boolean

Do not display application icon to users.

implicitAssignment Boolean

Early Access Property. Enables Federation Broker Mode. When this mode is enabled, users and groups arguments are ignored.

issuerMode String

Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".

jwks List<Property Map>

JSON Web Key set. Admin Console JWK Reference

label String

The Application's display name.

loginMode String

The type of Idp-Initiated login that the client supports, if any. Valid values: "DISABLED", "SPEC", "OKTA". Default is "DISABLED".

loginScopes List<String>

List of scopes to use for the request. Valid values: "openid", "profile", "email", "address", "phone". Required when login_mode is NOT DISABLED.

loginUri String

URI that initiates login. Required when login_mode is NOT DISABLED.

logo String

Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.

logoUri String

URI that references a logo for the client.

logoUrl String

Direct link of application logo.

name String

Name of the claim that will be used in the token.

omitSecret Boolean

This tells the provider not to persist the application's secret to state. Your app's client_secret will be recreated if this ever changes from true => false.

pkceRequired Boolean

Require Proof Key for Code Exchange (PKCE) for additional verification. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

policyUri String

URI to web page providing client policy document.

postLogoutRedirectUris List<String>

List of URIs for redirection after logout.

profile String

Custom JSON that represents an OAuth application's profile.

redirectUris List<String>

List of URIs for use in the redirect-based flow. This is required for all application types except service.

refreshTokenLeeway Number

Grace period for token rotation. Valid values: 0 to 60 seconds.

refreshTokenRotation String

Refresh token rotation behavior. Valid values: "STATIC" or "ROTATE".

responseTypes List<String>

List of OAuth 2.0 response type strings. Array values of "code", "token", "id_token". The grant_types and response_types values described are partially orthogonal, as they refer to arguments passed to different endpoints in the OAuth 2.0 protocol (opens new window). However, they are related in that the grant_types available to a client influence the response_types that the client is allowed to use, and vice versa. For instance, a grant_types value that includes authorization_code implies a response_types value that includes code, as both values are defined as part of the OAuth 2.0 authorization code grant. See: https://developer.okta.com/docs/reference/api/apps/#add-oauth-2-0-client-application

signOnMode String

Sign-on mode of application.

skipGroups Boolean

Indicator that allows the app to skip groups sync (it's also can be provided during import). Default is false.

skipUsers Boolean

Indicator that allows the app to skip users sync (it's also can be provided during import). Default is false.

status String

The status of the application, by default, it is "ACTIVE".

tokenEndpointAuthMethod String

Requested authentication method for the token endpoint. It can be set to "none", "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt". Use pkce_required to require PKCE for your confidential clients using the Authorization Code flow. If "token_endpoint_auth_method" is "none", pkce_required needs to be true. If pkce_required isn't specified when adding a new application, Okta sets it to true by default for "browser" and "native" application types. See https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object

tosUri String

URI to web page providing client tos (terms of service).

type String

The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.

userNameTemplate String

Username template. Default: "${source.login}"

userNameTemplatePushStatus String

Push username on update. Valid values: "PUSH" and "DONT_PUSH".

userNameTemplateSuffix String

Username template suffix.

userNameTemplateType String

Username template type. Default: "BUILT_IN".

users List<Property Map>

The users assigned to the application. It is recommended not to use this and instead use okta.app.User.

Deprecated:

The direct configuration of users in this app resource is deprecated, please ensure you use the resource okta_app_user for this functionality.

wildcardRedirect String

Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris. Valid values: "DISABLED", "SUBDOMAIN". Default value is "DISABLED".

Supporting Types

OAuthGroupsClaim

Name string

Name of the claim that will be used in the token.

Type string

The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.

Value string

Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.

FilterType string

Groups claim filter. Can only be set if type is "FILTER". Valid values: "EQUALS", "STARTS_WITH", "CONTAINS", "REGEX".

IssuerMode string

Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".

Name string

Name of the claim that will be used in the token.

Type string

The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.

Value string

Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.

FilterType string

Groups claim filter. Can only be set if type is "FILTER". Valid values: "EQUALS", "STARTS_WITH", "CONTAINS", "REGEX".

IssuerMode string

Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".

name String

Name of the claim that will be used in the token.

type String

The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.

value String

Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.

filterType String

Groups claim filter. Can only be set if type is "FILTER". Valid values: "EQUALS", "STARTS_WITH", "CONTAINS", "REGEX".

issuerMode String

Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".

name string

Name of the claim that will be used in the token.

type string

The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.

value string

Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.

filterType string

Groups claim filter. Can only be set if type is "FILTER". Valid values: "EQUALS", "STARTS_WITH", "CONTAINS", "REGEX".

issuerMode string

Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".

name str

Name of the claim that will be used in the token.

type str

The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.

value str

Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.

filter_type str

Groups claim filter. Can only be set if type is "FILTER". Valid values: "EQUALS", "STARTS_WITH", "CONTAINS", "REGEX".

issuer_mode str

Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".

name String

Name of the claim that will be used in the token.

type String

The type of OAuth application. Valid values: "web", "native", "browser", "service". For SPA apps use browser.

value String

Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.

filterType String

Groups claim filter. Can only be set if type is "FILTER". Valid values: "EQUALS", "STARTS_WITH", "CONTAINS", "REGEX".

issuerMode String

Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. Valid values: "CUSTOM_URL","ORG_URL" or "DYNAMIC". Default is "ORG_URL".

OAuthJwk

Kid string
Kty string
E string
N string
Kid string
Kty string
E string
N string
kid String
kty String
e String
n String
kid string
kty string
e string
n string
kid str
kty str
e str
n str
kid String
kty String
e String
n String

OAuthUser

Id string

ID of the application.

Password string
Scope string
Username string
Id string

ID of the application.

Password string
Scope string
Username string
id String

ID of the application.

password String
scope String
username String
id string

ID of the application.

password string
scope string
username string
id str

ID of the application.

password str
scope str
username str
id String

ID of the application.

password String
scope String
username String

Import

An OIDC Application can be imported via the Okta ID.

 $ pulumi import okta:app/oAuth:OAuth example &#60;app id&#62;

It’s also possible to import app without groups or/and users. In this case ID may look like this

 $ pulumi import okta:app/oAuth:OAuth example &#60;app id&#62;/skip_users

 $ pulumi import okta:app/oAuth:OAuth example &#60;app id&#62;/skip_users/skip_groups

 $ pulumi import okta:app/oAuth:OAuth example &#60;app id&#62;/skip_groups

Package Details

Repository
Okta pulumi/pulumi-okta
License
Apache-2.0
Notes

This Pulumi package is based on the okta Terraform Provider.